Date: Mon, 26 Jan 2004 19:29:07 -0500
From: "Will Saxon" <WillS@housing.ufl.edu>
To: "Tim Aslat" <tim@spyderweb.com.au>
Cc: current@freebsd.org
Subject: RE: nss_winbind support
Message-ID: <0E972CEE334BFE4291CD07E056C76ED8CBBE22@bragi.housing.ufl.edu>
Note: long.

> -----Original Message-----
> From: Tim Aslat [mailto:tim@spyderweb.com.au]
> Sent: Monday, January 26, 2004 4:38 PM
> To: Will Saxon
> Cc: current@freebsd.org
> Subject: Re: nss_winbind support
>
> I'm glad someone has. Did you use the ports or install from source?

I used the port, although it does not install the PAM or nss_winbind modules at all; I did that by hand.

> I've spent several weeks (on and off) trying to get ADS support in samba
> 3 and it's driving me up the wall.

Well, I have been fighting with this for about the same amount of time. My main resource is a paper copy of the Official Samba-2 HOWTO and Reference Guide, but it does not seem to consider FreeBSD 5.x at all. The only FreeBSD information I saw was lumped in with Linux and was not applicable to 5.x (pam stuff).

> have installed heimdal from ports, and build samba with
> KRB5_HOME=/usr/local but any reference to net ads gives me "ADS support
> not compiled in"

Do you have an LDAP library installed? You must have LDAP for ADS support to be compiled in. I chose the openldap21-server port and compiled it with -DWITH_SASL for kicks. I don't think the -DWITH_SASL ends up making any difference.

I have tried the base distro of Heimdal as well as the Heimdal from ports. I am currently using the Heimdal from ports because I wanted to try compiling in LDAP support. Samba compiled against the included Heimdal vs. the ports Heimdal with LDAP support seems to operate the same.

Despite what the HOWTO indicates, I am not able to join the domain without an /etc/krb.conf. It looks like the ldap server is detected right and it tries to authenticate, but I get errors like this when I turn debug mode on:

[2004/01/26 18:52:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No such file or directory)
[2004/01/26 18:52:36, 1] libsmb/clikrb5.c:ads_krb5_mk_req(276)
  krb5_get_credentials failed for machine_account$@REALM_NAME (Unknown error -1765328343)
[2004/01/26 18:52:36, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: Operations error
[2004/01/26 18:52:36, 2] utils/net.c:main(758)
  return code = -1

The 'use if you have a pre-0.6 Heimdal' skeleton krb5.conf settings they put in the book work for me. They list it in section 6.4.2 of the HOWTO, which is also available online I think.

I also had to use the 'password server = <ip>' entry in my smb.conf file since it was resolving a non-GC domain controller first and seemed to not work when not using a GC Domain Controller.

At this point, with OpenLDAP, Heimdal and Samba installed I am able to:

  net ads join -U <username>

and I can then join the domain. After starting nmbd, smbd and winbindd I am then able to do the wbinfo stuff as suggested by the docs.

> > I may have just missed it but there doesn't seem to be a lot of
> > information available on how to set Samba 3 up under FreeBSD 5.x to
> > use nss_winbind and pam_winbind. What information I have found doesn't
> > seem to work, maybe because it focuses on joining the domain as an
> > NT-style domain member vs. Active Directory-style membership.
>
> Sorry I can't help with this one, still working it out myself.

Well, so far I have copied the libnss_winbind.so and libnss_wins.so files from the samba-3.0.0/source/nsswitch dir to /usr/local/lib and updated the library cache. It finds the libraries. I have edited /etc/nsswitch.conf to include winbind as a source but it doesn't seem to work. The utility the HOWTO suggests, getent, is not available. I tried 'pw <user/group> show <username/groupname>' instead without success.

When I initially started working on this, my user account name on the samba server was the same as my account name on the domain. This was causing me to not be able to enumerate users/groups with wbinfo no matter what I tried. However, I WAS able to at least access the shares I had set up on the server. I changed my user name and was then able to use wbinfo, but now I am no longer able to access any shares. I am presented with a 'please enter username and password' dialog and nothing I enter seems to work. I tried adding a password via smbpasswd but that did not work either.

So this is where I am: stumped.

-Will
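A pre-flight check for the setup walked through in this message, added here as an example and not part of the original thread or of Samba itself: it verifies the pieces Will lists (a krb5.conf present, smb.conf in ADS mode naming the realm and an explicit 'password server', and nsswitch.conf listing winbind for passwd and group) against constructed sample files in a temporary directory. The realm EXAMPLE.COM and address 192.0.2.10 are placeholders, and the krb5.conf is a minimal generic shape, not the HOWTO's section 6.4.2 skeleton.

```sh
#!/bin/sh
# Pre-flight check for a Samba 3 ADS member using nss_winbind (added example).
# Usage: check_ads_member SMB_CONF NSSWITCH_CONF KRB5_CONF; exit status 0 = complete.
check_ads_member() {
    smbconf="$1"; nssconf="$2"; krbconf="$3"; rc=0
    # The domain join only worked once a Kerberos client config existed.
    [ -f "$krbconf" ] || { echo "missing $krbconf"; rc=1; }
    # smb.conf must select ADS mode, name the realm, and pin a (GC) password server.
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$smbconf" \
        || { echo "smb.conf: 'security = ads' not set"; rc=1; }
    for key in realm 'password server'; do
        grep -Eiq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$smbconf" \
            || { echo "smb.conf: '$key' not set"; rc=1; }
    done
    # nsswitch.conf must list winbind as a source for both passwd and group.
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" "$nssconf" \
            || { echo "nsswitch.conf: $db does not use winbind"; rc=1; }
    done
    return $rc
}

# Constructed sample files (placeholder realm and address, not a real site).
tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   password server = 192.0.2.10
   encrypt passwords = yes
EOF
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
   default_realm = EXAMPLE.COM
[realms]
   EXAMPLE.COM = { kdc = 192.0.2.10 }
EOF
printf 'passwd: files winbind\ngroup: files winbind\n' > "$tmp/nsswitch.conf"
printf 'passwd: files\ngroup: files\n' > "$tmp/nsswitch-nowinbind.conf"

good_config() { check_ads_member "$tmp/smb.conf" "$tmp/nsswitch.conf" "$tmp/krb5.conf"; }
# Same host, but nsswitch.conf was never updated to add winbind.
bad_config()  { check_ads_member "$tmp/smb.conf" "$tmp/nsswitch-nowinbind.conf" "$tmp/krb5.conf"; }

good_config && echo "ADS member configuration looks complete"
```

Point the three arguments at /usr/local/etc/smb.conf, /etc/nsswitch.conf and /etc/krb5.conf to run it against a real host.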