  1. #1
    Just Joined!
    Join Date
    Apr 2010
    Posts
    2

    AD Authentication problem with OpenSuse11.2


    Hi there,

    I planned to use Squid on my W2k3 network, because I'm tired of ISA2k6... it's a **** factory in itself. So, I just installed a VM with OpenSuse 11.2 and joined it to my AD W2k3 domain. After correcting the clock problems, everything is running fine except a strange feature that I was not able to solve.

    After a reboot, I'm not able to log in with a domain account. I enter the username/password, choose the domain, then the input fields become grey for 1-2 seconds, then the password field is reset and nothing happens.
    The strangest part comes when you log on with the local root account. You log in as root, then log off and log in with any domain account: works like a charm...

    Kerberos is working fine, system clock's correct... well, any idea please? Tell me if you need the conf files and which ones.

    Best

  2. #2
    Linux Guru gogalthorp's Avatar
    Join Date
    Oct 2006
    Location
    West (by God) Virginia
    Posts
    3,104
    You have samba setup?

  3. #3
    Just Joined!
    Join Date
    Apr 2010
    Posts
    2
    Hi,

    Sure:

    Code:
    # smb.conf is the main Samba configuration file. You find a full commented
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
    # samba-doc package is installed.
    # Date: 2010-03-15
    [global]
    	security = ads
    	netbios name = TESTSQUID1
    	realm = TEST.LOCAL
    	password server = testdc1.isl.local
    	workgroup = TEST
    	idmap uid = 500-10000000
    	idmap gid = 500-10000000
    	winbind separator = +
    	winbind enum users = no
    	# value as posted was "nokinit", which is not a valid boolean; corrected to "no"
    	winbind enum groups = no
    	winbind use default domain = yes
    	template homedir = /home/%D/%U
    	template shell = /bin/bash
    	client use spnego = yes
    	domain master = no
    [homes]
    	comment = Home Directories
    	valid users = %S, %D%w%S
    	browseable = No
    	read only = No
    	inherit acls = Yes
    [profiles]
    	comment = Network Profiles Service
    	path = %H
    	read only = No
    	store dos attributes = Yes
    	create mask = 0600
    	directory mask = 0700
    [users]
    	comment = All users
    	path = /home
    	read only = No
    	inherit acls = Yes
    	veto files = /aquota.user/groups/shares/
    [groups]
    	comment = All groups
    	path = /home/groups
    	read only = No
    	inherit acls = Yes
    [printers]
    	comment = All Printers
    	path = /var/tmp
    	printable = Yes
    	create mask = 0600
    	browseable = No
    [print$]
    	comment = Printer Drivers
    	path = /var/lib/samba/drivers
    	write list = @ntadmin root
    	force group = ntadmin
    	create mask = 0664
    	directory mask = 0775
    
    ## Share disabled by YaST
    # [netlogon]
    Thank you for spending a few minutes with this

  4. #4
    Linux Newbie
    Join Date
    Mar 2007
    Posts
    142
    A quick response for this moment.

    Normally the security settings are:
    share
    user
    server
    domain

    It is domain if you have a domain controller active on your network.
    Samba can also fulfill this task (the samba server).
    Otherwise there is a master browser active on the network.
    But samba can also do this by the OS level settings.

    When you use a domain you cannot use a workgroup.
    It's either one of them.
    You use winbind if there is another server active than the samba server.

  5. #5
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,755
    Quote Originally Posted by linuxforever
    A quick response for this moment.

    Normally the security settings are:
    share
    user
    server
    domain
    Bad info. Set up Samba in the last 5 years? ADS = Active Directory integration using Kerberos. "Domain" = NT4-style NTLM authentication. "ADS" has been in use for *a long time.*

    To the OP:

    I would review the PAM settings and ensure winbind is enabled correctly - maybe change the order and move winbind up in the list. Jack up the logging in winbind and review it for domain login failures. Another guess would be that there are network settings that are not being enabled until a user logs in - such as the NIC being under the control of Network Manager. If the NIC doesn't get enabled/IP'ed until the user logs in, the machine can't contact network resources for login auth.
    Last edited by HROAdmin26; 04-16-2010 at 03:43 PM.
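An added check for the PAM-ordering suggestion above (example code, not from the thread or from Samba): a shell function that reads a PAM auth stack and flags the case where a "required" pam_unix/pam_unix2 line sits in front of pam_winbind, which is what stops a domain account before winbind is ever consulted. The two sample stacks are constructed; the openSUSE 11.2 layout (common-auth with pam_unix2) is an assumption.

```shell
#!/bin/sh
# Constructed sample of an openSUSE-style /etc/pam.d/common-auth in which pam_unix2
# runs first as "required": a domain account fails the local check and the stack
# stops before pam_winbind is reached (only local users such as root get in).
BROKEN_STACK='auth  required    pam_env.so
auth  required    pam_unix2.so    try_first_pass
auth  required    pam_winbind.so  use_first_pass'

# The same stack with winbind moved up; "sufficient" lets either backend succeed.
FIXED_STACK='auth  required    pam_env.so
auth  sufficient  pam_winbind.so
auth  sufficient  pam_unix2.so    try_first_pass
auth  required    pam_deny.so'

# check_auth_stack: reads a PAM file on stdin. Returns 0 when pam_winbind is present
# on the auth facility and no "required" pam_unix/pam_unix2 line precedes it;
# returns 1 (and prints the reason) otherwise.
check_auth_stack() {
  awk '
    $1 == "auth" {                      # comment lines start with "#", so they never match
      n++
      if ($3 ~ /pam_winbind/) { wb = n; wbctl = $2 }
      if ($3 ~ /pam_unix/)    { ux = n; uxctl = $2 }   # also matches pam_unix2.so
    }
    END {
      if (!wb) { print "pam_winbind.so missing from the auth stack"; exit 1 }
      if (ux && ux < wb && uxctl == "required") {
        print "required pam_unix before pam_winbind: domain users never reach winbind"
        exit 1
      }
      print "ok: pam_winbind at auth position " wb " (" wbctl ")"
    }'
}

printf '%s\n' "$BROKEN_STACK" | check_auth_stack || echo "(broken stack rejected, as expected)"
printf '%s\n' "$FIXED_STACK"  | check_auth_stack
```

On a real box, feed it the file actually used by the login manager (e.g. `check_auth_stack < /etc/pam.d/common-auth`), since xdm/kdm include that stack.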

  6. #6
    Linux Newbie
    Join Date
    Mar 2007
    Posts
    142
    Thank you HROAdmin26 for your fine comment.

    First, it was no bad info that I gave.
    Because "normally" one would use the security settings mentioned by me.
    If you have understood and mastered the server and domain settings and got them working you are in business.
    In that case you can use the ads settings using kerberos and having installed that.
    But that is a bit more complex as the question lets us see.
    Using ads is a choice but it's not better than server or domain.

    But true, samba is complex and even some folks don't even get the user settings working.
    You have to understand what the master browser is and a domain controller and a primary domain controller.
    All these settings you have to do correctly in the samba settings.

    And for the rest, I'm only trying to help someone (or others).

  7. #7
    Linux Guru
    Join Date
    Nov 2007
    Posts
    1,755
    Quote Originally Posted by linuxforever
    Using ads is a choice but it's not better than server or domain.
    ADS would be the recommended method (from the Samba Dev's) since the advent of Active Directory (Win2000) and its inclusion in Samba. Using "security = server" is NOT recommended by Samba. In a Samba Dev's words it is an "ugly man-in-the-middle hack...that should not be used any longer."

    If you have an AD environment where legacy, insecure Windows systems are not allowed to connect, NT4-style authentication will be denied. This will not allow security = domain.

    Quote Originally Posted by linuxforever
    You have to understand what the master browser is and a domain controller and a primary domain controller.
    While AD has a FSMO role called "PDC Emulator," there is no primary DC in an AD environment. This is important, since AD has been in use since the introduction of Windows 2000. This is not new - while security = ADS started out rocky, it has been in majority use for many years.

    For my own .02, I will take "solid, fact-based information" over "good intentions" that cause misunderstanding/more problems every day of the week and twice on Sunday.
