Re: [Samba] Samba 3 with ADS problem
On Mon, 2006-05-01 at 07:14 -0700, jasmine mary wrote:
> Thank you for both. Sorry for this late reply, as I was on vacation.
>
> Mike, I added the password server as SE.JASMINE.ORG (Case is ok?)
>
> Fabio, that document is really superb. I copied and linked the files as u said. Still getent is not working for me. It displays only the local users information.
>
>     ./net ads testjoin
>     [2006/04/28 10:58:33, 0] utils/net_ads.c:ads_startup(183)
>       ads_connect: No such file or directory
>     Join to domain is not valid
>
> ./testparm gives
>
>     Load smb config files from /opt/samba/smb.conf
>     Processing section [jasmine]
>     Processing section [opt]
>     Loaded services file OK.
>     Server role: ROLE_DOMAIN_MEMBER
>
> I commented the winbind separator = / to avoid the ERROR: the 'winbind separator' parameter must be a single character.
>
>     ./wbinfo -t
>     checking the trust secret via RPC calls failed
>     error code was NT_STATUS_ACCESS_DENIED (0xc022)
>     Could not check secret

It seems your join is not valid. Did you create an entry for your computer in AD? If you did so, can you obtain a ticket from your kdc? You can test it with the command:

    kinit [EMAIL PROTECTED]

> If I want to use Winbind to provide authentication for other services, I need to configure the PAM. For my case (only samba authentication), I guess I don't need to configure PAM. Please advise me whether I need to configure PAM.

Right, you don't need to configure PAM.

> In the document u gave net rpc join is used to join the domain. I used net ads join. Does it make any difference? If I use the net rpc join, it states that samba should be running on the Domain Controller. How samba can be run on Windows machine. I am newbie to this. Sorry for this silly questions.

I think net rpc join is only for NT domain, for AD domain you must use net ads join.

> Thank you in advance for this help.
> Jasmine
> --
> View this message in context: http://www.nabble.com/Samba-3-with-ADS-problem-t1514307.html#a4172229
> Sent from the Samba - General forum at Nabble.com.

Fabio

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3 with ADS problem
Thank u fabio. At last I came to the situation everything is working good except getent and kinit.

    # ./wbinfo -t
    checking the trust secret via RPC calls succeeded

    # ./net ads testjoin
    Join is OK

    # ./net ads info
    LDAP server: 12.120.17.52
    LDAP server name: jas03-dev
    Realm: SE.JASMINE.ORG
    Bind Path: dc=SE,dc=JASMINE,dc=ORG
    LDAP port: 389
    Server time: Tue, 02 May 2006 17:20:39 EST
    KDC server: 12.120.17.52
    Server time offset: 0

    kinit [EMAIL PROTECTED]
    Password for [EMAIL PROTECTED]:
    kinit: Cannot find KDC for requested realm while getting initial credentials

I thought it will be the DNS problem. I can ping the SE from my samba. SE can ping my samba server. But still the problem exists. Getent displays the local users information only. Please help me out from this.

Jasmine

--
View this message in context: http://www.nabble.com/Samba-3-with-ADS-problem-t1514307.html#a4200190
Sent from the Samba - General forum at Nabble.com.
Re: [Samba] Samba 3 with ADS problem
Thank you for both. Sorry for this late reply, as I was on vacation.

Mike, I added the password server as SE.JASMINE.ORG (Case is ok?)

Fabio, that document is really superb. I copied and linked the files as u said. Still getent is not working for me. It displays only the local users information.

    ./net ads testjoin
    [2006/04/28 10:58:33, 0] utils/net_ads.c:ads_startup(183)
      ads_connect: No such file or directory
    Join to domain is not valid

./testparm gives

    Load smb config files from /opt/samba/smb.conf
    Processing section [jasmine]
    Processing section [opt]
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER

I commented the winbind separator = / to avoid the ERROR: the 'winbind separator' parameter must be a single character.

    ./wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_ACCESS_DENIED (0xc022)
    Could not check secret

If I want to use Winbind to provide authentication for other services, I need to configure the PAM. For my case (only samba authentication), I guess I don't need to configure PAM. Please advise me whether I need to configure PAM.

In the document u gave net rpc join is used to join the domain. I used net ads join. Does it make any difference? If I use the net rpc join, it states that samba should be running on the Domain Controller. How samba can be run on Windows machine. I am newbie to this. Sorry for this silly questions.

Thank you in advance for this help.

Jasmine

--
View this message in context: http://www.nabble.com/Samba-3-with-ADS-problem-t1514307.html#a4172229
Sent from the Samba - General forum at Nabble.com.
Re: [Samba] Samba 3 with ADS problem
Hi Jasmine.

You have to copy the nss library in the /usr/lib directory:

    root# cp ../samba/source/nsswitch/libnss_winbind.so /usr/lib

and, in case of Solaris:

    root# ln -s /usr/lib/libnss_winbind.so /usr/lib/libnss_winbind.so.1
    root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.1
    root# ln -s /usr/lib/libnss_winbind.so /usr/lib/nss_winbind.so.2

Then, you have to edit the /etc/nsswitch.conf file:

    passwd: files winbind
    shadow: files
    group: files winbind

If you have the nscd (the name service caching) daemon running, shut it down and then you can try again:

    root# getent passwd

You can find documentation in http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

About the krb5.conf file, I suggest trying dns_lookup_kdc = false (it is possible your DNS server is not configured to resolve the kdc for your realm), but if you joined the domain the kerberos configuration should be ok. What if you try:

    ./net ads testjoin

?

Fabio

On Wed, 2006-04-26 at 14:24 -0700, jasmine mary wrote:
> Hi all,
>
> I have started my work of Samba authentication using AD with Samba 3.0.7, openldap-2.3.9, kerberos 1.4.3 on Solaris 8.
>
> My first question is can I implement it on Solaris box? Because wherever I see, I could see the document for Linux and Debian.
>
> Let me explain what I did. I compiled the Kerberos and LDAP package first. After that I compiled the samba package. Samba is compiled successfully with the support of ADS, LDAP and Kerberos. I came to know this from these commands
>
>     smbd -b | grep LDAP
>     smbd -b | grep ADS
>     smbd -b | grep krb
>     smbd -b | grep winbind
>
> I edited the kerberos file as follows..
>
>     [libdefaults]
>         default_realm = SE.JASMINE.ORG
>         dns_lookup_kdc = true
>     [realms]
>         SE.JASMINE.ORG = {
>             kdc = se.jasmine.org
>         }
>     [domain_realm]
>         .se.jasmine.org = SE.JASMINE.ORG
>     [logging]
>         default = FILE:/var/krb5/kdc.log
>         kdc = FILE:/var/krb5/kdc.log
>         kdc_rotate = {
>             period = 1d
>             versions = 10
>         }
>     [appdefaults]
>         kinit = {
>             renewable = true
>             forwardable = true
>         }
>
> se.jasmine.org is the realm name. Server name is also the same one. It will 5 servers are there for doing fail over.
>
> I joined the samba server with the domain using net ads join. It added successfully. I am able to get the list of AD users and groups using wbinfo -u and -g respectively.
>
> smb.conf file
>
>     [global]
>         workgroup = SE
>         realm = se.jasmine.org
>         security = ADS
>         idmap uid = 1-2
>         idmap gid = 1-2
>         encrypt passwords = yes
>         log level = 3
>         log file = /var/log/samba/%m
>     [jasmine]
>         path = /home/jselvaraj
>         guest ok = Yes
>
> So far everything is good.. I am facing the following problems.
>
> 1. I couldn't get the getent username/group from AD. It only displays the local user information. What does it mean? Whether isn't it added successfully?
> 2. ./net ads info displays the "Didn't find the ldap server!" error
> 3. kinit gives this error "kinit: Cannot contact any KDC for requested realm while getting initial credentials", even though I can ping my samba server from the windows and the reverse. There is no firewall problem too.
> 4. Did I need to edit the pam configuration files.
>
> Each document gives the different type of following. I couldn't find the correct steps to implement it on Solaris. Pls anyone who implemented it give the url u referred. I don't know what steps I am missing and what to do next.
>
> FYI.. In my company they already implemented this samba with AD. But they never touched krb5.conf file. Users must be created with AD username to access the share. It doubles the work. So I am starting the enhancement work of it but from scratches (ie, compiling the LDAP, Samba, Kerberos)
>
> Please help me out.
> --
> View this message in context: http://www.nabble.com/Samba-3-with-ADS-problem-t1514307.html#a4110019
> Sent from the Samba - General forum at Nabble.com.
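A preflight check for the NSS steps in the reply above, as an added example that is not part of the original thread. The function names and the ROOT prefix argument are assumptions made for the example; the file names are taken from the reply, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. ROOT is a hypothetical prefix so the
# check can run against a constructed tree; pass "" (empty) on a real host.
# On Solaris 8 the stock /usr/bin/awk lacks -v; use nawk or /usr/xpg4/bin/awk.

# nss_has_winbind ROOT DB -> exit 0 if DB's line in etc/nsswitch.conf lists winbind
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                        # ignore comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1/etc/nsswitch.conf"
}

# missing_nss_libs ROOT -> prints library names from the reply that do not resolve
# ([ -e ] follows symlinks, so a dangling link is reported as missing)
missing_nss_libs() {
    for f in libnss_winbind.so nss_winbind.so.1; do
        [ -e "$1/usr/lib/$f" ] || echo "$f"
    done
}

# check_winbind_nss ROOT -> prints each problem found, exit 1 if there is any
check_winbind_nss() {
    rc=0
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || { echo "nsswitch.conf: $db lacks winbind"; rc=1; }
    done
    for f in $(missing_nss_libs "$1"); do
        echo "missing $1/usr/lib/$f"; rc=1
    done
    return $rc
}

# Constructed sample: passwd is fixed, group is not, one symlink was never made.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/usr/lib"
printf 'passwd: files winbind\nshadow: files\ngroup: files\n' > "$demo/etc/nsswitch.conf"
: > "$demo/usr/lib/libnss_winbind.so"
check_winbind_nss "$demo" || echo "fix the items above, stop nscd, then retry: getent passwd"
```

A clean result only shows that the name service switch is wired up; getent still returns domain users only when winbindd is running and the join is valid.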
Re: [Samba] Samba 3 with ADS problem
--- jasmine mary [EMAIL PROTECTED] wrote:
> I have started my work of Samba authentication using AD with Samba 3.0.7, openldap-2.3.9,kerberos 1.4.3 on Solaris 8.

I am using Samba 3.0.22, openldap 2.3.21, MIT kerberos 1.4.3 on Solaris 8. In my environment, I only managed to get security=ADS working with Samba 3.0.21c and 3.0.22. Any version before those didn't work for me.

> smb.conf file
> [global]
> workgroup = SE
> realm = se.jasmine.org

Try

    realm = SE.JASMINE.ORG

I also have

    password server = *

in smb.conf. My krb5.conf is below. My site uses rc4-hmac encryption exclusively but yours may be different.

    [libdefaults]
        default_realm = MYDOMAIN.COM
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac
        permitted_enctypes = rc4-hmac
        forwardable = false
        proxiable = false
    [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

L8r,
Mike
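The realm settings discussed in this reply can be compared mechanically. The following is an added example, not code from the thread: it reads default_realm and the static kdc entries from krb5.conf and compares the smb.conf realm against them. Function names are assumptions, and the sample files are constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.

# krb5_default_realm FILE -> prints default_realm from [libdefaults]
krb5_default_realm() {
    awk -F= '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }     # strip comments and blanks
        /^\[/ { sect = $0; next }
        sect == "[libdefaults]" && $1 == "default_realm" { print $2; exit }
    ' "$1"
}

# krb5_kdcs FILE REALM -> prints each kdc listed for REALM under [realms]
krb5_kdcs() {
    awk -F= -v realm="$2" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        /^\[/ { sect = $0; cur = ""; next }
        sect != "[realms]" { next }
        $2 == "{" { cur = $1; next }              # "REALM = {" opens a block
        $1 == "}" { cur = ""; next }
        cur == realm && $1 == "kdc" { print $2 }
    ' "$1"
}

# smb_realm FILE -> prints the value of the realm parameter in smb.conf
smb_realm() {
    awk -F= '
        { sub(/[#;].*/, "") }
        { key = $1; gsub(/[ \t]/, "", key); val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        tolower(key) == "realm" { print val; exit }
    ' "$1"
}

# check_realm KRB5_CONF SMB_CONF -> prints each finding, exit 1 if there is any
check_realm() {
    def=$(krb5_default_realm "$1"); smb=$(smb_realm "$2"); rc=0
    [ -n "$def" ] || { echo "krb5.conf: no default_realm"; return 1; }
    [ -n "$(krb5_kdcs "$1" "$def")" ] ||
        { echo "krb5.conf: no kdc listed for $def, lookup depends on DNS"; rc=1; }
    [ "$smb" = "$def" ] ||
        { echo "smb.conf realm '$smb' differs from default_realm '$def'"; rc=1; }
    return $rc
}

# Constructed sample files using the values posted in the thread.
tmp=$(mktemp -d)
printf '%s\n' '[libdefaults]' ' default_realm = SE.JASMINE.ORG' ' dns_lookup_kdc = true' \
    '[realms]' ' SE.JASMINE.ORG = {' '  kdc = se.jasmine.org' ' }' > "$tmp/krb5.conf"
printf '[global]\n workgroup = SE\n realm = se.jasmine.org\n security = ADS\n' > "$tmp/smb.conf"
check_realm "$tmp/krb5.conf" "$tmp/smb.conf" || echo "review the items above"
```

On the sample it reports the lower-case smb.conf realm, the setting this reply suggests changing.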
[Samba] Samba 3 with ADS problem
Hi all,

I have started my work of Samba authentication using AD with Samba 3.0.7, openldap-2.3.9, kerberos 1.4.3 on Solaris 8.

My first question is can I implement it on Solaris box? Because wherever I see, I could see the document for Linux and Debian.

Let me explain what I did. I compiled the Kerberos and LDAP package first. After that I compiled the samba package. Samba is compiled successfully with the support of ADS, LDAP and Kerberos. I came to know this from these commands

    smbd -b | grep LDAP
    smbd -b | grep ADS
    smbd -b | grep krb
    smbd -b | grep winbind

I edited the kerberos file as follows..

    [libdefaults]
        default_realm = SE.JASMINE.ORG
        dns_lookup_kdc = true
    [realms]
        SE.JASMINE.ORG = {
            kdc = se.jasmine.org
        }
    [domain_realm]
        .se.jasmine.org = SE.JASMINE.ORG
    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
            period = 1d
            versions = 10
        }
    [appdefaults]
        kinit = {
            renewable = true
            forwardable = true
        }

se.jasmine.org is the realm name. Server name is also the same one. It will 5 servers are there for doing fail over.

I joined the samba server with the domain using net ads join. It added successfully. I am able to get the list of AD users and groups using wbinfo -u and -g respectively.

smb.conf file

    [global]
        workgroup = SE
        realm = se.jasmine.org
        security = ADS
        idmap uid = 1-2
        idmap gid = 1-2
        encrypt passwords = yes
        log level = 3
        log file = /var/log/samba/%m
    [jasmine]
        path = /home/jselvaraj
        guest ok = Yes

So far everything is good.. I am facing the following problems.

1. I couldn't get the getent username/group from AD. It only displays the local user information. What does it mean? Whether isn't it added successfully?
2. ./net ads info displays the "Didn't find the ldap server!" error
3. kinit gives this error "kinit: Cannot contact any KDC for requested realm while getting initial credentials", even though I can ping my samba server from the windows and the reverse. There is no firewall problem too.
4. Did I need to edit the pam configuration files.

Each document gives the different type of following. I couldn't find the correct steps to implement it on Solaris. Pls anyone who implemented it give the url u referred. I don't know what steps I am missing and what to do next.

FYI.. In my company they already implemented this samba with AD. But they never touched krb5.conf file. Users must be created with AD username to access the share. It doubles the work. So I am starting the enhancement work of it but from scratches (ie, compiling the LDAP, Samba, Kerberos)

Please help me out.

--
View this message in context: http://www.nabble.com/Samba-3-with-ADS-problem-t1514307.html#a4110019
Sent from the Samba - General forum at Nabble.com.
[Samba] samba 3 and ads
Hey you guys,

has anyone an idea about how to pretend a samba openldap server being something like an ADS? I mean, problem is the DsGetDcName query during the WinLogon process while trying to retrieve the ADS distinguishedName for resolving the client's domain. We're trying to code up a group policy implementation that should be run as a GP Extension to WinLogon's interface, like Nitrobit or others. Anyone an idea?

Cheerio,
Sebastian
[Samba] Samba 3 in ADS
Hi list
[Samba] samba 3 and ADS
Hi list.

I'm trying to set up samba 3 on Solaris 8, AIX 4.3 and 5, HP-UX11.0 and 11i to authenticate mount requests from Win2k clients against their Active Directory credentials. In other words, users sitting at a win2k workstation want to be able to log on once, to the domain using their AD credentials and be able to mount the unix servers without having to re-authenticate. Is this possible?
Re: [Samba] samba 3 and ADS
Of course, that's the whole point of having a samba box part of a win2k domain. Heck if you wanted you could also replace your pdc with a samba pdc. Check out the samba 3 howto, they have good instructions on doing this. You just have to make sure that whatever OS you use has support for NSS, or you'll also have to create the accounts locally before they can use it. I know that AIX supports this for sure, as well as Solaris, I'm not positive about HP-UX though.

-Aaron C.

- Original Message -
From: E Hunter [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 19, 2004 9:59 AM
Subject: [Samba] samba 3 and ADS

> Hi list.
>
> I'm trying to set up samba 3 on Solaris 8, AIX 4.3 and 5, HP-UX11.0 and 11i to authenticate mount requests from Win2k clients against their Active Directory credentials. In other words, users sitting at a win2k workstation want to be able to log on once, to the domain using their AD credentials and be able to mount the unix servers without having to re-authenticate. Is this possible?
Re: [Samba] samba 3 and ADS
On Thu, 19 Feb 2004, Aaron Collins wrote:
> Of course, that's the whole point of having a samba box part of a win2k domain. Heck if you wanted you could also replace your pdc with a samba pdc. Check out the samba 3 howto, they have good instructions on doing this.

You can replace a NT4-style PDC with a samba PDC. You _can't_ replace an Active Directory controller. See 'Samba ADS Domain Control' in section 5 of the documentation.

--
Michael D. Jurney [EMAIL PROTECTED]
Re: [Samba] Samba 3 net ads join to a w2k server error
On Sat, 2004-01-17 at 01:31, Martin Locas wrote:
> I try to join active directory but I got this error, I can't find doc on this. please help!!
>
>     #net ads join -U admin
>     net: relocation error: net: undefined symbol: krb5_cc_initialize

You have installed Samba binaries on a system without kerberos libraries. Rebuild Samba from source, or find binaries that are compatible with your system.

You will need the kerberos libraries and development headers to rebuild from source, if you want to use 'net ads join'.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
[Samba] Samba 3 net ads join to a w2k server error
I try to join active directory but I got this error, I can't find doc on this. please help!!

    #net ads join -U admin
    net: relocation error: net: undefined symbol: krb5_cc_initialize

big thx for help!