Hello all,
I'm trying to authenticate shell logins against an MS-ADS. I don't have admin access to the ADS, but I can talk to the admins.
I have gotten as far as getting authentication working, but the uids depend on the order of login, i.e. the first guy to log in gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via NFS, which means everyone has to have the same id.
Is anyone else doing this?
My smb.conf and nsswitch.conf files are below.
TIA
What I did was create the users in /etc/passwd with the same username as you would find in the AD.
Then it's just a matter of enabling Kerberos authentication and using the Domain Controllers as KDCs.
Maybe not what you're looking for, but it's simple and effective. No Samba involved.
On Jan 31, 2008 3:51 PM, Milton Calnek milton@calnek.com wrote:
> Hello all,
> I'm trying to authenticate shell logins against an MS-ADS. I don't have admin access to the ADS, but I can talk to the admins.
> I have gotten as far as getting authentication working, but the uids depend on the order of login, i.e. the first guy to log in gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via NFS, which means everyone has to have the same id.
> Is anyone else doing this?
> My smb.conf and nsswitch.conf files are below.
> TIA
> -- Milton Calnek BSc, A/Slt(Ret.) milton@calnek.com 306-717-8737
>
> smb.conf
>
> [global]
>   workgroup = example_com
>   realm = example.COM
>   server string = %h server (Samba %v)
>   security = ADS
>   map to guest = Bad Password
>   passdb backend = tdbsam
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>   log level = 2 winbind:10
>   syslog = 0
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   dns proxy = No
>   wins server = ldap
>   ldap ssl = no
>   panic action = /usr/share/samba/panic-action %d
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   idmap backend = ldap:ldap://ldap.example.com:3268
>   ldap admin dn = cn=Manager,dc=example,dc=COM
>   ldap idmap suffix = ou=Idmap
>   ldap suffix = dc=example,dc=COM
>   template homedir = /home/%U
>   template shell = /bin/bash
>   winbind separator = +
>   winbind use default domain = Yes
>   winbind nested groups = Yes
>   invalid users = root
>
> nsswitch.conf
>
> passwd:     files compat winbind
> shadow:     files compat
> group:      files compat winbind
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:  nisplus [NOTFOUND=return] files
> #networks:  nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc:       nisplus [NOTFOUND=return] files
> #ethers:    nisplus [NOTFOUND=return] files
> #netmasks:  nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   nisplus
> publickey:  nisplus
> automount:  files nisplus
> aliases:    files nisplus
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Jan 31, 2008 2:51 PM, Milton Calnek milton@calnek.com wrote:
> Hello all,
> I'm trying to authenticate shell logins against an MS-ADS. I don't have admin access to the ADS, but I can talk to the admins.
> I have gotten as far as getting authentication working, but the uids depend on the order of login, i.e. the first guy to log in gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via NFS, which means everyone has to have the same id.
Don't use Samba.
Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid.
On the CentOS side use nss_ldap.
This is a true single sign-on configuration with no /etc/passwd monkey business. We use it for database application auth and limited shell access. It just works, failures are rare.
Configuration details are left as an exercise for the OP as I have had a long day and a couple glasses of wine....
-- Jeff
On Thu, 31 Jan 2008 20:29:07 -0600 "Jeff Larsen" jlar310@gmail.com wrote:
> Don't use Samba.
> Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid.
1. I have the same problem, but the admin does not want to install Microsoft Services For UNIX.
2. You mention 2003R2; does something need to be installed or deployed? I don't see the Unix attributes.
On Feb 1, 2008 9:38 AM, centos@911networks.com wrote:
> On Thu, 31 Jan 2008 20:29:07 -0600 "Jeff Larsen" jlar310@gmail.com wrote:
> > Don't use Samba.
> > Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid.
> - I have the same problem, but the admin does not want to install
> Microsoft Services For UNIX.
That's unfortunate. It's really quite non-invasive
> - You mention 2003R2; does something need to be installed or
> deployed? I don't see the Unix attributes.
- Add/Remove Programs
  - Add/Remove Windows Components
    - Active Directory Services
      - Identity Management for UNIX
On Fri, 1 Feb 2008 09:49:47 -0600 "Jeff Larsen" jlar310@gmail.com wrote:
> > - I have the same problem, but the admin does not want to
> > install Microsoft Services For UNIX.
> That's unfortunate. It's really quite non-invasive
The admin does not want to do any change to deal with only 1 user [me]
> > - You mention 2003R2; does something need to be installed or
> > deployed? I don't see the Unix attributes.
> - Add/Remove Programs
>   - Add/Remove Windows Components
>     - Active Directory Services
>       - Identity Management for UNIX
The admin does not want to do any change to deal with only 1 user [me], so there is no other way than XP within vmware?
On Feb 1, 2008 10:20 AM, centos@911networks.com wrote:
> On Fri, 1 Feb 2008 09:49:47 -0600 "Jeff Larsen" jlar310@gmail.com wrote:
> > > - I have the same problem, but the admin does not want to
> > > install Microsoft Services For UNIX.
> > That's unfortunate. It's really quite non-invasive
> The admin does not want to do any change to deal with only 1 user [me]
> > > - You mention 2003R2; does something need to be installed or
> > > deployed? I don't see the Unix attributes.
> > - Add/Remove Programs
> >   - Add/Remove Windows Components
> >     - Active Directory Services
> >       - Identity Management for UNIX
> The admin does not want to do any change to deal with only 1 user [me], so there is no other way than XP within vmware?
I'm not sure what problem you are trying to solve with that. Samba might be an option for you if your domain admin will let you join a linux machine to the domain. But I am not a Samba expert, so you'll have to seek advice from someone else. My advocating for nss_ldap is for the purpose of full-scale single sign-on.
-- Jeff
centos@911networks.com wrote:
> The admin does not want to do any change to deal with only 1 user [me], so there is no other way than XP within vmware?
if you're the only one using this linux system, well, I guess I can see his POV. OTOH, if this Linux system is providing a business function, who's in charge of this administrator? sounds to me like he needs a slapdown.
On Jan 31, 2008 9:29 PM, Jeff Larsen jlar310@gmail.com wrote:
> Microsoft Services For UNIX or 2003R2 support UNIX attributes in Active Directory. It adds a new tab in the user account properties where you can specify login shell, home directory, uid, gid.
> On the CentOS side use nss_ldap.
> This is a true single sign-on configuration with no /etc/passwd monkey business. We use it for database application auth and limited shell access. It just works, failures are rare.
So is it possible to use nss_ldap with MS-AD if the Services for Unix are not installed? Or do you still have to resort to "/etc/password monkey business"? (I'm all for eliminating the monkey business, but I don't think my AD is going to get SFU.)
Mike
On Feb 1, 2008 9:38 AM, Michael Semcheski mhsemcheski@gmail.com wrote:
> So is it possible to use nss_ldap with MS-AD if the Services for Unix are not installed? Or do you still have to resort to "/etc/password monkey business"? (I'm all for eliminating the monkey business, but I don't think my AD is going to get SFU.)
You can use nss_ldap with 2003R2 DC when the additional software component (built-in to R2, see my other post) is installed. You can not use nss_ldap with pre-R2 DC without SFU. SFU modifies the AD schema to create new fields for UNIX attributes, most important of which is a password field compatible with UNIX crypt. In the case of R2, your schema will be modified in a similar fashion.
WARNING: If you have multiple DCs, R2 and SFU are not compatible out of the box. They use different AD schema modifications. We had to track down hotfixes and DLLs to get our mixed environment working. It was not fun, but we eventually got it all squared away.
-- Jeff
Milton Calnek wrote:
> Hello all,
> I'm trying to authenticate shell logins against an MS-ADS. I don't have admin access to the ADS, but I can talk to the admins.
> I have gotten as far as getting authentication working, but the uids depend on the order of login, i.e. the first guy to log in gets 10000, the next gets 10001, etc. The problem I have with this is that I want to share the home directories via NFS, which means everyone has to have the same id.
> Is anyone else doing this?
> My smb.conf and nsswitch.conf files are below.
> TIA
You can get samba to be a single sign on using MS AD & issue predictable uids in linux. The smb.conf option:
idmap backend = idmap_rid:DOMAIN=100000-3000000
will take the user's RID in AD, add 100000 to it, and use that for the uid in Linux.
This smb.conf worked for me a couple years ago at my former employer, on RH4 type machines. Note I did not have an ldap server defined. This is the entire global section I used in all linux boxes that I joined to the domain.
[global]
  workgroup = DOMAIN
  realm = DOMAIN.EXAMPLE.COM
  server string = Samba Server
  security = ads
  # log level = 0 vfs:2
  log file = /var/log/samba/ALL.log
  max log size = 500
  socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
  load printers = No
  preferred master = No
  domain master = No
  dns proxy = No
  wins server = 192.168.1.1
  netbios name = LINUX999
  netbios aliases = host999
  ldap ssl = no
  idmap uid = 10000-3000000
  idmap gid = 10000-3000000
  template homedir = /users/%U
  template shell = /bin/bash
  winbind enum users = No
  winbind enum groups = No
  idmap backend = idmap_rid:DOMAIN=100000-3000000
  allow trusted domains = no
  username map = /etc/samba/smbusers
  name resolve order = wins bcast
  cups options = raw
  disable spoolss = Yes
  show add printer wizard = No
  os level = 1
  winbind use default domain = yes
  host msdfs = Yes
  admin users = DOMAIN\admin20 DOMAIN\admin22
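The point of the idmap_rid suggestion above is that the uid is a pure function of the account's RID, so two hosts with the same range always agree, whereas an allocating backend hands out ids in whatever order it first sees users on each host, which is exactly the NFS mismatch the original poster described. The following is an added illustration, not code from the thread or from Samba: it models both behaviours in a few lines. The SIDs are constructed, and the arithmetic (uid = start of range + RID, rejecting RIDs that would fall past the end of the range) is taken from the post's own description of the idmap_rid setting rather than from Samba's source.

```python
"""Added example: RID-derived uids are stable across hosts; first-seen
allocation is not.  SIDs below are constructed for the demonstration."""
import re

# A domain user/group SID: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid):
    """Return the RID (last sub-authority) of a domain SID, else ValueError."""
    match = DOMAIN_SID_RE.match(sid)
    if not match:
        raise ValueError("not a domain user/group SID: %r" % (sid,))
    return int(match.group(1))


def rid_uid(sid, low=100000, high=3000000):
    """Deterministic mapping in the style of idmap_rid: uid = low + RID.

    The result depends only on the SID and the configured range, never on
    which host resolves it or on login order, so NFS-shared homes line up.
    A RID that would land beyond the range end is rejected, not wrapped.
    """
    rid = rid_from_sid(sid)
    uid = low + rid
    if uid > high:
        raise ValueError("RID %d maps to uid %d, beyond range end %d" % (rid, uid, high))
    return uid


class FirstSeenAllocator:
    """Model of an allocating backend: each unseen SID gets the next free id.

    This reproduces the behaviour the original poster hit: the uid a user
    ends up with depends on the order in which users first appear on the
    host doing the allocation.
    """

    def __init__(self, low=10000):
        self.next_id = low
        self.table = {}

    def uid(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def map_users(mapper, sids):
    """Resolve SIDs to uids with the given mapper, in the order given."""
    return {sid: mapper(sid) for sid in sids}


def compare_hosts():
    """Two hosts see the same two users log in in opposite order.

    Returns, for each scheme, whether both hosts end up with identical
    uid tables, plus the RID-derived table itself.
    """
    domain = "S-1-5-21-1111111111-2222222222-3333333333-"  # constructed
    alice = domain + "1105"
    bob = domain + "1142"

    host_a = FirstSeenAllocator()
    host_b = FirstSeenAllocator()
    seen_a = map_users(host_a.uid, [alice, bob])  # alice logs in first here
    seen_b = map_users(host_b.uid, [bob, alice])  # bob logs in first here

    rid_a = map_users(rid_uid, [alice, bob])
    rid_b = map_users(rid_uid, [bob, alice])

    return {
        "first_seen_agrees": seen_a == seen_b,  # False: the two uids are swapped
        "rid_agrees": rid_a == rid_b,           # True: same uid on every host
        "rid_uids": rid_a,
    }


if __name__ == "__main__":
    for key, value in compare_hosts().items():
        print(key, value)
```

The range check matters in practice: with a 100000-3000000 range any RID above 2900000 has no valid uid, so a lookup for such an account should fail loudly rather than collide with something else, and the range must be identical on every host that mounts the same home directories.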