This is a discussion on Re: [Samba] AD Authentication help please? within the Samba forums, part of the Networking and Network Related category.
Strange, I guess that is my misunderstanding of how it acquires the
list of users when running a wbinfo -u command.

Yep, here is the output:

jason@odin-newb:~> sudo net ads join -U Admin@domain.com
Admin@domain.com's password: xxxxxx
Using short domain name -- DOMAIN.COM
Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'

And when I check to see if it is available within Active Directory
(member server of Win2k domain) I can clearly see the
CN=odin-newb,cn=computers,dc=domain,dc=com listed in the appropriate
container.

My problem at this point is the only users I can view are in a different
container. You say you can view all users for all containers right?

Well after joining the domain the first time I followed the samba3-howto
and attempted to point to a container of users and now those are the
only ones I can view.
http://www.samba.org/samba/docs/man/...achine-account

I am sorry about any confusion.

Edward Brookhouse wrote:

>I still do not understand what you mean by map ?
>
>In my setup wbinfo -u shows me 'everything' regardless of the container
>it's in.
>
>It sounds like you think there should be some kind of authentication
>mapping but there does not need to be one -
>
>By adding the computer to the domain - and setting up the kerb conf -
>when an auth request hits samba he will hand it to the domain and the
>domain should do a recursive search for user objects under
>dc=your,dc=toplevel,dc=com
>
>The only reason you see the ou=Users in your trace is because Admin
>lives in ou=Users by default.
>
>Can you authenticate ? Have you tried?
>
>-----Original Message-----
>From: Jason Gerfen [mailto:jason.gerfen@scl.utah.edu]
>Sent: Wednesday, September 21, 2005 1:46 PM
>To: Edward Brookhouse
>Subject: Re: [Samba] AD Authentication help please?
>
>Sorry, I suppose I am leaving things out.
>
>I am able to see the machine in the computers container after I
>successfully joined the domain using the net ads join command. However
>while trying (multiple times) to map to the CN=users container in Active
>directory I mapped to an OU=otherUsers which is now what I see when I do
>a wbinfo -u command.
>
>If what you are saying is correct about the default mapping to the
>cn=users I need to revert back to this somehow.
>
>Edward Brookhouse wrote:
>
>>Try to forget about where the users live for a sec - get the computer in
>>the domain first. Your net ads join command should return a welcome to
>>the domain if it does not - use a net rpc join command in the same
>>fashion -=
>>
>>Then go look in AD to see if that computer showed up in your Computers
>>container -
>>
>>If It did great .. you should be golden
>>
>>If not - go back to the net join until it works :)
>>
>>-----Original Message-----
>>From: Jason Gerfen [mailto:jason.gerfen@scl.utah.edu]
>>Sent: Wednesday, September 21, 2005 1:22 PM
>>To: Edward Brookhouse
>>Subject: Re: [Samba] AD Authentication help please?
>>
>>Hmm, that might be my problem. I am using the HOWTO and running the
>>commands in this order:
>>
>>%> net ads join -U <username>
>>%> kinit <username>
>>%> net ads join -U <username> "users" as the container which is not
>>found.
>>
>>Do I need to do a net ads leave command? In order to attempt a new
>>mapping for the users container?
>>
>>Edward Brookhouse wrote:
>>
>>>I'm still confused on what you are saying - here is why:
>>>
>>># net ads join
>>>
>>>Should join the 'computer' to the domain - the user should already be in
>>>there - the ou=users is the default implied container where users live,
>>>but it should not matter where the users is in the directory -
>>>
>>>For example -
>>>
>>>My domain is laid out like:
>>>
>>>dc=corp,dc=example,dc=com
>>>
>>>with ou=users being where admin lives
>>>but all my other users live in ou=HD,ou=7811
>>>
>>>once you do net ads join the computer should show up in the Computers
>>>container.
>>>
>>>-----Original Message-----
>>>From: Jason Gerfen [mailto:jason.gerfen@scl.utah.edu]
>>>Sent: Tuesday, September 20, 2005 3:35 PM
>>>To: Edward Brookhouse; samba@lists.samba.org
>>>Subject: Re: [Samba] AD Authentication help please?
>>>
>>>When joining the samba box to a domain:
>>>
>>>%> net ads join -U <username>
>>>%> kinit Admin@DOMAIN.COM
>>>%> net ads join -U <username> <LDAP/AD Container of users>
>>>
>>>The last command fails and when doing an strace you can clearly see that
>>>it is expecting an Organizational Unit (OU) vs. a Common Name (CN) which
>>>is where the users I need to authenticate are currently residing.
>>>
>>>Do I need to move these to an OU vs. a CN? Here is the strace output I
>>>am referring to:
>>>
>>>%> strace -o tmp net ads join -U "Admin" "users"
>>>
>>>(only including pertinent lines with searching for container to map to)
>>>write(6, "0C\2\1\5c>\4\36ou=users,dc=DOMAIN,dc=COM"..., 69) = 69 <--
>>>here is the hard coded ou, I am not 100% familiar with the LDAP RFC but
>>>on a windows Active Directory there are CN and OU containers
>>>
>>>See how it is appending the OU=USERS?
>>>
>>>Edward Brookhouse wrote:
>>>
>>>>Not sure I understand your question. What are you trying to map?
>>>>
>>>>-----Original Message-----
>>>>From: samba-bounces+ebroo=healthydirections.com@lists.samba.org
>>>>[mailto:samba-bounces+ebroo=healthydirections.com@lists.samba.org] On
>>>>Behalf Of Jason Gerfen
>>>>Sent: Tuesday, September 20, 2005 11:25 AM
>>>>To: samba@lists.samba.org
>>>>Subject: [Samba] AD Authentication help please?
>>>>
>>>>I am having a problem which with much help from this list I have gotten
>>>>90% complete. I am attempting to create a samba server which will
>>>>authenticate users as a Domain member server using active directory.
>>>>
>>>>The question I have is how can I map a specific container which is not
>>>>an OU but a CN in the active directory?
>>>>
>>>>Any help is appreciated.

--
Jason Gerfen
Student Computing Labs, University Of Utah
jason.gerfen@scl.utah.edu

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threatened to leave me if I went boarding... I will miss her."
~ DIATRIBE aka FBITKK

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
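
Added example, not part of the original thread: a small decoder for the kind of strace write() string quoted in the message above, which undoes strace's escapes and reads the BER headers to show which LDAP operation and which DN the client put on the wire. The function names and the SAMPLE string (built for dc=example,dc=com) are this example's own and are constructed for illustration.

```python
import re

ESC = re.compile(r"\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)")
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f"}
# LDAP protocolOp tags whose first field is a DN (RFC 4511)
DN_FIRST_OPS = {0x63: "searchRequest", 0x66: "modifyRequest", 0x68: "addRequest"}

def strace_unescape(text):
    """Turn the quoted string strace prints for write()/read() back into bytes."""
    def repl(m):
        e = m.group(1)
        if len(e) == 3 and e[0] == "x":
            return chr(int(e[1:], 16))      # \xNN (strace -x)
        if e[0] in "01234567":
            return chr(int(e, 8))           # \N, \NN, \NNN octal
        return SIMPLE.get(e, e)             # \n, \t, \\, \" and similar
    return ESC.sub(repl, text).encode("latin-1")

def read_header(buf, pos):
    """Read one BER tag+length; return (tag, length, offset of the value)."""
    if pos + 2 > len(buf):
        raise ValueError("capture ends before BER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                        # long form: n length octets follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def ldap_request_summary(strace_string):
    buf = strace_unescape(strace_string)
    tag, _, pos = read_header(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, n, pos = read_header(buf, pos)
    if tag != 0x02:
        raise ValueError("messageID INTEGER expected")
    msgid = int.from_bytes(buf[pos:pos + n], "big")
    op, _, pos = read_header(buf, pos + n)
    if op not in DN_FIRST_OPS:
        return {"msgid": msgid, "op": hex(op), "dn": None}
    tag, n, pos = read_header(buf, pos)
    if tag != 0x04:
        raise ValueError("DN OCTET STRING expected")
    dn = buf[pos:pos + n].decode("utf-8", "replace")
    return {"msgid": msgid, "op": DN_FIRST_OPS[op], "dn": dn,
            "first_rdn": dn.split("=", 1)[0].lower(),
            "truncated": len(buf) - pos < n}    # strace cut the string short

# Constructed sample (not from the thread): start of a search under ou=users
SAMPLE = r"0?\2\1\5c:\4\32ou=users,dc=example,dc=com"

if __name__ == "__main__":
    print(ldap_request_summary(SAMPLE))
```

The "truncated" flag is set when the declared DN length runs past the captured bytes, which happens when strace's string limit cuts the request short; raising it with strace -s keeps the whole request in the capture.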