Re: [Samba] Kerberos authentication for non-windows KDCs

2008-03-12 Thread Sean P. Elble

On Wed, 12 Mar 2008, Jeremy Allison wrote:


On Wed, Mar 12, 2008 at 11:07:28PM +0100, Olivier Sessink wrote:

Jeremy Allison wrote:


That's just not true. Many people are successfully using Samba3 to authenticate
with tokens from MIT or Heimdal kerberos servers.
The problem is getting the Windows clients to *get* these tickets, not in
Samba interpreting them.


Is 'getting' or 'using' the kerberos ticket the problem?

One can install MIT kerberos on windows, and I suppose getting the tickets
from an MIT KDC should be possible then, but will the cifs stack in windows
actually use those tickets?


In this case - using. MS have a whitepaper on using Windows clients
with MIT kerberos, but you have to have stand-alone accounts on
individual machines - not domain accounts. It's completely useless
and non-scalable in the real world.

When they change this I'll start to believe the "interoperability"
line...


First off, my apologies for supplying some incorrect information. I had no 
idea Samba was capable of accepting Kerberos tickets, which is a nice 
feature to have.


That said, this is the problem I have run into with my attempt to learn 
how to combine Samba, OpenLDAP, and Kerberos. It's not terribly difficult 
to integrate the three, but the Holy Grail of using MIT Kerberos (or 
Kerberos of any variety, really) on Windows as a member of a Samba 
domain to authenticate to a Samba server seems to be something we will only
see with Samba 4. Please correct me if I am wrong in saying that, but that 
is how it has appeared to me for quite some time.


And once again, my apologies for the incorrect information. My mind always 
thinks Windows is the client, and Samba is the server, ignoring other 
possible configurations for no real good reason. :-)



Jeremy.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

SES Computer Systems Anti-Virus and Anti-Spam E-Mail Filtering
Powered By ClamAV & SpamAssassin





Re: [Samba] LDAP and Kerberos configuration

2007-07-09 Thread Sean P. Elble
Unfortunately, this type of setup is very far from trivial. LDAP and 
Kerberos combined can be quite a bit of a pain as it is, and throwing 
Samba into the mix only makes things even more painful. That said, the 
following link is pretty much the best thing on the web (IMHO) with regard 
to doing this:


http://aput.net/~jheiss/krbldap/

The link is a bit out-of-date, and has a few errors that were pretty 
painful to diagnose and fix, but I did eventually get a completely 
replicated LDAP/Kerberos setup, with a single Samba PDC at the moment 
(this is at home, so I'm not *THAT* concerned about the Samba box dying).


I did e-mail the author of the document to note the errors and omissions, 
but I never received a reply, nor were my changes added to his site. 
That's a real shame, because his documents were (and still are, for the 
most part) quite good.


I don't have any of my notes on the subject handy, but the largest issues 
that I can remember off hand were:


1. Some of the LDAP ACL entries were not correct, or were out of date with 
current versions of LDAP.


2. I'm pretty sure there were quite a few more steps involved with getting 
Samba to play nicely with a standard LDAP+Kerberos setup. Also, note that 
with a standard MIT Kerberos distribution, you will NOT be able to store 
Windows passwords in the MIT Kerberos database. The best you can do, as 
things stand right now, without any patches to either Samba or Kerberos, 
is sync the Kerberos passwords (to be used with everything but Samba) with 
the NTLM password hashes stored in the LDAP directory. If you choose to 
use Heimdal, I understand that it is possible to use the Samba NT password 
hashes for the Kerberos authentication as well, per Andrew Bartlett's 
reply to me on the subject from back in April.


3. Kerberos replication has a few more steps than are detailed on his 
page, and really aren't all that clear in any of the official MIT Kerberos 
documentation either (i.e. you must create a database on each of your 
Kerberos slaves before kpropd will replicate - you won't get any error 
messages that indicate that problem either).


I will try and post my notes on the subject later tonight, and I'm sure 
I'd hear some corrections to make to them, but in the meantime, the link I 
referenced to above is about as good as it gets if you want SSO for 
Linux/UNIX and Windows systems, with the backend being served by Linux or 
UNIX. At least until Samba 4 comes out, anyway . . . ;-) :-)


--
+-+
|  Sean Elble |
|  Virginia Tech, Class of 2008   |
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
|  Web:  http://www.sessys.com/~elbles/   |
|  Cell: 860.946.9477 |
+-+

On Tue, 3 Jul 2007, Nick Bartos wrote:


Good luck, I've been looking for the same thing for some time now.




Hello,

I am looking for configuration of SAMBA  3.0.25a with LDAP registry and
Authentication with Kerberos.
Any help is appreciated.

Iliya










Re: [Samba] New to this list. How to Samba Archives.

2006-07-20 Thread Sean P. Elble

On Thu, 20 Jul 2006, Ariel Duran wrote:


Hello all,



What is the easiest way to search the samba archives? The archive doesn't
have a search option like the qmail archives search option.



The easiest way to search the archives is to go to:

http://marc.theaimsgroup.com/

and scroll down until you get to the Samba portion. You can click on a 
mailing list, and then run a search on it. Many, many mailing lists are 
there, so it's really a great resource for sysadmins. HTH.





Regards,

Ariel Duran




--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+



Re: [Samba] direct descent into home directory

2006-07-12 Thread Sean P. Elble
I just want to make sure I understand you correctly before making any 
other recommendations. It sounds as though your users are able to login, 
and have a drive mapped to some directory on your server that CONTAINS all 
your users' home directories. Is that correct? If it is, how do you have 
your home directories setup compared to what is listed for each user in 
/etc/passwd (or corresponding LDAP entry)? Samba *SHOULD* be mapping each 
home directory accessed to each user's home directory as listed in 
/etc/passwd when a user maps the drive using net use h: /home (or any 
other drive letter, of course).


The other possible scenario I can see is that Windows Explorer isn't 
opening on startup to a user's home directory, but that sounds like the 
less-likely scenario.


On Wed, 12 Jul 2006, Jerry Mersel wrote:


Thanks for answering.

What I meant was, after a user logs in there is another folder
to click to enter the user's home directory. I want to go directly
into the home directory.

Regards,
  Jerry


Samba alone will not automatically map a user's home directory to any
specific drive. The best way (that I know of) to implement this is to
create a login script, where you run a command like this:

net use h: /home

That should map the H drive on the user's machine to their home directory
on the Samba server. I'm assuming this is what you mean when you say
Samba will go directly to the users' home directories. Hope it helps.

On Wed, 12 Jul 2006, Jerry Mersel wrote:


I am trying, after login, to have samba go directly
to the user's home directory. But it doesn't happen. Please help.

Here is my setup:

logon home = \\%N\%U

[homes]
  comment = %U's Home Directory
  valid users = %S
  read only = Yes
  browseable = no
  ## path = %H
  create mask = 0600
  directory mask = 0700
  guest ok = no
  printable = no

 Regards,
   Jerry














--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
|  Cell: 860.946.9477 |
+-+



Re: [Samba] direct descent into home directory

2006-07-12 Thread Sean P. Elble
Samba alone will not automatically map a user's home directory to any 
specific drive. The best way (that I know of) to implement this is to 
create a login script, where you run a command like this:


net use h: /home

That should map the H drive on the user's machine to their home directory 
on the Samba server. I'm assuming this is what you mean when you say 
Samba will go directly to the users' home directories. Hope it helps.


On Wed, 12 Jul 2006, Jerry Mersel wrote:


I am trying, after login, to have samba go directly
to the user's home directory. But it doesn't happen. Please help.

Here is my setup:

logon home = \\%N\%U

[homes]
  comment = %U's Home Directory
  valid users = %S
  read only = Yes
  browseable = no
  ## path = %H
  create mask = 0600
  directory mask = 0700
  guest ok = no
  printable = no

 Regards,
   Jerry








--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
|  Cell: 860.946.9477 |
+-+



Re: [Samba] Samba 3 startup

2006-07-10 Thread Sean P. Elble

On Mon, 10 Jul 2006, Eric Evans wrote:


Hello,

I'd like to see if I can get some clarification on what is the preferred 
method of starting the Samba daemons (note that we are using Solaris, not 
Linux).  This is something that I'm not able to find any explanation of in 
any of the Samba 3 documentation that I've looked at so far.  In Samba 2 I 
would have the Samba daemons started up by the following in my 
/etc/inetd.conf:


netbios-ssn stream tcp nowait root /usr/local/samba/sbin/smbd smbd
netbios-ns  dgram  udp wait   root /usr/local/samba/sbin/nmbd nmbd


but I don't know if this same inetd.conf setup is appropriate for Samba 3. 
And what about windd?




The preferred method for starting/running Samba would be in daemon mode 
(as opposed to starting it up from inetd, as there is a bit of overhead 
involved in running in that mode). IIRC, you are compiling from source, 
and in the Samba source tree, there is a directory packaging/Solaris. 
There is an init file in there that is designed to be used with Solaris, 
obviously, and that is the preferred method of starting Samba, as far as I 
understand it. It will start smbd and nmbd, as well as winbindd, but you 
should not need to run winbindd for your purposes (I am also assuming when 
you refer to windd, you mean winbindd). Hope that helps.



Thanks a lot,
Eric







--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+



Re: [Samba] OK, one more time on the PDC thing

2006-07-07 Thread Sean P. Elble

On Fri, 7 Jul 2006, Eric Evans wrote:

My apologies, I'm terribly sorry to belabor these PDC issues to the point 
where everyone is undoubtedly tired of hearing about them, but I have become 
absolutely obsessed with trying to solve this PDC problem.  Here is what is 
happening now.  I'm trying to connect to the Samba server which is set up as 
the PDC (domain PLAB) from windows client "venus".  Windows prompts me to 
enter a username and password.  I enter the username and password for root. 
It comes back and says it can't find a network path to that domain.  Here's 
the message that appears in my samba log file:


[2006/07/07 14:40:18, 0] 
nmbd/nmbd_incomingrequests.c:process_name_refresh_request(183)
 process_name_refresh_request: unicast name registration request received 
for name VENUS<20> from IP 128.253.175.150 on subnet UNICAST_SUBNET.
[2006/07/07 14:40:18, 0] 
nmbd/nmbd_incomingrequests.c:process_name_refresh_request(184)

 Error - should be sent to WINS server

Can anybody tell me what this error means?



I do not have your original smb.conf file available, as I am at work and 
only have shell access to this e-mail account, but just as a shot in the 
dark, are you running WINS on your Samba server? IIRC, a PDC is always 
expected to be running WINS, so it looks like it's having problems 
registering "venus" in the Windows/Samba domain. So, I would check to see 
if you are running that . . . if you aren't, I'd give that a shot, and 
I'll try to verify a few more things when I get home for you.




Thank you very much,
Eric





--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+



Re: [Samba] clarification needed: $ in machine name?

2006-07-07 Thread Sean P. Elble

On Fri, 7 Jul 2006, Eric Evans wrote:


Hello,

Sorry to be a pest, but I need to try to get some clarification of how the 
machine name works when setting up a machine account on the Samba server. 
The Samba How-To page 
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html#id2536400 
talks about the "common error" of including the $ in the machine name on the 
server machine.  However, all of the examples of PDC setup that I've seen 
show machine accounts in the passwd file that DO have a $ at the end of the 
machine name.  So, $ or no $?  The explanation on the How-To page is 
confusing, when it says "The problem is only in the program used to make the 
entry. Create a user without the "$".  Then use vipw to edit the entry, 
adding the "$"".  This is perplexing.  Why would it make any difference 
whether you put in the $ with vipw or some other editor?  And why does the 
heading of this section say ""$" Cannot Be Included in Machine Name?"  I 
don't quite get what the real technical issue is here.  I think some more 
explanation is needed.


The technical issue there was/is actually specific to old(er) versions of 
FreeBSD/NetBSD/OpenBSD where the standard set of commands would not let 
you add a user with the "$" character in it, at least per my 
understanding. You definitely do need the $ appended to the end of the 
machine name for the machine accounts though, and assuming you run a newer 
release of *BSDs, Linux, et cetera, you should be OK in that aspect.


Also, to clarify on a matter you mentioned earlier regarding machine 
accounts and "blank" passwords, that should not be an issue, as long as 
you disable their ability to login to the system via modifying the GECOS 
field in /etc/passwd so that their shell is something like /bin/false. 
Someone else had mentioned it, I believe, but another confirmation should 
help to put your mind more at ease. :-) Well, at least as at ease as a 
mind can be when running Sun systems . . . :-P




Eric




--
--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+
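The "$" question in the exchange above, as an added example that is not part of the thread or of Samba: a small checker for /etc/passwd-style lines that treats an account named with a trailing "$" as a machine (workstation trust) account and confirms that its shell, the seventh field of the entry (the GECOS comment is the fifth), is a non-login shell, plus a helper that builds a correct entry for a new host. The sample entries and host names are constructed. The shell matters because the machine account's UNIX password is never used by Samba for anything, so the only thing an interactive shell on that account can do is give an attacker a login target; /bin/false or nologin closes that without affecting the domain join.

```python
"""Check /etc/passwd-style entries for Samba machine (workstation trust)
accounts, and build a correct entry for a new one.

Added example, not from the thread or from Samba. A machine account is the
NetBIOS host name plus a trailing "$"; it needs no interactive login, so its
shell, the seventh field of the passwd entry, is a non-login shell. The
sample entries below are constructed.
"""

NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
NETBIOS_NAME_MAX = 15  # NetBIOS host names are at most 15 characters

# Constructed sample file, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
eric:x:1001:100:Eric Evans:/home/eric:/bin/bash
venus$:x:1500:200:Machine account VENUS:/dev/null:/bin/false
mars$:x:1501:200:Machine account MARS:/home/mars$:/bin/bash
averyveryverylonghostname$:x:1502:200:Machine account:/dev/null:/bin/false
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text):
    """Return one dict per non-empty, non-comment line; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def is_machine_account(entry):
    """Samba machine accounts carry the trailing "$" in the passwd name itself."""
    return entry["name"].endswith("$")


def audit_machine_accounts(text):
    """Return (account name, problem) pairs for machine accounts that look wrong."""
    findings = []
    for e in parse_passwd(text):
        if not is_machine_account(e):
            continue
        host = e["name"][:-1]
        if not host or len(host) > NETBIOS_NAME_MAX:
            findings.append((e["name"], f"host part {host!r} is not a valid NetBIOS name"))
        if e["shell"] not in NOLOGIN_SHELLS:
            findings.append((e["name"], f"shell {e['shell']} allows interactive login; use /bin/false"))
    return findings


def machine_passwd_entry(hostname, uid, gid):
    """Build the passwd line for hostname's machine account (name ends in "$")."""
    host = hostname.lower().rstrip("$")
    if not host or len(host) > NETBIOS_NAME_MAX:
        raise ValueError(f"{hostname!r} is not a valid NetBIOS host name")
    return f"{host}$:x:{uid}:{gid}:Machine account {host.upper()}:/dev/null:/bin/false"


if __name__ == "__main__":
    for name, problem in audit_machine_accounts(SAMPLE_PASSWD):
        print(f"{name}: {problem}")
    print(machine_passwd_entry("Venus", 1500, 200))
```

On the constructed sample this flags mars$ (interactive shell) and the over-long host name, and leaves venus$ alone; the length check is there because a host part longer than 15 characters can never match the name the workstation registers, so the join fails in a way that looks like a password problem.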



Re: [Samba] W2K Domain Users in Samba

2006-04-19 Thread Sean P. Elble

Jim,

My comments are within your original post to the mailing list.

--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+

On Wed, 19 Apr 2006, [EMAIL PROTECTED] wrote:


Looking for a pointer in the right direction

My current configuration is
NT4 PDC (Solaris PCnetlink)
Samba Member server (Solaris 9 Samba ver 3.0.20b)for file and print
sharing
WinXp Pro Clients SP2

My problem is with the Domain Users. I am able to share out file systems
to the XP clients from my Samba server OK. I am also able to modify the
permissions for the files in the share in Solaris using the chmod, chgrp
and chown. This seems to work OK. When I am on the WinXp client and I look
at the security permissions tab on the folder properties that I own, I
cannot see the NT4 Domain Users, all I see are the \\localmachine\user
when what I want is the  \\domain\user. When I try to add a domain user in
the security properties page I see the domain and the list of users but
when I select a user or group and select add it does not add it to the
folder properties. I am new to Samba -- am I missing some simple
configuration parameter or is this how it is supposed to work?


My first question to you is how have you setup the users on this Solaris 
file server? For file sharing to work properly, I'd imagine you either are 
running Winbind for the user database on the server, OR you are using 
username mapping, with local users on the file server as well. If you are 
not, well, that is your problem right there. Samba needs to know which 
UNIX user owns the files, and has the various permissions: Knowing which 
user in the Windows domain would not do Samba any good, as it doesn't 
maintain a permissions database for files separate of the UNIX file 
permissions scheme (someone please correct me if I am wrong here).


This is quite unlike Sun's PC Netlink, which, IIRC, is a product developed 
under a source code license from Microsoft, allowing for full Windows NT 
4.0 PDC functionality from a Solaris server (versions were produced for 
other versions of UNIX as well). However, it maintains its own database 
for file permissions, and it does not require local UNIX users for every 
Windows user in the domain.


As such, my recommendation would be to run Winbind on the file server, 
which will allow you to authenticate local UNIX users via the PC Netlink 
PDC, and allow you to do file permissions and other such things on the 
UNIX level quite easily. I cannot say for sure that this is where your 
problem lies, but I'd put some money on it (if I were not a poor college 
student, that is :-)).




alb-smb(test)# ./testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[R]"
Processing section "[logs]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
   workgroup = TESTDOM
   server string = %h - Samba Server %v
   security = DOMAIN
   password server = test-net
   log level = 4
   log file = /var/log/samba/log.%m
   max log size = 50
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   printcap name = /etc/printcap
   dns proxy = No
   wins server = 10.0.0.1

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = Yes
   browseable = No

[R]
   comment = R Drive
   path = /share/R
   public = yes
   writable = yes
   create mask = 0755
   guest ok = Yes
   nt acl support = true

[logs]
   comment = Testing logs
   path = /share/logs
   public = yes
   writable = yes
   create mask = 0755
   guest ok = Yes





Re: [Samba] Using NAS as PDC Shares?

2006-03-15 Thread Sean P. Elble

On Wed, 15 Mar 2006, Paul Henry wrote:


Dear List,

We have just bought:

* Dual AMD CPU, 8TB NAS, 4GB RAM (DNUK.COM) - SUSE 9.3
* Two Dell 2850, 3GB RAM, Dual Xeon 3.2GHz, 300GB Raid 5 - Fedora Core 4

Now obviously we want to use the Storage ;-)


First off, jealousy has set in. If you need anyone to "test" that 
equipment out, I don't think you'd find any shortage on this list. :-)




How would you guys recommend we proceed?

Samba PDC on one 2850, LDAP Directory on second, and somehow mount the
storage for the shares?

Or run the PDC on the NAS, and keep the LDAP Directory on a 2850?

Any advice would be greatly appreciated.

Oh, its for about 20-30 users ;-)


Honestly, for that many users, PDC/LDAP performance probably will not 
matter much. It sounds as though transferring files will be your 
bottleneck, and even that will almost certainly be limited by your 
network, even if you are entirely gigabit based. Depending on your 
hardware requirements, and how "available" those Dell machines are, my 
ideal recommendation would be to mirror the two Dell systems, and run 
something like Heartbeat across the two. To use 
the storage from the AMD system on each of the Dells, I'd mount the large 
file system via NFS on each of the Dell machines, with each of the Dells 
connected to the AMD system via "private" gigabit Ethernet (and by 
private, I mean on a switch dedicated to those 3 servers, basically).


If that's not an option, I don't see any real reason why you couldn't just 
run the PDC on the AMD box, and LDAP on one of the Dell machines. 
Honestly, other than for reducing points of failure, that single AMD box 
could almost definitely do everything you want to do without issue. And 
regardless, I'd just love to be able to have that hardware. :-) Hope my 
$0.02 helps . . .


Many thanks,


Paul.



--
+-+
|  Sean Elble |
|  Virginia Tech  |
|  Computer Engineering, Class of 2008|
|  Vice President, VTLUUG |
|  E-Mail:   [EMAIL PROTECTED]|
+-+


Re: [Samba] Sharing a Secondary Hard Drive

2006-02-03 Thread Sean P. Elble

On Fri, 3 Feb 2006, Justin McCullough wrote:

I installed a second hard drive on my Samba server box with the hopes of 
creating a share for the rest of my home network. It doesn't seem like Samba 
is able to read the drive for some reason, however. The new drive is mounted 
on /media/public. When I create a share directly to the drive and try to 
connect through the smbclient, I get an NT_STATUS_BAD_NETWORK_NAME error. 
Moving the share up a level to /media allows smbclient to connect, but the 
public folder does not even appear and trying to cd into it returns an 
NT_STATUS_ACCESS_DENIED message. The drive itself seems fine as I'm able to 
write to it using any of my accounts directly and I can ftp and scp into it, 
so I am completely stumped. Does any one else have any experience with this 
or know what may be the cause? I'm running Fedora Core 4 by the way, if that 
helps.


Justin,

You might want to look into what the permissions are on the UNIX side of 
things. You say that you can use any of your accounts directly using UNIX 
tools, but are the same users used for Samba, or is there a forced user in 
the smb.conf file? Just something to look into . . .




Thanks in advance,
Justin McCullough



-Sean Elble