[WBEL-users] samba and AD

Rodrigo Cortes rcortes@placevendome.cl
Thu, 13 Jan 2005 17:01:27 -0300


When winbind enum xxx = no, getent passwd and getent group don't display info
for the domain.

-----Original Message-----
From: whitebox-users-admin@beau.org [mailto:whitebox-users-admin@beau.org]
On behalf of Toby Bluhm
Sent: Thursday, 13 January 2005 16:12
To: Whitebox-users@beau.org
Subject: RE: [WBEL-users] samba and AD

---- Rodrigo Cortes <rcortes@placevendome.cl> wrote: 
> Do you have one conf for all? krb5? smb?
> 
> Sorry but I have #$#% hehehe
> 
> 

Key elements I used in those other conf files.

/etc/samba/smb.conf:

[global]
        workgroup = AD
        realm = AD.COMPANY.COM
        server string = Samba Server
        security = ADS
        preferred master = No
        domain master = No
        dns proxy = No
        wins server = 1.1.1.1
        netbios name = WB3
        ldap ssl = no
        idmap uid = 99999-1999999
        idmap gid = 99999-1999999
        template homedir = /home/AD/%U
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = No
        winbind enum groups = No


/etc/krb5.conf:
[logging]
 default = SYSLOG

[libdefaults]
 default_realm = AD.COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
  AD.COMPANY.COM = {
  kdc = dc001.ad.company.com
  kdc = dc002.ad.company.com
 }

[domain_realm]
 .ad.company.com = AD.COMPANY.COM
 . = AD.COMPANY.COM

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 604800
 forwardable = false
 krb4_convert = false

/etc/krb.realms
.ad.company.com AD.COMPANY.COM
. AD.COMPANY.COM


/etc/nsswitch.conf:
passwd:     files nis winbind
shadow:     files nis
group:      files nis winbind


/etc/resolv.conf:
# AD domain
domain ad.company.com
search ad.company.com
nameserver 1.1.1.1

/etc/hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
1.1.1.10                 wb3 wb3.ad.company.com




> 
> -----Original Message-----
> From: whitebox-users-admin@beau.org [mailto:whitebox-users-admin@beau.org]
> On behalf of Toby Bluhm
> Sent: Thursday, 13 January 2005 15:23
> To: Whitebox-users@beau.org
> Subject: RE: [WBEL-users] samba and AD
> 
> 
>  
> ---- Rodrigo Cortes <rcortes@placevendome.cl> wrote: 
> > Well. The doc says that with winbind, samba and AD it is possible to
> > auth telnet and ftp. The doc says this, but it doesn't work.
> > 
> > 
> > 
> 
> 
> I was able to get a stock wb3 box with current updates ( at the time ~ 2
> months ago ) to allow AD account login with console, ssh, ftp, telnet. The
> pam setup was the key. 
> 
> You need to have your smb.conf, krb5.conf, krb.realms, nsswitch.conf
> setup right and you've joined the box to AD, a share works - this all
> needs to be happy before trying the pam edits.
> 
> Note the message about using authconfig - it will mess with your pam
> setup & nsswitch.conf. 
> 
> I first ran authconfig to setup the box to authenticate with nis. If you
> use only local accounts, I see at least one line in system-auth that may
> need to be different than what I have here. Then I made the manual edits
> to the config files. Also, anytime during my testing that I made domain
> type changes to smb.conf, I deleted *.tdb in /etc/samba,
> /var/cache/samba, /var/cache/samba/printing and rejoined the wb3 box to
> the domain. 
> 
> YMMV
> 
> in /etc/pam.d
> 
> login:
> #%PAM-1.0
> auth       required     pam_securetty.so
> auth       sufficient   pam_winbind.so
> auth       sufficient   pam_unix.so use_first_pass
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    sufficient   pam_winbind.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    optional     pam_console.so
> 
> 
> sshd:
> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> auth       sufficient   pam_winbind.so
> account    required     pam_stack.so service=system-auth
> account    sufficient   pam_winbind.so
> password   required     pam_stack.so service=system-auth
> password   sufficient   pam_winbind.so
> session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
> 
> system-auth:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_winbind.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> account     required      /lib/security/$ISA/pam_unix.so
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
> password    required      /lib/security/$ISA/pam_deny.so
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_winbind.so
> 
>  

-Toby
_______________________________________________
Whitebox-users mailing list
Whitebox-users@beau.org
http://beau.org/mailman/listinfo/whitebox-users
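Added example, not code from the thread or from any of its participants: a small evaluator of the classic PAM control-flag semantics (required / requisite / sufficient / optional, plus the old Red Hat pam_stack.so "service=" include) run over the login, sshd and system-auth auth/account stacks quoted above. It exists to show what the ordering of "auth sufficient pam_winbind.so" relative to "auth required pam_nologin.so" does. The module outcomes fed in are constructed, not observed on any box: the domain user is accepted by pam_winbind only, the local user by pam_unix only, and /etc/nologin exists so pam_nologin fails for both. Under pam.conf(5) semantics the posted login stack grants authentication before pam_nologin.so is ever consulted, for domain and local users alike, while the posted sshd stack consults it first and so still honours /etc/nologin.

```python
"""Classic PAM control-flag evaluator over the pam.d stacks posted in the
thread.  Added example, not code from the mailing-list post.

Semantics implemented (as documented in pam.conf(5)):
  required   failure is remembered, but the rest of the stack still runs
  requisite  failure returns immediately
  sufficient success, with no earlier 'required' failure, returns success
             immediately and skips everything below it
  optional   result ignored (the "only module in the stack" case is not modelled)
  pam_stack.so service=X (old Red Hat include): run stack X and use its
             overall result as this entry's result
"""

# auth and account lines of the three stacks, copied from the post.
STACKS = {
    "login": """
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
""",
    "sshd": """
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
account    sufficient   pam_winbind.so
""",
    "system-auth": """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
""",
}

# Constructed module outcomes (assumptions, not observed on any box):
# the domain user is known to winbind only, the local user to pam_unix only,
# and /etc/nologin is present so pam_nologin fails for both.
AD_USER_NOLOGIN = {"pam_winbind.so": True, "pam_unix.so": False, "pam_nologin.so": False}
LOCAL_USER_NOLOGIN = {"pam_winbind.so": False, "pam_unix.so": True, "pam_nologin.so": False}
UNKNOWN_USER = {"pam_winbind.so": False, "pam_unix.so": False, "pam_nologin.so": True}


def parse_stack(text, typ):
    """Return (control, module basename, args) for the lines of type `typ`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != typ:
            continue
        rows.append((parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return rows


def evaluate(service, typ, results, executed=None):
    """Evaluate stack `typ` of `service` against the module outcomes in `results`.

    Modules missing from `results` succeed, except pam_deny.so which always
    fails.  Returns (granted, list of modules actually consulted, in order).
    """
    executed = [] if executed is None else executed
    outcome = {"pam_deny.so": False, **results}
    required_failed = False
    for control, module, args in parse_stack(STACKS[service], typ):
        if module == "pam_stack.so":
            sub = dict(a.split("=", 1) for a in args)["service"]
            ok, _ = evaluate(sub, typ, results, executed)
        else:
            executed.append(module)
            ok = outcome.get(module, True)
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False, executed
        elif control == "sufficient" and ok and not required_failed:
            return True, executed  # everything below this entry is skipped
    return (not required_failed), executed


def reaches_nologin(service, results):
    """True if the auth stack of `service` ever consults pam_nologin.so."""
    return "pam_nologin.so" in evaluate(service, "auth", results)[1]


if __name__ == "__main__":
    for svc in ("login", "sshd"):
        for who, r in (("domain user", AD_USER_NOLOGIN), ("local user", LOCAL_USER_NOLOGIN)):
            granted, ran = evaluate(svc, "auth", r)
            print(f"{svc:5} {who:11} granted={granted!s:5} consulted={ran}")
```

Running it prints which modules each stack actually consulted. The thing to take away is that a "sufficient" entry ends the stack with success as soon as it passes, so a "required pam_nologin.so" (or any other check) placed below the winbind and unix entries never runs on the success path; to keep /etc/nologin effective, place pam_nologin.so above the sufficient entries, as the posted sshd stack does.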