This is a discussion on RE: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC - Samba ; I think the best solution for the Macintosh would be PADLs stuff. Check = out, http://www.padl.com/Contents/OpenSourceSoftware.html . There's a = NSS module that will plug into LDAP for unix information. You'll need = to configure the appropriate mappings. Also, there's ...
I think the best solution for the Macintosh would be PADLs stuff. Check =
out, http://www.padl.com/Contents/OpenSourceSoftware.html. There's a =
NSS module that will plug into LDAP for unix information. You'll need =
to configure the appropriate mappings. Also, there's a PAM module that =
will authenticate using a password hash stored in the LDAP. Naturally =
you should encrypt the traffic using either SASL, LDAPS, or LDAP =
StartTLS. Amongst the tools is a caching tool, which will allow the =
laptop to work offline, much like the Windows feature.
For a pure SAMBA 2.0 solution, you would have to configure NSS and PAM =
to use windbindd on the MacOS X. I am not even sure how to this or what =
Apple's level of support is for a complete SAMBA set of tools and =
Another thing, you seem to be confusing PDC with Active Directory DC. =
The PDC is from the olden days, and uses NTLM for authentication. An AD =
DC uses Kerberos for authentication. There's no concept of a PDC in =
Active Directory, as it is a "multi-master" scenario, where every DC is =
an equal citizen. If one fails, users authenticate to another DC. =
There's no "primary" like in the historic NT domain, which is a =
"single-master" scenario having a single-point of failure; if the PDC =
fails, no one authenticates until a BDC is promoted to the role of PDC.
- Joaquin Menchaca
From: David Martinez [mailto:email@example.com]=20
Sent: Thursday, December 08, 2005 8:13 AM
Subject: Re: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC
Thanks for your response.
I think I'm not been clear, my environment is:
1. Fedora Core 4 + openldap 2.2 + samba 3.0: this is the PDC, samba uses =
ldap as a backend for users,computers,groups. That box has NSS, PAM and =
2. Windows XP clients are attached to the domain and are working pretty =
3. I need to join Mac OS X 10.3 clients to the same domain in order to =
have single sign-on. These clients are using samba 2.
=A0=A0 * My first test was to use incorporated LDAP authentication with =
Mac OS X (Apps->Utilities -> Directory Access -> Authentication -> =
Custom Path ), I had to change default LDAP attribute mapping and it =
worked. But this solution won't allow my mobile users to sign on once =
they are out of office because last login is not catched (I need a =
windows-like behavior where AD clients can login even when they are not =
attached to the network).
=A0=A0 * A second test is to use Active Directory Plugin incorporated =
with Panther but it doesn't work. I've been using a sniffer to see whats =
going on on the binding process and I found the Mac client asks for =
kerberos authentication, as long as I have not kerberos in the PDC box =
the binding process fails. The Active Directory Plugin works fine with =
Win2K AD servers, I have used it before... looks like the AD Plugin does =
not use samba.
As you see I have three options:
* Find a solution to the LDAP authentication catching problem when the =
Mac Clients are not connected to the network.
* Configure kerberos authentication on the LDAP+SAMBA box and join the =
Mac Clients to the PDC.
* Forgett all this and spend $15,000 bugs on win server and CALS, =
reconfigure all WinXP Clients and install Win2k on the linux box.
Does anybody here has ever attached Mac OS X clients to a Samba 3 PDC ??
On 12/8/05, SAMBA
Have you configured NSS and PAM to use winbindd?
Are you trying to use a PDC or Active Directory LDAP/Kerberos?
=A0=A0- PDC supports NTLM for authentication, which is old school =
=A0=A0- Active Directory supports Kerberos for authentication.=20
I haven't yet used the AD plug-in.=A0=A0I think that the LDAP schema =
needs to be modified to support UNIX data like gid/uid, shell, =
etc.=A0=A0There's an AD4Unix open source solution that I think can add =
the compatible schema.=A0=A0The AD plug-in also I will reconfigure PAM =
to use Apple's module, you need to configure PAM to use SAMBA's =
windbindd instead.=A0=A0Also before this, you must establish =
authentication through Kerberos, testing with kinit, and configuring =
Kerberos on the client. You might need to export a keytab that =
corresponds to a Windows service principal name(s) (user account with =
name that represents host client and services offered by host client) =
using ktpass on the Windows domain controller, and import this keybtab =
securing into the client that needs to access Windows domain controller.
As for Mac OS X, I am pretty sure they support the older SAMBA 2.0, =
which does not have support for Active Directory, other than through a =
PDC emulator operations masters on Windows 2000 or Windows Server 2003 =
Also, you say you are using SAMBA 3.0.20.=A0=A0Did you compile this on =
From: samba-bounces+letz_samba=3D firstname.lastname@example.org =
[mailto:samba-bounces+letz_samba=3Drealmspace.email@example.com g] On =
Behalf Of David Martinez
Sent: Tuesday, December 06, 2005 8:25 AM=20
Subject: [Samba] Mac OS X clients not binding to a Samba+LDAP PDC
Hi there !
This is my first post and I really would like to have this stuff working =
if not, I should go to Win2k3 server .... please help me to avoid it =
I've been trying to integrate Mac OS X (10.3) clients to my Samba server
through the Active Directory Plugin with no success. This PDC is =
working for 90 PC's with XP SP2.
My server is well configured from the DNS (or I think so):
ns=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0A=A0=A 0=A0=A0=A0=A0 =
ldap=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0A=A0=A0=A0 =A0=A0=A0 =
pruebas=A0=A0=A0=A0=A0=A0=A0=A0 A=A0=A0=A0=A0=A0=A0 192.168.101.50
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV=A0=A0=A0=A00 100 =
_ldap._tcp.dc._msdcs=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 SRV=A0=A0=A0=A00 100 =
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV=A0=A0=A0=A00 100 =
_ldap._tcp.gc._msdcs=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 SRV=A0=A0=A0=A00 100 =
_ldap._tcp.pdc._msdcs=A0=A0=A0=A0=A0=A0=A0=A0=A0=A 0SRV=A0=A0=A0=A00 100 =
_gc._tcp.Default-First-Site-Name._sites SRV=A0=A0=A0=A00 100 389
_ldap._tcp.Default-First-Site-Name._sites SRV=A0=A0=A0=A00 100 389=20
SRV=A0=A0=A0=A00 100 389 pruebas.valeeuro.com
_ldap._tcp=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0= A0=A0=A0=A0=A0=A0=A0 =
SRV=A0=A0=A0=A00 100 389 pruebas.valeeuro.com
When I try to bind the Mac computer to the domain it stops on step 3 and
sends an error "Invalid username and password"
As I see, the Mac is trying to connect using kerberos authentication, =
I dont know how to configure on the samba+ldap!!
=BFHow do I enable kerberos authentication on my LDAP+SAMBA+Linux =
openldap 2.2.23 (openldap is the backend for samba)
linux fedora core 4
Thanks in advance !!!
To unsubscribe from this list go to the following URL and read the=20
To unsubscribe from this list go to the following URL and read the