I think the best solution for the Macintosh would be PADLs stuff. Check =
out, http://www.padl.com/Contents/OpenSourceSoftware.html. There's a =
NSS module that will plug into LDAP for unix information. You'll need =
to configure the appropriate mappings. Also, there's a PAM module that =
will authenticate using a password hash stored in the LDAP. Naturally =
you should encrypt the traffic using either SASL, LDAPS, or LDAP =
StartTLS. Amongst the tools is a caching tool, which will allow the =
laptop to work offline, much like the Windows feature.

For a pure SAMBA 2.0 solution, you would have to configure NSS and PAM =
to use windbindd on the MacOS X. I am not even sure how to this or what =
Apple's level of support is for a complete SAMBA set of tools and =

Another thing, you seem to be confusing PDC with Active Directory DC. =
The PDC is from the olden days, and uses NTLM for authentication. An AD =
DC uses Kerberos for authentication. There's no concept of a PDC in =
Active Directory, as it is a "multi-master" scenario, where every DC is =
an equal citizen. If one fails, users authenticate to another DC. =
There's no "primary" like in the historic NT domain, which is a =
"single-master" scenario having a single-point of failure; if the PDC =
fails, no one authenticates until a BDC is promoted to the role of PDC.

- Joaquin Menchaca

From: David Martinez [mailto:davidmx@gmail.com]=20
Sent: Thursday, December 08, 2005 8:13 AM
Cc: samba@lists.samba.org
Subject: Re: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC

Thanks for your response.

I think I'm not been clear, my environment is:

1. Fedora Core 4 + openldap 2.2 + samba 3.0: this is the PDC, samba uses =
ldap as a backend for users,computers,groups. That box has NSS, PAM and =
LDAP configured

2. Windows XP clients are attached to the domain and are working pretty =

3. I need to join Mac OS X 10.3 clients to the same domain in order to =
have single sign-on. These clients are using samba 2.

=A0=A0 * My first test was to use incorporated LDAP authentication with =
Mac OS X (Apps->Utilities -> Directory Access -> Authentication -> =
Custom Path ), I had to change default LDAP attribute mapping and it =
worked. But this solution won't allow my mobile users to sign on once =
they are out of office because last login is not catched (I need a =
windows-like behavior where AD clients can login even when they are not =
attached to the network).
=A0=A0 * A second test is to use Active Directory Plugin incorporated =
with Panther but it doesn't work. I've been using a sniffer to see whats =
going on on the binding process and I found the Mac client asks for =
kerberos authentication, as long as I have not kerberos in the PDC box =
the binding process fails. The Active Directory Plugin works fine with =
Win2K AD servers, I have used it before... looks like the AD Plugin does =
not use samba.

As you see I have three options:

* Find a solution to the LDAP authentication catching problem when the =
Mac Clients are not connected to the network.
* Configure kerberos authentication on the LDAP+SAMBA box and join the =
Mac Clients to the PDC.
* Forgett all this and spend $15,000 bugs on win server and CALS, =
reconfigure all WinXP Clients and install Win2k on the linux box.

Does anybody here has ever attached Mac OS X clients to a Samba 3 PDC ??



On 12/8/05, SAMBA wrote:
Have you configured NSS and PAM to use winbindd?

Are you trying to use a PDC or Active Directory LDAP/Kerberos?
=A0=A0- PDC supports NTLM for authentication, which is old school =
Windows NT.
=A0=A0- Active Directory supports Kerberos for authentication.=20

I haven't yet used the AD plug-in.=A0=A0I think that the LDAP schema =
needs to be modified to support UNIX data like gid/uid, shell, =
etc.=A0=A0There's an AD4Unix open source solution that I think can add =
the compatible schema.=A0=A0The AD plug-in also I will reconfigure PAM =
to use Apple's module, you need to configure PAM to use SAMBA's =
windbindd instead.=A0=A0Also before this, you must establish =
authentication through Kerberos, testing with kinit, and configuring =
Kerberos on the client. You might need to export a keytab that =
corresponds to a Windows service principal name(s) (user account with =
name that represents host client and services offered by host client) =
using ktpass on the Windows domain controller, and import this keybtab =
securing into the client that needs to access Windows domain controller.

As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, =
which does not have support for Active Directory, other than through a =
PDC emulator operations masters on Windows 2000 or Windows Server 2003 =
domain controller.

Also, you say you are using SAMBA 3.0.20.=A0=A0Did you compile this on =
the Macintosh?

- Joaquin

-----Original Message-----
From: samba-bounces+letz_samba=3D realmspace.com@lists.samba.org =
[mailto:samba-bounces+letz_samba=3Drealmspace.com@lists.samba.or g] On =
Behalf Of David Martinez
Sent: Tuesday, December 06, 2005 8:25 AM=20
To: samba@lists.samba.org
Subject: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC

Hi there !

This is my first post and I really would like to have this stuff working =
if not, I should go to Win2k3 server .... please help me to avoid it =

I've been trying to integrate Mac OS X (10.3) clients to my Samba server
through the Active Directory Plugin with no success. This PDC is =
working for 90 PC's with XP SP2.

My server is well configured from the DNS (or I think so):

ns=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0A=A0=A 0=A0=A0=A0=A0 =
ldap=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0A=A0=A0=A0 =A0=A0=A0 =
pruebas=A0=A0=A0=A0=A0=A0=A0=A0 A=A0=A0=A0=A0=A0=A0
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV=A0=A0=A0=A00 100 =
_ldap._tcp.dc._msdcs=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 SRV=A0=A0=A0=A00 100 =
389 pruebas.valeeuro.com
_ldap._tcp.aab455e4-bbb2-408b-a097-bb359f315574.domains._msdcs =
SRV=A0=A0=A0=A00 100
389 pruebas.valeeuro.com=20
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV=A0=A0=A0=A00 100 =
_ldap._tcp.gc._msdcs=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 SRV=A0=A0=A0=A00 100 =
389 pruebas.valeeuro.com
_ldap._tcp.pdc._msdcs=A0=A0=A0=A0=A0=A0=A0=A0=A0=A 0SRV=A0=A0=A0=A00 100 =
389 pruebas.valeeuro.com
_gc._tcp.Default-First-Site-Name._sites SRV=A0=A0=A0=A00 100 389
_ldap._tcp.Default-First-Site-Name._sites SRV=A0=A0=A0=A00 100 389=20
_gc._tcp=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 =A0=A0=A0=A0=A0=A0=A0=A0=
SRV=A0=A0=A0=A00 100 389 pruebas.valeeuro.com
_ldap._tcp=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= A0=A0=A0=A0=A0=A0=A0 =
SRV=A0=A0=A0=A00 100 389 pruebas.valeeuro.com

When I try to bind the Mac computer to the domain it stops on step 3 and
sends an error "Invalid username and password"

As I see, the Mac is trying to connect using kerberos authentication, =
I dont know how to configure on the samba+ldap!!
=BFHow do I enable kerberos authentication on my LDAP+SAMBA+Linux =

My configuration:=20
samba 3.0.20
openldap 2.2.23 (openldap is the backend for samba)
bind 9.3
linux fedora core 4

Thanks in advance !!!


To unsubscribe from this list go to the following URL and read the=20


To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba