[PLUG] Linux, Active Directory, and Samba
Larry Brigman
larry.brigman at gmail.com
Thu May 31 15:47:32 UTC 2007
On 5/31/07, Joshua | Mace | Skinner <jmskinner at gmail.com> wrote:
> Hello PLUG!
>
> This is my first post to any user group so I apologize for my naivety.
>
> My Background:
> I have a little sysadmin experience on the Windows side and am comfortable
> hacking away on the *nix side. But I'm no guru.
>
> My Situation:
> Web developer with a non-Admin Windows account charged with creating an
> internal site that gives users the ability to automatically authenticate via
> their Windows Domain account.
>
> My Chosen Path:
> I decided on using a Linux web server with Apache2 in conjunction with
> mod_auth_ntlm_winbind, Samba, Kerberos, OpenLDAP, and Winbind to connect to
> our Domain Controller to get the user automatically authenticated when they
> visit the site.
>
> My Problem:
> After a few weeks of fumbling, stumbling, and grumbling I've got it
> working. Except it stops working 5 minutes after I start the winbindd
> service. After looking online for an answer I've found only one solution to
> the problem - upgrading to the latest Samba. So I compiled it and got it
> working....for 5 minutes. Fails with the same error after the same amount
> of time.
...
> [appdefaults]
> pam = {
> ticket_lifetime = 301d
> renew_lifetime = 301d
> forwardable = true
> proxiable = false
> retain_after_close = false
> minimum_uid = 0
> debug = false
> }
>
> [nsswitch.conf]
> passwd: compat winbind
> group: compat winbind
>
> hosts: files dns
>
> ethers: files
> netmasks: files
> publickey: files
>
> bootparams: files
> automount: files nis
> shadow: compat
> services: files nis
> netgroup: nis files
> networks: nis files
> protocols: nis files
> rpc: nis files
> aliases: files nis
>
Could it be exactly 301 seconds after starting (ticket_lifetime)? It
acts like the box cannot renew tickets.
The box needs to be joined to the domain.
If you were using Fedora I would recommend the Fedora Directory Server.
It helps with getting this set up correctly.