[Samba] Groups authentication?
Hi,

Is it possible to use group authentication instead of user/share authentication? I did create a very basic share on a test server and it allows everyone. I would like to create a Samba group on the server and only give access to the users in that group. Can I do that?

I'm using Samba 3.0.25b on a CentOS 5 server.

Thanks!

Simon

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] AD integration checklist
I modified nsswitch.conf and I restarted winbind. Still cannot authenticate.

wbinfo -u does return the list of my domain users. I can also see the groups.

I do not have a /etc/pam.d/samba file.

Any idea what I need to check next?

Thanks!

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Dinkel
Sent: 8 December 2006 16:24
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

-----Original Message-----
From: Don Meyer
Sent: Friday, December 08, 2006 2:12 PM

Don't forget the necessary modifications to nsswitch.conf:

    passwd: files winbind
    shadow: files winbind
    group:  files winbind

Cheers,
-Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group.

Also, I believe this is also required in /etc/pam.d/samba:

    auth    required pam_winbind.so
    account required pam_winbind.so

but I've never tried it without this.

James
RE: [Samba] AD integration checklist
Now if I run net ads user, I see the following error messages and then I see the list of users:

    [2006/12/11 13:36:24, 0] param/loadparm.c:map_parameter(2443)
      Unknown parameter encountered: dmap uid
    [2006/12/11 13:36:24, 0] param/loadparm.c:lp_do_parameter(3131)
      Ignoring unknown parameter dmap uid

?

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Renshaw
Sent: 11 December 2006 12:48
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

I modified nsswitch.conf and I restarted winbind. Still cannot authenticate.

wbinfo -u does return the list of my domain users. I can also see the groups.

I do not have a /etc/pam.d/samba file.

Any idea what I need to check next?

Thanks!

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Dinkel
Sent: 8 December 2006 16:24
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

-----Original Message-----
From: Don Meyer
Sent: Friday, December 08, 2006 2:12 PM

Don't forget the necessary modifications to nsswitch.conf:

    passwd: files winbind
    shadow: files winbind
    group:  files winbind

Cheers,
-Don

That's right. Although, I do not have winbind after the shadow directive, and I've never seen any documentation saying you need it, just after passwd and group.

Also, I believe this is also required in /etc/pam.d/samba:

    auth    required pam_winbind.so
    account required pam_winbind.so

but I've never tried it without this.

James
[Samba] AD integration checklist
Hi,

I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured /etc/krb5.conf for my domain. I was able to successfully run kinit and join my Windows 2003 domain with net ads join. net ads user and net ads group return the users and the groups of the domain. So far so good.

I'm kinda stuck on the next step. I would like to grant access to the share defined in smb.conf to anybody in the domain. How do I make it authenticate users on the domain instead of using the server?

Content of smb.conf:

    [global]
    workgroup = BENCHCAN
    server string = Virtual Linux
    wins server = 192.168.64.20
    netbios name = BACKUP
    realm = BENCHMARKCANADA.COM
    password server = castor-srvr1.benchmarkcanada.com
    security = ADS

    [share]
    path = /
    guest ok = no
    read only = no

Thanks!

Simon
RE: [Samba] AD integration checklist
Thanks for the reply. You are correct, I'm testing on a virtual machine.

I modified smb.conf with the lines you said, but when I try to access the share I keep getting prompted for my user/pass. Any idea?

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James A. Dinkel
Sent: 8 December 2006 13:05
To: samba@lists.samba.org
Subject: RE: [Samba] AD integration checklist

-----Original Message-----
From: Simon Renshaw
Sent: Friday, December 08, 2006 10:13 AM

Hi,

I compiled Samba 3.0.23d on a CentOS 4.4 machine. Then I configured /etc/krb5.conf for my domain. I was able to successfully run kinit and join my Windows 2003 domain with net ads join. net ads user and net ads group return the users and the groups of the domain. So far so good.

I'm kinda stuck on the next step. I would like to grant access to the share defined in smb.conf to anybody in the domain. How do I make it authenticate users on the domain instead of using the server?

Content of smb.conf:

    [global]
    workgroup = BENCHCAN
    server string = Virtual Linux
    wins server = 192.168.64.20
    netbios name = BACKUP
    realm = BENCHMARKCANADA.COM
    password server = castor-srvr1.benchmarkcanada.com
    security = ADS

    [share]
    path = /
    guest ok = no
    read only = no

Thanks!

Simon

You need this in your global section:

    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    encrypt passwords = yes

And this in your share section:

    valid users = @BENCHCAN\domain users

Although this will give all your users access to /, which doesn't seem like a good idea, but I assume this is just for testing.
[Samba] Trying to find why it is not working
Hi,

First, sorry if this is a bit long. I'm having problems finding what is wrong with my setup.

Running Samba 3.0.10-1.4E.6 on CentOS 4.3. PDC is AD on Windows 2003. Samba and winbind are running.

My smb.conf file:

    # Samba config file created using SWAT
    # from 127.0.0.1 (127.0.0.1)
    # Date: 2006/05/30 10:52:16

    # Global parameters
    [global]
    workgroup = MONTREAL
    realm = CASTORTECH.COM
    interfaces = eth0
    security = ADS
    password server = castor-srvr1
    wins server = 192.168.64.20

    [Main]
    comment = Test
    path = /
    guest ok = yes
    writeable = yes

I was able to join the domain with net ads join. I see the Linux box in AD. I also see it in My Network Places on Windows, and the share called Main, but it asks for a user/password when I try to access it and it doesn't work.

If I run net ads testjoin:

    Join is OK

If I run net ads info:

    LDAP server: 192.168.64.20
    LDAP server name: castor-srvr1
    Realm: CASTORTECH.COM
    Bind Path: dc=CASTORTECH,dc=COM
    LDAP port: 389
    Server time: Fri, 02 Jun 2006 14:04:26 GMT
    KDC server: 192.168.64.20
    Server time offset: -947

If I run net ads lookup:

    Information for Domain Controller: castor-srvr1
    Response Type: SAMLOGON
    GUID: e7508a6a-4561-4440-b45c-9fd246d4c93c
    Flags:
        Is a PDC: yes
        Is a GC of the forest: yes
        Is an LDAP server: yes
        Supports DS: yes
        Is running a KDC: yes
        Is running time services: yes
        Is the closest DC: yes
        Is writable: yes
        Has a hardware clock: no
        Is a non-domain NC serviced by LDAP server: no
    Forest: castortech.com
    Domain: castortech.com
    Domain Controller: castor-srvr1.castortech.com
    Pre-Win2k Domain: MONTREAL
    Pre-Win2k Hostname: CASTOR-SRVR1
    Site Name: Default-First-Site-Name
    Site Name (2): Default-First-Site-Name
    NT Version: 5
    LMNT Token:
    LM20 Token:

net ads user also returns a list of the domain's users. wbinfo -u and -g return a list of the domain's users and groups.

But if I run wbinfo -a simon%bvhdohgo I get:

    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error messsage was: No such user
    Could not authenticate user simon%bvhdohgo with plaintext password
    challenge/response password authentication succeeded

I also tried with administrator but I got the same result. But I ran wbinfo --set-auth-user=administrator%pass and get MONTREAL\administrator%pass if I run wbinfo --get-auth-user. So it is able to get the domain info. I don't get it.

And of course, getent passwd returns the local users, not the ones from the domain. passwd, shadow and group are set as "files winbind" in /etc/nsswitch.conf.

I think that I am pretty close to a solution but I don't know what to do next. Any idea what is wrong and what I should check next?

Thanks!

Simon
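The outputs quoted in this post (net ads testjoin, net ads info, wbinfo -t from a later message, getent passwd) are the checks a domain member has to pass before share access can work, so here is a small checklist runner. It is an added example, not Samba's own tooling and not code from anyone in this thread. The pure functions parse the command output; run_checklist() executes the real commands (net, wbinfo, getent) on a member server. The net ads info sample is copied from the post above; the getent passwd sample is constructed, with the uid, gid and home directory made up. The 300-second skew limit is MIT Kerberos' default clockskew tolerance; the Server time offset of -947 seconds reported above is outside it. The domain-user count assumes the default winbind separator and winbind use default domain = no, as the code comments say.

```python
"""Checklist runner for a Samba 3 AD member server.
Added example, not Samba's tooling; the pure functions parse the command
output quoted in this thread and run_checklist() executes the real commands."""
import subprocess

MAX_CLOCK_SKEW = 300  # seconds; MIT Kerberos' default clockskew tolerance


def parse_key_values(text):
    """Parse 'Key: value' lines such as those printed by `net ads info`."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def clock_skew_ok(net_ads_info_text, max_skew=MAX_CLOCK_SKEW):
    """True when |Server time offset| (seconds) is within the Kerberos tolerance."""
    offset = int(parse_key_values(net_ads_info_text)["Server time offset"])
    return abs(offset) <= max_skew


def domain_users_in_passwd(getent_text, separator="\\"):
    """Count passwd entries that came through winbind, recognised by the
    DOMAIN<separator>user name form.  Assumption: the default separator and
    'winbind use default domain = no'; with default domain on the separator
    is stripped and this heuristic undercounts."""
    return sum(1 for line in getent_text.splitlines()
               if separator in line.split(":", 1)[0])


def trust_secret_ok(wbinfo_t_text):
    """`wbinfo -t` prints 'checking the trust secret via RPC calls succeeded'."""
    return "succeeded" in wbinfo_t_text


def run_checklist():
    """Run the real commands in the order the thread's replies suggest."""
    steps = [
        ("domain join (net ads testjoin)", ["net", "ads", "testjoin"],
         lambda out: "Join is OK" in out),
        ("trust secret (wbinfo -t)", ["wbinfo", "-t"], trust_secret_ok),
        ("clock skew (net ads info)", ["net", "ads", "info"], clock_skew_ok),
        ("NSS sees domain users (getent passwd)", ["getent", "passwd"],
         lambda out: domain_users_in_passwd(out) > 0),
    ]
    for name, cmd, check in steps:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
            status = "ok" if check(out) else "FAIL"
        except (OSError, subprocess.SubprocessError, KeyError, ValueError) as exc:
            status = f"error: {exc}"
        print(f"{name:45s} {status}")


# net ads info sample copied from the thread; getent passwd sample constructed.
SAMPLE_NET_ADS_INFO = """LDAP server: 192.168.64.20
LDAP server name: castor-srvr1
Realm: CASTORTECH.COM
Bind Path: dc=CASTORTECH,dc=COM
LDAP port: 389
Server time: Fri, 02 Jun 2006 14:04:26 GMT
KDC server: 192.168.64.20
Server time offset: -947
"""
SAMPLE_GETENT = """root:x:0:0:root:/root:/bin/bash
simon:x:500:500::/home/simon:/bin/bash
MONTREAL\\simon:*:10001:10001:domain user:/home/MONTREAL/simon:/bin/bash
"""

if __name__ == "__main__":
    run_checklist()
```

Running it on a member server prints one line per step; a FAIL on the clock-skew step means the box's clock has to be synchronised with the DC before Kerberos will work reliably, and a FAIL on the getent step with a working wbinfo -u points at nsswitch.conf rather than at Samba.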
[Samba] Windbind auth
Hi,

I was able to get my server in the domain. I can see it from ADUC and Network Places. But I can't get it to use AD to authenticate the users that want to access the server/share.

wbinfo -u and -g return the users and groups of my MONTREAL domain. net ads info also returns the correct information about my domain.

I then tried to run getent passwd but that only returned the list of the local accounts.

Content of /etc/nsswitch.conf:

    passwd: files windbind
    shadow: files windbind
    group: files windbind
    hosts: files dns wins

The rest are set as files. I tried to remove files in passwd, shadow and group but when I ran getent passwd it returned nothing. I then replaced windbind with compat and got the same result.

What should I do about that? And what else should I check?

Found this in the doc:

--
Do not forget to specify also the ldap admin dn and to make certain to set the LDAP administrative password into the secrets.tdb using:

    root# smbpasswd -w ldap-admin-password

In place of ldap-admin-password, substitute the LDAP administration password for your system.
--

I assume that this is the password of Administrator? I did that with the password of Administrator.

And if I got this right, to allow users to access a share from a group I need to put a @ first? For example:

    valid users = @MONTREAL\Domain Users

I'm running Samba 3.0.10-1.4E.6 on CentOS 4.3. The clients would be Windows machines.

I'm about to give up and just create a bunch of local users :/

If you need to know more details, just let me know.

Thanks!

Simon
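Three of the problems in this thread are configuration-file mistakes that Samba either ignores silently or reports only in a log: the "Unknown parameter encountered: dmap uid" message in the AD integration checklist thread, the idmap and winbind settings James says an ADS member needs, and the nsswitch.conf quoted in this post. The following linter is an added example written for this page; it is not Samba's code and not anything posted in the thread. It parses smb.conf and nsswitch.conf, reports parameter and module names that match nothing it knows and suggests the nearest known name, checks that security = ADS comes with a realm and idmap ranges, and flags shares that export / or set guest ok = yes. KNOWN_PARAMS and KNOWN_NSS_MODULES are assumptions: short lists of the names used in this thread, not the full sets from smb.conf(5) and nsswitch.conf(5). The sample inputs are constructed from the configurations posted here.

```python
"""Lint smb.conf and nsswitch.conf for the mistakes seen in this thread.
Added example, not Samba's code; the KNOWN_* tables are deliberate subsets."""
import difflib
import re

# Samba 3.0 parameter names used in the thread (subset, an assumption;
# the full list is in smb.conf(5) or `testparm -v`).
KNOWN_PARAMS = {
    "workgroup", "realm", "security", "password server", "wins server",
    "netbios name", "server string", "interfaces", "encrypt passwords",
    "idmap uid", "idmap gid", "winbind enum users", "winbind enum groups",
    "winbind use default domain", "winbind nested groups", "template shell",
    "log level", "dns proxy", "username map", "preferred master", "path",
    "comment", "guest ok", "read only", "writeable", "browseable", "valid users",
}
# NSS modules that may appear in nsswitch.conf (subset, an assumption).
KNOWN_NSS_MODULES = {"files", "dns", "wins", "winbind", "compat", "ldap", "nis"}


def _norm(name):
    """Samba ignores case and repeated whitespace in parameter names."""
    return re.sub(r"\s+", " ", name.strip().lower())


def _suggest(word, vocabulary):
    """Near-miss hint: this is how 'dmap uid' maps back to 'idmap uid'."""
    hit = difflib.get_close_matches(word, vocabulary, n=1, cutoff=0.8)
    return f" (did you mean '{hit[0]}'?)" if hit else ""


def parse_smb_conf(text):
    """Return {section: {param: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_norm(key)] = value.strip()
    return sections


def lint_smb_conf(text):
    findings = []
    conf = parse_smb_conf(text)
    for section, params in conf.items():
        for key in params:
            if key not in KNOWN_PARAMS:
                findings.append(f"[{section}] unknown parameter '{key}'"
                                + _suggest(key, KNOWN_PARAMS))
    glob = conf.get("global", {})
    if glob.get("security", "").lower() == "ads":
        # An ADS member needs a realm and idmap ranges for winbind accounts.
        for needed in ("realm", "idmap uid", "idmap gid"):
            if needed not in glob:
                findings.append(f"[global] security = ADS but '{needed}' is not set")
    for section, params in conf.items():
        if section == "global":
            continue
        if params.get("path") == "/":
            findings.append(f"[{section}] exports the whole filesystem (path = /)")
        if params.get("guest ok", "no").lower() == "yes":
            findings.append(f"[{section}] guest ok = yes allows unauthenticated access")
    return findings


def lint_nsswitch(text):
    findings, modules_for = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, modules = line.split(":", 1)
        modules_for[database.strip()] = modules.split()
        for token in modules.split():
            if token.startswith("["):  # action such as [NOTFOUND=return]
                continue
            if token not in KNOWN_NSS_MODULES:
                findings.append(f"{database.strip()}: unknown NSS module '{token}'"
                                + _suggest(token, KNOWN_NSS_MODULES))
    for database in ("passwd", "group"):
        if "winbind" not in modules_for.get(database, []):
            findings.append(f"{database}: winbind not listed, so getent {database} "
                            "shows local entries only")
    return findings


# Constructed samples modelled on the configurations posted in the thread.
SAMPLE_SMB_CONF = """
[global]
workgroup = BENCHCAN
realm = BENCHMARKCANADA.COM
security = ADS
dmap uid = 1-2
idmap gid = 1-2

[share]
path = /
guest ok = yes
"""
SAMPLE_NSSWITCH = "passwd: files windbind\nshadow: files windbind\ngroup: files windbind\n"
```

On the samples, lint_smb_conf reports the unknown 'dmap uid' with the hint 'idmap uid', the missing idmap uid range, and the share that exports / to guests; lint_nsswitch reports 'windbind' with the hint 'winbind' on all three lines and then notes that neither passwd nor group actually lists winbind, which is exactly the condition under which getent passwd returns local accounts only.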
RE: [Samba] New Samba installation
Hi,

Samba was restarted (actually, the server was restarted a few times since...) but winbind wasn't running. Now it is.

    [EMAIL PROTECTED] ~]# wbinfo -t
    checking the trust secret via RPC calls succeeded

And wbinfo -u returned a list of the domain users and the names of the computers in the domain.

Still can't access \\vlb2.

Thanks!

Simon

-----Original Message-----
From: James Zuelow [mailto:[EMAIL PROTECTED]
Sent: 25 May 2006 19:11
To: Simon Renshaw
Subject: RE: [Samba] New Samba installation

You didn't specify restarting Samba and Winbind after joining the domain. What does the output of `wbinfo -t` and `wbinfo -u` look like?

James Zuelow
CBJ MIS (907)586-0236
Network Specialist...Registered Linux User No. 186591

-----Original Message-----
--8

If I try to access \\vlb2, it asks for a username and then gives me an access denied message if I use MONTREAL\user.

Thanks for the help,

Simon
[Samba] New Samba installation
Hi,

I'm using Samba 3.0.10-1.4E.6 that came with CentOS 4.3 (fresh install) and Active Directory is running on Windows 2003 SP1. I've been following the instructions of chapter 6 of the HOWTO and would like to validate the work I did.

First I modified smb.conf:

    # Samba config file created using SWAT
    # from 127.0.0.1 (127.0.0.1)
    # Date: 2006/05/24 23:51:58

    # Global parameters
    [global]
    workgroup = MONTREAL
    realm = CASTORTECH.COM
    interfaces = eth0
    security = ADS
    wins server = 192.168.64.20
    password server = castor-srvr1
    encrypt passwords = yes

    [Main]
    comment = Test
    path = /
    read only = No

I didn't modify the krb5.conf file since what was inside was OK.

Then I ran kinit [EMAIL PROTECTED] and entered the password. No error message, it just returned to the prompt. I assume that it worked. The first time I did get a clock skew error, but I corrected it.

Then I ran net ads join -U Administrator%password. It told me:

    Using short domain name -- MONTREAL
    Joined 'VLB2' to realm 'CASTORTECH.COM'

So far so good. I can see it in ADUC\Computers.

I think that I'm pretty close but I'm not sure what to do next. I want that share to be available to anyone on their Windows machine using their Windows login.

If I try to access \\vlb2, it asks for a username and then gives me an access denied message if I use MONTREAL\user.

Thanks for the help,

Simon
RE: [Samba] Managed to make some progress, stuck again.
What packages should I look for? All those I listed or a few specific ones? As long as they are for Red Hat EL 4, I'll be OK. I started to look for them but I'm not sure what I need. (Sorry about that, I'm a Windows guy.)

Simon

-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED]
Sent: 18 April 2006 19:38
To: Simon Renshaw
Cc: Jeremy Allison; samba@lists.samba.org
Subject: Re: [Samba] Managed to make some progress, stuck again.

On Tue, Apr 18, 2006 at 04:25:50PM -0400, Simon Renshaw wrote:
> OK, I'll try to upgrade it. I just downloaded MIT Kerberos 1.4.3.
>
> I ran rpm -qa|grep krb and got:
>
>     krb5-server-1.3.4-27
>     krb5-auth-dialog-0.2-1
>     krb5-libs-1.3.4-27
>     krbafs-1.2.2-6
>     krb5-devel-1.3.4-27
>     krbafs-devel-1.2.2-6
>     krbafs-utils-1.2.2-6
>     krb5-workstation-1.3.4-27
>     pam_krb5-2.1.8-1
>
> Should I uninstall everything krb related before compiling 1.4.3?

Look for updated kerberos rpms rather than compiling it yourself.

Jeremy.
[Samba] Managed to make some progress, stuck again.
Hi,

An update on my work to integrate my Linux server (CentOS 4.3) in AD 2003. Sorry about the long post :)

Found this page (http://www.enterprisenetworkingplanet.com/netos/article.php/3487081) and followed the instructions on it.

First, I made sure that the Samba installation supports Kerberos, LDAP, AD and winbind. That was OK. I made sure that /etc/hosts contains the name of the AD server (castor-srvr1).

Then I edited /etc/krb5.conf to include the following:

    [libdefaults]
    default_realm = CASTORTECH.COM

    [realms]
    CASTORTECH.COM = {
        kdc = castor-srvr1.castortech.com
    }

    [domain_realm]
    .kerberos.server = CASTORTECH.COM

I got the default realm name when I ran ksetup on the AD server.

I then tried to connect using kinit [EMAIL PROTECTED]. It asks for a password and it returns an error (krb_error 14 KDC has no support for encryption type). If I use another user (simon, my account with domain admin rights), it connects and creates a new ticket. To be sure, I tested with a user that doesn't exist and got a krb_error 24 Pre-authentication information was invalid. Any idea why administrator won't connect?

I modified /etc/samba/smb.conf with the info in chapter 13 of the Samba book. The pre-Windows 2000 name of the domain is MONTREAL.

    [global]
    workgroup = MONTREAL
    realm = CASTORTECH.COM
    preferred master = no
    security = ADS
    template shell = /bin/bash
    idmap uid = 500-1000
    idmap gid = 500-1000
    winbind use default domain = yes
    winbind nested groups = yes
    encrypt passwords = yes
    log level = 3
    server string = Linux
    wins server = 192.168.64.20
    dns proxy = no
    password server = None
    username map = /etc/samba/smbusers

    [homes]
    comment = Home Directories
    browseable = no
    writeable = yes

    [root]
    path = /
    writeable = yes
    guest ok = yes

Password server was at None by default. Do I need to put the AD server there? Not sure if the workgroup needs to be the NetBIOS name of the domain (MONTREAL) or the AD server name. [root] is the share I created on my Linux box. Missing anything for that?

If I run testparm with that config:

    Load smb config files from /etc/samba/smb.conf
    Processing section [homes]
    Processing section [printers]
    Processing section [root]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER

To join the domain, the site says to run net ads join -U Administrator. Of course, that didn't work (ads_connect: No such file or directory). I ran net ads join -U administrator --server=castor-srvr1 and got:

    [2006/04/18 13:52:13, 0] libads/ldap.c:ads_add_machine_acct(1368)
      ads_add_machine_acct: Host account for castor-srvr4 already exists - modifying old account
    Using short domain name -- MONTREAL
    Joined 'CASTOR-SRVR4' to realm 'CASTORTECH.COM'

If I open ADUC I can see the server under Computers. So far so good. I think.

Now I need to configure winbind. I edited /etc/nsswitch.conf:

    passwd: files winbind
    shadow: files winbind
    group: files winbind
    hosts: files dns wins

Then I restarted the services. I ran a few wbinfo commands to test it.

wbinfo -g:

    BUILTIN\System Operators
    BUILTIN\Replicators
    BUILTIN\Guests
    BUILTIN\Power Users
    BUILTIN\Print Operators
    BUILTIN\Administrators
    BUILTIN\Account Operators
    BUILTIN\Backup Operators
    BUILTIN\Users

Looks like BUILTIN is on the Linux box instead of AD. But wbinfo --domain=MONTREAL -g:

    Error looking up domain groups

Same thing with -u.

I tried net ads info --server=castor-srvr1:

    LDAP server: 192.168.64.20
    LDAP server name: castor-srvr1
    Realm: CASTORTECH.COM
    Bind Path: dc=CASTORTECH,dc=COM
    LDAP port: 389
    Server time: Tue, 18 Apr 2006 14:35:24 GMT
    KDC server: 192.168.64.20
    Server time offset: 187

net ads testjoin --server=castor-srvr1:

    Join is OK

So according to this, the Linux box is in the domain but there is a problem with winbind. Or something. I can't access the Linux box from Windows.

This is where I'm stuck and would appreciate some help.

Thanks!

Simon
RE: [Samba] Managed to make some progress, stuck again.
OK, I'll try to upgrade it. I just downloaded MIT Kerberos 1.4.3.

I ran rpm -qa|grep krb and got:

    krb5-server-1.3.4-27
    krb5-auth-dialog-0.2-1
    krb5-libs-1.3.4-27
    krbafs-1.2.2-6
    krb5-devel-1.3.4-27
    krbafs-devel-1.2.2-6
    krbafs-utils-1.2.2-6
    krb5-workstation-1.3.4-27
    pam_krb5-2.1.8-1

Should I uninstall everything krb related before compiling 1.4.3?

-----Original Message-----
From: Jeremy Allison [mailto:[EMAIL PROTECTED]
Sent: 18 April 2006 15:19
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Managed to make some progress, stuck again.

It looks like the version of kerberos you're using doesn't have support for the AD enctypes. Update it.

Jeremy.
RE: [Samba] Active directory authentification with Samba
I went into the Samba settings and into the security tab. I selected ADS, added the IP of my AD server and added my Kerberos realm (found it by running ksetup on my AD server).

But since I've done that, I can't even access the server. The message tells me that the server is not accessible or that I might not have permission. It also mentions that configuration information can't be read from the domain controller.

What am I missing? (Yes, I'm trying to read the doc... 943 pages, ugh)

Simon

-----Original Message-----
From: Rob Tanner [mailto:[EMAIL PROTECTED]
Sent: 11 April 2006 20:23
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active directory authentification with Samba

Use security = ADS or security = DOMAIN

On 04/11/2006 01:17 PM, Simon Renshaw wrote:
> Hi,
>
> I looked at the doc but I can't find what I'm looking for. I have 1 Linux server (CentOS 4.3) running Samba 3.0.10 in a Windows 2003 AD domain. I modified Samba's conf file to point it to our WINS server. We can access the share using \\servername. So far so good.
>
> Is there a way to use AD to authenticate the users instead of the Samba users that are on the server?
>
> Thanks!
>
> Simon
RE: [Samba] Active directory authentification with Samba
You mean this? http://us4.samba.org/samba/docs/man/Samba-Guide/kerberos.html

Or do you mean something in the HOWTO section? While there are indeed a lot of examples in it, it seems to deal with Windows shares under a Samba domain. Not my situation. Or there is too much fluff and I just missed it.

I will rephrase what I want to do. I want to share / (read and write) and make it available to everybody that is in the Domain Users group of AD. Simple, no?

So in my smb.conf file, the share will look like that?

    [root]
    path = /
    writeable = yes
    guest ok = yes
    valid users = @MONTREAL\Domain Users

But the Domain Users group is in the Users OU. Should I put Montreal\Users\Domain Users instead?

I have only 1 Linux server and 5-6 users so security (or the lack of it) is not a problem.

Oh, and I never used SWAT.

Thanks!

Simon

From: Rob Tanner [mailto:[EMAIL PROTECTED]
Sent: 13 April 2006 12:59
To: Simon Renshaw
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active directory authentification with Samba

The samba home page (in SWAT) has a section at the bottom called Books. Click on Samba 3 by Example. Then click on Active Directory, Kerberos and Security. Go through that material and make sure you've set everything up correctly. It has a lot of step by step info.

-- Rob

Simon Renshaw said the following on 04/13/2006 08:44 AM:
> I went into the Samba settings and into the security tab. I selected ADS, added the IP of my AD server and added my Kerberos realm (found it by running ksetup on my AD server).
>
> But since I've done that, I can't even access the server. The message tells me that the server is not accessible or that I might not have permission. It also mentions that configuration information can't be read from the domain controller.
>
> What am I missing? (Yes, I'm trying to read the doc... 943 pages, ugh)
>
> Simon
>
> -----Original Message-----
> From: Rob Tanner [mailto:[EMAIL PROTECTED]
> Sent: 11 April 2006 20:23
> To: Simon Renshaw
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Active directory authentification with Samba
>
> Use security = ADS or security = DOMAIN
>
> On 04/11/2006 01:17 PM, Simon Renshaw wrote:
>> Hi,
>>
>> I looked at the doc but I can't find what I'm looking for. I have 1 Linux server (CentOS 4.3) running Samba 3.0.10 in a Windows 2003 AD domain. I modified Samba's conf file to point it to our WINS server. We can access the share using \\servername. So far so good.
>>
>> Is there a way to use AD to authenticate the users instead of the Samba users that are on the server?
>>
>> Thanks!
>>
>> Simon
[Samba] Active directory authentification with Samba
Hi,

I looked at the doc but I can't find what I'm looking for. I have 1 Linux server (CentOS 4.3) running Samba 3.0.10 in a Windows 2003 AD domain. I modified Samba's conf file to point it to our WINS server. We can access the share using \\servername. So far so good.

Is there a way to use AD to authenticate the users instead of the Samba users that are on the server?

Thanks!

Simon