Grokbase Groups CentOS centos November 2011
FAQ
I have some services on Centos5 boxes that use smb authentication
against the Windows domain as a low-maintenance way to handle most of
our office users for things that don't need home directories (web/file
shares, etc.). Running authconfig is all it takes to add it to PAM,
then adding mod_auth_pam to apache makes it work with that and local
users. This all works without any particular involvement with the
Windows group or administrative access there.

Is there a better way to do this on C6 that does not involve 'joining'
the windows domain?

And is there a way to make samba (C5 or 6) work with Windows7 other
than configuring every client to to send NTLM authentication when
requested?

--
Les Mikesell
lesmikesell at gmail.com

Search Discussions

  • John Hodrien at Nov 17, 2011 at 12:26 pm

    On Thu, 17 Nov 2011, Les Mikesell wrote:

    I have some services on Centos5 boxes that use smb authentication
    against the Windows domain as a low-maintenance way to handle most of
    our office users for things that don't need home directories (web/file
    shares, etc.). Running authconfig is all it takes to add it to PAM,
    then adding mod_auth_pam to apache makes it work with that and local
    users. This all works without any particular involvement with the
    Windows group or administrative access there.

    Is there a better way to do this on C6 that does not involve 'joining'
    the windows domain?
    You don't *have* to join it to the domain, you can use pam_krb5 without
    joining if you want. There are advantages if you do though, since a joined
    machine offering samba shares to windows users on a domain won't prompt for a
    password, as it'll use their existing kerberos ticket. Joining *is* just a
    case of a correct smb.conf/krb5.conf and "net ads join" with an account with
    sufficient privs, so isn't really much pain for servers.
    And is there a way to make samba (C5 or 6) work with Windows7 other
    than configuring every client to to send NTLM authentication when
    requested?
    On C5 I thought upgrading to samb3x was sufficient, and that C6 it should just
    work. I'm assuming that not the case?

    jh
  • Ron Young at Nov 17, 2011 at 1:11 pm
    I just installed win 7 pro @home in order to be more compatible with
    my new @work environment. I am likewise having a problem with samba
    shares. The samba shares are on a C5.7 server and were readily
    available from the same machine running XP for the last couple of
    years.

    The new w7pro install is on the same network as the previous XP
    install on that machine and in fact has the same IP address as the
    former XP os.

    Now with the fresh install of w7pro I cannot see any of the samba
    shares from the w7pro machine. All of the googled solutions I have
    found so far have not worked. I have added a couple of entries to the
    smb.conf that were suggested and restarted smb but no joy.

    Anyone have pointers that may get me going again?


    Regards,

    Ron Young
    919-621-9015
    http://www.linkedin.com/in/ronhyoung

    +++++++++++++++++++
    Little tiny dreams require little tiny thoughts and little tiny steps.
    Great big dreams require great big thoughts and little tiny steps.
    +++++++++++++++++++
    Kosh: The avalanche has already started. It is too late for the pebbles to vote.



    On Thu, Nov 17, 2011 at 12:26 PM, John Hodrien wrote:
    On Thu, 17 Nov 2011, Les Mikesell wrote:

    I have some services on Centos5 boxes that use smb authentication
    against the Windows domain as a low-maintenance way to handle most of
    our office users for things that don't need home directories (web/file
    shares, etc.). ?Running authconfig is all it takes to add it to PAM,
    then adding mod_auth_pam to apache makes it work with that and local
    users. ?This all works without any particular involvement with the
    Windows group or administrative access there.

    Is there a better way to do this on C6 that does not involve 'joining'
    the windows domain?
    You don't *have* to join it to the domain, you can use pam_krb5 without
    joining if you want. ?There are advantages if you do though, since a joined
    machine offering samba shares to windows users on a domain won't prompt for a
    password, as it'll use their existing kerberos ticket. ?Joining *is* just a
    case of a correct smb.conf/krb5.conf and "net ads join" with an account with
    sufficient privs, so isn't really much pain for servers.
    And is there a way to make samba (C5 or 6) work with Windows7 other
    than configuring every client to to send NTLM authentication when
    requested?
    On C5 I thought upgrading to samb3x was sufficient, and that C6 it should just
    work. ?I'm assuming that not the case?

    jh
    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos
  • Phil Schaffner at Nov 17, 2011 at 1:18 pm

    Ron Young wrote on 11/17/2011 01:11 PM:
    I just installed win 7 pro @home in order to be more compatible with
    my new @work environment. I am likewise having a problem with samba
    shares. The samba shares are on a C5.7 server and were readily
    available from the same machine running XP for the last couple of
    years.

