I don’t know if someone finds it interesting, but I followed v4 of latest Linux-AD integration instructions from Scott, and with minor mods I got my CentOS 5.5 clients authenticate successfully agains an w2k3 R2 DC.

So Scott, for me your instructions worked great! Thanks!

Kind regards,
Onno.

infrasty_at_gmail.com

Short term explanation is because SAMBA is using it-s own kerberos configuration file when issuing requests to AD controllers. It doesnt bother to look if system krb5.conf is available and to use it.
It does so for every request, so even if you-ll create your own in place where samba will put it-s own dynamically made krb5.conf, samba will overwrite your version with it-s own.

Depending on version of linux / unix this file is located somewhere in
(my case FreeBSD 7.X)
/var/db/samba/smb_krb5

One of dirty hacks was to set system immutable flag on file, so samba cannot change file even if there rwxrwxrwx permissions set.

Problem with users and groups typically arise when SAMBA’s kerberos library still using UDP type requests to AD and unable to fetch information as it get replies – “too big to fit in UDP, use TCP instead” – shure, just let me force samba to use my version of krb5.conf

Regards,
Alexander

Thanks

I have 2 symstems on 1 PC. WinXP and CentOS 5.2 both are in a SBS Company domain.

When I boot it up in Win XP once and next booted up in CentOS again I received Access Denied from the server.

Domain Server NETLOGON: event ID: 5722

The session setup from the computer HPXX failed to authenticate. The name(s) of the account(s) referenced in the security database is HPXX$. The following error occurred: Access is denied

Any clue?

Thanks for documenting these solutions. Just an update that running an patched (yum update) CentOS 5.2 server, I was able to use the net ads -J command to create the computer object. All the other LDAP, nss, and kerberos changes in your other post worked fine.

It did require configuring the member server settings in samba and starting it up, but that actually a good thing as now I connect to shares on the Linux server, assume I’m using kerberos for that.

For some reason, getent simply does not return and values for passwd or groups. However, if I create a directory and set the UID/GID to values defined in the AD account UNIX tab, ls -l does show the proper values (principal names from AD). And ssh logins work, so that makes me happy.

Things have changed dramatically since the Redhat 7.3 days… thank goodness!

1. To see whether or not selinux is enforcing, permissive or disabled
$ sudo /usr/sbin/getenforce

2. To temporarily set selinux to permissive (doesn’t enforce any policies but will log alerts to syslog)
$ sudo /usr/sbin/setenforce 0

3. To set selinux back to enforcing
$ sudo /usr/sbin/setenforce 1

4. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change:
SELINUX=enforcing
to
SELINUX=permissive

permissive is nice because you can use it to debug selinux policy issues

Someone did it and he is satisfied?

ldap passwd sync = no

For some reason, ldap passwd sync seems to be broken on samba 3.0.25b.”
i have the same issue, i can’t change password using CtrlAltCanc Windows form

This fixed this as well as other issues with my installation…

Albe