Subject: Samba, Active Directory, Kerberos, etc
To: NetBSD, Users <netbsd-users@netbsd.org>
From: Justin Newcomer <liquidice5@gmail.com>
List: netbsd-users
Date: 11/03/2005 01:42:36
------=_Part_7260_31278611.1131000156258
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Hi
I am trying to join my NetBSD 3.99.8 (GENERIC) box to my win 2k3 active
directory domain
I have samba, compiled with ads, pam, and ldap support from pkgsrc, it work=
s
fine doing its own authentication
I have kerberos installed (i guess? it comes with the ~current userland?) a=
s
well as openldap-2.3.11 from pkgsrc
I can join it to the domain, and get kerberos tickets and all of that
but what I cannot do is get user accounts from the domain to be dynamically
created when they connect to my netBSD boxes. It basically comes down to
PAM/openpam.
I can make it all work on a linux box, and have many times; but there the
pam support is different.
has anyone reading gotten this to work before?
(basically i am trying to get single sign on from a windows domain to work)
any suggestions on PAM/ openpam, and or how to configure them?
my /etc/krb5.conf
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[logging]
default =3D FILE:/var/log/krb5libs.log
kdc =3D FILE:/var/log/krb5kdc.log
admin_server =3D FILE:/var/log/kadmind.log
[libdefaults]
default_realm =3D NERV.TINFOILSOLDIER.COM <http://NERV.TINFOILSOLDIER.COM>
dns_lookup_realm =3D false
dns_lookup_kdc =3D false
krb4_get_tickets =3D false
[realms]
NERV.TINFOILSOLDIER.COM <http://NERV.TINFOILSOLDIER.COM> =3D {
kdc =3D balthasar.nerv.tinfoilsoldier.com:88<http://balthasar.nerv.tinfoils=
oldier.com:88>
admin_server =3D balthasar.nerv.tinfoilsoldier.com:749
<http://balthasar.nerv.tinfoilsoldier.com:749>
default_domain =3D nerv.tinfoilsoldier.com <http://nerv.tinfoilsoldier.com>
}
[domain_realm]
.nerv.tinfoilsoldier.com =3D
NERV.TINFOILSOLDIER.COM<http://NERV.TINFOILSOLDIER.COM>
nerv.tinfoilsoldier.com <http://nerv.tinfoilsoldier.com> =3D
NERV.TINFOILSOLDIER.COM <http://NERV.TINFOILSOLDIER.COM>
[kadmin]
default_keys =3D v5
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
my /usr/pkg/etc/samba/smb.conf
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[global]
workgroup =3D NERV
realm =3D NERV.TINFOILSOLDIER.COM <http://NERV.TINFOILSOLDIER.COM>
security =3D ADS
password server =3D
balthasar.nerv.tinfoilsoldier.com<http://balthasar.nerv.tinfoilsoldier.com>
algorithmic rid base =3D 10000
announce version =3D 5
load printers =3D No
preferred master =3D No
domain master =3D No
wins server =3D 129.21.144.211 <http://129.21.144.211>
wins support =3D yes
ldap admin dn =3D dc=3DNERV,dc=3DTINFOILSOLDIER,dc=3DCOM
ldap ssl =3D start tls
idmap uid =3D 10000-20000
idmap gid =3D 10000-20000
template homedir =3D /home/%U
template shell =3D /usr/pkg/bin/bash
winbind use default domain =3D Yes
winbind trusted domains only =3D Yes
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
net ads info
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
net ads info
LDAP server: 129.21.144.211 <http://129.21.144.211>
LDAP server name: balthasar
Realm: NERV.TINFOILSOLDIER.COM <http://NERV.TINFOILSOLDIER.COM>
Bind Path: dc=3DNERV,dc=3DTINFOILSOLDIER,dc=3DCOM
LDAP port: 389
Server time: Thu, 03 Nov 2005 01:35:21 EST
KDC server: 129.21.144.211 <http://129.21.144.211>
Server time offset: 0
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
------=_Part_7260_31278611.1131000156258
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Hi<br><br>I am trying to join my NetBSD 3.99.8 (GENERIC) box to my win 2k3 =
active directory domain<br><br>I have samba, compiled with ads, pam, and ld=
ap support from pkgsrc, it works fine doing its own authentication<br><br>
I have kerberos installed (i guess? it comes with the ~current userland?) a=
s well as=20
openldap-2.3.11 from pkgsrc<br><br>
I can join it to the domain, and get kerberos tickets and all of that<br>
but what I cannot do is get user accounts from the domain to be
dynamically created when they connect to my netBSD boxes. It
basically comes down to PAM/openpam.<br>
<br>
I can make it all work on a linux box, and have many times; but there the p=