    The new w7pro install is on the same network as the previous XP
    install on that machine and in fact has the same IP address as the
    former XP os.

    Now with the fresh install of w7pro I cannot see any of the samba
    shares from the w7pro machine. All of the googled solutions I have
    found so far have not worked. I have added a couple of entries to the
    smb.conf that were suggested and restarted smb but no joy.

    Anyone have pointers that may get me going again?
    Have you replaced samba packages with samba3x packages?

    Phil
  • Phil Schaffner at Nov 17, 2011 at 1:20 pm

    Phil Schaffner wrote on 11/17/2011 01:18 PM:
    Have you replaced samba packages with samba3x packages?
    P.S.
    Just noticed I am an accessory to a thread hijacking. This thread is
    about CentOS-6. Sorry.
  • Ron Young at Nov 17, 2011 at 2:53 pm
    Oops! My apologies for the thread hijacking. Thanks for the reminder Phil.

    I was mentally keyed to the samba issues and ignored the C6 and AD
    issues. In my case there is no AD domain involved and samba is
    already at the 3x level.


    Regards,

    Ron Young
    919-621-9015
    http://www.linkedin.com/in/ronhyoung

    +++++++++++++++++++
    Little tiny dreams require little tiny thoughts and little tiny steps.
    Great big dreams require great big thoughts and little tiny steps.
    +++++++++++++++++++
    Kosh: The avalanche has already started. It is too late for the pebbles to vote.




    On Thu, Nov 17, 2011 at 1:20 PM, Phil Schaffner
    wrote:
    Phil Schaffner wrote on 11/17/2011 01:18 PM:
    Have you replaced samba packages with samba3x packages?
    P.S.
    Just noticed I am an accessory to a thread hijacking. ?This thread is
    about CentOS-6. ?Sorry.

    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos
  • Christopher Chan at Nov 17, 2011 at 8:11 pm

    On Friday, November 18, 2011 03:53 AM, Ron Young wrote:
    Oops! My apologies for the thread hijacking. Thanks for the reminder Phil.

    I was mentally keyed to the samba issues and ignored the C6 and AD
    issues. In my case there is no AD domain involved and samba is
    already at the 3x level.
    Windows 7 not supported by C5 samba unless you rig the Windows 7 to not
    use SMB2.

    samba 3.6.x supports SMB2 but that's not on C5 I believe...
  • Me at Nov 17, 2011 at 1:30 pm

    On Thu, 17 Nov 2011, Ron Young wrote:

    I just installed win 7 pro @home in order to be more compatible with
    my new @work environment. I am likewise having a problem with samba
    shares. The samba shares are on a C5.7 server and were readily
    available from the same machine running XP for the last couple of
    years.

    The new w7pro install is on the same network as the previous XP
    install on that machine and in fact has the same IP address as the
    former XP os.

    Now with the fresh install of w7pro I cannot see any of the samba
    shares from the w7pro machine. All of the googled solutions I have
    found so far have not worked. I have added a couple of entries to the
    smb.conf that were suggested and restarted smb but no joy.

    Anyone have pointers that may get me going again?
    Have you seen this: http://wiki.samba.org/index.php/Windows7

    In particular the registry on w7 needs modification in order to join.

    I have numerous w7 machines in a couple of smb domains working as advertised.

    Hope this helps.

    --
    Tom me at tdiehl.org Spamtrap address me123 at tdiehl.org
  • Les Mikesell at Nov 17, 2011 at 1:41 pm

    On Thu, Nov 17, 2011 at 12:30 PM, wrote:
    I just installed win 7 pro @home in order to be more compatible with
    my new @work environment. ?I am likewise having a problem with samba
    shares. ?The samba shares are on a C5.7 server and were readily
    available from the same machine running XP for the last couple of
    years.

    The new w7pro install is on the same network as the previous XP
    install on that machine and in fact has the same IP address as the
    former XP os.

