On 18 Apr 2007, Bryan O'Neal wrote:

> Since I am chiming in three days late I suppose I should ask; have you
> got it working yet?

No, I do not :(.

> I can tell you how I do it and why.
>
> 0) I use Red Hat derivatives (FC5, FC6, RHEL4, and CentOS4) because they
> do this much easier for me than any other flavor.

That's what I've got in this instance.

Red Hat Enterprise Linux WS release 3 (Taroon Update 8)

$ rpm -qa | grep samba
samba-client-3.0.9-1.3E.10
samba-common-3.0.9-1.3E.10
samba-3.0.9-1.3E.10
redhat-config-samba-1.0.16-5

$ rpm -qa | grep krb
krbafs-1.1.1-11
pam_krb5-1.77-1
krb5-workstation-1.2.7-56
krb5-libs-1.2.7-56
krb5-devel-1.2.7-56
krbafs-utils-1.1.1-11
krbafs-devel-1.1.1-11

Do I have everything I need? Am I missing some kerberos stuff? If I am, where do I get it? This box doesn't have apt or yum and I've successfully avoided RedHat long enough to not remember vanilla RH.

> 1) I do join my nix boxes to the AD because I want single sign on and
> have need for basic user group permission sets. However if you want read
> or write to the world or if you don't mind managing multiple
> authentication schemes or if you get your AD to be subservient to your
> nix's then you do not need to do this.

The client would like the GNU/Linux box to be available in the same way as the m$ shares from the desktop user perspective.

> a. I use straight up Kerberos and the account you use to proxy
> the tickets must have administrative rights or you must set up an
> account with access to authenticate to and read all accounts in the AD
> node in question. I personally use the default Admin account because I
> deal with the Windows SBS server and it is just too funky to mess with.
> Also, as we all know, I am incredibly cavalier.

How do I determine what rights my machine's account has? Do I need to remind the account about its responsibilities as well? :)

Do I have to have kerberos running to authenticate to the AD? How do I test to see if I have kerberos setup properly?
> b. You must change the password of the account on the windows
> server at least once or else AD will not issue you a ticket via krb. It
> is a security "feature" that is only reasonably well documented by MS.
> c. I use winbind to get all of my user and group listings from
> Windows. I have seen it work with LDAP but never where an AD server was
> not the primary LDAP server. Even then you have to have pretty open
> trust relationships pushed through the forest or else it chokes up on
> you. This is just my experience, your mileage may vary.

AD will be the primary LDAP server for now.

thanks,
der.hans

> d. If you are using winbind and samba, do not use any of the
> GUI's to join the server to the domain (I am sure this is not a problem
> for you ;) as you must issue a clean ADS join command or else it will
> join like some legacy win98 system and your domain permissions will not
> work correctly.
>
> 2) Once you join correctly there is a matter of permissions. I use
> standard out of the box ACL's as I don't need much more than standard
> RWX; the 169 different permission combinations available to each
> user/group for every file/folder in windows is just overkill for my
> small business. However I do need the ability for someone to have
> permission to /some/folder/that/lives/here/example.mpg without having
> permission to anything else in /some/.
> a. Mount partition with ACL support
> b. Set ACL's on the files
> c. Realize you just get RWX
> d. Understand that you must trust your krb and acl and not smb
> to handle permissions.
> e. Know that RWX gives the windows user the right to give any
> one else in your domain RWX.
> f. mount smb shares and browse to them from windows network
> neighborhood.
>
> And yes I let my users handle their own permission settings from windows.
> If someone is making six figures and is in charge of an entire
> department it is not my job to babysit what permissions they give their
> people in their folders.
>
> -----Original Message-----
> From: plug-discuss-bounces@lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of
> Jeremy C. Reed
> Sent: Wednesday, April 18, 2007 6:28 AM
> To: Main PLUG discussion list
> Subject: Re: samba help
>
>> I'm trying to advertise shares from a RHEL3 box to an m$ domain.
>>
>> I gather one must first get the box to join the domain. The account
>> that joins the domain has to have administrator rights?
>>
>> I have been given a userid and password for the domain, but they're
>> not working.
>>
>> $ smbclient -L $pdcname -U $username
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>
> What type of Microsoft server?
>
> Maybe in your smb.conf use:
>
> client ntlmv2 auth = yes
>
> Check your smb.conf(5) man page about what that breaks too.
>
> Or make changes on your Windows system for LMCompatibility. See
> http://www.microsoft.com/technet/community/columns/profwin/pw0203.mspx
> or
> http://support.microsoft.com/default.aspx?scid=KB;en-us;239869
>
> Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
# https://www.LuftHans.com/ http://www.CiscoLearning.org/
# "We are better than we think, not quite what we want to be."
# -- Nikki Giovanni, 17Apr2007
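The ADS member setup Bryan walks through in steps 0-2, together with Jeremy's `client ntlmv2 auth` suggestion, as an added configuration example for Samba 3.0.x that is not part of any message in this thread; the realm EXAMPLE.LOCAL, the domain controller dc1.example.local, the idmap ranges and the share path are placeholder assumptions:

```ini
; /etc/krb5.conf (added example; placeholder realm and KDC names)
[libdefaults]
    default_realm = EXAMPLE.LOCAL
    ; AD publishes KDC locations as DNS SRV records
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    EXAMPLE.LOCAL = {
        kdc = dc1.example.local
        admin_server = dc1.example.local
    }

[domain_realm]
    .example.local = EXAMPLE.LOCAL
    example.local = EXAMPLE.LOCAL

; /etc/samba/smb.conf (added example)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    ; ADS member: authenticate against the DC with Kerberos (steps 1, 1a)
    security = ads
    password server = dc1.example.local
    encrypt passwords = yes
    ; NTLMv2 responses for DCs that refuse LM/NTLMv1 and answer
    ; NT_STATUS_LOGON_FAILURE (Jeremy's suggestion; see smb.conf(5))
    client ntlmv2 auth = yes
    ; winbind supplies the user and group listings from AD (step 1c)
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    template homedir = /home/%D/%U
    ; permissions come from Kerberos identity plus filesystem ACLs,
    ; not from smb itself (step 2d)
    nt acl support = yes
    inherit acls = yes

[shared]
    path = /srv/shared
    read only = no
    ; everyone in the domain can reach the share; per-file ACLs decide
    ; who actually gets RWX (steps 2b, 2e)
    valid users = @"Domain Users"
```

Mount the filesystem under the share path with the `acl` option (step 2a), then `kinit user@EXAMPLE.LOCAL` and `klist` exercise Kerberos alone before anything touches Samba. After `net ads join -U Administrator`, `net ads testjoin` and `wbinfo -t` confirm the machine account and the trust, and `wbinfo -u` shows whether winbind is really listing domain users.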