-
04-15-2010 #1
- Join Date
- Apr 2010
- Posts
- 2
AD Authentication problem with OpenSuse11.2
I planned to use Squid on my W2k3 network, because I'm tired of ISA2k6... it's a **** factory in itself. So, I just installed a VM with OpenSuse 11.2 and joined it to my AD W2k3 domain. After correcting the clock problems, everything is running fine except a strange feature that I was not able to solve.
After a reboot, I'm not able to log in with a domain account. I enter the username/password and choose the domain; then the input fields become grey for 1-2 seconds, the password field is reset and nothing happens.
The strangest part comes when you log on with the local root account. You log in as root, then log off and log in with any domain account: works like a charm...
Kerberos is working fine, the system clock is correct... well, any idea please? Tell me if you need the conf files and which ones.
Best
-
04-15-2010 #2
-
04-16-2010 #3
- Join Date
- Apr 2010
- Posts
- 2
Hi,
Sure :
Code:
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2010-03-15
[global]
	security = ads
	netbios name = TESTSQUID1
	realm = TEST.LOCAL
	password server = testdc1.isl.local
	workgroup = TEST
	idmap uid = 500-10000000
	idmap gid = 500-10000000
	winbind separator = +
	winbind enum users = no
	winbind enum groups = no
	winbind use default domain = yes
	template homedir = /home/%D/%U
	template shell = /bin/bash
	client use spnego = yes
	domain master = no
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775
## Share disabled by YaST
# [netlogon]
-
04-16-2010 #4
- Join Date
- Mar 2007
- Posts
- 142
A quick response for this moment.
Normally the security settings are:
share
user
server
domain
It is domain if you have a domain controller active on your network.
Samba can also fulfill this task (the samba server).
Otherwise there is a master browser active on the network.
But samba can also do this by the OS level settings.
When you use a domain you cannot use a workgroup.
It's either one of them.
You use winbind if there is another server active than the samba server.
-
04-16-2010 #5
- Join Date
- Nov 2007
- Posts
- 1,875
Bad info. Set up Samba in the last 5 years? ADS = Active Directory integration using Kerberos. "Domain" = NT4-style NTLM authentication. "ADS" has been in use for *a long time.*
To the OP:
I would review the PAM settings and ensure winbind is enabled correctly - maybe change the order and move winbind up in the list. Jack up the logging in winbind and review it for domain login failures. Another guess would be that there are network settings that are not being enabled until a user logs in - such as the NIC being under the control of Network Manager. If the NIC doesn't get enabled/IP'ed until the user logs in, the machine can't contact network resources for login auth.
Last edited by HROAdmin26; 04-16-2010 at 03:43 PM.
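A small POSIX shell lint, added here and not code from the thread, that checks an smb.conf [global] section for an AD join set up the way the file in post #3 is, and the PAM auth stack the way post #5 suggests. The file paths and the sample inputs are constructed; it goes slightly beyond the thread by also flagging winbind enum values that are not yes/no, the kind of damage a stray token merged into a line causes.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread: lints the two places the
# replies point at, the [global] section of smb.conf and the PAM auth stack.
# Inputs built below are constructed samples modelled on the posted smb.conf;
# on a real host point it at /etc/samba/smb.conf and /etc/pam.d/common-auth.
# Print the value of one [global] key from an smb.conf (empty if absent).
smb_get() {  # usage: smb_get "key name" /path/to/smb.conf
  sed -n '/^\[global\]/,/^\[/p' "$2" | grep -v '^[[:space:]]*#' \
    | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
    | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 only if smb.conf looks consistent for security = ads; print findings.
check_smbconf() {
  rc=0
  sec=$(smb_get security "$1" | tr 'A-Z' 'a-z')
  realm=$(smb_get realm "$1")
  dc=$(smb_get "password server" "$1")
  [ "$sec" = ads ] || { echo "security = '$sec': expected ads (NT4-style auth may be refused by AD)"; rc=1; }
  [ "$realm" = "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ] || { echo "realm '$realm' should be upper-case"; rc=1; }
  # A DC's DNS suffix normally equals the Kerberos realm; a mismatch is worth verifying.
  sfx=$(printf '%s' "$dc" | cut -d. -f2- | tr 'a-z' 'A-Z')
  [ -z "$dc" ] || [ "$sfx" = "$realm" ] || { echo "password server '$dc' is not under realm '$realm'"; rc=1; }
  for k in "winbind enum users" "winbind enum groups"; do   # catches a stray token merged into the value
    v=$(smb_get "$k" "$1")
    case "$v" in ''|yes|no) ;; *) echo "$k = '$v' is not yes/no"; rc=1 ;; esac
  done
  return $rc
}

# Return 0 if pam_winbind.so is in the auth stack and listed before pam_unix*.so
# (the "move winbind up" suggestion); otherwise print what was found.
check_pam_auth() {
  wb=$(grep -n '^auth.*pam_winbind\.so' "$1" | head -n 1 | cut -d: -f1)
  ux=$(grep -n '^auth.*pam_unix[0-9]*\.so' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$wb" ] || { echo "pam_winbind.so missing from the auth stack"; return 1; }
  [ -z "$ux" ] || [ "$wb" -lt "$ux" ] || { echo "pam_winbind.so (line $wb) is after pam_unix (line $ux)"; return 1; }
}
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/smb.conf" <<'EOF'
[global]
  security = ads
  realm = TEST.LOCAL
  password server = testdc1.isl.local
  winbind enum groups = nokinit
EOF
printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_winbind.so' \
  'auth required pam_unix2.so use_first_pass' > "$tmp/common-auth"
check_smbconf "$tmp/smb.conf" || echo "smb.conf: review the findings above"
check_pam_auth "$tmp/common-auth" && echo "PAM auth stack: winbind is enabled"
```

On the constructed sample the smb.conf check reports the realm/password-server mismatch and the damaged enum value, while the PAM check passes.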
-
04-16-2010 #6
- Join Date
- Mar 2007
- Posts
- 142
Thank you HROAdmin26 for your fine comment.
First, it was no bad info that I gave.
Because "normally" one would use the security settings mentioned by me.
If you have understood and mastered the server and domain settings and got them working, you are in business.
In that case you can use the ads settings using kerberos and having installed that.
But that is a bit more complex than the question lets us see.
Using ads is a choice but it's not better than server or domain.
But true, samba is complex and even some folks don't even get the user settings working.
You have to understand what the master browser is and a domain controller and a primary domain controller.
All these settings you have to do correctly in the samba settings.
And for the rest, I'm only trying to help someone (or others).
-
04-16-2010 #7
- Join Date
- Nov 2007
- Posts
- 1,875
Using ads is a choice but it's not better than server or domain.
If you have an AD environment where legacy, insecure Windows systems are not allowed to connect, NT4-style authentication will be denied. This will not allow security = domain.
You have to understand what the master browser is and a domain controller and a primary domain controller.
For my own .02, I will take "solid, fact-based information" over "good intentions" that cause misunderstanding/more problems every day of the week and twice on Sunday.