topic Re: linux file server and windows AD in Operating System - Linux

linux file server and windows AD

iinfi1 — Sat, 11 Jul 2009 04:07:22 GMT

hi all,
i need suggestion on the following scenario.
we have a client requirement wherein they have a linux file server (RHEL 4/5) and windows DC and end users on windows and linux.
right now this is all the information i have. i have been asked to check the feasibility on this.
would it be sensible to share the files on the file server over samba to the windows AD and when users authenticate they are directed to their shared drives.
but this i feel would put a lot of load on the AD server.
how do i go about this?
i can add a RHEL machine to windows AD, but howto go about using it as a file server, i m not too sure.
thanks

Re: linux file server and windows AD

Matti_Kurkela — Sun, 12 Jul 2009 09:53:23 GMT

There should be no reason to make the filesharing go through the AD server.

When the Linux server is properly joined to the AD domain, you should be able to direct the users' workstations to access the Linux server directly, just like another Windows server in the domain. You can refer to it using an UNC path like \\linuxserver\share.

Please see the documentation on the "winbind" components of Samba.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

You might use Samba's winbind component to automatically create Unix/Linux-style usernames & home directories for any new AD users as necessary, minimizing the need for manual configuration when adding new users.

You'll probably want to add the winbind NSS module to /etc/nsswitch.conf, otherwise you cannot identify the owners of the users' files when using Linux native tools: without the winbind NSS module, you'll see only UID/GID numbers instead of usernames for Windows users in "ls -l" listings, for example.

You could even use the PAM winbind module to make the Linux native services use AD for authentication information. This would allow you to consolidate *all* your user account management to the AD. (Treat the root password just like the local Administrator password on Windows servers, i.e. to be used in emergency only. Use sudo to allow some AD-configured group to access the root account, and you're all set.)

In this configuration, you might want to use the Name Service Cache Daemon (nscd) to minimize the number of AD lookups.

MK

Re: linux file server and windows AD

iinfi1 — Sun, 12 Jul 2009 12:35:06 GMT

thank you sir. i will go through your post ..

thanks for your help

Re: linux file server and windows AD

iinfi1 — Tue, 14 Jul 2009 15:11:21 GMT

hi i am able to successfully add the linux file server to the windows AD.
i created a couple of accounts in the AD and successfully logged into the FS.
i think i goofed up something somewhere and i am now facing this error while logging in to X and also through command line for all AD users

=======================================
/etc/gdm/PreSession/Default: Registering your session with utmp
/etc/gdm/PreSession/Default: running: /usr/bin/sessreg -a -u /var/run/utmp -x "/var/gdm/:0.Xservers" -h "" -l ":0" "user1"
id: cannot find name for user ID 16778326
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 109 (X_ChangeHosts)
Value in failed request: 0x12
Serial number of failed request: 7
Current serial number in output stream: 9
localuser:16778326 being added to access control list
No profile for user 'user1' found
id: cannot find name for user ID 16778326
id: cannot find name for group ID 16778328
id: cannot find name for user ID 16778326
Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry

Failed to start message bus: Memory allocation failure in message bus
EOF in dbus-launch reading address from bus daemon
=======================================

well i have not yet reached what i initially wanted to do with the file server. but since i am stuck with this i just thought of troubleshooting it.

No profile for user 'user1' found
id: cannot find name for user ID 16778326
id: cannot find name for group ID 16778328
id: cannot find name for user ID 16778326
why do we get the above error? is it because that the linux machine cannot fetch the correct UID or GID?

getting back to what i was doing,
i created a folder /fs with owner as root and group owner as "gr1". gr1 is a group in the windows AD.
under samba definitioins i wrote this,
[fs]
comment = Home Directories
path = /fs
browseable = yes
writable = yes
; valid users = %S
valid users = WIND\%S

is this not correct? i logged in as user1 on a windows machine and tried to \\fs1\fs and found nothing.
thanks for your time

Re: linux file server and windows AD

Steven E. Protter — Tue, 14 Jul 2009 17:16:04 GMT

Shalom,

There is a communication problem between the Linux system running samba and the windows ADS system.

I'd need to see the smb.conf file to provide further assistance.

SEP

Re: linux file server and windows AD

iinfi1 — Tue, 14 Jul 2009 17:34:32 GMT

http://sites.google.com/site/techworldgroup/Home/smb.conf

here is my smb.conf file sir. i removed the linux server from AD and joined it again.

the following giv correct results
=================
[root@fs1 ~]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@fs1 ~]# wbinfo -u
administrator
guest
iusr_thephenomenon
iwam_thephenomenon
support_388945a0
krbtgt
user1
user2
user3
user4
[root@fs1 ~]# wbinfo -g
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
gr1
gr2
[root@fs1 ~]#
===========

but when i do a
[root@fs1 ~]# su - user1
id: cannot find name for user ID 16778326
id: cannot find name for group ID 16778328
id: cannot find name for user ID 16778326
[I have no name!@fs1 ~]$

wonder why this happens. when i initially joined the linux machine to the AD things were working fine. in trying to share the /fs folder over samba and be able to access it from windows i screwed some pam files i think.
i am not too sure.

http://sites.google.com/site/techworldgroup/Home/system-auth
http://sites.google.com/site/techworldgroup/Home/login

thanks a lot for your time

Re: linux file server and windows AD

iinfi1 — Thu, 16 Jul 2009 11:03:23 GMT

hi ... :)

i got it. i started from scratch and got it going.
thanks a lot :)

Re: linux file server and windows AD

iinfi1 — Thu, 16 Jul 2009 15:46:35 GMT

i have one more question.
while creating a file server on RHEL 5.3 we have the option of using GFS (in RHEL AP).

if we have data may be upto 500GB-1.5 TB, will ext3 give good throughput?

further do we need a fencing device (similar to wats used in clustering) if we use GFS?

Re: linux file server and windows AD

iinfi1 — Sun, 19 Jul 2009 07:25:50 GMT

there are a couple of things which i noticed

i changed the idmap uid and gid from
idmap uid = 16777216-33554431
to
idmap uid = 1000-33554431

then when i restarted winbind and smb i noticed that all the owner and group owner names went awry.this despite i had set nsswitch.conf to

passwd: files winbind
shadow: files winbind
group: files winbind
[code]
[root@fs3 shares]# ll
total 24
drwxrwx--- 2 16778332 16778331 4096 Jul 19 00:57 fin
drwxrwx--- 3 16778326 16778328 4096 Jul 19 01:25 it
drwxrwx--- 3 16778341 16778338 4096 Jul 19 01:52 sales
[/code]
it came back to normal only when i manually did a chown.
why is this so?

Further,
http://wiki.samba.org/index.php/Samba_&_Active_Directory
the above link asks me to write use_first_pass across all winbind.so lines while my system-auth file

auth sufficient pam_winbind.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
password sufficient pam_winbind.so use_authtok

and i have no line saying
session required pam_winbind.so

what is the significance? if i understand correctly is it to reduce the number of AD lookups from the file server while users are connected? m confused with reading howtos all over the WWW