[PLUG] Linux, Active Directory, and Samba

Larry Brigman larry.brigman at gmail.com
Thu May 31 15:47:32 UTC 2007


On 5/31/07, Joshua | Mace | Skinner <jmskinner at gmail.com> wrote:
> Hello PLUG!
>
> This is my first post to any user group so I apologize for my naivety.
>
> My Background:
> I have a little sysadmin experience on the Windows side and am comfortable
> hacking away on the *nix side.  But I'm no guru.
>
> My Situation:
> Web developer with a non-Admin Windows account charged with creating an
> internal site that gives users the ability to automatically authenticate via
> their Windows Domain account.
>
> My Chosen Path:
> I decided on using a Linux web server with Apache2 in conjunction with
> mod_auth_ntlm_winbind, Samba, Kerberos, OpenLDAP, and Winbind to connect to
> our Domain Controller to get the user automatically authenticated when they
> visit the site.
>
> My Problem:
> After a few weeks of fumbling, stumbling, and grumbling I've got it
> working.  Except it stops working 5 minutes after I start the winbindd
> service.  After looking online for an answer I've found only one solution to
> the problem - upgrading to the latest Samba.  So I compiled it and got it
> working....for 5 minutes.  Fails with the same error after the same amount
> of time.
...
> [appdefaults]
>         pam = {
>                 ticket_lifetime = 301d
>                 renew_lifetime = 301d
>                 forwardable = true
>                 proxiable = false
>                 retain_after_close = false
>                 minimum_uid = 0
>                 debug = false
>         }
>
> [nsswitch.conf]
> passwd: compat winbind
> group:  compat winbind
>
> hosts:  files dns
>
> ethers: files
> netmasks:       files
> publickey:      files
>
> bootparams:     files
> automount:      files nis
> shadow: compat
> services:       files nis
> netgroup:       nis files
> networks:       nis files
> protocols:      nis files
> rpc:    nis files
> aliases:        files nis
>

Could it be exactly 301 seconds after starting (ticket_lifetime)?  It acts like the box cannot renew tickets.
The box needs to be joined to the domain.

If you were using Fedora I would recommend the Fedora Directory Server.
It helps getting this setup correctly.
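Larry's question above turns on what the configured lifetimes actually come to in seconds. As an added example (not code from this thread), here is a parser for the MIT Kerberos duration syntax (a bare integer is seconds, `h:m[:s]`, or `NdNhNmNs` with any units omitted), run over a constructed `[appdefaults]` block in the same shape as the one quoted, with a helper that compares each lifetime against an observed failure interval.

```python
import re

# Matches the NdNhNmNs form; every unit is optional. An empty string also
# matches, so callers must reject that case separately.
_UNIT_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def krb5_duration_seconds(value: str) -> int:
    """Convert an MIT Kerberos duration string ('301d', '1h30m', '8:00', '600') to seconds."""
    text = value.strip()
    if text.isdigit():                     # bare integer: already seconds
        return int(text)
    if ":" in text:                        # h:m[:s]
        parts = [int(p) for p in text.split(":")]
        if len(parts) not in (2, 3):
            raise ValueError(f"bad duration: {value!r}")
        parts += [0] * (3 - len(parts))
        h, m, s = parts
        return h * 3600 + m * 60 + s
    match = _UNIT_RE.match(text)
    if not text or not match:
        raise ValueError(f"bad duration: {value!r}")
    d, h, m, s = (int(g) if g else 0 for g in match.groups())
    return d * 86400 + h * 3600 + m * 60 + s


def pam_lifetimes(krb5_conf: str) -> dict:
    """Return ticket_lifetime / renew_lifetime (in seconds) from the pam = { ... } block."""
    block = re.search(r"pam\s*=\s*\{(.*?)\}", krb5_conf, re.S)
    if not block:
        return {}
    found = {}
    for line in block.group(1).splitlines():
        key, sep, val = line.partition("=")
        key = key.strip()
        if sep and key in ("ticket_lifetime", "renew_lifetime"):
            found[key] = krb5_duration_seconds(val.strip())
    return found


def matches_failure_interval(lifetimes: dict, observed_seconds: int, tolerance: int = 5) -> dict:
    """For each lifetime, say whether it sits within `tolerance` seconds of the observed failure interval."""
    return {k: abs(v - observed_seconds) <= tolerance for k, v in lifetimes.items()}


# Constructed sample in the same shape as the block quoted in the thread.
SAMPLE_KRB5_CONF = """\
[appdefaults]
        pam = {
                ticket_lifetime = 301d
                renew_lifetime = 301d
                forwardable = true
        }
"""
```

Running `matches_failure_interval(pam_lifetimes(SAMPLE_KRB5_CONF), 300)` shows whether a five-minute failure lines up with either configured lifetime.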


