Re: Binding to an Active Directory

[Lars Friend <lfriend%mcci.com@localhost>]

Thanks much Chuck,

Here is what I did:

installed the 2008Q1 pkgsrc

cd /usr/pkgsrc/net/samba

export PKG_DEFAULT_OPTIONS='ads cups winbind'
make
(worked okay)
make install

Then I followed the instructions in the Samba guide for configuring 
Kerberos and Samba, and got to the point where I could join to the 
domain, and use the samba commands:

net ads users           and     wbinfo -u
net ads groups          and     wbinfo -g

to see users and groups, but despite setting up nsswitch as 
described, it didn't seem to want to show me domain users via:

getent passwd [username]

I tried everything I could think of, read the logs (seeing no 
errors), and in a fit of frustration I eventually used ktrace to see 
what the heck was going on.
The answer is that getent (and by extension, probably everything 
using nsswitch via libc) was looking for /usr/lib/nss_winbind.so.0 
(and couldn't find it where make install put it under /usr/pkg/lib).

Now, at this point getent works as expected, and I can chown files to 
domain users and groups that don't have local entries (with proper 
UID/GID <---> SID mapping options in smb.conf).

So, it's been a long (and fruitful) day.  I do have a couple more 
questions though...

1)  I was poking around, and I can't find any evidence that 
pam_winbind.so was ever built.  Are there any flags I have to add to 
build the PAM module for authenticating users (incoming ssh sessions, 
console logins, etc...) against Winbind?

2) I noticed a couple of odd things with binding to the AD server:
 a) It binds okay, but only if I supply a username and password of a 
domain admin.  How do I get it to bind at every boot with no manual 
interaction?
 b) The binding seems to time out eventually, such that if I bind 
the machine, then run a "net ads user" for instance to show users, it 
works.  If I leave it alone for (say) an hour, and try another 
identical "net ads user" it times out.  *bleah*.

In the interest of full disclosure, this machine is separated from 
the AD by a [fairly dumb] NAT.  The other upshot of this is that I 
don't see netbios packets, so when I bind, I have to:

kinit username%DOMAIN.COM@localhost
net ads join -U username%DOMAIN.COM@localhost -S dns_name.of.ad_server

I hope that my experiences provide some insight for others, and that 
I may continue to gather insight from others.

        -lars

At 05:16 PM 4/28/2008, Chuck Swiger wrote:
> Lars Friend wrote:
> > Hello All,
> >     I was wondering if anybody knows of a comprehensive document 
> > explaining what steps need to be taken under NetBSD (I'm using 3.1 
> > for the time being) to bind to an Active Directory server.
>
> You want Samba:
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
>   http://wiki.samba.org/index.php/Samba_%26_Active_Directory
>
> Regards,
> --
> -Chuck