Linux on a w2k AD Domain

[Crusty]

So i've got a G4 400mhz machine running a 2.6.7 PPC kernel here with sid.

I have gotten this machine to join the domain, but I am having problems with using winbindd to authenticate the users and create a home directory if needed.

Parts of smb.conf

workgroup = midcape
realm = midcape.net
server string = %h server (Samba %v)
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U

security = domain
password server = *
encrypt passwords = true
passdb backend = tdbsam guest
obey pam restrictions = yes

idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash


/etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis


/etc/pam.d/login

auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth sufficient pam_winbind.so
auth required pam_pwdb.so user_first_pass shadow nullok
@include common-auth
@include common-account
@include common-session
account required pam_winbind.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
@include common-password


I am not sure on the settings in this file...very confusing to me.


Do you see anything that is blatenly obvious that is wrong? Anything else you need me to post so you can help?

 

[Crusty]

bump?

anyone??

 

[drag]

Sorry don't know much about SMB and even less about SMB running with AD....

What version of SAMBA are you using?

 

[Crusty]

Version: 3.0.4-5

 

[Crusty]

Okay, my logins are now authenticated by my DC, but I first have to create the account locally on the unix box.

Is there anyway to have winbindd look at the DC for valid logins instead of having them have to local logins first?

 

[groovin]

u might get more help on www.justlinux.com or another linux help forum if u havent already tried them.

 

[Kilrsat]

Try this:

http://info.ccone.at/INFO/Samba/pam.html

 

[Nothinman]

Or just try looking in the logs, 9 times out of 10 Samba will tell you why/why not it's doing something if the log level is high enough.

 

[Crusty]

Well I made the log level higher..i'll see what happens tommorow when I have more time to play around with it.

 

[drag]

I don't know if this is your problem or not, but if you want to create users on W2k and have them automaticly be athenticated as a Linux user you may need to install something like SFU, or something similar on you Windows server.

Windows AD itself is just a bunch of tools combined under one roof. The major part of it is that it's a LDAP server, mostly compliant.. It just keeps all the users and stuff in a database that's kept in the bowels of the server itself. then you have all the support programs and configuration programs that go with that. That's what makes up "Active Directory". (the trouble with that is that LDAP itself isn't well known by most people and the documentation is pretty sparse mostly) see here for some stuff

Now it's possible to make OpenLDAP and other LDAP services like Novell's stuff to work with AD. But maybe what your running into is that Windows doesn't support Posix-style user stuff. Like UID numbers.


But I don't know much about the details of all this crap, unfortunately. And it may or may not be related to your problems with SAMBA. All I know is that you may have to set up Window's AD to add posix-style user and group id numbers to the user information stored in the AD database if you want use Windows-created users directing on Linux.

That is if you want to be able to create users in AD and then have them authenticate thru Samba then thru PAM then thru the normal Linux login stuff.

 

[stash]

I don't profess to be a Linux expert, but I do know Active Directory. And to authenticate to AD, you are going to need Kerberos.

I don't see why you shouldn't be able to authenticate against the AD. I found some articles that talk about it

http://acd.ucar.edu/~fredrick/linux/samba3/

google thread

Winbind sounds promising.

 

[Crusty]

Drag:

I know that this box is communicating with my DC.

getent passwd returns everyone in my domain formatted like this
linuxuser:x:10163:10000:Linux User:/home/linuxuser:/bin/bash

Also, we have a SCO document imaging server that is part of the domain and does user authentication with it...but unfortunately because of legal reasons I do not have access to it 🙁

So I am fairly positive my DC is setup correctly.



STaSH:
I had read about Kerberos, but then I read about Winbind...and after reading about Winbind it seemed to be able to do everything I needed it to do, but I will give Kerberos a shot this morning.
edit: After reading more about Kerberos, I still think that Winbind is the way to go here.

Winbind will allow me to Authenticate with my DC using AD and allow me to create home directories on the fly.

 

[Crusty]

Now that I bumped up my logging level,

Samba+winbind are finding my domain as an NT4 domain, which makes sense (kind of) since we still have some NT4 machines on our domain.

[2004/07/16 08:45:42, 3] nsswitch/winbindd_util.c:add_trusted_domain(173)
add_trusted_domain: MIDCAPE is an NT4 domain

[2004/07/16 08:45:42, 3] libads/ldap.c:ads_server_info(2029)
got ldap server name pdc@MIDCAPE.NET, using bind path: dc=MIDCAPE,dc=NET

Does this shed any light on my problems?

 

[Crusty]

Okay, with a little more tweaking, I can now mount a share from a W2k box onto my linux box.

I can only do this with an account that has been created locally on my Linux box that has the same username as an account on my domain....