[Samba] A conceptual question - a special samba-solution in a cluster

2012-08-31 Thread danny.petterson
Hi SambaGurus!!

I have a question regarding samba+winbind in a cluster - but it is a bit tricky 
- any pointers would be very much appreciated:

Got a two-node cluster, using pacemaker/corosync/openais/whatever, with a 
resource-group which includes an IP and a shared disk, which is only active on 
one node at a time (failover, no ocfs2, as I don't have that much faith in it 
- sorry).

I have smb+winbind running on both nodes, for normal Linux-login 
user-integration to a Windows AD.

What I need in the cluster-resource-group is a samba-share (local users, not AD 
integrated), which can move with the IP and shared disk (aka the resource 
group).

How do I get there? What concepts should I think of?

Thanks in advance.


Greetings from

Danny Petterson



Subject to local law, communications with Accenture and its affiliates 
including telephone calls and emails (including content), may be monitored by 
our systems for the purposes of security and the assessment of internal 
compliance with Accenture policy.
__

www.accenture.com
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Disable the Windows default user when connecting to a share (if possible)

2012-04-17 Thread danny.petterson
Hi Gurus!

By default, when a Windows-client tries to connect to a Samba-share, it sends the 
user-credentials used on the PC/Windows-client itself - is it possible to 
disable these defaults in smb.conf, making it possible for the client to always 
use other credentials than those used on the Windows-client?

If the above doesn't make sense, let me clarify with an example:

On my Windows-PC I'm logged on as Danny - when I try to reach a Samba-share, 
as a default it tries with the user Danny before using/asking for other 
credentials. I would like to disable this default behavior.

Any ideas?

Thanks in advance.


Greetings from

Danny Petterson
Shadows and Dust





RE: [Samba] Winbind/PAM/SLES 8-problem

2009-02-25 Thread danny.petterson
Hi!

Yeah, I have, but thanx.

 
Greetings from
 
Danny Petterson
 
Shadows and Dust

-Original Message-
From: John H Terpstra [mailto:j...@samba.org] 
Sent: 24. februar 2009 14:42
To: samba@lists.samba.org
Subject: Re: [Samba] Winbind/PAM/SLES 8-problem

On Tuesday 24 February 2009 07:23:41 danny.petter...@accenture.com wrote:
> I'm working on getting some old SLES 8-servers to use winbind, letting
> users authenticate to our Windows AD. All the setup of samba, winbind,
> adding the server to the AD etc. is working fine, and all kinds of
> wbinfo returns what it is supposed to. BUT - when I try to login (using
> ssh), it utterly ignores winbind, and only tries to validate local
> users. Not one entry in messages or samba-logs about winbind when a
> user tries to logon to the system... I suppose it's related to
> PAM-configuration, but I'm not sure. This is what I'm dealing with:
>
> UnitedLinux-1.0-i386-SP4 (from SPident)
> Linux 2.4.21-251-smp #1 SMP Thu Sep 23 17:22:54 UTC 2004 i686 unknown
> samba3-client-3.0.33-36
> samba3-winbind-3.0.33-36
> samba3-3.0.33-36
>
> This is where I try to use winbind in /etc/pam.d:
>
> common-account:
>
> account sufficient  /lib/security/pam_winbind.so
> account required    pam_unix2.so
>
> common-auth:
>
> auth    sufficient  /lib/security/pam_winbind.so
> auth    required    pam_unix2.so nullok_secure use_first_pass
>
> Can't get anything to work with winbind, not sudo, not su, not ssh -
> nothing. But again, all wbinfo, getent passwd, etc works fine.

Have you specified winbind in your nsswitch file?

/etc/nsswitch.conf:

passwd:  files winbind
shadow:  files winbind
group:  files winbind



- John T.



This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in 
error, please notify the sender immediately and delete the original.  Any other 
use of the email by you is prohibited.
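
The nsswitch.conf question asked above and the PAM stack quoted with it can both be checked mechanically. The following is an added example, not part of the original posts or of Samba; the sample file contents are constructed, the function names are hypothetical, and it assumes one-word PAM control flags (no bracketed controls).

```python
import os
import re

# Constructed samples modelled on the files quoted in this thread.
NSSWITCH = """\
passwd: files winbind
group:  files [NOTFOUND=return] winbind
"""
PAM_AUTH = """\
auth sufficient /lib/security/pam_winbind.so
auth required   pam_unix2.so nullok_secure use_first_pass
"""


def winbind_reachable(nsswitch_text, database):
    """True if lookups for `database` can fall through to winbind."""
    for raw in nsswitch_text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if not sep or name.strip() != database:
            continue
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):
            if token.lower().replace(" ", "") == "[notfound=return]":
                return False  # lookup stops here, winbind is never asked
            if token == "winbind":
                return True
    return False


def pam_stack(pam_text, kind):
    """Return [(control, module file name), ...] for one PAM type, in order."""
    stack = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == kind:
            stack.append((fields[1], os.path.basename(fields[2])))
    return stack


def winbind_decides_first(pam_text, kind="auth"):
    """True if pam_winbind.so is `sufficient` with no required/requisite before it."""
    for control, module in pam_stack(pam_text, kind):
        if module == "pam_winbind.so":
            return control == "sufficient"
        if control in ("required", "requisite"):
            return False  # an earlier failure here already fails the stack
    return False


if __name__ == "__main__":
    print(winbind_reachable(NSSWITCH, "group"), winbind_decides_first(PAM_AUTH))
```

To check a live system, pass the contents of /etc/nsswitch.conf and of the PAM file the service actually loads instead of the constructed samples.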


[Samba] Winbind/PAM/SLES 8-problem

2009-02-24 Thread danny.petterson
Hi Gurus!

 

I'm working on getting some old SLES 8-servers to use winbind, letting
users authenticate to our Windows AD. All the setup of samba, winbind,
adding the server to the AD etc. is working fine, and all kinds of
wbinfo returns what it is supposed to. BUT - when I try to login (using
ssh), it utterly ignores winbind, and only tries to validate local
users. Not one entry in messages or samba-logs about winbind when a
user tries to logon to the system... I suppose it's related to
PAM-configuration, but I'm not sure. This is what I'm dealing with:

UnitedLinux-1.0-i386-SP4 (from SPident)
Linux 2.4.21-251-smp #1 SMP Thu Sep 23 17:22:54 UTC 2004 i686 unknown
samba3-client-3.0.33-36
samba3-winbind-3.0.33-36
samba3-3.0.33-36

This is where I try to use winbind in /etc/pam.d:

common-account:

account sufficient  /lib/security/pam_winbind.so
account required    pam_unix2.so

common-auth:

auth    sufficient  /lib/security/pam_winbind.so
auth    required    pam_unix2.so nullok_secure use_first_pass

Can't get anything to work with winbind, not sudo, not su, not ssh -
nothing. But again, all wbinfo, getent passwd, etc works fine.

Thanx for your help.

Greetings from

Danny Petterson

Shadows and Dust

 





[Samba] SLES 10 - Winbind-problem

2009-02-06 Thread danny.petterson
Hi Gurus!

 

Hope you can help me - I'm trying to get my SLES 10 SP2-box to
authenticate users against Windows AD using Winbind, but I can't get it
to work as I want. I have configured smb, winbind and Kerberos, and
kinit, list, net ads join, wbinfo etc. works fine - but when I try to
login, user xx.xx.admin, it fails. This is what I got in my
/var/log/warn:

Feb  6 12:15:09 045gev-rcms-001 sshd[16209]: pam_winbind(sshd:auth):
request failed: Access denied, PAM error was System error (4), NT error
was NT_STATUS_ACCESS_DENIED
Feb  6 12:15:09 045gev-rcms-001 sshd[16209]: pam_winbind(sshd:auth):
internal module error (retval = 4, user = xx.xx.admin')

...which is kind of weird, as the password is fine, works on Windows,
and on some HP-UX-boxes where I use LDAP/Kerberos to authenticate
through Windows AD.

Also, at various points, it puts this in the warn-file:

Feb  6 13:16:01 045gev-rcms-001 winbindd[1421]: [2009/02/06 13:16:01, 0]
libads/kerberos.c:ads_kinit_password(228)
Feb  6 13:16:01 045gev-rcms-001 winbindd[1421]:
kerberos_kinit_password 045gev-rcms-0...@velux.org failed:
Preauthentication failed

Any hint, help etc. will be appreciated - configuration is stated below.

Thanx in advance.

Here are my conf-files:

cat /etc/samba/smb.conf

[global]
   workgroup = DOMAIN
   security = ads
   netbios name = 045gefvsora003
   realm = DOMAIN.ORG
   password server = 045geveladdc001.velux.org
   workgroup = DOMAIN.ORG
   idmap uid = 1000-2
   idmap gid = 1000-2
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no
   server string =

cat /etc/krb5.conf

[libdefaults]
   default_realm = VELUX.ORG

[realms]
   VELUX.ORG = {
   kdc = 045geveladdc001.velux.org
   kdc = 045geveladdc002.velux.org
   kdc = 045geveladdc003.velux.org
   }

[domain_realm]
   .velux.org = VELUX.ORG
   velux.org = VELUX.ORG

cat /etc/nsswitch.conf

passwd:     compat winbind
group:      compat winbind
shadow:     compat
hosts:      files dns wins
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis

cat /etc/pam.d/common-account

account sufficient  pam_winbind.so
account required    pam_unix2.so

cat /etc/pam.d/common-auth

auth    sufficient  pam_winbind.so
auth    required    pam_env.so
auth    required    pam_unix2.so

cat /etc/pam.d/common-password

password required   pam_pwcheck.so  nullok
password required   pam_unix2.so    nullok_secure use_first_pass

cat /etc/pam.d/common-session

session required    pam_limits.so
session required    pam_unix2.so
session required    pam_mkhomedir.so umask=0022 skel=/etc/skel

cat /etc/security/pam_winbind.conf

[global]

# turn on debugging
;debug = yes

# request a cached login if possible
# (needs winbind offline logon = yes in smb.conf)
;cached_login = no

# authenticate using kerberos
;krb5_auth = yes

# when using kerberos, request a FILE krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

 

 

Lots of greetings

Danny Petterson


