NetBSD-Users archive


Re: Binding to an Active Directory



Hi,


2008/4/30 Lars Friend <lfriend%mcci.com@localhost>:
>
>  Thanks much Chuck,
>
>  Here is what I did:

I eventually managed to sit down and configure one of my NetBSD
machines in a similar manner...

>
>  installed the 2008Q1 pkgsrc

I use HEAD

>
>  cd /usr/pkgsrc/net/samba
>
>  export PKG_DEFAULT_OPTIONS='ads cups winbind'

I've got "PKG_OPTIONS.samba+=cups pam winbind ads"

in my /etc/mk.conf

>  make
>  (worked okay)

same ...

>  make install
>
>  Then I followed the instructions in the Samba guide for configuring
> Kerberos and Samba, and got to the point where I could join to the domain,
> and use the samba commands:
>
>  net ads users           and     wbinfo -u
>  net ads groups          and     wbinfo -g
>
>  to see users and groups, but despite setting up nsswitch as described, it
> didn't seem to want to show me domain users via:
>
>  getent passwd [username]
>
>  I tried everything I could think of, read the logs (seeing no errors), and
> in a fit of frustration I eventually used ktrace to see what the heck was
> going on.
>  The answer is that getent (and by extension, probably everything using
> nsswitch via libc) was looking for /usr/lib/nss_winbind.so.0 (and couldn't
> find it where make install put it under /usr/pkg/lib).

I had it initially linked, which didn't work; it sprang to life when I
copied it to /usr/lib.

>
>  Now, at this point getent works as expected, and I can chown files to
> domain users and groups that don't have local entries (with proper UID/GID
> <---> SID mapping options in smb.conf).

I've got only a mapping for myself in the smbusers file - the rest get
automatic UIDs/GIDs, but right now this is not a problem, as I turned
off NIS usage on this machine in advance - it has caused me problems
before.

>
>  So, it's been a long (and fruitful) day.

Night, in my case - over the VPN . . .

>  I do have a couple more questions
> though...
>
>  1)  I was poking around, and I can't find any evidence that pam_winbind.so
> was ever built.  Are there any flags I have to add to build the PAM module
> for authenticating users (incoming ssh sessions, console logins, etc...)
> against Winbind?

It has been built for me in samba - see the pam option above. I copied
it from its default place to /usr/lib/security; now I can log in, as my
account is in the passwd file (nsswitch.conf passwd is 'file
winbind'), but the AD accounts still can't - it just silently
terminates the login and I could not find any log so far. If I try to
su to an AD user from a root window, I get:

% su - ci-test
su: pam_acct_mgmt: error in service module
zsh: exit 1     su - ci-test

Non-root su also returns
% su - ci-test
Password:
su: Sorry: authentication error

My guess is some magic will have to be applied to the files in
/etc/pam.d to make them use that module.

It's not too bad this way - allowing domain users share access only
may even be considered a security feature, like not allowing standard
users to log on to a W2Kx server by default. It would be better to
know how to solve it, though.

The next step is to install Unix identity management on the AD DCs and
synchronize NIS with them, automounting the home directories.


>
>  2) I noticed a couple of odd things with binding to the AD server:
>   a) It binds okay, but only if I supply a username and password of a domain
> admin.  How do I get it to bind at every boot with no manual interaction?
>   b) The binding seems to time out eventually, such that if I bind the
> machine, then run a "net ads user" for instance to show users, it works.  If
> I leave it alone for (say) an hour, and try another identical "net ads user"
> it times out.  *bleah*.

Mine seems to stay on all the time - I haven't seen anything like
this, although I haven't rebooted this box for over a week (it is
still building release).

>
>  In the interest of full disclosure, this machine is separated from the AD
> by a [fairly dumb] NAT.

On the same network, just a bunch of switches in between.

>   The other upshot of this is that I don't see
> netbios packets, so when I bind, I have to:
>
>  kinit username%DOMAIN.COM@localhost
>  net ads join -U username%DOMAIN.COM@localhost -S dns_name.of.ad_server
>
>  I hope that my experiences provide some insight for others, and that I may
> continue to gather insight from others.

It certainly helped me, together with the link from Chuck.

>
>         -lars
>
>
>
>  At 05:16 PM 4/28/2008, Chuck Swiger wrote:
>
> > Lars Friend wrote:
> >
> > > Hello All,
> > >    I was wondering if anybody knows of a comprehensive document
> explaining what steps need to be taken under NetBSD (I'm using 3.1 for the
> time being) to bind to an Active Directory server.
> > >
> >
> > You want Samba:
> >
> >
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
> >  http://wiki.samba.org/index.php/Samba_%26_Active_Directory
> >
> > Regards,
> > --
> > -Chuck
> >
>
>



-- 
----------------------------------------------------------------
/dev/random says:
        People say I'm apathetic, but I don't care.
----------------------------------------------------------------
Chavdar Ivanov | Talbot Way, Small Heath Business Park
Delcam UK | Birmingham B10 0HJ, United Kingdom
Customer Support | (+44)121-6831014
----------------------------------------------------------------

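Editor's added example, not code from either poster: a pre-flight script that checks the pieces this thread stumbled over before you run `net ads join`. It validates the AD-member essentials in smb.conf (a weak `security = user` file beside the corrected `security = ads` one), that nsswitch.conf lists winbind for passwd and group, that the pam.d service file routes both the auth and the account phase through pam_winbind.so (the `pam_acct_mgmt: error in service module` message above comes from the account phase), and that the modules exist where libc and OpenPAM actually look. The paths (/usr/lib/nss_winbind.so.0, /usr/lib/security/pam_winbind.so, /usr/pkg/lib) are taken from the posts and are assumptions about your install; the smb.conf keys use the Samba 3.0-era `idmap uid`/`idmap gid` range syntax current in 2008. The sample files are constructed inline so it runs offline. Note also that this archive munges addresses, so the quoted `username%DOMAIN.COM@localhost` in the kinit and `net ads join` lines should be read as `username@DOMAIN.COM`.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a NetBSD
# host that is to be a Samba/winbind member of an Active Directory domain.
# Paths are assumptions taken from the posts above: libc's nsswitch loads
# /usr/lib/nss_winbind.so.0 and OpenPAM loads /usr/lib/security/pam_winbind.so,
# while pkgsrc installs both under /usr/pkg/lib. smb.conf keys use the
# Samba 3.0-era syntax (idmap uid/gid ranges) that was current in 2008.

# Print the value of KEY from the [global] section of an smb.conf-style file.
smbconf_get() {  # smbconf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global]/); next }
        inglobal && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Report the AD-member essentials missing from an smb.conf: one problem per
# line on stdout, exit status 1 if anything was found, 0 if it is clean.
smbconf_check() {  # smbconf_check FILE
    rc=0
    sec=$(smbconf_get "$1" security | tr A-Z a-z)
    [ "$sec" = ads ] || { echo "security must be 'ads' for a domain member (got '${sec:-unset}')"; rc=1; }
    realm=$(smbconf_get "$1" realm)
    if [ -z "$realm" ]; then
        echo "realm is unset; kinit and 'net ads join' need the Kerberos realm"; rc=1
    elif [ "$realm" != "$(printf %s "$realm" | tr a-z A-Z)" ]; then
        echo "realm '$realm' is not upper case; Kerberos realm names are case sensitive"; rc=1
    fi
    for k in "idmap uid" "idmap gid"; do
        v=$(smbconf_get "$1" "$k")
        case "$v" in
            [0-9]*-[0-9]*) ;;
            *) echo "'$k' must be a LOW-HIGH range so domain SIDs map to stable IDs (got '${v:-unset}')"; rc=1 ;;
        esac
    done
    return $rc
}

# Check that passwd and group lookups in nsswitch.conf include winbind.
nsswitch_check() {  # nsswitch_check FILE
    rc=0
    for db in passwd group; do
        awk -v db="$db" '$1 ~ /^#/ { next } { key = $1; sub(/:$/, "", key) }
            key == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit !found }' "$1" \
            || { echo "nsswitch.conf: '$db:' does not list winbind"; rc=1; }
    done
    return $rc
}

# Check that a pam.d service file sends both the auth and the account phase
# through pam_winbind.so; "pam_acct_mgmt: error in service module" comes from
# the account phase, so an auth line alone is not enough to look at.
pamd_check() {  # pamd_check FILE
    rc=0
    for phase in auth account; do
        awk -v p="$phase" '$1 == p && $3 ~ /pam_winbind\.so/ { ok = 1 } END { exit !ok }' "$1" \
            || { echo "pam.d: no '$phase' line for pam_winbind.so in $1"; rc=1; }
    done
    return $rc
}

# libc and OpenPAM do not search /usr/pkg/lib, so the modules must exist
# where they look (the thread found a copy worked where a link did not).
modules_check() {  # modules_check NSS_PATH PAM_PATH
    rc=0
    [ -r "$1" ] || { echo "missing $1 (copy nss_winbind.so out of /usr/pkg/lib)"; rc=1; }
    [ -r "$2" ] || { echo "missing $2 (copy pam_winbind.so out of /usr/pkg/lib)"; rc=1; }
    return $rc
}

# Constructed sample input (not from the thread): a weak smb.conf beside the
# corrected one, plus nsswitch.conf and a pam.d/sshd with only an auth line.
TMP=$(mktemp -d) || exit 1
cat > "$TMP/smb.conf.bad" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = user
    realm = example.com
EOF
cat > "$TMP/smb.conf.good" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
EOF
printf 'passwd: files winbind\ngroup:  files winbind\n' > "$TMP/nsswitch.conf"
printf 'auth    sufficient pam_winbind.so\nauth    required   pam_unix.so\naccount required   pam_unix.so\n' > "$TMP/sshd"

echo "== $TMP/smb.conf.bad";  smbconf_check "$TMP/smb.conf.bad"  || true
echo "== $TMP/smb.conf.good"; smbconf_check "$TMP/smb.conf.good" && echo ok
nsswitch_check "$TMP/nsswitch.conf" && echo "nsswitch ok"
pamd_check "$TMP/sshd" || true
modules_check /usr/lib/nss_winbind.so.0 /usr/lib/security/pam_winbind.so || true
```

Run it as root on the member-to-be before the join; every line it prints is one of the silent failures described above (a lookup that never reaches winbind, a PAM phase that has no module to call, a library that libc cannot find) surfacing as a readable message instead of an empty `getent` or a terminated login.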
