CentOS 5.6 VM Joined To Windows Sub-Domain, Authenticate Against Domain?

genuinejd
Posts: 2
Joined: 2011/06/09 22:12:13

CentOS 5.6 VM Joined To Windows Sub-Domain, Authenticate Against Domain?

Post by genuinejd » 2011/06/10 16:13:44

First off - here's the standard "I'm not an expert" disclaimer - I apologize in advance if this is an elementary question, I'm a developer who has picked up some basic Linux/sysadmin knowledge over the years. I know enough to get by, but do NOT claim to be an expert by any means. Hence my post here...

[b]Goal:[/b] Have a Linux VM joined to a sub-domain, but have our developers log in to the Linux VM with their domain credentials. An added bonus would be to create shares on the Linux VM that we could connect to via Windows.

[b]Background:[/b] We've got several Windows and Linux VMs for web application development testing. Our Windows VMs are joined to a sub-domain and can authenticate domain users. We are domain admins on the sub-domain, but NOT on the domain. I have been able to successfully add a Linux VM to the sub-domain, and can authenticate a sub-domain user against the sub-domain, but I'd like to be able to authenticate a domain user on this VM as well. I feel like I'm just missing a simple step somewhere, but I cannot determine where the issue is (cross-realm authentication, maybe??).

I can authenticate successfully with a subdomain user using:
[code]
[root@hostname ~]# wbinfo -K SUBDOMAIN+user%passwd
plaintext kerberos password authentication for [DEV1+subdomainuser%passwd] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0
[/code]
But I cannot authenticate a domain user:
[code]
[root@hostname ~]# wbinfo -K DOMAIN+user%passwd
plaintext kerberos password authentication for [DOMAIN+user%passwd] failed (requesting cctype: FILE)
error code was NT code 0x00000721 (0x721)
error messsage was: NT code 0x00000721
Could not authenticate user [DOMAIN+user%passwd] with Kerberos (ccache: FILE)
[/code]
Subsequent attempts result in
[code]
[root@hostname ~]# wbinfo -K DOMAIN+user%passwd
plaintext kerberos password authentication for [DOMAIN+user%passwd] failed (requesting cctype: FILE)
error code was NT_STATUS_PIPE_DISCONNECTED (0xc00000b0)
error messsage was: Named pipe dicconnected
Could not authenticate user [DOMAIN+user%passwd] with Kerberos (ccache: FILE)
[/code]

[b]Details:[/b] (I've tried to include everything I think is relevant)

Host
[code]
[root@hostname ~]# uname -a
Linux hostname.subdomain 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686 i386 GNU/Linux
[root@hostname ~]# cat /etc/issue
CentOS release 5.6 (Final)
Kernel \r on an \m
[/code]

Software
[code]
[root@hostname ~]# rpm -qa | grep smb
libsmbclient-3.0.33-3.29.el5_6.2
pam_smb-1.1.7-7.2.1
[root@hostname ~]# rpm -qa | grep samba
samba-swat-3.0.33-3.29.el5_6.2
samba-common-3.0.33-3.29.el5_6.2
samba-3.0.33-3.29.el5_6.2
samba-client-3.0.33-3.29.el5_6.2
[root@hostname ~]# rpm -qa | grep krb
krb5-workstation-1.6.1-55.el5_6.1
krb5-libs-1.6.1-55.el5_6.1
pam_krb5-2.2.14-18.el5
[root@hostname ~]# rpm -qa | grep pam
pam_smb-1.1.7-7.2.1
pam_passwdqc-1.0.2-1.2.2
pam_pkcs11-0.5.3-23
pam-0.99.6.2-6.el5_5.2
spamassassin-3.2.5-1.el5.art
pam_ccreds-3-5
pam_krb5-2.2.14-18.el5
[/code]

/etc/krb5.conf
[code]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SUBDOMAIN.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SUBDOMAIN.DOMAIN.COM = {
kdc = dc.subdomain.domain.com
admin_server = dc.subdomain.domain.com
}

[domain_realm]
.subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
subdomain.domain.com = SUBDOMAIN.DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[/code]

/etc/samba/smb.conf
[code]
[global]
#--authconfig--start-line--

# Generated by authconfig on 2011/06/02 10:16:46
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = SUBDOMAIN
netbios name = HOSTNAME
server string = Interactive Developers Linux Server
log file = /var/log/samba/%m.log
log level = 10
max log size = 50
password server = dc.subdomain.domain.com
realm = SUBDOMAIN.DOMAIN.COM
security = ADS
encrypt passwords = yes
# original range was 16777216-33554431 (smb.conf does not treat a trailing "#" on a value line as a comment)
idmap uid = 10000-1000000
idmap gid = 10000-1000000
idmap backend = idmap_rid:AT=10000-1000000
allow trusted domains = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
pam password change = yes
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = true
winbind separator = +
# winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes

#--authconfig--end-line--
[/code]

/etc/pam.d/system-auth
[code]
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
[/code]

/etc/pam_smb.conf
[code]
DEV1
dc.subdomain.domain.com
dc.domain.com
[/code]

/etc/nsswitch.conf
[code]
passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
[/code]

As I said, I'm hoping this is something simple that I'm just overlooking, but I've been through forums, wikis, man pages, blogs... I have searched high and low and I can't seem to find an answer anywhere else! And yes, I have been sure to restart winbind and smb services with each configuration change.
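As an added diagnostic example (not part of the thread and not the poster's own tooling), the script below parses a copy of the krb5.conf posted above and reports what that file says about a given realm: whether it has a [realms] entry, which [domain_realm] suffixes map to it, and whether the dns_lookup_kdc fallback is enabled. It also applies the same host-to-realm suffix matching that libkrb5 uses on [domain_realm]. Run against this config it shows the sub-domain realm fully mapped and DOMAIN.COM with neither a [realms] entry nor a [domain_realm] mapping; the thread does not establish whether adding them changes the wbinfo result, so the script only reports the coverage. The embedded config is a constructed copy of the posted one, and all function names are my own.

```python
"""Report realm coverage in a krb5.conf (added example, not from the thread)."""
import re
from typing import Any, Dict, Optional

# Constructed copy of the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SUBDOMAIN.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
SUBDOMAIN.DOMAIN.COM = {
kdc = dc.subdomain.domain.com
admin_server = dc.subdomain.domain.com
}

[domain_realm]
.subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
subdomain.domain.com = SUBDOMAIN.DOMAIN.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
forwardable = true
}
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Minimal krb5.conf parser: [section] headers, key = value lines and
    nested { } blocks (enough for [realms], [domain_realm], [appdefaults])."""
    sections: Dict[str, Dict[str, Any]] = {}
    current: Optional[Dict[str, Any]] = None
    stack = []  # open brace blocks inside the current section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            stack = []
            continue
        if current is None:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else current
        if value == "{":
            block: Dict[str, Any] = {}
            target[key] = block
            stack.append(block)
        else:
            target[key] = value
    return sections


def realm_coverage(conf: Dict[str, Dict[str, Any]], realm: str) -> Dict[str, Any]:
    """Describe how a realm is covered by this config."""
    realm = realm.upper()
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    truthy = ("true", "yes", "1")
    return {
        "realm": realm,
        "is_default_realm": libdefaults.get("default_realm", "").upper() == realm,
        "has_realms_entry": realm in {r.upper() for r in realms},
        "domain_realm_mappings": sorted(d for d, r in domain_realm.items() if r.upper() == realm),
        "dns_lookup_kdc": libdefaults.get("dns_lookup_kdc", "false").lower() in truthy,
    }


def realm_for_host(conf: Dict[str, Dict[str, Any]], hostname: str) -> Optional[str]:
    """Map a host to a realm the way libkrb5 reads [domain_realm]: exact host
    match first, then the most specific leading-dot suffix. None if unmapped."""
    host = hostname.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for r in ("SUBDOMAIN.DOMAIN.COM", "DOMAIN.COM"):
        print(realm_coverage(parsed, r))
    for h in ("dc.subdomain.domain.com", "dc.domain.com"):
        print(h, "->", realm_for_host(parsed, h))
```

With dns_lookup_kdc set, a missing [realms] entry can still be filled from DNS SRV records, but a missing [domain_realm] suffix means hosts under the parent domain are not mapped to any realm by this file, which is the kind of gap the script makes visible.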

Ejant
Posts: 6
Joined: 2007/09/07 00:05:40

CentOS 5.6 VM Joined To Windows Sub-Domain, Authenticate Aga

Post by Ejant » 2011/06/16 05:22:30

Are "domain" and "sub-domain" the same Windows server version? If "domain" is Windows 2008 you may have some issues... https://bugzilla.redhat.com/show_bug.cgi?id=561325

Why not do a trust relationship between domain and sub-domain?

However, winbind can't do that:

http://samba.2283325.n4.nabble.com/NTLM-Authentication-against-multiple-domain-comtrollers-td3024825.html

I hope that helps.

genuinejd
Posts: 2
Joined: 2011/06/09 22:12:13

Re: CentOS 5.6 VM Joined To Windows Sub-Domain, Authenticate Against Domain?

Post by genuinejd » 2011/07/20 14:48:36

So it seems as if winbind can't do what I'm trying to do. This can't be impossible can it? I want to join a Centos 5.6 VM to a SUB-DOMAIN, then allow users to authenticate with their DOMAIN credentials. Can anyone help?

paradigm
Posts: 12
Joined: 2011/07/17 20:32:55

Re: CentOS 5.6 VM Joined To Windows Sub-Domain, Authenticate Against Domain?

Post by paradigm » 2011/07/20 20:10:25

You can put the Linux servers in a different OU inside the domain and then control every aspect about them...