    Now with the fresh install of w7pro I cannot see any of the samba
    shares from the w7pro machine. ?All of the googled solutions I have
    found so far have not worked. ?I have added a couple of entries to the
    smb.conf that were suggested and restarted smb but no joy.

    Anyone have pointers that may get me going again?
    Have you seen this: http://wiki.samba.org/index.php/Windows7

    In particular the registry on w7 needs modification in order to join.

    I have numerous w7 machines in a couple of smb domains working as advertised.
    I don't think you need that unless you are using samba as a domain
    controller. If you just want a windows7 (pro...) client to send it's
    NTLM credentials to samba like XP would, run 'secpol.msc' and under
    Under Local Policies, Security Options, Network security, change
    option from ?not defined? to ?Send LM & NTLM use NTLMv2 session
    security if negotiated.

    Otherwise you can only connect to shares with
    security = share and guests allowed.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Les Mikesell at Nov 17, 2011 at 2:10 pm

    On Thu, Nov 17, 2011 at 11:26 AM, John Hodrien wrote:
    I have some services on Centos5 boxes that use smb authentication
    against the Windows domain as a low-maintenance way to handle most of
    our office users for things that don't need home directories (web/file
    shares, etc.). ?Running authconfig is all it takes to add it to PAM,
    then adding mod_auth_pam to apache makes it work with that and local
    users. ?This all works without any particular involvement with the
    Windows group or administrative access there.

    Is there a better way to do this on C6 that does not involve 'joining'
    the windows domain?
    You don't *have* to join it to the domain, you can use pam_krb5 without
    joining if you want.
    I don't see that as an option in authconfig (or smb either now). Are
    there examples of how to set that up? And does apache have to be
    configured separately?
    ?There are advantages if you do though, since a joined
    machine offering samba shares to windows users on a domain won't prompt for a
    password, as it'll use their existing kerberos ticket. ?Joining *is* just a
    case of a correct smb.conf/krb5.conf and "net ads join" with an account with
    sufficient privs, so isn't really much pain for servers.
    I thought 'sufficient privs' was an admin account in AD. I don't
    have/want that, and I'd prefer for the people running the AD servers
    to continue to not know which linux servers are bouncing password
    checks their way.
    And is there a way to make samba (C5 or 6) work with Windows7 other
    than configuring every client to to send NTLM authentication when
    requested?
    On C5 I thought upgrading to samb3x was sufficient, and that C6 it should just
    work. ?I'm assuming that not the case?
    Maybe, if you have krb stuff passed through to a joined AD. I was
    hoping NTLM would still work. And I want it to also work
    transparently with local linux accounts that don't exist in AD.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • John Hodrien at Nov 17, 2011 at 2:37 pm

    On Thu, 17 Nov 2011, Les Mikesell wrote:

    You don't *have* to join it to the domain, you can use pam_krb5 without
    joining if you want.
    I don't see that as an option in authconfig (or smb either now). Are
    there examples of how to set that up? And does apache have to be
    configured separately?
    With authconfig it's --enablekrb5 and the related ones for setting the
    details. Since you're not worried about group membership krb5's all you need.
    If pam_smb type stuff was enough then you don't need to worry about
    validation, although it's definitely better if you do.
    I thought 'sufficient privs' was an admin account in AD. I don't
    have/want that, and I'd prefer for the people running the AD servers
    to continue to not know which linux servers are bouncing password
    checks their way.
    No, you don't need that much. You just need permissions to create a machine
    object within a specific OU, which is much lower grade. The password checks
    would end up with the AD controllers, but I doubt it's anything they're likely
    to notice.
    Maybe, if you have krb stuff passed through to a joined AD. I was
    hoping NTLM would still work. And I want it to also work
    transparently with local linux accounts that don't exist in AD.
    On that side, I pass.

    jh

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcentos @
categoriescentos
postedNov 17, '11 at 12:17p
activeNov 17, '11 at 8:11p
posts11
users6
websitecentos.org
irc#centos

6 users in discussion

Les Mikesell: 3 posts Ron Young: 2 posts John Hodrien: 2 posts Phil Schaffner: 2 posts Me: 1 post Christopher Chan: 1 post

Content

People

Support

Translate

site design / logo © 2022 Grokbase