Re: SAMBA W2K3 ADS
Hallo,
also wie versprochen meine Config-Dateien.
/etc/krb5.conf
------------------------
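# /etc/krb5.conf - MIT Kerberos client configuration for the SUB.DOMAIN.DE
# realm; the Windows 2003 domain controller acts as KDC.
[libdefaults]
default_realm = SUB.DOMAIN.DE
# Maximum clock difference in seconds tolerated between this host and the KDC
# (300 is also the library default). A larger skew yields KRB_AP_ERR_SKEW
# failures, so keep the client NTP-synced to the domain controller.
clockskew = 300

[realms]
SUB.DOMAIN.DE = {
# The DC is addressed by IP here. The name pdc.sub.domain.de must still resolve
# correctly, because the GSSAPI bind in ldap.conf requests its service ticket
# by hostname (ldap/pdc.sub.domain.de).
kdc = 141.75.27.148
default_domain = sub.domain.de
admin_server = 141.75.27.148
}

[logging]
# The kdc and admin_server destinations are only used by a KDC; on this
# client they are inert but harmless.
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[appdefaults]
kinit = {
forwardable = true
}
# Read by pam_krb5 for interactive logins.
pam = {
# Lifetimes in seconds (one hour each).
ticket_lifetime = 3600
renew_lifetime = 3600
# Forwardable/proxiable TGTs can be delegated by any service the user
# connects to that is trusted for delegation in AD. Enable them only if
# credential delegation (e.g. SSH with GSSAPIDelegateCredentials) is actually
# needed; otherwise a compromised service can impersonate the user.
forwardable = true
proxiable = true
retain_after_close = true
krb4_convert = false
# Only accounts with uid >= 3000 are authenticated via Kerberos; local system
# accounts below that stay on /etc/passwd and /etc/shadow.
minimum_uid = 3000
try_first_pass = true
}

[domain_realm]
# Hosts in the realm's own DNS domain are mapped explicitly. Without these two
# lines the mapping depends on the library's fallback (uppercased DNS domain,
# or DNS TXT lookup if enabled), which is fragile and spoofable.
.sub.domain.de = SUB.DOMAIN.DE
sub.domain.de = SUB.DOMAIN.DE
# Kept from the original file. It references a DNS domain (sub.fh-domain.de)
# that appears nowhere else in this setup; drop it if it is a typo.
.sub.fh-domain.de = SUB.DOMAIN.DE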
-------------------------------------------------------------------------
/etc/ldap.conf -> /etc/openldap/ldap.conf (Symlink, damit nss_ldap/pam_ldap und die OpenLDAP-Clientbibliothek dieselbe Datei lesen)
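# /etc/ldap.conf - nss_ldap / pam_ldap configuration (symlinked from
# /etc/openldap/ldap.conf, so the OpenLDAP client library reads the same file).
# Lookups go to the AD domain controller with a GSSAPI (Kerberos) bind using the
# calling user's ticket, or the nssldap/TUX service ticket when root looks up.

# Directory server and search base.
host pdc.sub.domain.de
base DC=sub,DC=domain,DC=de
# The LDAP version to use (defaults to 3 if supported by client library).
ldap_version 3
# The search scope.
scope sub

# Where accounts and groups live. Several nss_base_passwd lines are allowed;
# they are searched in the order given.
nss_base_passwd ou=Students,dc=sub,dc=domain,dc=de?sub
nss_base_passwd cn=Users,dc=sub,dc=domain,dc=de?sub
nss_base_group cn=Users,dc=sub,dc=domain,dc=de?one

# RFC 2307 -> AD schema mapping (msSFU30* attributes from Microsoft
# Services for UNIX 3.x).
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup Group
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos displayname
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute cn cn
pam_login_attribute msSFU30Name
pam_filter objectclass=user
pam_member_attribute msSFU30PosixMember
# Password changes are written to AD's unicodePwd attribute. AD only accepts
# that over an encrypted connection, so the TLS settings below are required
# for passwd(1) to work at all.
pam_password ad

# Transport security.
# Bind with GSSAPI (Kerberos) instead of a bind DN and password stored here.
use_sasl on
# maxssf=0 disables the SASL integrity/privacy layer. Against AD this is
# required once TLS is on (AD rejects a SASL security layer on top of TLS),
# but it also means GSSAPI protects only the bind itself: every search result
# crosses the wire in cleartext unless TLS is really active.
sasl_secprops maxssf=0
# The original file had "sasl start_tls". "sasl" with that argument is not an
# nss_ldap keyword and would be ignored, leaving the connection unencrypted.
# The nss_ldap keyword for STARTTLS is "ssl".
ssl start_tls
# Verify the domain controller's certificate. tls_cacertfile must point at the
# CA that issued the DC's certificate; without verification the STARTTLS
# session is open to a man-in-the-middle (and the whole directory is exposed).
tls_checkpeer yes
#tls_cacertfile /path/to/ad-ca.pem

# Credential cache nss_ldap uses for the GSSAPI bind. When unset, the caller's
# default cache (KRB5CCNAME / /tmp/krb5cc_<uid>) is used. Whatever cache holds
# the nssldap/TUX ticket can read the entire directory and must be root-only.
#krb5_ccname FILE:/etc/.ldapcache
# soft: give up immediately when the DC cannot be reached instead of retrying,
# so NSS lookups (and therefore logins and boot) do not hang during an outage.
bind_policy soft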
----------------------------------------------------------------------------------------------------------------
/etc/nsswitch.conf
-----------------------------------
# /etc/nsswitch.conf - name-service source order for this AD member.

# Accounts and groups: local files first, then the directory via nss_ldap
# (see /etc/ldap.conf). winbind is deliberately absent; user and group data
# come from the msSFU30 attributes in AD through LDAP.
# The [notfound=continue] action on the last source has no effect (there is
# nothing left to continue to); it is kept as-is.
passwd: files ldap [notfound=continue]
group: files ldap [notfound=continue]
# No "shadow:" line: presumably password checking is done by pam_krb5 (see
# the pam block in krb5.conf), not by reading shadow entries from LDAP.

# Host and network names: local tables, then DNS. The KDC and the LDAP host
# pdc.sub.domain.de must be resolvable through one of these.
hosts: files dns
networks: files dns

# Everything else is local only.
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
----------------------------------------------------------------------------------------------
/etc/samba/smb.conf
---------------------------------
# /etc/samba/smb.conf - domain member of a Windows 2003 AD domain.
[global]
# Identity in the domain. realm must match default_realm in krb5.conf.
workgroup = SUB
realm = SUB.DOMAIN.DE
server string = Linux client
security = ADS
encrypt passwords = yes
# Pins authentication to a single DC. Samba's ADS mode can locate DCs via DNS
# when this is omitted or set to *, which is more robust if the DC changes.
password server = pdc.SUB.DOMAIN.DE
# SMB signing on outgoing connections (protects against tampering/relay).
client signing = yes

# Listen only on the LAN interface and loopback.
interfaces = eth0, lo
bind interfaces only = yes

# Logging: level 3 is verbose and writes user/host details - useful while
# debugging the domain join, lower it once things work.
log level = 3
log file = /var/log/samba3/log.%m
max log size = 50

# This host is a plain member: never become a browse master.
preferred master = no
domain master = no
os level = 20
wins proxy = no
dns proxy = no

# winbind: no enumeration (avoids pulling the whole directory on getent),
# domain prefix dropped from user names.
winbind separator = +
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes

printcap name = cups
usershare allow guests = no
------------------------------------------------------------------------------------------
Wenn nun kinit nssldap/TUX aufgerufen wird, erhält root das allgemeine Ticket.
Bei der Anmeldung mit dem <ADUser> bekommt der User alle benötigten Tickets.
Mit klist als <ADUser> werden das ldap-Ticket und verschiedene andere Tickets angezeigt.
getent passwd als root zeigt alle AD User, getent passwd als <ADUser> zeigt
nur den eigenen Eintrag.
root darf mit dem nssldap/TUX-Ticket die gesamte LDAP-DB lesen, <ADUser> nur
die benötigten Einträge. (Der Credential-Cache mit dem nssldap/TUX-Ticket sollte deshalb nur für root lesbar sein.)
Hoffe, das hilft dir weiter.
MFG
Sascha
--
BOFH excuse #204:
Just pick up the phone and give modem connect sounds. "Well you said we should
get more lines so we don't have voice lines."