am support is different.<br>
has anyone reading gotten this to work before?<br>
(basically i am trying to get single sign on from a windows domain to work)=
<br>
<br>
any suggestions on PAM/ openpam, and or how to configure them?<br>
<br>my /etc/krb5.conf<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>[l=
ogging]<br> default =3D FILE:/var/log/krb5libs.log<br> kdc =3D FILE:/var/lo=
g/krb5kdc.log<br> admin_server =3D FILE:/var/log/kadmind.log<br><br>[libdef=
aults]<br> default_realm =3D=20
<a href=3D"http://NERV.TINFOILSOLDIER.COM" target=3D"_blank" onclick=3D"ret=
urn top.js.OpenExtLink(window,event,this)">NERV.TINFOILSOLDIER.COM</a><br> =
dns_lookup_realm =3D false<br> dns_lookup_kdc =3D false<br> krb4_get_ticket=
s =3D false
<br><br>[realms]<br> <a href=3D"http://NERV.TINFOILSOLDIER.COM" target=3D"_=
blank" onclick=3D"return top.js.OpenExtLink(window,event,this)">NERV.TINFOI=
LSOLDIER.COM
</a> =3D {<br> kdc =3D <a href=3D"http://balthasar.nerv.tinfoils=
oldier.com:88" target=3D"_blank" onclick=3D"return top.js.OpenExtLink(windo=
w,event,this)">balthasar.nerv.tinfoilsoldier.com:88</a><br> admi=
n_server =3D <a href=3D"http://balthasar.nerv.tinfoilsoldier.com:749" targe=
t=3D"_blank" onclick=3D"return top.js.OpenExtLink(window,event,this)">
balthasar.nerv.tinfoilsoldier.com:749
</a><br> default_domain =3D <a href=3D"http://nerv.tinfoilsoldie=
r.com" target=3D"_blank" onclick=3D"return top.js.OpenExtLink(window,event,=
this)">nerv.tinfoilsoldier.com</a><br> }<br><br>[domain_realm]<br> .nerv.ti=
nfoilsoldier.com =3D=20
<a href=3D"http://NERV.TINFOILSOLDIER.COM" target=3D"_blank" onclick=3D"ret=
urn top.js.OpenExtLink(window,event,this)">NERV.TINFOILSOLDIER.COM</a>
<br><a href=3D"http://nerv.tinfoilsoldier.com" target=3D"_blank" onclick=3D=
"return top.js.OpenExtLink(window,event,this)">nerv.tinfoilsoldier.com</a> =
=3D <a href=3D"http://NERV.TINFOILSOLDIER.COM" target=3D"_blank" onclick=3D=
"return top.js.OpenExtLink(window,event,this)">
NERV.TINFOILSOLDIER.COM</a><br><br>[kadmin]<br> &nbs=
p; default_keys =3D v5<br><br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
my /usr/pkg/etc/samba/smb.conf<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
[global]<br>
workgroup =3D NERV<br>
realm =3D <a href=3D"http://NERV=
.TINFOILSOLDIER.COM" target=3D"_blank" onclick=3D"return top.js.OpenExtLink=
(window,event,this)">NERV.TINFOILSOLDIER.COM</a><br>
security =3D ADS<br>
password server =3D <a href=3D"h=
ttp://balthasar.nerv.tinfoilsoldier.com" target=3D"_blank" onclick=3D"retur=
n top.js.OpenExtLink(window,event,this)">balthasar.nerv.tinfoilsoldier.com<=
/a><br>
algorithmic rid base =3D 10000<b=
r>
announce version =3D 5<br>
load printers =3D No<br>
preferred master =3D No<br>
domain master =3D No<br>
wins server =3D <a href=3D"http:=
//129.21.144.211" target=3D"_blank" onclick=3D"return top.js.OpenExtLink(wi=
ndow,event,this)">129.21.144.211</a><br>
wins support =3D yes<br>
ldap admin dn =3D dc=3DNERV,dc=
=3DTINFOILSOLDIER,dc=3DCOM<br>
ldap ssl =3D start tls<br>
idmap uid =3D 10000-20000<br>
idmap gid =3D 10000-20000<br>
template homedir =3D /home/%U<br=
>
template shell =3D /usr/pkg/bin/=
bash<br>
winbind use default domain =3D Y=
es<br>
winbind trusted domains only =3D=
Yes<br>
<br>
<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>ne=
t ads info<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
net ads info<br>
LDAP server: <a href=3D"http://129.21.144.211" target=3D"_blank" onclick=3D=
"return top.js.OpenExtLink(window,event,this)">129.21.144.211</a><br>
LDAP server name: balthasar<br>
Realm: <a href=3D"http://NERV.TINFOILSOLDIER.COM" target=3D"_blank" onclick=
=3D"return top.js.OpenExtLink(window,event,this)">NERV.TINFOILSOLDIER.COM</=
a><br>
Bind Path: dc=3DNERV,dc=3DTINFOILSOLDIER,dc=3DCOM<br>
LDAP port: 389<br>
Server time: Thu, 03 Nov 2005 01:35:21 EST<br>
KDC server: <a href=3D"http://129.21.144.211" target=3D"_blank" onclick=3D"=
return top.js.OpenExtLink(window,event,this)">129.21.144.211</a><br>
Server time offset: 0<br>
<br>
<br>
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>
------=_Part_7260_31278611.1131000156258--