*nix Thread, Configuring Samba in Technical
-
9th June 2010, 05:24 PM #16
It turns out that the line:
Code:
template shell = /bin/bash
in the "global" section of smb.conf is actually important - users can't open a shell otherwise, and if they can't open a shell they can't log in via SSH, and if they can't log in via SSH they can't log on to an LTSP client...
--
David Hicks
Last edited by dhicks; 11th June 2010 at 12:59 PM.
-
-
21st November 2010, 07:49 PM #17
Just to add a quick update: it turns out the above all allows for file server access via Samba, but doesn't let users actually log in via a shell. It turns out you have to configure PAM to allow users to do this. The easiest thing seems to be to add the following line to the top of /etc/pam.d/common-auth:
Code:
auth sufficient /lib/security/pam_winbind.so
And the following to the top of /etc/pam.d/common-account:
Code:
account sufficient /lib/security/pam_winbind.so
These two files are included by the login and sshd PAM configs, letting users log in with their domain usernames and passwords either direct to a console or via SSH. It also gets included by whatever it is that SquirrelMail uses for authentication, letting users log in to check SquirrelMail, which was what I was aiming for...
--
David Hicks
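The checks below are an added example, not part of the original posts: a shell script that verifies the three settings from posts #16 and #17 ("template shell" in the "global" section, and pam_winbind.so as the first active auth and account line) against copies of the files. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks the settings from posts #16 and #17 in copies of the files.

# Succeeds if the [global] section of smb.conf ($1) sets "template shell".
has_template_shell() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && /^[ \t]*template shell[ \t]*=/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Succeeds if the first active line of PAM file $2 is
# "<type> sufficient ...pam_winbind.so", with <type> ($1) auth or account.
winbind_is_first() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { ok = ($1 == want && $2 == "sufficient" && $3 ~ /pam_winbind\.so$/); exit }
        END { exit !ok }
    ' "$2"
}

# Prints one line per missing setting; returns non-zero if any is missing.
audit() {  # $1 = smb.conf, $2 = common-auth, $3 = common-account
    rc=0
    has_template_shell "$1"       || { echo "missing: template shell in [global] of $1"; rc=1; }
    winbind_is_first auth "$2"    || { echo "missing: pam_winbind first in $2"; rc=1; }
    winbind_is_first account "$3" || { echo "missing: pam_winbind first in $3"; rc=1; }
    return $rc
}

# Constructed sample files (not taken from the thread's servers).
d=$(mktemp -d)
printf '[global]\nsecurity = ads\ntemplate shell = /bin/bash\n' > "$d/smb.ok"
printf '[global]\nsecurity = ads\n[homes]\ntemplate shell = /bin/bash\n' > "$d/smb.bad"
printf '# constructed\nauth sufficient /lib/security/pam_winbind.so\nauth required pam_unix.so\n' > "$d/auth.ok"
printf 'auth required pam_unix.so\nauth sufficient /lib/security/pam_winbind.so\n' > "$d/auth.bad"
printf 'account sufficient /lib/security/pam_winbind.so\naccount required pam_unix.so\n' > "$d/acct.ok"

audit "$d/smb.ok" "$d/auth.ok" "$d/acct.ok" && echo "all three settings present"
audit "$d/smb.bad" "$d/auth.bad" "$d/acct.ok" || echo "second set has gaps"
```

On a server, call audit with the real smb.conf, /etc/pam.d/common-auth and /etc/pam.d/common-account. Because the line is marked sufficient and sits first, a successful winbind result ends that stack without consulting the modules below it, which is why the check looks at position and not just presence.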
-
-
2nd March 2012, 08:04 PM #18
Right, so now I've got to join a Debian Squeeze machine to a Windows Server 2008 R2 Domain Controller. I have to turn on compatibility for older forms of authentication:
The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default
That works fine, but does anyone have any idea how I get Debian to support authentication that works with Windows Server 2008 R2's default authentication settings?
-
-
2nd March 2012, 10:36 PM #19
Before we introduced 2008R2 we needed to upgrade the samba servers. I don't remember which version, but the version on rhel6.x worked without change to windows.
-
-
3rd March 2012, 12:40 PM #20 
Originally Posted by
dhicks
I was testing this setup last week. This was purely a test environment rather than a live system, a brand new test domain on a 2008R2 DC, and two test Samba servers with the default packages in Debian Squeeze. I tested a server with security = domain, and the other with security = ads and I seemed to get single sign-on with both approaches (tested from a Windows 7 client).
I had this set at the top of the OU structure (alongside the default domain policy):
Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies/Security Options / Network Security / Network Security: LAN Manager authentication level - Send LM & NTLM - use NTLMv2 session security if negotiated.
Is this the same as what you had done to make it work?
-
-
4th March 2012, 12:09 PM #21
Actually I've just found that if I tried it without the above settings it was still working. I've also just tried forcing NTLMv2 on the Windows client and client ntlmv2 = yes (I think this only allows NTLMv2 auth and nothing else) on the server, and everything is still working.
-
-
5th March 2012, 08:21 AM #22 
Originally Posted by
CyberNerd
Before we introduced 2008R2 we needed to upgrade the samba servers. I don't remember which version, but the version on rhel6.x worked without change to windows.
I installed Samba on Debian Squeeze (the current release version) with:
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config
That should be up-to-date, Debian should simply go and get the latest version of everything, unless of course Debian's Samba packages are simply not as up-to-date as RedHat's or I'm meant to be installing a different version of Kerberos?
-
-
5th March 2012, 08:25 AM #23 
Originally Posted by
dhicks
I installed Samba on Debian Squeeze (the current release version) with:
apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config
That should be up-to-date, Debian should simply go and get the latest version of everything, unless of course Debian's Samba packages are simply not as up-to-date as RedHat's or I'm meant to be installing a different version of Kerberos?
The problem we had was with a version prior to 3.4.3 which has a fix for 2008 trust relationships:
Samba - Release Notes Archive
At least I think that was the problem. Everything worked fine after the upgrade.
-
-
5th March 2012, 08:39 AM #24 
Originally Posted by
morganw
Is this the same as what you had done to make it work?
No, I haven't got as far as NTLM single sign-on yet, I'm simply trying to get a Linux server to authenticate user logins against a Windows Server, tested by simply typing "wbinfo -u" at the command prompt on the Debian server and (hopefully) getting back a list of Windows domain users instead of just local account names. From the Microsoft document above, I had to do the following to allow the Debian server to authenticate with the Windows Server 2008 R2 server:
Click Start, click Run, type gpmc.msc, and then click OK.
In the Group Policy Management console, expand Forest: DomainName, expand DomainName, expand Domain Controllers, right-click Default Domain Controllers Policy, and then click Edit.
In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
In the Properties dialog box, click the Enabled option, and then click OK.
But if you've got single sign-on working that rather implies the Linux server must be able to authenticate against your Windows server - I must have missed something, somewhere along the way.
-
-
5th March 2012, 08:56 AM #25 
Originally Posted by
CyberNerd
The problem we had was with a version prior to 3.4.3 which has a fix for 2008 trust relationships
smbd -V reports that we are running Version 3.5.6. Drat.
-
-
5th March 2012, 10:34 AM #26 
Originally Posted by
dhicks
In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, click Net Logon, and then double-click Allow cryptography algorithms compatible with Windows NT 4.0.
I've turned the above option off, rebooted the DC and the Debian machine trying to authenticate against it and things now seem to work - running "wbinfo -t" to test the trust secret returns success. I don't remember changing anything to actually achieve this - maybe you just need to glare at the computer long enough and it'll just kind of feel embarrassed and start working? The things I was about to double-check were clock skew (Windows Server 2008 R2 seemingly allows a clock skew of 5 minutes by default, and I could have sworn there was a discrepancy before I rebooted everything, so maybe that was it?) and firewall permissions for Kerberos authentication.
-
-
5th March 2012, 09:11 PM #27
How can you actually tell if Kerberos authentication is being used? I've got a valid krb5.conf (tested with kinit on the server) and I've joined the domain using the ads option, but I haven't configured a keytab for Samba. So am I right in thinking that even though the system itself can use Kerberos correctly, when I'm connecting from a client I'm actually using some other auth type like lanman or ntlm? I've only found one guide which referenced the keytab and that says to use the option "kerberos method = system keytab" in smb.conf. All the other guides I've found seem to just get the realm details into krb5.conf and then just use any old auth method when connecting. To test I've tried putting bad configuration data into krb5.conf and everything keeps working (except the kinit test).
-
-
12th April 2013, 11:55 PM #28 
Originally Posted by
dhicks
Code:
valid users = @"CONVENT+Domain Users"
admin users = @"CONVENT+Domain Admins"
Turns out that you stopped needing the "valid" part about 10 years ago, and if you have a Windows 7/8 machine you'll get an "Access Denied" on trying to access the share. This should now be a single line:
Code:
users = @"CONVENT+Domain Users"
-