On 18 Apr 2007, Bryan O'Neal wrote:
> Since I am chiming in three days late I suppose I should ask; have you
> got it working yet?
No, I do not :(.
> I can tell you how I do it and why.
>
> 0) I use Red Hat derivatives (FC5, FC6, RHEL4, and CentOS4) because they
> do this much easier for me than any other flavor.
That's what I've got in this instance.
Red Hat Enterprise Linux WS release 3 (Taroon Update 8)
$ rpm -qa | grep samba
samba-client-3.0.9-1.3E.10
samba-common-3.0.9-1.3E.10
samba-3.0.9-1.3E.10
redhat-config-samba-1.0.16-5
$ rpm -qa | grep krb
krbafs-1.1.1-11
pam_krb5-1.77-1
krb5-workstation-1.2.7-56
krb5-libs-1.2.7-56
krb5-devel-1.2.7-56
krbafs-utils-1.1.1-11
krbafs-devel-1.1.1-11
Do I have everything I need? Am I missing some kerberos stuff?
If I am where do I get it? This box doesn't have apt or yum and I've
successfully avoided RedHat long enough to not remember vanilla RH.
> 1) I do join my nix boxes to the AD because I want single sign on and
> have need for basic user group permission sets. However if you want read
> or write to the world or if you don't mind managing multiple
> authentication schemes or if you get your AD to be subservient to your
> nix boxes then you do not need to do this.
The client would like the GNU/Linux box to be available in the same way as
the m$ shares from the desktop user perspective.
> a. I use straight up Kerberos and the account you use to proxy
> the tickets must have administrative rights or you must set up an
> account with access to authenticate to and read all accounts in the AD
> node in question. I personally use the default Admin account because I
> deal with the Windows SBS server and it is just too funky to mess with.
> Also, as we all know, I am incredibly cavalier.
How do I determine what rights my machine's account has?
Do I need to remind the account about its responsibilities as well? :)
Do I have to have kerberos running to authenticate to the AD? How do I
test to see if I have kerberos setup properly?
> b. You must change the password of the account on the windows
> server at least once or else AD will not issue you a ticket via krb. It
> is a security "feature" that is only reasonably well documented by MS.
> c. I use winbind to get all of my user and group listings from
> Windows. I have seen it work with LDAP but never where an AD server was
> not the primary LDAP server. Even then you have to have pretty open
> trust relationships pushed through the forest or else it chokes up on
> you. This is just my experience, your mileage may vary.
AD will be the primary LDAP server for now.
thanks,
der.hans
> d. If you are using winbind and samba, do not use any of the
> GUI's to join the server to the domain (I am sure this is not a problem
> for you ;) as you must issue a clean ADS join command or else it will
> join like some legacy win98 system and your domain permissions will not
> work correctly.
>
> 2) Once you join correctly there is a matter of permissions. I use
> standard out of the box ACL's as I don't need much more than standard
> RWX, the 169 different permission combinations available to each
> user/group for every file/folder in windows is just overkill for my
> small business. However I do need the ability for someone to have
> permission to /some/folder/that/lives/here/example.mpg without having
> permission to anything else in /some/.
> a. Mount partition with ACL support
> b. Set ACL's on the files
> c. Realize you just get just RWX
> d. Understand that you must trust your krb and acl and not smb
> to handle permissions.
> e. Know that RWX gives the windows user the right to give
> anyone else in your domain RWX.
> f. mount smb shares and browse to them from windows network
> neighborhood.
>
> And yes I let my users handle their own permission settings from windows.
> If someone is making six figures and is in charge of an entire
> department it is not my job to babysit what permissions they give their
> people in their folders.
>
> -----Original Message-----
> From: plug-discuss-bounces@lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of
> Jeremy C. Reed
> Sent: Wednesday, April 18, 2007 6:28 AM
> To: Main PLUG discussion list
> Subject: Re: samba help
>
>> I'm trying to advertise shares from a RHEL3 box to an m$ domain.
>>
>> I gather one must first get the box to join the domain. The account
>> that joins the domain has to have administrator rights?
>>
>> I have been given a userid and password for the domain, but they're
>> not working.
>>
>> $ smbclient -L $pdcname -U $username
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>
> What type of Microsoft server?
>
> Maybe in your smb.conf use:
>
> client ntlmv2 auth = yes
>
> Check your smb.conf(5) man page about what that breaks too.
>
> Or make changes on your Windows system for LMCompatibility. See
> http://www.microsoft.com/technet/community/columns/profwin/pw0203.mspx
> or
> http://support.microsoft.com/default.aspx?scid=KB;en-us;239869
>
>
> Jeremy C. Reed
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
# https://www.LuftHans.com/ http://www.CiscoLearning.org/
# "We are better than we think, not quite what we want to be."
# -- Nikki Giovanni, 17Apr2007
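A small audit of the smb.conf settings this thread turns on: Bryan's clean ADS join with winbind id mapping, and Jeremy's `client ntlmv2 auth = yes` suggestion for the NT_STATUS_LOGON_FAILURE. This is an added example, not code from the thread or from Samba; the REQUIRED/MUST_BE_SET baseline is an assumed checklist and both sample configs are constructed.

```python
import configparser
import io

# Assumed baseline for a Samba 3.0-era member server joining AD via "net ads join":
# an ADS-style join (not a legacy-style one), NTLMv2-only client auth, and the
# winbind id ranges. Illustrative checklist, not taken from Samba's docs.
REQUIRED = {
    "security": "ads",            # ADS member, not a legacy win98-style domain join
    "encrypt passwords": "yes",
    "client ntlmv2 auth": "yes",  # Jeremy's suggestion; stops LM/NTLMv1 to the DC
    "client lanman auth": "no",
    "client plaintext auth": "no",
}
MUST_BE_SET = ("realm", "workgroup", "idmap uid", "idmap gid")  # join + winbind


def _norm(value):
    """Fold Samba's boolean spellings (yes/true/1, no/false/0) to yes/no."""
    v = value.strip().lower()
    return {"true": "yes", "1": "yes", "false": "no", "0": "no"}.get(v, v)


def audit_smb_conf(text):
    """Return sorted findings for [global]; an empty list means the baseline is met."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = lambda k: " ".join(k.lower().split())  # smb.conf keys are case-insensitive
    cp.read_file(io.StringIO(text))
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    for key, want in REQUIRED.items():
        have = g.get(key)
        if have is None:
            findings.append(f"missing: {key} = {want}")
        elif _norm(have) != want:
            findings.append(f"weak: {key} = {have.strip()} (want {want})")
    for key in MUST_BE_SET:
        if not (g.get(key) or "").strip():
            findings.append(f"unset: {key}")
    return sorted(findings)


# Constructed samples: a legacy-style member config, then one set up for an ADS join.
WEAK_CONF = "[global]\nworkgroup = EXAMPLE\nsecurity = user\nclient ntlmv2 auth = no\n"
ADS_CONF = """[global]
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
security = ads
encrypt passwords = yes
client ntlmv2 auth = yes
client lanman auth = no
client plaintext auth = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = yes
"""
```

Run `audit_smb_conf` over the real /etc/samba/smb.conf before issuing `net ads join`; it flags the legacy-style settings that produce the win98-like join Bryan describes.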