Sorry, didn't see a response in my inbox...

On 2/11/12 2:03 PM, Scott Ehrlich wrote:
> On Sat, Feb 11, 2012 at 1:51 PM, Tom McLaughlin <tmclaugh at gmail.com> wrote:
>>
>>
>> On 2/7/12 6:05 AM, Scott Ehrlich wrote:
>>> Revisiting a recent posting of mine -
>>>
>>> So I have an isolated network consisting of a Win 2008 R2 w/SP1 domain
>>> controller and an unpatched (i.e. out of box) 64-bit RHEL 5.7
>>> workstation.
>>>
>>> The goal is to get the RHEL workstation to join the domain controller
>>> for authentication.
>>>
>>> I was recently reminded, when doing this before, that the stock samba
>>> on the RHEL box does not work, that, on my CentOS box, and other
>>> CentOS systems I've recently built, I've had to remove the native
>>> samba packages and replace them with samba3x.
>>>
>>
>> Our CentOS 5.7 builds at work work just fine against our Windows 2008
>> DCs. What exactly are you trying to achieve? I take it you want user
>> info from AD via nss_ldap? How do you want to do authentication?
>> pam_krb5 or pam_ldap?
>>
>> You do not need to join a host to AD in order to do that. Our older
>> build did not join hosts to AD. Our new one does and it works fine for
>> us. Using '-d' with the `net` command will display debug info about the
>> join attempt.
>
> What is your Linux setup to allow you to have users authenticate to AD
> without joining?
>
> What kerberos, samba, pam updates, etc, do you do to permit this?
>

Below is our standard krb5.conf:

------
# $Id: krb5.conf 143 2011-12-29 21:03:39Z tm707 $
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 # XXX: Match AD domain default
 ticket_lifetime = 10h
 forwardable = yes

[realms]
# XXX: Not necessary due to DNS lookups enabled above.
# EXAMPLE.COM = {
#  admin_server = ldap.example.com:749
# }

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
------

And the following lines were added in the system-auth pam.d file.

------
auth        sufficient    pam_krb5.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
------

Additionally, make sure no /etc/krb5.keytab file exists. Typically our
hosts are joined to AD but I just removed my test box from the domain and
it still works fine once I also removed the keytab file.

tom

> Thanks.
>
> Scott
>
>>
>>> So two questions -
>>>
>>> 1) What exactly is samba3x - from where does it originate? No amount
>>> of googling reveals an answer, other than available patches.
>>> samba.org doesn't seem to say anything about it.
>>>
>>> 2) An attempted rpm install of the latest version of samba3x, obtained
>>> from the CentOS site (didn't have immediate access to the RHEL repo),
>>> hit some snags:
>>>
>>> rpm -Uvh samba3x-<package> hit some unmet library dependencies. I
>>> resolved two of the three, but libwbclient.so.0 is refusing to be
>>> acknowledged.
>>>
>>> It lives in /usr/local/samba/...
>>>
>>> I've placed it in /lib64 and tried ldconfig and a reboot. It refuses
>>> to be picked up.
>>>
>>> What am I missing?
>>>
>>> Thanks.
>>>
>>> Scott
>>> _______________________________________________
>>> Discuss mailing list
>>> Discuss at blu.org
>>> http://lists.blu.org/mailman/listinfo/discuss
>>>
>>
>> --
>> | tmclaugh at gmail.com tmclaugh at FreeBSD.org |
>> | FreeBSD http://www.FreeBSD.org |
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss

--
| tmclaugh at gmail.com tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
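An added example, not part of the thread above and not code from BLU, Red Hat or MIT Kerberos: a small Python checker that parses a krb5.conf (sections, key = value, nested { } blocks, # comments) and a pam.d stack of the shape Tom posted, then reports anything that departs from his recipe (a default_realm, KDC discovery via DNS or an explicit [realms] entry, a domain_realm mapping onto the realm, pam_krb5.so in all four PAM groups, and no host keytab on disk). The sample configuration and PAM lines embedded below are constructed to mirror the post; the function names, the findings text and the keytab_path parameter are this example's own.

```python
"""Added example: check a krb5.conf and system-auth stack against the recipe
posted in the thread (pam_krb5 against AD, DNS KDC lookup, no host keytab)."""
import os
import re

# Constructed sample mirroring the posted krb5.conf; not taken from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true

[realms]
# EXAMPLE.COM = { admin_server = ldap.example.com:749 }  (commented out, as posted)

[domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM

[appdefaults]
 pam = {
   ticket_lifetime = 36000
 }
"""

# Constructed sample of the four pam_krb5 rules added to system-auth.
SAMPLE_SYSTEM_AUTH = """\
auth        sufficient    pam_krb5.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'key = {' block becomes a nested dict."""
    conf, stack = {}, []                    # stack: enclosing dicts, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            if len(stack) > 1:
                raise ValueError("unterminated '{' before %r" % raw)
            stack = [conf.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' at %r" % raw)
            stack.pop()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            raise ValueError("expected 'key = value': %r" % raw)
        if value == "{":                    # open a nested block such as pam = { ... }
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of file")
    return conf

def parse_pam_stack(text):
    """Return [(type, control, module, [args])] for each rule in a pam.d file."""
    rule = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = rule.match(line)
        if not m:
            raise ValueError("unparseable PAM rule: %r" % raw)
        rules.append((m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()))
    return rules

def check_recipe(krb5_text, pam_text, keytab_path="/etc/krb5.keytab"):
    """Return findings (an empty list means the inputs match the posted recipe)."""
    findings = []
    conf = parse_krb5_conf(krb5_text)
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        findings.append("libdefaults: default_realm is not set")
    # With dns_lookup_kdc off, the KDC must be named explicitly under [realms].
    dns_kdc = libdefaults.get("dns_lookup_kdc", "false").lower() in ("true", "yes", "1", "on")
    if not dns_kdc and not conf.get("realms", {}).get(realm):
        findings.append("no KDC configured: dns_lookup_kdc is off and [realms] lacks %s" % realm)
    # Hostnames in the realm's DNS domain must map onto the realm.
    if realm and realm not in set(conf.get("domain_realm", {}).values()):
        findings.append("domain_realm: no hostname suffix maps to %s" % realm)
    # pam_krb5 has to be present in all four management groups.
    present = {t for (t, _c, mod, _a) in parse_pam_stack(pam_text) if mod == "pam_krb5.so"}
    for group in ("auth", "account", "password", "session"):
        if group not in present:
            findings.append("pam: no pam_krb5.so rule in the %s group" % group)
    # The recipe requires that no host keytab be left on the box.
    if os.path.exists(keytab_path):
        findings.append("host keytab present at %s" % keytab_path)
    return findings
```

Run check_recipe() against the real /etc/krb5.conf and /etc/pam.d/system-auth contents to get a list of findings; an empty list means the host looks like Tom's recipe. The parser only handles the subset of krb5.conf syntax shown in the post (no include directives, no '#' inside values).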