ARCHIVES - Tips, Tricks & Tweaks: Tips and Solutions for SUSE Linux (Please do not post questions here)

I did modify the line, and after that and some other modifications elsewhere I finally was able to "see" the server in the computers list in Win2k3 (it was not working before).

Your step 5: when I do the simple getent passwd to see domain users and UIDs, I get a long delay in the search and a result of only local users. I saw some errors in the "messages" file:

getent: nss_ldap: failed to bind to LDAP server ldap://192.168.0.10: Invalid credentials
getent: nss_ldap: failed to bind to LDAP server ldap://servername.domain.com/: Invalid credentials
getent: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)
...and on and on... until I get this one:
getent: nss_ldap: could not search LDAP server - Server is unavailable

Going deep to search for the bug. cya in a week or two :lol:
Ghys,

Sounds like you are making progress... I'm familiar with the "invalid credentials" message you are seeing. What's funny is that it turned out to be just that: invalid (fat-fingered) LDAP query user credentials entered into my /etc/ldap.conf file. Double check that you have the correct Windows LDAP query username and password entered into your /etc/ldap.conf file. If that's not the problem, see below.

Try replacing (where the Windows LDAPQUERYUSER user is expected to be in the "Users" container in AD):

binddn cn=LDAPQUERYUSER,cn=Users,dc=myplace,dc=com

with this (use the same case as with the user you created):

binddn LDAPQUERYUSER@myplace.com

Also try adding these lines to your /etc/ldap.conf in addition to the changes from above:

nss_map_attribute cn cn
pam_password md5

At this point it sounds like your SuSE machine is trying to make contact with the server but either has the wrong LDAP query username and password, or the user/pass aren't being delivered in a way that is recognizable to Active Directory.

Another thing to recheck would be the /etc/krb5.conf file. Ensure there are no wrapped lines in there; see below.

/etc/krb5.conf
#ensure there is no wrapping of the following lines
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5

Also, try to su to a Windows user and then see what it says in the /var/log/messages file. You may see something like "authentication success", which would indicate that your /etc/krb5.conf file is sound and that you are truly working with an LDAP query problem instead of a Kerberos issue.

As always, good luck!
Shannon
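The two things Shannon's post asks Ghys to eyeball, wrapped lines in krb5.conf and the form of the binddn in ldap.conf, can be checked mechanically before the next round of su/getent tests. The script below is an added example and not code from this thread: it flags continuation lines in a krb5.conf (the tail of a wrapped line, which libkrb5 does not join back onto the line above), checks that default_realm actually has a [realms] block, reports whether the binddn in ldap.conf is a full DN or a user@domain UPN, and derives the UPN form from a DN the way the post suggests. The embedded file contents, hostnames, DN and password are constructed placeholders. One caveat the thread leaves implicit: bindpw in /etc/ldap.conf is a static cleartext secret readable by every local process that resolves names, and with ssl off it also crosses the wire in the clear on every simple bind, so the query account should have nothing beyond read access.

```python
"""Check the two files Shannon's advice touches: /etc/krb5.conf for wrapped
lines and an undefined default realm, /etc/ldap.conf for the bind identity
nss_ldap presents to Active Directory.

Added example, not code from the original thread. The file contents below are
constructed to mirror the thread; hostnames, DNs and the password are placeholders.
"""
import re

# Constructed krb5.conf: the enctype list has been wrapped by an editor, so the
# continuation line starts with whitespace and carries no "key = value".
KRB5_SAMPLE = """[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
        aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
[realms]
    DOMAIN.COM = {
        kdc = server.domain.com
    }
"""

# Constructed ldap.conf with the DN form of binddn and a cleartext bindpw.
LDAP_SAMPLE = """host 192.168.0.10
base dc=domain,dc=com
uri ldap://server.domain.com/
binddn cn=LDAPQUERYUSER,cn=Users,dc=domain,dc=com
bindpw ldapqueryuser
nss_map_attribute cn cn
pam_password md5
"""


def krb5_wrapped_lines(text):
    """Lines inside a section that are not 'key = value', a header, a comment
    or a brace: in practice the tail of a wrapped line."""
    bad = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or line in ("{", "}"):
            continue
        if "=" not in line:
            bad.append((n, line))
    return bad


def krb5_default_realm_defined(text):
    """True when [libdefaults] default_realm has a matching 'REALM = {' block."""
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    defined = re.findall(r"^\s*([A-Z0-9.\-]+)\s*=\s*\{", text, re.M)
    return bool(realm) and realm.group(1) in defined


def parse_ldap_conf(text):
    """nss_ldap's ldap.conf is 'keyword value' per line with '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf


def upn_from_dn(dn):
    """Shannon's alternative: LDAPQUERYUSER@domain.com instead of the full DN.
    Assumption: the leading cn equals the account's sAMAccountName, which AD
    does not guarantee; the domain part is assembled from the dc= components."""
    parts = [p.split("=", 1) for p in dn.split(",")]
    domain = ".".join(v for k, v in parts if k.strip().lower() == "dc")
    return f"{parts[0][1]}@{domain}"


def ldap_bind_identity(text):
    """Report the binddn form, whether a bindpw is present, and whether the
    simple bind would cross the wire in cleartext (no ssl / start_tls)."""
    conf = parse_ldap_conf(text)
    binddn = conf.get("binddn", "")
    if re.fullmatch(r"[^@,=\s]+@[A-Za-z0-9.\-]+", binddn):
        form = "upn"
    elif re.fullmatch(r"(?i)(cn|ou|dc)=[^,]+(,(cn|ou|dc)=[^,]+)*", binddn):
        form = "dn"
    else:
        form = "unknown"
    return {
        "binddn": binddn,
        "form": form,
        "has_bindpw": "bindpw" in conf,
        # bindpw is a static cleartext secret: readable by every local process
        # that resolves names, and on the wire too unless TLS is on.
        "cleartext_bind": conf.get("ssl", "no").lower() not in ("on", "yes", "start_tls"),
    }


if __name__ == "__main__":
    print("krb5 wrapped lines:", krb5_wrapped_lines(KRB5_SAMPLE))
    print("default_realm defined:", krb5_default_realm_defined(KRB5_SAMPLE))
    ident = ldap_bind_identity(LDAP_SAMPLE)
    print("ldap bind:", ident, "UPN form:", upn_from_dn(ident["binddn"]))
```

Run it against the real files by reading /etc/krb5.conf and /etc/ldap.conf into the two functions instead of the constructed samples. When the cn and the sAMAccountName differ, do not derive the UPN; read the account's userPrincipalName from AD and put that in binddn.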
So far so good... still in the digging process.

I did try su with a domain user and guess what? It worked and even created the user's local folder in /home/. I was happy! Fun ended when I did cat messages; I get these messages:

Mar 30 17:14:12 poptarts winbindd[7645]: [2007/03/30 17:14:12, 0] nsswitch/winbindd_dual.c:child_read_request(49)
Mar 30 17:14:12 poptarts winbindd[7645]: Got invalid request length: 0
Mar 30 17:14:22 poptarts winbindd[8203]: [2007/03/30 17:14:22, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:22 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:22 poptarts winbindd[8203]: [2007/03/30 17:14:22, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:22 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:23 poptarts winbindd[8203]: [2007/03/30 17:14:23, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:23 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:23 poptarts winbindd[8203]: [2007/03/30 17:14:23, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:23 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:24 poptarts winbindd[8203]: [2007/03/30 17:14:24, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:24 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:24 poptarts winbindd[8203]: [2007/03/30 17:14:24, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:24 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:25 poptarts winbindd[8203]: [2007/03/30 17:14:25, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:25 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:25 poptarts winbindd[8203]: [2007/03/30 17:14:25, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:25 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:26 poptarts winbindd[8203]: [2007/03/30 17:14:26, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:26 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:26 poptarts winbindd[8203]: [2007/03/30 17:14:26, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:26 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:27 poptarts winbindd[8203]: [2007/03/30 17:14:27, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:27 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:27 poptarts winbindd[8203]: [2007/03/30 17:14:27, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:27 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:28 poptarts winbindd[8203]: [2007/03/30 17:14:28, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:28 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:28 poptarts winbindd[8203]: [2007/03/30 17:14:28, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:28 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Mar 30 17:14:29 poptarts winbindd[8203]: [2007/03/30 17:14:29, 0] passdb/secrets.c:fetch_ldap_pw(629)
Mar 30 17:14:29 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:29 poptarts winbindd[8203]: [2007/03/30 17:14:29, 0] lib/smbldap.c:smbldap_connect_system(872)
Mar 30 17:14:29 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
...

Don't laugh about my server's name... internal joke here.
Ghys,

Try changing your /etc/smb.conf file as follows.

Change:
ldap admin dn = cn=Administrator,cn=Users,dc=domain,dc=com
To:
ldap admin dn = cn=LDAPQUERYUSER,cn=Users,dc=domain,dc=com
(Where LDAPQUERYUSER is the Windows user account that you created for making LDAP queries.)

Then issue this command to set the correct password for the LDAP query user:
smbpasswd -w <LDAPQUERYUSER's password>

Then stop /etc/init.d/smb and /etc/init.d/winbind, then restart them in the same order.
Then try su to a Windows user (check /var/log/messages).
Then try getent passwd.

Shannon
Hello again

New week of troubleshooting. The modifications did relieve the messages file of error lines. Now I get these:

Apr 2 11:40:04 poptarts winbindd[16784]: [2007/04/02 11:40:04, 0] nsswitch/winbindd_dual.c:child_read_request(49)
Apr 2 11:40:04 poptarts winbindd[16784]: Got invalid request length: 0
Apr 2 11:40:11 poptarts winbindd[16833]: [2007/04/02 11:40:11, 0] lib/smbldap.c:smbldap_connect_system(911)
Apr 2 11:40:11 poptarts winbindd[16833]: failed to bind to server ldap://server.domain.com with dn="cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com" Error: Invalid credentials
Apr 2 11:40:11 poptarts winbindd[16833]: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece

Google time and Samba/LDAP time to read more. And yes, while su'd to a Win user, I do get the getent passwd list correctly, with either coded passwords or the default coded ABCD!efgh12345$67890 passwd. I am so close I can feel it but can't seem to find the final key to open my freedom door. Tired of working on this problem.
Ghys,

Did you run the smbpasswd -w <LDAPQUERYPASSWORD> command (replacing the <> with the actual password for your Windows LDAP user)?

Also, did you try changing your ldap.conf file to:
binddn LDAPQUERYUSER@myplace.com
instead of:
dn="cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com"

Are you able to su to a Windows user? If not, what's the error message when you run the command?

Also, does the Windows user you are su'ing to have a gid number set in Active Directory under the Unix Attributes tab that should have been enabled by installing Services For Unix (SFU)? What happens when you use this command:
id <windows-user-with-Unix-Attribs-Enabled>

If you want to include your config files I could take a look. Also, double check to ensure all required packages are installed (e.g., nss_ldap).

Shannon
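The winbindd lines quoted in the last two posts carry two different failures that look alike at a glance. "Failed to retrieve password from secrets.tdb" means Samba has no password stored for the account named by "ldap admin dn", which is exactly what smbpasswd -w fixes. "Invalid credentials" is what a Windows DC returns for every failed simple bind; the actual reason is only in the hex subcode after "data" in the LdapErr line: 525 is "user not found" (the DN or UPN given as binddn names no object), 52e is a wrong password for an account that does exist. The script below is an added example, not code from this thread: it classifies lines of /var/log/messages of the shapes quoted above and decodes the AD subcode. The sample lines are constructed to mirror the thread's and keep its placeholder hostnames and DNs.

```python
"""Classify the winbindd / nss_ldap lines from /var/log/messages quoted in this
thread and decode the Active Directory bind subcode that follows
'AcceptSecurityContext error, data'.

Added example, not code from the original thread. SAMPLE_LOG is constructed
to mirror the quoted lines; hostnames and DNs are the thread's placeholders.
"""
import re

SAMPLE_LOG = """\
Mar 30 17:14:22 poptarts winbindd[8203]: fetch_ldap_pw: neither ldap secret retrieved!
Mar 30 17:14:22 poptarts winbindd[8203]: ldap_connect_system: Failed to retrieve password from secrets.tdb
Apr  2 11:40:11 poptarts winbindd[16833]: failed to bind to server ldap://server.domain.com with dn="cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com" Error: Invalid credentials
Apr  2 11:40:11 poptarts winbindd[16833]: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece
Apr  2 11:40:12 poptarts getent: nss_ldap: failed to bind to LDAP server ldap://192.168.0.10: Invalid credentials
Apr  2 11:40:13 poptarts winbindd[16833]: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 52e, v893
"""

# AD answers "Invalid credentials" (LDAP result 49) for all of these; only the
# hex subcode after "data" distinguishes them.
AD_BIND_SUBCODES = {
    "525": "user not found: no object has the DN/UPN given as binddn",
    "52e": "invalid credentials: the account exists, the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before binding",
    "775": "account locked out",
}

SECRETS_RE = re.compile(r"Failed to retrieve password from secrets\.tdb")
WINBIND_BIND_RE = re.compile(r'failed to bind to server (\S+) with dn="([^"]+)"')
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]{3})")
NSS_BIND_RE = re.compile(r"nss_ldap: failed to bind to LDAP server (\S+?):? Invalid credentials")

# What to do about each category, in the order the thread's advice gives it.
ACTIONS = {
    "samba_secret_missing": "set 'ldap admin dn' in smb.conf, run 'smbpasswd -w <password>', "
                            "then restart smb and winbind in that order",
    "winbind_bind_failed": "the DN in 'ldap admin dn' or its stored password is wrong; "
                           "read the AD subcode on the following LdapErr line",
    "nss_ldap_bind_failed": "binddn/bindpw in /etc/ldap.conf were rejected; verify them with "
                            "ldapsearch -x -H <uri> -D <binddn> -W -b <base> '(sAMAccountName=<user>)' dn",
}


def classify(line):
    """Return (category, detail) for a line the thread explains, else None."""
    if SECRETS_RE.search(line):
        return ("samba_secret_missing", "no LDAP admin password in secrets.tdb")
    m = WINBIND_BIND_RE.search(line)
    if m:
        return ("winbind_bind_failed", f"{m.group(1)} rejected bind as {m.group(2)}")
    m = AD_DATA_RE.search(line)
    if m:
        code = m.group(1)
        return ("ad_bind_subcode", AD_BIND_SUBCODES.get(code, f"unknown subcode {code}"))
    m = NSS_BIND_RE.search(line)
    if m:
        return ("nss_ldap_bind_failed", f"{m.group(1)} rejected binddn/bindpw from /etc/ldap.conf")
    return None


def diagnose(text):
    """(line number, category, detail) for every recognised line."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        hit = classify(line)
        if hit:
            out.append((n, hit[0], hit[1]))
    return out


def next_steps(findings):
    """Distinct actions in first-seen order; subcode lines only explain a bind failure."""
    seen, steps = set(), []
    for _, cat, _ in findings:
        if cat in ACTIONS and cat not in seen:
            seen.add(cat)
            steps.append(ACTIONS[cat])
    return steps


if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG)
    for n, cat, detail in found:
        print(f"line {n}: {cat}: {detail}")
    for step in next_steps(found):
        print("->", step)
```

Feed it the real file with diagnose(open("/var/log/messages").read()). A 525 after "failed to bind ... with dn=" says the DN as written does not exist, so the ldapsearch in the nss_ldap action, run as a user whose DN is known to work, is the way to learn the object's real DN before changing any password.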
Hello again. I will kill the beast soon!

What I'll do is delete all modified files and start again from scratch. When I end the session and go back to login (X Windows), I see user/pass and domain to connect. After that I get "enter LDAP password" 3 times.
OK, here are my files:
krb5.conf, nsswitch.conf, smb.conf, ldap.conf. If you need more details please ask.

My network is like this:
- Win2k3 Advanced Server (French)
- 15 Win XP stations (fixed and laptops)
- distant sites via VPN access
- some shared printers and a shared workstation for a specific DOS application

Since it's a French OS, some words may be weird to you. UPPERCASE words are there for a reason, you know. Lowercase too.

----------------------------------------------------------
krb5.conf file:

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
;   default = FILE:/var/log/krb5/libs.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.COM
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 aes256-cts arcfour-hmac-md5
;   dns_lookup_realm = true
;   dns_lookup_kdc = true
;   clockskew = 300

[realms]
    CARTOSHERB.COM = {
        kdc = server.domain.com
        default_domain = DOMAIN.COM
        admin_server = server.domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

;[kdc]
;   profile = /var/kerberos/krb5kdc/kdc.conf

;[appdefaults]
;pam = {
;   debug = false
;   ticket_lifetime = 1d
;   renew_lifetime = 1d
;   forwardable = true
;   krb4_convert = false
;   proxiable = false
;   retain_after_close = false
;   minimum_uid = 0
;   try_first_pass = true
;}

--------------------------------------------------------------------
nsswitch.conf:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   compat              Use compatibility setup
#   nisplus             Use NIS+ (NIS version 3)
#   nis                 Use NIS (NIS version 2), also called YP
#   dns                 Use DNS (Domain Name Service)
#   files               Use the local files
#   [NOTFOUND=return]   Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#

passwd:     files ldap
shadow:     files ldap
group:      files ldap
#passwd:    compat winbind
#group:     compat winbind

hosts:      files dns wins
networks:   files dns

services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files nis
publickey:  files

bootparams: files
automount:  files nis
aliases:    files

----------------------------------------------------------------------
smb.conf:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2007-02-07
[global]
    workgroup = DOMAIN
###PRINTING
    printing = cups
    security = ads
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = no
    ;add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    ;domain logons = No
    domain master = No
    netbios name = poptarts
    passdb backend = smbpasswd
    wins support = Yes
    usershare max shares = 100
    preferred master = no
    max log size = 100
    log file = /var/log/samba/%m.log
####LDAP
    ;ldap group suffix = ou=Groups
    ;ldap idmap suffix = dc=domain,dc=com
    ldap admin dn = cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com
    ; Utilisateurs is the Users group
    ;ldap machine suffix = ou=Machines
    ldap passwd sync = Yes
    ;ldap ssl = On
    ldap suffix = dc=domain,dc=com
    ldap user suffix = ou=Users
    ;I believe i have a bug here.... should it be Utilisateurs?
####IDMAP
    idmap gid = 1000-59999
    idmap uid = 1000-59999
    #idmap backend = ad
    idmap backend = ldap:ldap://willywallers.domain.com
    realm = DOMAIN.COM
    # template homedir = /home/%D/%U
    template homedir = /home/%U
    template shell = /bin/bash
    encrypt passwords = Yes
    use kerberos keytab = true
    password server = willywallers.domain.com
####WINBIND
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    deadtime = 10
    winbind cache time = 10
    winbind nested groups = yes
    winbind refresh tickets = yes
####OTHER
    client use spnego = yes
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    dns proxy = no

;[admin]
;   comment = Windows admin access
;   path = /
;   valid users = "@Admins_du_domaine"
;   admins users = "@Admins_du_domaine"
;   read only = No
;   create mask = 0664
;   browseable = No
;   inherit permissions = Yes

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes
    browseable = No

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[data]
    comment = Répertoire data
    path = /home/data
    read only = No
    guests = Yes
    directory mask = 0775
    valid users = "@Utilisa._du_domaine" "@Admins_du_domaine"

--------------------------------------------------------------
ldap.conf:

# Your LDAP server. Must be resolvable without using LDAP.
host 192.168.0.xx
# The distinguished name of the search base.
base dc=domain,dc=com
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
uri ldap://willywallers.domain.com
# Don't try forever if the LDAP server is not reachable
bind_policy soft
;binddn cn=LDAPQUERYUSER,cn=Utilisateurs,dc=domain,dc=com
binddn LDAPQUERYUSER@domain.com
bindpw ldapqueryuser
scope sub
#scope one
#scope base
timelimit 15
# Bind timelimit
bind_timelimit 15
referrals no
pam_password md5
nss_base_passwd dc=domain,dc=com?sub
nss_base_shadow dc=domain,dc=com?sub
nss_base_group dc=domain,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute cn cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap
ssl start_tls
ssl no
------

Again, thanks for your time helping out.
Ghys
Quick question: do I have to "play" with any firewall on the Windows server?

I am looking at something on the web and they typed this in the krb5.conf file:

[realms]
XJSIMPLE.FOO = {
    kdc = 192.168.0.1:88
    admin_server = 192.168.0.1:749
    default_domain = xjsimple.foo
}

Do I have to enter ports and/or use the IP to connect to the server? I can ping it by IP and by name.
Ghys,

Please modify your ldap.conf file to be like the example below. For testing I suggest that you back up your current file and then edit your ldap.conf file to ONLY include the lines below.

The example below assumes the following.

Where the "set" command on the Windows 2003 DC produces:
USERDNSDOMAIN=COOLCOMPANY.COM
USERDOMAIN=COOL

And the Windows 2003 DC computer:
hostname = w2k3-dc
IP Addr = 10.10.10.5

And the Windows special LDAP query user information:
username = cool-ldap-user
password = somepassword
member of (primary group) = domain guests
USERDOMAIN = COOL
USERDNSDOMAIN = COOLCOMPANY.COM

###############################################################
##ldap.conf
###############################################################
host 10.10.10.5
base dc=coolcompany,dc=com
uri ldap://w2k3-dc.coolcompany.com/
binddn cn=cool-ldap-user,cn=Utilisateurs,dc=coolcompany,dc=com
bindpw somepassword
scope sub
bind_timelimit 15
timelimit 15
ssl no
referrals no
nss_base_passwd dc=coolcompany,dc=com?sub
nss_base_shadow dc=coolcompany,dc=com?sub
nss_base_group dc=coolcompany,dc=com?sub?&(objectCategory=group)(gidnumber=*)
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
nss_initgroups_ignoreusers root,ldap

On a side note, I've configured this to also work with Fedora 6 and Red Hat Server ver 4: see http://forums.fedoraforum.org/showthread.p...5587#post775587

Good luck,
Shannon