Linux Fedora7 Samba Joining ADS on Windows Server 2003

I will try tomorrow
I will send the smb.conf

I adopted the exact configuration mentioned from you but unfortunately result has not changed.

I can join the Domain Successfully and I can test users:
[root@fedora7 samba]# net ads join -U violanted
violanted's password:
Using short domain name -- TECHNOPC
Joined 'FEDORA7' to realm 'TECHNOPC.EU'
[root@fedora7 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@fedora7 samba]# wbinfo -u
guest
violanted
krbtgt
support_388945a0
simonev
antonior
agnesm
nadirm
valentinav
edc72976-d2cf-4e8c-9
iusr_dc-02
iwam_dc-02
bkup-alert
andreac
rdhl
iusr_dc-01
iwam_dc-01
ipmonitor
aspnet
san
ugov
iusr_dc-03
iwam_dc-03
[root@fedora7 samba]#

I try to access the from command line or from physical Fedora Server I get:
login as: agnesm
agnesm@82.169.132.216's password:
Access denied
agnesm@82.169.132.216's password

[global]
#--authconfig--start-line--

# Generated by authconfig on 2009/07/14 10:57:18
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   Here the smb.cong

Pam has been also configured I added a line for the home directory


        workgroup = TECHNOPC
        password server = dc-02.TECHNOPC.EU
        realm = TECHNOPC.EU
        security = ADS
        #winbind section
        idmap backend = rid:DOMAIN=10000-20000
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        allow trusted domains = no
        winbind refresh tickets = yes
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        guest account = nobody
        map to guest = bad user

What's wrong?

I believe you will not be able to log on to the Linux box with the AD accounts.

Have you tried to access from a windows workstation to a share, say the home directory of the user?

It looks to me you want to use AD to authenticate against Linux to ssh inside, but the configuration stated here is for samba only.

If the desire is to be able to log into the Linux System with the AD account, they you're going to have to modify PAM -- by default, all of the AD setup HOWTOs are designed to allow AD access via SAMBA, so the Samba winbind utility is what checks the AD authentication.

But the standard login (and xlogin) programs do not know how to use winbind to authenticate...

I don't have time to do the research, but I have to think that there are PAM modules out there that can do this!

Good Luck!

Dan
IT4SOHO

Oh it is perfectly possible to log on to linux using LDAP, and thus also Active Directory

But the question is: it is what you want? is it Samba or is it Login authentication.

Login authentication from ssh and also from linux it self this is what I need to do.

Very well then.

You may then want to follow this for centos:
http://blog.wazollc.com/Lists/Posts/Post.aspx?ID=2

Hi,

I followed that link and I followed step by step all the instructions.

I am not sure about the ldap.conf file I made the changes but not sure if they are fully correct.

In any case using the AD account I am still not able to login from ssh or from the linux it self.

I have some users that needs to work on fedore only fromm ssh so my scope is to let them logon using the AD account.

So far this it has been a mission impossible.
I am not able to find on the internet the proper info and correct steps on how to accomplish this.

I have found an article you might find will help you at
  http://www.occam.com/tools/ad_auth.html

You can find more by simply googleing for "PAM Active Directory login"

NOTE: The article noted above has 3 parts:
 1) linking AD into Samba (and running winbindd) -- which it appears you already have done
 2) linking AD into PAM (for login and ssh) -- be careful not to redo the parts you've already done (like krb5.conf)
 3) mapping AD users & groups to EXISTING *nix users & groups -- which you may or may not want

Good luck!

Dan
IT4SOHO

I tried to follow up all suggestions provided but I can tell that in general there is not a proper internnet guide line that drives you towards the right configuration of AD Authentication in Linux and Samba Authentication. I can succesful join Samba to the Domain in Fedora 7 and can see all users if I run:
# wbinfo -u
# wibinfo -t
# wbinfo -g
but if I run:

[root@fedora7 ~]# wbinfo -a violanted%M@ndelbaum01
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user violanted%M@ndelbaum01 with plaintext password
challenge/response password authentication succeeded
So i am not sure what that means but I cannot logon to linux using an AD account, not matter if I try from putty ssh or from linux it self.

Any other idea?

Let's see if I can make this more clear...

