CentOS 5 Server :: Using Winbind With Win2003 R2 AD And Microsoft Identity Management For UNIX For UID/GID Mappings?
Nov 10, 2009
following situation and configuring authentication for Windows users on my CentOS clients please: IHAC WIN2003 R2 Domain Controller with ALL my users and groups maintained there. For user mapping (SID to UID/GID) I want to use IMU, which is included with WIN2003 R2 srv and extends my Active Directory schema for UID, GID, NIS Domain etc. I now want to authenticate my Windows users on my CentOS clients via their "domainname\username" and passwords on the CentOS clients.
I also have a NAS server which has user mapping integrated and resolves the Windows SIDs to the UID/GIDs configured within the IMU schema extensions. Now I have no idea how to set up my CentOS clients to use winbind, PAM and LDAP (IMU supports LDAP queries for UID/GID resolving) WITHOUT needing any Samba server or functionality.
* Do I need to configure the smb.conf file, because my user mapping is done on the NAS server and I want to resolve my Windows users'/groups' UID/GIDs from IMU via LDAP?
* Do I (just) need to join the AD (2003 native), or even use Kerberos with generating ktpass.exe keytab files (what is needed/recommended and what is the difference?) Can I authenticate the users without using Kerberos?
For e.g. my username is "domain\user_a" and within the IMU the UID is set to "12345"; I don't want Samba/winbind to do user mapping again based on the configured values in the smb.conf file. Some hints would be really nice for me to understand how exactly it works and what is needed...
View 1 Replies
Sep 11, 2010
I have set up a CentOS 5.5 VMware guest with Samba and Winbind for Active Directory integration, using GUI tools. Authentication works flawlessly, with automatic home directory creation. What I want to achieve now is using local UNIX groups to control access to shared folders, to avoid bothering AD administrators with group management. This is my smb.conf global section:
workgroup = COGITANS
password server = domainserver.hq.cogitans.it
realm = HQ.COGITANS.IT
security = ads
[code]....
'finance' is a local UNIX group where I added user 'COGITANS\alberto' (I also tried with 'alberto') as a secondary group (the primary group is 'domain users' and it cannot be changed). I am sure the user is added, because it is listed in 'getent group'. If I specify user COGITANS\alberto in valid users it works, i.e. only that user can access the share, the others get an NT_STATUS_ACCESS_DENIED error. But if I use +finance, access is denied to everybody, and this is the log:
[2010/09/11 14:12:37, 10] smbd/share_access.c:user_ok_token(211)
User COGITANS\alberto not in 'valid users'
[2010/09/11 14:12:37, 2] smbd/service.c:make_connection_snum(617)
user 'COGITANS\alberto' (from session setup) not permitted to access this share (finance)
[code]....
It seems like winbind cannot recognize finance as a local group. For the same reason, I guess, 'force group = finance' does not work either (files are created with 'domain users' group ownership). My /etc/nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
Grants and ownership on the '/repositories/shared/finance' folder are
root:domain users with permissions 775
View 2 Replies
Apr 13, 2010
Recently I configured Postfix with Cyrus-IMAP and it all worked fine until I also wanted to allow AD users to use SquirrelMail. Currently AD users are able to log on to the ssh server without any problems.
- wbinfo -u & -g is fine
- testsaslauthd - passed
- telnet to localhost 143 + a LOGIN user password - passed
- cyradm shows an active mailbox for the particular user
imap in pam.d:
#%PAM-1.0
auth include system-auth
account include system-auth
View 1 Replies
May 25, 2011
How do I turn winbind authentication off for vsftpd? I keep getting these error messages in /var/log/secure: vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER. I already tried commenting out different things in the config files. Is it safe to comment out the winbind stuff in /etc/pam.d/system-auth if we are using smbclient to connect to a Windows share? Why you would want to use AD to authenticate users for something as simple as FTP is beyond me. I merely want it to authenticate against local system users.
View 3 Replies
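Before editing any PAM file it helps to know which services are actually producing those lines. The following is an added example, not code from the post: it parses /var/log/secure entries in the format quoted above, tallies per PAM service how often pam_winbind answered NT_STATUS_NO_SUCH_USER and whether pam_unix then opened the session (i.e. the local account authenticated anyway), and lists the services whose stack still routes through pam_winbind. The log lines, host name, user names and timestamps are constructed.

```python
"""Triage pam_winbind noise in /var/log/secure.

Added example, not from the post. It parses syslog lines in the format the
post quotes and tallies, per PAM service, how often pam_winbind reported
NT_STATUS_NO_SUCH_USER and whether pam_unix then handled the login, which
shows which /etc/pam.d service files still route through pam_winbind. The
log lines below are constructed; host names, users and times are made up.
"""
import re
from collections import defaultdict

SAMPLE_SECURE_LOG = """\
May 25 10:01:02 ftp1 vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
May 25 10:01:02 ftp1 vsftpd: pam_unix(vsftpd:session): session opened for user bob by (uid=0)
May 25 10:03:17 ftp1 vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
May 25 10:03:17 ftp1 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=carol rhost=10.0.0.5  user=carol
May 25 10:05:40 ftp1 sshd[2231]: pam_winbind(sshd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
May 25 10:05:40 ftp1 sshd[2231]: pam_unix(sshd:session): session opened for user dave by (uid=0)
"""

# syslog prefix, optional [pid], then "pam_module(service:type): message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[\w.-]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
NT_RE = re.compile(r"NT error was (NT_STATUS_\w+)")


def parse_pam_events(text):
    """Return one dict per PAM log line; lines from other sources are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        nt = NT_RE.search(ev["msg"])
        ev["nt_status"] = nt.group(1) if nt else None
        events.append(ev)
    return events


def classify(ev):
    """Map an event to one of the buckets summarise() counts, or None."""
    if ev["module"] == "pam_winbind" and ev["nt_status"] == "NT_STATUS_NO_SUCH_USER":
        return "winbind_no_such_user"
    if ev["module"] == "pam_unix" and ev["msg"].startswith("session opened"):
        return "unix_session_opened"
    if ev["module"] == "pam_unix" and ev["msg"].startswith("authentication failure"):
        return "unix_auth_failure"
    return None


def summarise(events):
    """Return {service: {bucket: count}} with every bucket present."""
    buckets = ("winbind_no_such_user", "unix_session_opened", "unix_auth_failure")
    summary = defaultdict(lambda: dict.fromkeys(buckets, 0))
    for ev in events:
        kind = classify(ev)
        if kind:
            summary[ev["service"]][kind] += 1
    return dict(summary)


def services_still_using_winbind(summary):
    """Services whose PAM stack still calls pam_winbind for local accounts."""
    return sorted(s for s, c in summary.items() if c["winbind_no_such_user"])


if __name__ == "__main__":
    summary = summarise(parse_pam_events(SAMPLE_SECURE_LOG))
    for service, counts in sorted(summary.items()):
        print(service, counts)
    print("still calling pam_winbind:", services_still_using_winbind(summary))
```

Run against the real file (`python triage.py < /var/log/secure` after swapping the sample for `sys.stdin.read()`), the service column tells you whether the noise comes only from vsftpd's own /etc/pam.d file or from system-auth, which every service includes; a winbind failure immediately followed by a pam_unix "session opened" for the same service is a fallback that worked, not a failed login.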
Apr 8, 2010
CentOS 5.4 64bit fully updated. What I am doing: vsftpd is set up and NFS shares are mounted from a NAS server which is running Openfiler 2.3 fully updated. Openfiler is winbind-joined to AD and pulling users and groups over.
I have confirmed it working: when an FTP user connects, the username/password is authenticated against AD, which works. The user can log in and is directed to the user's folder on the NFS share.
Openfiler shows me UID and GID numbers for users and groups; CentOS also shows me UID and GID, but they are different, which is causing permissions/quotas to not work right.
Both servers are set up with krb and winbind; Openfiler has a more recent version of winbind.
Here is an example...
AD Users are
user UID of 160010 as an example
user1 UID 160011
When the user logs into the vsftpd server it works and is chrooted into the directory for that user. When the user uploads files, I can upload, but the UID in the FTP client shows 1600011 which is user1's UID.
Logging into Windows to that share shows in the security tab that user1 uploaded the files.
Centos is mapping user as 160011
openfiler is mapping user as 160010
windows is showing the user1 in the security tab.
So it appears that CentOS is not mapping the right numbers to the right users and groups.
If you need details please ask for them and I will provide.
Both configs are nearly a match and I have made small changes to the smb.conf config files, but it failed to resolve these issues, so I reverted back. kinit works with authentication, getent works, wbinfo -a and -u work. wbinfo -u user shows different results on both servers, but authentication works with user/password, and I tried a different password to test.
Is this a known bug or a silly misconfiguration? I had the authentication GUI tool configure the winbind stuff, so it's all fairly standard on the CentOS machine, and the Openfiler GUI configured the winbind configs.
View 2 Replies
Mar 20, 2010
I know that with SAMBA tools we can connect Fedora and Windows. I also know how to connect Fedora 7 with Win XP. But my problem is, I am using Win 2003 Server, and in this OS I am not able to find the option to share my root directory. I think it is not available in Server 2003.
So how can I connect Fedora with Server 2003? My Fedora PC shows the icon of the Windows network, but at my Windows PC the LAN connection shows disconnected.
I have also tried to share one folder from the Windows PC. But when I try to open it at the Fedora PC with "open location" it says "can't show the contents of this folder."
View 2 Replies
Sep 27, 2010
I want to migrate a Win2003 Domain Controller to Samba with all settings. Current setup: working Win2003 Domain Controller (DC) with home directories, group policies, shared printer, disk quotas. How do I migrate all these settings to a Samba Domain Controller? I have tried to search but didn't get detailed information.
View 14 Replies
Jan 12, 2010
How do I install a CentOS VPN server that can be connected to from Microsoft Windows?
View 6 Replies
Feb 10, 2010
I maintain a Samba PDC for a small business; our current setup does not work very well. On a hardware upgrade I directly imported the old LDAP database, and attempting to add machines to the domain causes all sorts of trouble.
I'm 95% sure the original database (which predates my employment) was created using the IDEALX smbldap-tools; unfortunately on our current platform (Debian Lenny) these tools seem to be broken. The only things they seem to do reliably are set passwords and add POSIX users; asking them to do anything involving Samba/Windows causes errors. The IDEALX tools seem to be abandoned, and I don't know enough Perl to try and fix them.
Since the IDEALX scripts seem to be abandoned, and most of the good Samba+LDAP how-tos reference the IDEALX tools, I was wondering what people use nowadays to manage their LDAP directories; surely they aren't importing .ldif files to add new users/machines like I've been doing. Are people just writing their own management scripts/web apps? Or are the smbldap tools just broken on Debian? As for how to generate the NT/LM password hashes and proper SIDs, does anybody have anything they could point me to about this?
View 1 Replies
Aug 26, 2010
Much software is available for patch management, like OCS Inventory, cfengine, Puppet and Red Hat Satellite Server for Linux. I want to perform patch management for my Linux servers (CentOS, Debian). My question is how to find out which patches are available for Linux and which patches I need to apply. Is there any way to find out the required patches?
View 6 Replies
Aug 5, 2010
How do I set up sendmail (CentOS 5.2) as a mail relay for Microsoft Exchange? I will put the mail relay in the DMZ and the mail server in the local network.
View 3 Replies
Nov 7, 2010
It's been 2 weeks that I'm trying to configure freeradius2 on CentOS 5 64bit after installing it from yum. All seems to be working, but I can't authenticate UNIX users. After digging in many sites: it simply can't find the user name and password ( ++[unix] returns notfound ). Also, how can I paste here all the radiusd -X log lines? I can't find any radius.log file.
View 10 Replies
Apr 29, 2010
In short, we are booting CentOS 5.4 over PXE to a bunch of diskless clients. Once they are booted, we can log in (as the local root account) and RDP to Windows machines using rdesktop as we require.
The next step of the project is to get user authentication to the Windows Domain Controller working for the PXE image.
To do so, we continued with our physical install of CentOS 5.4 (used to create the PXE image with rsync as per the wiki page for diskless clients) by following through this page. AD auth works perfectly on this box (it has a local HDD install of CentOS, obviously).
Once we rsync'd the changes over to the pxeboot location and rebooted one of the diskless PXE clients, we get issues.
The issue is that winbind seems to start, however the file "/etc/samba/secrets.tdb" can't be read. We tried removing this file that the PXE clients use and recreating it using
touch /etc/samba/secrets.tdb
View 3 Replies
Jul 14, 2009
I have a Samba file server that can authenticate users in my Windows AD to log into the server. Anyway, I have a good number of Windows admins on staff, but our org wants to cut budget, so our first "slash" as it were is cutting down the actual Windows-based file servers. So my question is, now that I have this test server up and authenticating logins using Winbind, is there a way I can get system-config-samba to "see" winbind users and groups so that file servers can still be "point and click" for my Windows admins?
View 3 Replies
Aug 20, 2010
I am in the process of creating a kickstart configuration file for some RedHat 5.5 and CentOS 5.5 servers (production and test respectively). I have googled about a bit but I cannot find a good list of the bare minimum packages required for a command-line system. If anyone knows how I can trim this list down any more it would be much appreciated. The aim of this kickstart.cfg is to get the system booted to the bare minimum required to install Chef (server management software). Chef will then set up Apache, the Ruby on Rails environment etc.
All this server will need to do is, from a static IP, host a Ruby on Rails app, send emails, send data to a server on the web, accept ssh and occasionally connect to an SMB/CIFS share. This list was taken from the anaconda-ks.cfg file after a RedHat install of what I thought was a pretty minimal system onto a VM, but I noticed that cups, the avahi daemons and gam_server are installed and running, which I do not believe are needed for a pure web server. I know that these types of questions are hard to answer without a complete knowledge of the operating environment and what "minimum" is in this case ("@core only? but I wanted yum damnit!")
@admin-tools
@base
@core
[code]....
View 1 Replies
Jul 13, 2010
I have a web server with a lot of documents to serve. Some of the users have problems with the new Microsoft document types like docx. Internet Explorer 7 wants to open the file like a zip file, not as a Word document. I've googled around and found a solution that didn't work for me: [URL] I've added to /etc/mime.types
[Code]....
After a restart of httpd, nothing changes; always the same failure with Internet Explorer 7.
View 4 Replies
Jul 3, 2010
I've been searching around the web for help and have been really pulling my hair out on this one. I have a Windows 2003 Server w/ AD on it. I have two Linux machines, both running the same version of RHEL 5 (compute-1, compute-4).
When I log into compute-1 and do an "id dhuynh", I get this:
uid=1501(dhuynh) gid=1500(domain users) groups=1500(domain users),2013(dusers),1501(certsvc_dcom_access),1507(BUILTIN+users)
When I log into compute-4 and do the same command, I get this:
uid=1500(dhuynh) gid=1504(domain users) groups=1504(domain users),1505(certsvc_dcom_access),1501(BUILTIN+users)
Notice that the uid and gid are different. How do I get them to be the same? This is affecting the file permissions in certain shared directories. I've checked /etc/samba/smb.conf and they are identical. I also checked /etc/nsswitch.conf and they are identical too.
View 2 Replies
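The symptom in this post and in the earlier vsftpd/Openfiler post (the same account getting 160010 on one host and 160011 on the other) is what the default idmap tdb backend produces: it hands each SID the next free id in whatever order that host happened to look the accounts up first, so two hosts with identical smb.conf files still disagree. The script below is an added example, not code from either post: it simulates that allocation next to the idmap_rid algorithm (id = range_low + RID), which every host computes identically. The domain SID, RIDs, host names and the 160000-169999 range are constructed values.

```python
"""Why two winbind hosts hand out different uids, and how to make them agree.

Added example, not code from either post. It simulates the two idmap
backends available with Samba 3 on CentOS 5: the default tdb allocator,
which gives each SID the next free id in whatever order accounts happen to
be looked up first on that host, and idmap_rid, which computes the id as
range_low + RID so every host derives the same number. The domain SID,
RIDs, host names and range are constructed.
"""
DOMAIN_SID = "S-1-5-21-1000-2000-3000"        # constructed
IDMAP_RANGE = (160000, 169999)                 # constructed 'idmap uid' range

USERS = {                                      # constructed accounts; the last
    "user": DOMAIN_SID + "-1110",              # SID component is the RID
    "user1": DOMAIN_SID + "-1111",
}

# Each host resolves names in the order they first appear (first login, first
# `getent`, first ACL lookup); the two hosts happen to see them reversed.
HOST_ORDERS = {
    "centos": [USERS["user1"], USERS["user"]],
    "openfiler": [USERS["user"], USERS["user1"]],
}


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])


def domain_of(sid):
    return sid.rsplit("-", 1)[0]


def idmap_rid(sid, domain_sid=DOMAIN_SID, idmap_range=IDMAP_RANGE):
    """idmap_rid: uid/gid = range_low + RID; None for foreign domains or
    RIDs that would overflow the range (winbind then reports no mapping)."""
    low, high = idmap_range
    if domain_of(sid) != domain_sid:
        return None
    number = low + rid_of(sid)
    return number if number <= high else None


def idmap_tdb(lookup_order, idmap_range=IDMAP_RANGE):
    """Default tdb backend: first-come first-served allocation per host."""
    low, high = idmap_range
    table, next_id = {}, low
    for sid in lookup_order:
        if sid in table:
            continue
        if next_id > high:
            raise RuntimeError("idmap range exhausted")
        table[sid] = next_id
        next_id += 1
    return table


def ids_for_host(lookup_order, backend):
    if backend == "rid":
        return {sid: idmap_rid(sid) for sid in lookup_order}
    if backend == "tdb":
        return idmap_tdb(lookup_order)
    raise ValueError("unknown backend %r" % backend)


def mismatches(host_orders, backend):
    """Return (per_host_tables, set of SIDs mapped differently across hosts)."""
    per_host = {h: ids_for_host(order, backend) for h, order in host_orders.items()}
    all_sids = set(sid for order in host_orders.values() for sid in order)
    differing = set()
    for sid in all_sids:
        seen = set(t[sid] for t in per_host.values() if sid in t)
        if len(seen) > 1:
            differing.add(sid)
    return per_host, differing


if __name__ == "__main__":
    by_sid = {sid: name for name, sid in USERS.items()}
    for backend in ("tdb", "rid"):
        per_host, differing = mismatches(HOST_ORDERS, backend)
        print("backend", backend)
        for host, table in sorted(per_host.items()):
            print("  %-10s" % host, {by_sid[s]: u for s, u in table.items()})
        print("  differing:", sorted(by_sid[s] for s in differing))
```

Two practical notes. Configuring the same idmap backend and the same range on every host is what makes the ids line up, whether that is rid (arithmetic, as above) or ad (uidNumber/gidNumber read from the directory). And hosts that already have tdb-allocated ids will re-number their users when the backend changes, so files they own on shared storage need to be chowned afterwards, which is why this is easier to fix before the NFS share fills up.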
Sep 13, 2010
I have a couple of servers which run CentOS 5.5 and CentOS 5.4. We have decided to buy a UPS and we chose the Eaton EX RT 11 plus the Eaton network management card minislot. I have read on the Eaton site that they have two applications which could gracefully shut down my servers: LanSafe and NetWatch. My experience with UPSes and those applications is zero, so I'm here for some advice. Do you prefer NetWatch over LanSafe?
View 2 Replies
Jul 19, 2010
I have a problem: "ssh - debug3: no such identity:"
I tried to connect from copssh at 192.168.0.2 to CentOS 5.4 x86 ssh at 192.168.0.4.
At 192.168.0.2,
Code:
ssh-keygen -t rsa (for ddisk-net_pc_p without password)
At 192.168.0.4,
Code:
mkdir -p ddisk-net_pc
mkdir /home/ddisk-net_pc/.ssh
chown -R ddisk-net_pc:users ddisk-net_pc
[code].....
View 3 Replies
Jul 22, 2009
I have a problem installing the ASM software (LANDesk), a BMC module, on an ACER ALTOS G330MK2 server with CentOS 5.3 fully updated. Could someone help me understand what the problem is?
INFO:Installation is being performed on the RedHat Linux distribution.
DEBUG:distro:RedHat
DEBUG:Import of rpm-python code successful
INFO:bash is installed with version 3.2
[Code]...
View 4 Replies
Aug 26, 2010
I would like to know if it is possible to have a key mapping (using loadkeys) that will directly execute a command. I want to have a key to change the volume with amixer that works when top, vi, etc. is open.
View 2 Replies
Aug 11, 2011
I am trying to run rautossh.sh but am getting an identity error. It worked one time and then stopped.
View 1 Replies
Aug 12, 2010
I've added the following to my .vimrc:
Code:
function CommentLines()
:'<,'>s/^///
[code]....
View 1 Replies
Feb 27, 2011
I am trying to integrate OpenLDAP with Tivoli Identity Manager. I am using the LDAP adapter for that. I have imported the LdapProfile.jar file into Tivoli Identity Manager. When I try to create an LDAP service on the Tivoli Identity Manager console I get the errors attached.
Credentials of OpenLDAP:
rootdn= cn=root,o=ibm,dc=com
password= secret
View 1 Replies
Dec 25, 2010
I recently had the need to relay SMTP mail through our organization's hosted MS Exchange server. I had to do a little troubleshooting, so I wrote a concise summary of the procedure I followed.
View 1 Replies
May 17, 2011
We are using Linux as our database server and Microsoft Server 2008 as our file server. Both are independent servers. We would like to be able to mirror each server on the other for disaster recovery purposes. I am completely new to Linux.
View 3 Replies
Oct 12, 2009
I installed CentOS 5.3 with the latest updates in VirtualBox 3.06. Everything looks quite good except the UNIX time. It runs much faster than normal. I even couldn't make ntpd work.
[Code]...
I also modified the menu.lst file as follows: kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/vg00/lv00 rhgb quiet divider=10 But it still doesn't work. How do I sync the local time in VirtualBox? It looks like a bug in the current kernel, as other Linux distributions with newer kernels don't have such a problem.
View 7 Replies
Jun 28, 2009
Did a netstat -an and got this:
Active UNIX domain sockets (servers and established)
View 1 Replies
Aug 22, 2010
I am a project student and I am proposing to an enterprise to change all client OSes to Ubuntu, but the problem is that the enterprise wants to stay with Server 2008 R2 (they don't want to change it). So my job is to make an Ubuntu image which can integrate with Microsoft Server 2008 R2. The enterprise wants Ubuntu to work with
1. MS Domain/AD
2. MS Proxy Server
3. Radius Server
4. Exchange Server
etc.
I am looking forward to distributing Ubuntu. If the above is possible, then how? Which version of Ubuntu do I have to use?
View 1 Replies
Jan 9, 2009
Is there a way to run queries against a Microsoft SQL Server from Linux? Here is what I would like to do. When I create apps that use a DB back end I would like to quickly check the results of my queries. So if I could do something like "select * from Orders" from the terminal or another app, that would be great.
View 6 Replies