I have some services on Centos5 boxes that use smb authentication against the Windows domain as a low-maintenance way to handle most of our office users for things that don't need home directories (web/file shares, etc.). Running authconfig is all it takes to add it to PAM, then adding mod_auth_pam to apache makes it work with that and local users. This all works without any particular involvement with the Windows group or administrative access there.
Is there a better way to do this on C6 that does not involve 'joining' the windows domain?
And is there a way to make samba (C5 or 6) work with Windows7 other than configuring every client to send NTLM authentication when requested?
On Thu, 17 Nov 2011, Les Mikesell wrote:
I have some services on Centos5 boxes that use smb authentication against the Windows domain as a low-maintenance way to handle most of our office users for things that don't need home directories (web/file shares, etc.). Running authconfig is all it takes to add it to PAM, then adding mod_auth_pam to apache makes it work with that and local users. This all works without any particular involvement with the Windows group or administrative access there.
Is there a better way to do this on C6 that does not involve 'joining' the windows domain?
You don't *have* to join it to the domain, you can use pam_krb5 without joining if you want. There are advantages if you do though, since a joined machine offering samba shares to windows users on a domain won't prompt for a password, as it'll use their existing kerberos ticket. Joining *is* just a case of a correct smb.conf/krb5.conf and "net ads join" with an account with sufficient privs, so isn't really much pain for servers.
And is there a way to make samba (C5 or 6) work with Windows7 other than configuring every client to send NTLM authentication when requested?
On C5 I thought upgrading to samba3x was sufficient, and that C6 it should just work. I'm assuming that's not the case?
jh
I just installed win 7 pro @home in order to be more compatible with my new @work environment. I am likewise having a problem with samba shares. The samba shares are on a C5.7 server and were readily available from the same machine running XP for the last couple of years.
The new w7pro install is on the same network as the previous XP install on that machine and in fact has the same IP address as the former XP os.
Now with the fresh install of w7pro I cannot see any of the samba shares from the w7pro machine. All of the googled solutions I have found so far have not worked. I have added a couple of entries to the smb.conf that were suggested and restarted smb but no joy.
Anyone have pointers that may get me going again?
Regards,
Ron Young 919-621-9015 http://www.linkedin.com/in/ronhyoung
+++++++++++++++++++ Little tiny dreams require little tiny thoughts and little tiny steps. Great big dreams require great big thoughts and little tiny steps. +++++++++++++++++++ Kosh: The avalanche has already started. It is too late for the pebbles to vote.
On Thu, Nov 17, 2011 at 12:26 PM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
On Thu, 17 Nov 2011, Les Mikesell wrote:
I have some services on Centos5 boxes that use smb authentication against the Windows domain as a low-maintenance way to handle most of our office users for things that don't need home directories (web/file shares, etc.). Running authconfig is all it takes to add it to PAM, then adding mod_auth_pam to apache makes it work with that and local users. This all works without any particular involvement with the Windows group or administrative access there.
Is there a better way to do this on C6 that does not involve 'joining' the windows domain?
You don't *have* to join it to the domain, you can use pam_krb5 without joining if you want. There are advantages if you do though, since a joined machine offering samba shares to windows users on a domain won't prompt for a password, as it'll use their existing kerberos ticket. Joining *is* just a case of a correct smb.conf/krb5.conf and "net ads join" with an account with sufficient privs, so isn't really much pain for servers.
And is there a way to make samba (C5 or 6) work with Windows7 other than configuring every client to send NTLM authentication when requested?
On C5 I thought upgrading to samba3x was sufficient, and that C6 it should just work. I'm assuming that's not the case?
jh
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Ron Young wrote on 11/17/2011 01:11 PM:
I just installed win 7 pro @home in order to be more compatible with my new @work environment. I am likewise having a problem with samba shares. The samba shares are on a C5.7 server and were readily available from the same machine running XP for the last couple of years.
The new w7pro install is on the same network as the previous XP install on that machine and in fact has the same IP address as the former XP os.
Now with the fresh install of w7pro I cannot see any of the samba shares from the w7pro machine. All of the googled solutions I have found so far have not worked. I have added a couple of entries to the smb.conf that were suggested and restarted smb but no joy.
Anyone have pointers that may get me going again?
Have you replaced samba packages with samba3x packages?
Phil
Oops! My apologies for the thread hijacking. Thanks for the reminder Phil.
I was mentally keyed to the samba issues and ignored the C6 and AD issues. In my case there is no AD domain involved and samba is already at the 3x level.
Regards,
Ron Young 919-621-9015 http://www.linkedin.com/in/ronhyoung
On Thu, Nov 17, 2011 at 1:20 PM, Phil Schaffner Philip.R.Schaffner@nasa.gov wrote:
Phil Schaffner wrote on 11/17/2011 01:18 PM:
Have you replaced samba packages with samba3x packages?
P.S. Just noticed I am an accessory to a thread hijacking. This thread is about CentOS-6. Sorry.
On Friday, November 18, 2011 03:53 AM, Ron Young wrote:
Oops! My apologies for the thread hijacking. Thanks for the reminder Phil.
I was mentally keyed to the samba issues and ignored the C6 and AD issues. In my case there is no AD domain involved and samba is already at the 3x level.
Windows 7 is not supported by C5 samba unless you rig Windows 7 to not use SMB2.
samba 3.6.x supports SMB2 but that's not on C5 I believe...
On Thu, 17 Nov 2011, Ron Young wrote:
I just installed win 7 pro @home in order to be more compatible with my new @work environment. I am likewise having a problem with samba shares. The samba shares are on a C5.7 server and were readily available from the same machine running XP for the last couple of years.
The new w7pro install is on the same network as the previous XP install on that machine and in fact has the same IP address as the former XP os.
Now with the fresh install of w7pro I cannot see any of the samba shares from the w7pro machine. All of the googled solutions I have found so far have not worked. I have added a couple of entries to the smb.conf that were suggested and restarted smb but no joy.
Anyone have pointers that may get me going again?
Have you seen this: http://wiki.samba.org/index.php/Windows7
In particular the registry on w7 needs modification in order to join.
I have numerous w7 machines in a couple of smb domains working as advertised.
Hope this helps.
On Thu, Nov 17, 2011 at 12:30 PM, me@tdiehl.org wrote:
I just installed win 7 pro @home in order to be more compatible with my new @work environment. I am likewise having a problem with samba shares. The samba shares are on a C5.7 server and were readily available from the same machine running XP for the last couple of years.
The new w7pro install is on the same network as the previous XP install on that machine and in fact has the same IP address as the former XP os.
Now with the fresh install of w7pro I cannot see any of the samba shares from the w7pro machine. All of the googled solutions I have found so far have not worked. I have added a couple of entries to the smb.conf that were suggested and restarted smb but no joy.
Anyone have pointers that may get me going again?
Have you seen this: http://wiki.samba.org/index.php/Windows7
In particular the registry on w7 needs modification in order to join.
I have numerous w7 machines in a couple of smb domains working as advertised.
I don't think you need that unless you are using samba as a domain controller. If you just want a windows7 (pro...) client to send its NTLM credentials to samba like XP would, run 'secpol.msc' and under Local Policies, Security Options, Network security, change option from ‘not defined’ to ‘Send LM & NTLM - use NTLMv2 session security if negotiated’.
Otherwise you can only connect to shares with security = share and guests allowed.
On Thu, Nov 17, 2011 at 11:26 AM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
I have some services on Centos5 boxes that use smb authentication against the Windows domain as a low-maintenance way to handle most of our office users for things that don't need home directories (web/file shares, etc.). Running authconfig is all it takes to add it to PAM, then adding mod_auth_pam to apache makes it work with that and local users. This all works without any particular involvement with the Windows group or administrative access there.
Is there a better way to do this on C6 that does not involve 'joining' the windows domain?
You don't *have* to join it to the domain, you can use pam_krb5 without joining if you want.
I don't see that as an option in authconfig (or smb either now). Are there examples of how to set that up? And does apache have to be configured separately?
There are advantages if you do though, since a joined machine offering samba shares to windows users on a domain won't prompt for a password, as it'll use their existing kerberos ticket. Joining *is* just a case of a correct smb.conf/krb5.conf and "net ads join" with an account with sufficient privs, so isn't really much pain for servers.
I thought 'sufficient privs' was an admin account in AD. I don't have/want that, and I'd prefer for the people running the AD servers to continue to not know which linux servers are bouncing password checks their way.
And is there a way to make samba (C5 or 6) work with Windows7 other than configuring every client to send NTLM authentication when requested?
On C5 I thought upgrading to samba3x was sufficient, and that C6 it should just work. I'm assuming that's not the case?
Maybe, if you have krb stuff passed through to a joined AD. I was hoping NTLM would still work. And I want it to also work transparently with local linux accounts that don't exist in AD.
On Thu, 17 Nov 2011, Les Mikesell wrote:
You don't *have* to join it to the domain, you can use pam_krb5 without joining if you want.
I don't see that as an option in authconfig (or smb either now). Are there examples of how to set that up? And does apache have to be configured separately?
With authconfig it's --enablekrb5 and the related ones for setting the details. Since you're not worried about group membership krb5's all you need. If pam_smb type stuff was enough then you don't need to worry about validation, although it's definitely better if you do.
I thought 'sufficient privs' was an admin account in AD. I don't have/want that, and I'd prefer for the people running the AD servers to continue to not know which linux servers are bouncing password checks their way.
No, you don't need that much. You just need permissions to create a machine object within a specific OU, which is much lower grade. The password checks would end up with the AD controllers, but I doubt it's anything they're likely to notice.
Maybe, if you have krb stuff passed through to a joined AD. I was hoping NTLM would still work. And I want it to also work transparently with local linux accounts that don't exist in AD.
On that side, I pass.
jh
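An added example, not written by anyone in the thread, of the authconfig call described above for Kerberos password checks against AD without joining the domain. EXAMPLE.COM and dc1.example.com are placeholders, and the function names and the AUTHCONFIG_APPLY variable are hypothetical. Without a host keytab pam_krb5 cannot validate the KDC's reply, which is the validation trade-off mentioned in the reply.

```shell
#!/bin/sh
# Added example: compose the authconfig call that enables pam_krb5 for
# password checks against an AD realm, with no "net ads join".
# Realm and KDC values passed in are site-specific (placeholders here).
LC_ALL=C; export LC_ALL   # keep [A-Z] ranges strictly ASCII

# Print the authconfig arguments for a realm and a KDC host.
krb5_authconfig_args() {
    realm=$1
    kdc=$2
    # Kerberos realm names are case-sensitive; AD realms are upper-case.
    case $realm in
        ''|*[!A-Z0-9.-]*) echo "bad realm: $realm" >&2; return 1 ;;
    esac
    case $kdc in
        ''|*[!A-Za-z0-9.-]*) echo "bad KDC host: $kdc" >&2; return 1 ;;
    esac
    # --krb5adminserver is only used for password changes; on AD the
    # domain controller serves that role as well.
    printf '%s\n' "--enablekrb5 --krb5realm=$realm --krb5kdc=$kdc --krb5adminserver=$kdc"
}

# Show the command, or run it (as root) when AUTHCONFIG_APPLY=1.
# authconfig --update rewrites /etc/krb5.conf and adds pam_krb5.so to
# /etc/pam.d/system-auth, so local accounts keep working via pam_unix.
configure_krb5_auth() {
    args=$(krb5_authconfig_args "$1" "$2") || return 1
    if [ "${AUTHCONFIG_APPLY:-0}" = 1 ]; then
        # $args is intentionally unquoted: it holds several options.
        authconfig $args --update
    else
        echo "authconfig $args --update"
    fi
}
```

Call `configure_krb5_auth EXAMPLE.COM dc1.example.com` to print the command for review before applying it.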