Samba is the ONLY part of your system that has "joined" the AD. Samba is the only part of your Linux system that knows (or cares to know) about Microsoft, and that is because Samba was specifically designed to do so.

The Linux login program knows no more about AD login names than it does e-mail addresses or websites that you are managing.... unless you somehow TELL it to query using some other authority -- and the WAY that you tell it to use some other mechanism is through PAM (Pluggable Authentication Modules).

The same thing goes for SSH. By default, SSH will only authenticate to "local" user accounts. To tell it to do otherwise is NOT a configuration change in SSH, but rather one in PAM.

If you look in the folder /etc/pam.d, you'll find files for virtually any program that might want to authenticate users on your Linux system. Exceptions would include programs that are specifically designed to have an independent user database -- like HTTP & MySQL. But login is there, as is sshd.

A sample entry for login might be:
auth       required     pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so

Among other things, this says that the ROOT user can only login on a secure TTY. Users can be validated by the system authentication (/etc/passwd), and many other options -- I'm not going to write a whole PAM tutorial here.

Now, the page I sent you to has instructions on how to move a library named pam_winbind.so.1. from the Samba build into the /usr/lib/security folder. The BEST news is that it is probably ALREADY in your libraries... somewhere! (Mine got loaded into /lib64/security, but that's because I'm on Fedora Core 5 x86_64).

So, what you'll want to do is to see if you already have that library lurking around somewhere... try:
  find / -name "pam_winbind.so*"

Again, in my case, it turns out to be /lib64/security/pam_winbind.so"

Now, there is ONE thing that is "off" in the instructions... namely, they are using PAM1.0 nomenclature, and if you're using a 2.6 kernel, you're much more likely to be using PAM2.0. (The difference is that PAM1.0 used one monolithic config file, and PAM2.0 uses individual files for each program that uses it.)

So, where the instructions say to make an entry like:
   other         account sufficient         pam_winbind.so

What you will want to do is to add the line below to both the login and sshd files in /etc/pam.d:
   account     sufficient      pam_winbind.so
ALSO, you'll want to add it at the beginning of the account "section" -- so if you were using MY login file from PAM above, it would look like:

auth       required     pam_securetty.so
auth       include      system-auth
account    sufficient    pam_winbind.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so

Now, once that is done (and I'm skipping the step where you check the AD join's validity -- you say that's already working), use the "id" command, like so:
  id violanted

If that returns the requested info, then logoff and try to login again.

One final note: an option in SSH is required to use some PAM features, so make sure that your /etc/ssh/sshd_config file includes the line that says:
UsePAM    yes

I hope this helps clear things up a bit... I've just tried these settings in a client environment, and was successful at getting SSH logins for AD users. (I don't typically let users login to my Linux systems because they're servers!)

Good Luck!

Dan
IT4SOHO

Hi
I honestly tried the exact configuration proposed from you and we followed once again the guide previously sent we add the lines into pam to be able to login from ssh. We made sure that sshd was configured with UsePam yes but still doesn't work.

As I said I can joined the Domain I can see all Users Groups so Samba is definitely Joined to the Domain but once we try to login from putty ssh using a domain account we get access denied, same if we try from the GUI on the physical Fedora Server. Now to enable Authentication with AD we need to enable ldap?

I mean everythime I configure ldap as well than the system Fedora 7 hangs. I also notice that the GUI interface is gone and cannot login anymore from there as we get black window.

From the ssh when we enable ldap we can login only with the locall account or as root.

Here it's all strange I do not understand the logic behind.

I am more a windows guy but it's about two years I am using Linux and I can do quiet a lot's of things with linux but accomplish the current task seems to be mission impossible

Hello,

We completely mess up all configurations regarding this AD Authenticaion in Fedora7 using ssh.
All I want is to have the users in AD to login into the Fedora box using they Domain account, and possibly when they login have an home directory created to the local server. That's all!

What's the mandatory configuration to make this happen?

I need full documentation if possible please I am still new in Linux but I need to do so and also I like to learn.

thanks

We installed a fresh copy of Fedora 7

All I want is to have the users in AD to login into the Fedora box using they Domain account, and possibly when they login have an home directory created to the local server.

What's the mandatory configuration to make this happen?
I am confuse between ldap, pam, and winbind

Which one of those we need to configure?

All of them or.....

Thanks