Configuring Samba (*nix forum, Technical) - page 2 of 2, posts 16 to 28
  1. #16 dhicks
    It turns out that the line:

    Code:
    template shell = /bin/bash
    In the "global" section of smb.conf is actually important - users can't open a shell otherwise, and if they can't open a shell they can't log in via SSH, and if they can't log in via SSH they can't log on to an LTSP client...

    --
    David Hicks
    Last edited by dhicks; 11th June 2010 at 12:59 PM.

  2. #17 dhicks
    Just to add a quick update: it turns out the above all allows for file server access via Samba, but doesn't let users actually log in via a shell. It turns out you have to configure PAM to allow users to do this. The easiest thing seems to be to add the following line to the top of /etc/pam.d/common-auth:

    Code:
    auth    sufficient      /lib/security/pam_winbind.so
    And the following to the top of /etc/pam.d/common-account:

    Code:
    account sufficient      /lib/security/pam_winbind.so
    These two files are included by the login and sshd PAM configs, letting users log in with their domain usernames and passwords either direct to a console or via SSH. It also gets included by whatever it is that SquirrelMail uses for authentication, letting users log in to check SquirrelMail, which was what I was aiming for...

    --
    David Hicks

  3. #18 dhicks
    Right, so now I've got to join a Debian Squeeze machine to a Windows Server 2008 R2 Domain Controller. I have to turn on compatibility for older forms of authentication:

    The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default

    That works fine, but does anyone have any idea how I get Debian to support authentication that works with Windows Server 2008 R2's default authentication settings?

  4. #19 CyberNerd
    Before we introduced 2008R2 we needed to upgrade the samba servers. I don't remember which version, but the version on rhel6.x worked without change to windows.


  6. #20 morganw
    Quote Originally Posted by dhicks:
    Right, so now I've got to join a Debian Squeeze machine to a Windows Server 2008 R2 Domain Controller. I have to turn on compatibility for older forms of authentication:

    The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default

    That works fine, but does anyone have any idea how I get Debian to support authentication that works with Windows Server 2008 R2's default authentication settings?
    I was testing this setup last week. This was purely a test environment rather than a live system, a brand new test domain on a 2008R2 DC, and two test Samba servers with the default packages in Debian Squeeze. I tested a server with security = domain, and the other with security = ads and I seemed to get single sign-on with both approaches (tested from a Windows 7 client).

    I had this set at the top of the OU structure (alongside the default domain policy):
    Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies/Security Options / Network Security / Network Security: LAN Manager authentication level - Send LM & NTLM - use NTLMv2 session security if negotiated.

    Is this the same as what you had done to make it work?


  8. #21 morganw
    Actually I've just found that if I tried it without the above settings it was still working. I've also just tried forcing NTLMv2 on the Windows client and client ntlmv2 = yes (I think this only allows NTLMv2 auth and nothing else) on the server, and everything is still working.

  9. #22 dhicks
    Quote Originally Posted by CyberNerd:
    Before we introduced 2008R2 we needed to upgrade the samba servers. I don't remember which version, but the version on rhel6.x worked without change to windows.
    I installed Samba on Debian Squeeze (the current release version) with:

    apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

    That should be up-to-date, Debian should simply go and get the latest version of everything, unless of course Debian's Samba packages are simply not as up-to-date as RedHat's or I'm meant to be installing a different version of Kerberos?

  10. #23 CyberNerd
    Quote Originally Posted by dhicks:
    I installed Samba on Debian Squeeze (the current release version) with:

    apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

    That should be up-to-date, Debian should simply go and get the latest version of everything, unless of course Debian's Samba packages are simply not as up-to-date as RedHat's or I'm meant to be installing a different version of Kerberos?
    The problem we had was with a version prior to 3.4.3, which has a fix for 2008 trust relationships:
    Samba - Release Notes Archive

    At least I think that was the problem. Everything worked fine after the upgrade.


  12. #24 dhicks
    Quote Originally Posted by morganw:
    Is this the same as what you had done to make it work?
    No, I haven't got as far as NTLM single sign-on yet, I'm simply trying to get a Linux server to authenticate user logins against a Windows Server, tested by simply typing "wbinfo -u" at the command prompt on the Debian server and (hopefully) getting back a list of Windows domain users instead of just local account names. From the Microsoft document above, I had to do the following to allow the Debian server to authenticate with the Windows Server 2008 R2 server:

    Click Start, click Run, type gpmc.msc, and then click OK.
    In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
    In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
    In the Properties dialog box, click the Enabled option, and then click OK.

    But if you've got single sign-on working that rather implies the Linux server must be able to authenticate against your Windows server - I must have missed something, somewhere along the way.

  13. #25 dhicks
    Quote Originally Posted by CyberNerd:
    The problem we had was with a version prior to 3.4.3 which has a fix for 2008 trust relationships
    smbd -V reports that we are running Version 3.5.6. Drat.

  14. #26 dhicks
    Quote Originally Posted by dhicks:
    In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
    I've turned the above option off, rebooted the DC and the Debian machine trying to authenticate against it and things now seem to work - running "wbinfo -t" to test the trust secret returns success. I don't remember changing anything to actually achieve this - maybe you just need to glare at the computer long enough and it'll just kind of feel embarrassed and start working? The things I was about to double-check were clock skew (Windows Server 2008 R2 seemingly allows a clock skew of 5 minutes by default, and I could have sworn there was a discrepancy before I rebooted everything, so maybe that was it?) and firewall permissions for Kerberos authentication.

  15. #27 morganw
    How can you actually tell if Kerberos authentication is being used? I've got a valid krb5.conf (tested with kinit on the server) and I've joined the domain using the ads option, but I haven't configured a keytab for Samba. So am I right in thinking that even though the system itself can use Kerberos correctly, when I'm connecting from a client I'm actually using some other auth type like lanman or ntlm? I've only found one guide which referenced the keytab and that says to use the option "kerberos method = system keytab" in smb.conf. All the other guides I've found seem to just get the realm details into krb5.conf and then just use any old auth method when connecting. To test I've tried putting bad configuration data into krb5.conf and everything keeps working (except the kinit test).


  17. #28 dhicks
    Quote Originally Posted by dhicks:
    Code:
       valid users = @"CONVENT+Domain Users"
       admin users = @"CONVENT+Domain Admins"
    Turns out that you stopped needing the "valid" part about 10 years ago, and if you have a Windows 7/8 machine you'll get an "Access Denied" on trying to access the share. This should now be a single line:

    Code:
       users = @"CONVENT+Domain Users"
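An added audit script, not code from the thread or from the Samba project, that checks an smb.conf plus the two PAM files for the settings the posts above turn on: template shell (#16), pam_winbind lines in common-auth and common-account (#17), client ntlmv2 auth (the full name of the option morganw mentions in #21) and kerberos method for security = ads (#27). The sample inputs are constructed, and the Samba defaults assumed are template shell = /bin/false and client ntlmv2 auth = yes.

```python
import re

# Constructed sample inputs (not copied from the thread); deliberately weak.
SAMPLE_SMB_CONF = """
[global]
   workgroup = CONVENT
   security = ads
   template shell = /bin/false
   client ntlmv2 auth = no
"""
SAMPLE_COMMON_AUTH = "auth    sufficient      pam_winbind.so\n"
SAMPLE_COMMON_ACCOUNT = "account required        pam_unix.so\n"

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, whitespace normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';')[0].split('#')[0].strip()  # drop comments
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, _, value = line.partition('=')
            sections[current][' '.join(key.split()).lower()] = value.strip()
    return sections

def pam_has_winbind(text, facility):
    """True if a non-comment line for `facility` (auth/account) loads pam_winbind."""
    for raw in text.splitlines():
        f = raw.split('#')[0].split()
        if len(f) >= 3 and f[0] == facility and 'pam_winbind' in f[2]:
            return True
    return False

def audit(smb_conf, common_auth, common_account):
    """Return findings for the settings discussed in the thread; [] means clean."""
    g = parse_smb_conf(smb_conf).get('global', {})
    findings = []
    shell = g.get('template shell', '/bin/false')  # Samba default (assumed)
    if shell in ('/bin/false', '/usr/sbin/nologin', '/sbin/nologin'):
        findings.append(f'template shell = {shell}: domain users cannot get a shell')
    if g.get('client ntlmv2 auth', 'yes').lower() != 'yes':  # default yes (assumed)
        findings.append('client ntlmv2 auth = no: plain NTLM/LM may be negotiated')
    if g.get('security', '').lower() == 'ads' and 'kerberos method' not in g:
        findings.append('security = ads but no kerberos method: no keytab managed')
    if not pam_has_winbind(common_auth, 'auth'):
        findings.append('common-auth: no pam_winbind auth line')
    if not pam_has_winbind(common_account, 'account'):
        findings.append('common-account: no pam_winbind account line')
    return findings
```

Run audit() against the real /etc/samba/smb.conf and /etc/pam.d files; the sample above yields four findings and only the common-auth check passes.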
