
Samba4 AD/LDAP question


Samba4 AD/LDAP question

aly.khimji
Hi guys,

First time poster so I do apologize if this question has been asked before.

In a test set up we are trying to use samba4 to authenticate a small network
with Linux, Win, and OSX clients. I have successfully deployed samba4 in
domain controller mode, can attach Windows machines to it, and manage the DC via
Windows tools.
We can also join Linux servers to the domain; however, my problem is as
follows. When attempting to log into a Linux server, excluding local users,
the only directory user that can log in is the Administrator. Any other
directory user that attempts to log in gets a "No Logon Servers"; however, if I
move that same user into the Domain Admins group they can log in with no
issues (yes, as UID=0) as reported in /var/log/secure.

Can someone please explain why this happens, and what step have I missed
that would allow regular users to log in?

That being said, my second question is: is it possible to have the samba4
server in domain controller mode, but have Linux clients authenticate via
LDAP as opposed to winbind?
For example, when configuring an authentication method, would it be possible
to use LDAP instead of samba/winbind? I tried to configure LDAP (correct
base, host, uri, etc.) but it doesn't seem to pull any info, e.g. id or
getent doesn't work.

Any pointers are greatly appreciated. I am just testing out
the capabilities of 4; I understand it's still in Alpha but hope you guys
might have some experience with it.

Thanks

Aly
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba4 AD/LDAP question

Taylor, Jonn
On 04/03/2011 07:24 PM, Aly Khimji wrote:

> Hi guys,
>
> First time poster so I do apologize if this question has been asked before.
>
> In a test set up we are trying to use samba4 to authenticate a small network
> with Linux, Win, and OSX clients. I have successfully deployed samba4 in
> domain controller mode, can attach Windows machines to it, and manage the DC via
> Windows tools.
> We can also join Linux servers to the domain; however, my problem is as
> follows. When attempting to log into a Linux server, excluding local users,
> the only directory user that can log in is the Administrator. Any other
> directory user that attempts to log in gets a "No Logon Servers"; however, if I
> move that same user into the Domain Admins group they can log in with no
> issues (yes, as UID=0) as reported in /var/log/secure.
>
> Can someone please explain why this happens, and what step have I missed
> that would allow regular users to log in?
>
In smb.conf set
template shell = /bin/bash
> That being said, my second question is: is it possible to have the samba4
> server in domain controller mode, but have Linux clients authenticate via
> LDAP as opposed to winbind?
You have to use winbind or you will not get the right id mapping.
[global]
    workgroup =  EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    password server = 192.168.173.10
    log file = /var/log/samba/samba3.log
    ldap ssl = no
    idmap backend = idmap_rid:EXAMPLE=500-4000000
    idmap uid = 500-4000000
    idmap gid = 500-4000000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind offline logon = Yes

> For example, when configuring an authentication method, would it be possible
> to use LDAP instead of samba/winbind? I tried to configure LDAP (correct
> base, host, uri, etc.) but it doesn't seem to pull any info, e.g. id or
> getent doesn't work.
In /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

and link two modules. These are for a 64-bit system; if yours is not, just
remove 64 from the links.

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so

ln -s /usr/local/samba/lib/pam_winbind.so /lib64/security/pam_winbind.so

> Any pointers are greatly appreciated. I am just testing out
> the capabilities of 4; I understand it's still in Alpha but hope you guys
> might have some experience with it.
>
> Thanks
>
> Aly
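Jonn's checklist above (smb.conf, nsswitch.conf, the winbind NSS and PAM modules) is easy to get half right, and the idmap range in his fragment starts at 500, which on RHEL/CentOS of that era is also where local user UIDs start, so a mapped domain user can land on a local account's numeric id. The following Python script is an added example, not code from the thread or from Samba: it lints a [global] section and an nsswitch.conf offline and flags the gaps a practitioner would check before trusting domain logins. Both config texts inside it are constructed (the smb.conf one mirrors the fragment above; the nsswitch one deliberately still lists ldap instead of winbind for passwd), and the local UID range defaults are an assumption standing in for UID_MIN/UID_MAX from /etc/login.defs.

```python
"""Offline sanity checks for a Samba/winbind domain-member setup.

Added example; the sample files are constructed and the local UID range is an
assumed stand-in for UID_MIN/UID_MAX in /etc/login.defs."""
import re

# Constructed: the [global] section from the thread, minus logging/offline bits.
SMB_CONF = """
[global]
    workgroup =  EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    password server = 192.168.173.10
    idmap backend = idmap_rid:EXAMPLE=500-4000000
    idmap uid = 500-4000000
    idmap gid = 500-4000000
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = Yes
"""

# Constructed: an nsswitch.conf where passwd was pointed at ldap, not winbind.
NSSWITCH = """
passwd:     files ldap
shadow:     files
group:      files winbind
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with spaces squeezed,
    mirroring smb.conf's case- and whitespace-insensitive parameter names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def parse_nsswitch(text):
    """Return {database: [source, ...]} from nsswitch.conf text."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def parse_range(value):
    """'500-4000000' -> (500, 4000000); rejects malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError("bad idmap range: %r" % value)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError("idmap range low > high: %r" % value)
    return low, high


def lint(smb_conf_text, nsswitch_text, uid_min=500, uid_max=60000):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    g = parse_smb_conf(smb_conf_text).get("global", {})
    nss = parse_nsswitch(nsswitch_text)

    if g.get("security", "").lower() != "ads":
        findings.append("security should be ADS for an AD domain member")
    if "realm" not in g:
        findings.append("realm missing: Kerberos auth against the DC will fail")

    # getent/id consult these databases; without winbind nothing is resolved.
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append("nsswitch %s: winbind not listed" % db)

    # Samba's default template shell is /bin/false, which blocks interactive login.
    if g.get("template shell", "/bin/false") in ("/bin/false", "/sbin/nologin"):
        findings.append("template shell denies interactive login")

    # An idmap range overlapping the local UID range can map a domain user onto
    # a local account's numeric id (file ownership, sudo rules by uid).
    for key in ("idmap uid", "idmap gid"):
        if key in g:
            low, high = parse_range(g[key])
            if low <= uid_max and high >= uid_min:
                findings.append("%s %d-%d overlaps local range %d-%d"
                                % (key, low, high, uid_min, uid_max))

    # With 'winbind use default domain', bare names are looked up in the domain
    # too, so a domain account named like a local one collides with it.
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        findings.append("winbind use default domain: domain names can collide "
                        "with local account names")
    return findings


if __name__ == "__main__":
    for f in lint(SMB_CONF, NSSWITCH):
        print("WARN:", f)
```

Run against the constructed inputs it reports the missing winbind entry for passwd, the idmap overlap with the local range, and the shared namespace; change the range to start above UID_MAX and the overlap finding disappears.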

Re: Samba4 AD/LDAP question

aly.khimji
Hi John,
thanks for the feedback. I continued to have issues, then I realized I was
missing the library in question, and after a quick google realized I had
samba/samba-winbind installed from the repo but it was an older version. Samba3x
in the RHEL/CentOS repo contained the proper library and authentication now
works for all users. So thank you very much.

With Samba4 in domain controller mode, is winbind the only way for a Linux client to
authenticate against it? Can regular LDAP authentication not be
used? Base DN, URI, etc.?

Please advise

Thanks

Aly

On Sun, Apr 3, 2011 at 9:00 PM, Taylor, Jonn <[hidden email]>wrote:


Re: Samba4 AD/LDAP question

Daniel Müller
In reply to this post by aly.khimji
Hi,
as far as I know samba4 does not support local users yet. So your Linux
boxes must use samba winbind in some form.
I don't think that a samba ADS to LDAP sync is working by now. However, some
Linux boxes, esp. SUSE I think, have
support to manage ADS auth via YaST. This should be working against samba 4
ADS or Windows ADS.

Good luck
Daniel

-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: [hidden email]
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
behalf of Aly Khimji
Sent: Monday, 4 April 2011 02:24
To: [hidden email]
Subject: [Samba] Samba4 AD/LDAP question


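Aly's second question (plain LDAP instead of winbind) and Daniel's reply both come down to one fact: nss_ldap looks for posixAccount entries carrying uidNumber/gidNumber, and a stock Samba4 AD user object has an objectSid but none of those attributes unless someone added RFC2307 data, so getent and id see nothing. winbind sidesteps that by deriving IDs from the SID (idmap_rid documents the mapping as ID = RID - BASE_RID + LOW_RANGE_ID) and filling in the template homedir and shell. This Python example is added here and is not code from the thread or from Samba: the directory entries and domain SID are constructed, and it models only the lookup logic, not the LDAP or winbind wire protocols.

```python
"""What nss_ldap can resolve from a Samba4 DC versus what winbind's idmap_rid
derives from the SID.

Added example; the entries and DOMAIN_SID below are constructed, and the
mapping formula is the one idmap_rid documents: ID = RID - BASE_RID + LOW_RANGE_ID."""

DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"

# Constructed AD user entries. The first two are what a stock provision holds:
# an objectSid, no posixAccount class, no uidNumber/gidNumber. The third has
# had RFC2307 attributes added by hand.
ENTRIES = [
    {"sAMAccountName": "Administrator",
     "objectClass": ["top", "person", "user"],
     "objectSid": DOMAIN_SID + "-500"},
    {"sAMAccountName": "aly",
     "objectClass": ["top", "person", "user"],
     "objectSid": DOMAIN_SID + "-1104"},
    {"sAMAccountName": "posixuser",
     "objectClass": ["top", "person", "user", "posixAccount"],
     "objectSid": DOMAIN_SID + "-1105",
     "uidNumber": 10001, "gidNumber": 10000,
     "homeDirectory": "/home/posixuser", "loginShell": "/bin/bash"},
]


def nss_ldap_view(entries):
    """passwd-style tuples an nss_ldap-type lookup can build: it filters on
    objectClass=posixAccount and needs uidNumber/gidNumber. Everything else is
    invisible to getent/id, which is the symptom reported in the thread."""
    out = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        if "uidNumber" not in e or "gidNumber" not in e:
            continue
        out.append((e["sAMAccountName"], e["uidNumber"], e["gidNumber"],
                    e.get("homeDirectory", ""), e.get("loginShell", "")))
    return out


def split_sid(sid):
    """'S-1-5-21-a-b-c-1104' -> ('S-1-5-21-a-b-c', 1104)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def idmap_rid(sid, domain_sid, low_id, high_id, base_rid=0):
    """SID -> numeric id as idmap_rid computes it. Returns None for a SID from
    another domain (e.g. BUILTIN) or a result outside the configured range, so
    the caller never hands out an id the range does not own."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    uid = rid - base_rid + low_id
    if not low_id <= uid <= high_id:
        return None
    return uid


def winbind_view(entries, domain_sid, low_id, high_id,
                 template_home="/home/%U", template_shell="/bin/bash"):
    """(name, uid, home, shell) for every domain user, posix attributes or not;
    home and shell come from the smb.conf templates, as with winbind."""
    out = []
    for e in entries:
        uid = idmap_rid(e["objectSid"], domain_sid, low_id, high_id)
        if uid is None:
            continue
        name = e["sAMAccountName"]
        out.append((name, uid, template_home.replace("%U", name), template_shell))
    return out


if __name__ == "__main__":
    print("nss_ldap resolves:", nss_ldap_view(ENTRIES))
    print("winbind resolves :", winbind_view(ENTRIES, DOMAIN_SID, 500, 4000000))
```

With the thread's range 500-4000000 the Administrator (RID 500) maps to uid 1000 and the user with RID 1104 to uid 1604, both deterministic across every client using the same range; a BUILTIN SID or a RID that would land outside the range gets no id at all rather than a colliding one.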