FreeBSD to authenticate against Active Directory
Hello,

Is there any up-to-date definitive resource which explains how to get FreeBSD (6.2) to authenticate against Active Directory (in my case Windows 2003 R2, which includes SFU)? There are a few informative articles floating around, but most date back to 2004/2005 and most involve the use of Samba and Winbind (I'd like to avoid this if possible).

I don't really know what is possible here; I'm coming from only a basic understanding of how things like pam work. Would I have to configure every service separately to use Active Directory, or could I tell FreeBSD to blindly rely on AD for user authentication?

I read about pam_mkhomedir, so users could have homedirs created automatically when they logged in. Is this possible in FreeBSD? Would I be able to map this automatically to their existing "My Documents" folder, which is redirected to the network by group policy?

Please feel free to tell me what can/can't be done and if doing so is a good/bad thing. I can explain bits in more detail if needed.

Kind regards, Steve

___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
/var/log/messages filling up with DHCPDISCOVER messages
/usr/local/etc/dhcpd.conf is configured with "log-facility local7;" and /etc/syslog.conf is also configured with "local7.* /var/log/dhcpd.log".

However, /var/log/messages is filling up with "DHCPDISCOVER / no free leases" messages for those clients that are unknown to the DHCP server (eg. on a different subnet). I suspect that these messages are being caught by "*.notice", which is why they end up in /var/log/messages.

Is there a way to prevent this happening?

Many thanks, Steve
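An added example, not from the thread: a small POSIX sh evaluator for syslog.conf(5) selector lines, showing why a separate "local7.* /var/log/dhcpd.log" line does not stop the same message from also matching "*.notice", and that appending "local7.none" to the /var/log/messages selector is what excludes it. The two config fragments are constructed to mirror FreeBSD's stock /var/log/messages line plus the post's dhcpd line, and the dhcpd messages are assumed to be logged at notice, as the post suspects.

```shell
#!/bin/sh
# Added example: evaluate which syslog.conf(5) actions receive a message.
# Constructed fragments: the stock /var/log/messages line and the dhcpd line
# from the post, then the same with local7 excluded from /var/log/messages.
SYSLOG_BEFORE='*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
local7.*   /var/log/dhcpd.log'
SYSLOG_AFTER='*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local7.none   /var/log/messages
local7.*   /var/log/dhcpd.log'

# Numeric priority as syslog orders it: a lower number is more severe.
pri_num() {
  case "$1" in
    emerg|panic) echo 0;; alert) echo 1;; crit) echo 2;; err|error) echo 3;;
    warning|warn) echo 4;; notice) echo 5;; info) echo 6;; debug|'*') echo 7;;
    *) echo 99;;
  esac
}

# syslog_targets CONF FACILITY PRIORITY
# Prints the action of every CONF line that receives a FACILITY.PRIORITY
# message. Selector semantics follow syslog.conf(5): "fac.pri" matches that
# priority and anything more severe, "fac.none" drops the facility, and each
# selector on a line overrides the ones before it.
syslog_targets() (
  set -f                       # keep "*" selectors from being glob-expanded
  conf=$1 fac=$2 msgpri=$(pri_num "$3")
  printf '%s\n' "$conf" | while read -r selectors action; do
    case "$selectors" in ''|'#'*) continue;; esac
    match=no
    for sel in $(printf '%s' "$selectors" | tr ';' ' '); do
      selfac=${sel%%.*}; selpri=${sel#*.}
      facmatch=no
      for f in $(printf '%s' "$selfac" | tr ',' ' '); do
        if [ "$f" = '*' ] || [ "$f" = "$fac" ]; then facmatch=yes; fi
      done
      if [ "$facmatch" = no ]; then continue; fi
      if [ "$selpri" = none ]; then match=no
      elif [ "$msgpri" -le "$(pri_num "$selpri")" ]; then match=yes
      else match=no
      fi
    done
    if [ "$match" = yes ]; then printf '%s\n' "$action"; fi
  done
)

echo "before (local7.notice goes to):"; syslog_targets "$SYSLOG_BEFORE" local7 notice
echo "after  (local7.notice goes to):"; syslog_targets "$SYSLOG_AFTER"  local7 notice
```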
Which java binary to use?
I installed the Diablo java packages (http://www.freebsdfoundation.org/downloads/java.shtml), but "which java" shows "/usr/local/bin/java", which is a link to javavm in the same directory. I wondered about changing the link to point to one of these:

/usr/local/diablo-jre1.5.0/bin/java
/usr/local/diablo-jdk1.5.0/bin/java
/usr/local/diablo-jdk1.5.0/jre/bin/java

Should I change the link, and which one of these should it point to... the JRE?

Many thanks, Steve
Question about rc-scripts
Under normal circumstances, should the /etc/rc.subr functions handle the creation of the pid at service start?

The basic vendor-provided script (which I've had to adapt somewhat to suit this installation) runs "echo $! > ${dbgw_pidfile}" as the last line of the script. When you do a 'status' command, though, it blanks out the contents of the pid. That echo line isn't present in any of the standard scripts - hence my initial question.

Apart from variable assignments, the script defines 'start_cmd' (which I assume is used as the start command by rc.subr). Strange that I couldn't find any reference to start_cmd in /etc/rc.subr though.

So, my question is, why isn't the pidfile being automagically created?

Many thanks, Steve
Re: Question about rc-scripts
Hi Derek,

> Not all scripts create a pid file is the simple answer.

I didn't see how the isc-dhcpd script or dovecot created a pid, so I assumed it was something that rc.subr took care of.

> Your script should create the pid file on start, remove it on stop, and simply cat that file on a status. If you want help with your script, post it, and I'm sure one of us will give you a hand.

Again, I thought the rc.subr functions took care of all that for you (unless you wanted something special from those commands). I've posted the script (changed quite a lot from vendor supplied) at: http://www.pastebin.ca/730238

If you (or anyone) were to suggest changes, I would very much appreciate the reasons why, so I can learn.

Many thanks, Steve
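An added example, not the pastebin script: a minimal POSIX sh start/status/stop cycle that does what Derek describes (create the pidfile on start, cat it on status, remove it on stop) and also discards a stale pidfile whose pid no longer exists. Two assumptions: the pidfile path is passed in rather than taken from an rc.conf variable, and the daemon is stood in for by sleep. As background, rc.subr builds the method variable name at run time as ${rc_arg}_cmd, which is why grepping it for the literal start_cmd finds nothing; when the daemon writes its own pidfile, setting pidfile= and command= is enough and rc.subr's check_pidfile does the status check.

```shell
#!/bin/sh
# Added example (not the vendor script): the pidfile lifecycle an rc.d-style
# script has to implement itself when nothing else writes the pidfile.
# Assumptions: PIDFILE is passed as the first argument, and the daemon is the
# command that follows it (sleep stands in for a real daemon here).

# svc_start PIDFILE CMD...: refuse to start twice, run CMD in the background
# and record its pid. "echo $! > pidfile" is only right when CMD stays in
# the foreground; a daemon that forks itself must write its own pidfile.
svc_start() {
  pidfile=$1; shift
  if svc_status "$pidfile" >/dev/null; then
    echo "already running as pid $(cat "$pidfile")" >&2
    return 1
  fi
  "$@" &
  echo $! > "$pidfile"
}

# svc_status PIDFILE: print the recorded pid if that process still exists;
# otherwise remove the stale pidfile and return 1.
svc_status() {
  pidfile=$1
  [ -r "$pidfile" ] || return 1
  pid=$(cat "$pidfile")
  if kill -0 "$pid" 2>/dev/null; then
    echo "running as pid $pid"
    return 0
  fi
  rm -f "$pidfile"
  return 1
}

# svc_stop PIDFILE: TERM the recorded pid, escalate to KILL after 10 s, then
# remove the pidfile so a later status does not report a dead pid.
svc_stop() {
  pidfile=$1
  pid=$(cat "$pidfile" 2>/dev/null) || return 1
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true   # reaps it when it is this shell's child
  n=0
  while kill -0 "$pid" 2>/dev/null; do
    n=$((n + 1))
    if [ "$n" -ge 10 ]; then kill -KILL "$pid" 2>/dev/null || true; fi
    sleep 1
  done
  rm -f "$pidfile"
}
```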
How to provide fail-over capability for servers?
I'm completely new to this so some of my ideas may sound ludicrous... please put me right where necessary!

I will have 3 net-facing servers which must be available 24/7. I had planned to have an additional box located in a different building on the same site (in case of part power-outage) that will run VMware server and host all the fail-over servers.

What options are there for providing automatic fail-over capability? I had thought of running a cron job every minute that would test for the existence of the other server and assume its identity if it couldn't get a reply, but it feels like a 'sub-optimal' way of doing it.

Can anyone give me some ideas I should be looking at?

Many thanks, Steve :)
Dangers of using a non-base shell
It's been drawn to my attention not to use bash from the ports collection, because if one of its dependencies (gettext or libiconv) fails or is updated significantly, it could break and prevent login.

The suggested solution was to use a base shell (such as sh) and append 'bash -l' to .shrc to automatically enter bash. The quite annoying side-effect is having to type 'exit' twice to get out of a su shell or screen.

Would it be a better idea to use the pre-compiled binary for bash? And if I did so, could I be alerted to updates as easily as using 'pkg_version -v' when checking if any ports need updating?

Many thanks, Steve
Re: ABI for i386 binaries under FreeBSD-amd64
Roland Smith wrote:

> Then they should run i386. You only _need_ (as opposed to "nice to play with" :-) amd64 if you run out of address space on a typical workload.

What if you have more than 3Gb of RAM to play with... would you have to use amd64 then?

Steve :)
Samba 3.0.26a (from Ports) won't compile if 'WITH_EXP_MODULES=true' is set
Hello,

Using FreeBSD 6.2-RELEASE, I'm trying to configure FreeBSD/Samba/Winbind to talk to Active Directory, following these instructions: http://joseph.randomnetworks.com/archives/2005/11/08/freebsd-users-and-groups-with-samba-winbind-and-active-directory/

As per subject, using Samba 3.0.26a (from the ports collection), it will not compile if 'WITH_EXP_MODULES=true' is set (apparently 'WITH_EXP_MODULES' is needed for 'imap_rid'). The nature of the error is: "The following command failed: cc -I <..>".

I've pasted the few error lines here (also including `uname -a` and `cat /var/db/ports/samba3/options`): http://pastebin.com/m4892a0d0

Can anyone help explain my problem (and solution?) please?

Kind regards, Steve
Problems mounting a DOMAIN share, rather than a COMPUTER share
FreeBSD 6.2 + Samba 3.0.26a

Can Samba mount a DFS share using \\DOMAIN\dfs, rather than \\COMPUTER\dfs?

The following command successfully lists all the shares on a domain controller, the same as \\DOMAIN does on Windows. One of the shares returned is "dfs", which is the root of my dfs tree:

smbclient -U administrator -L domain.example.com | grep Disk

So, I tried to mount "dfs" using the various commands below (errors are in ""), none of which work. Is this impossible, or am I missing something?

Kind regards, Steve
--

mount_smbfs -I domaincontroller.example.com //[EMAIL PROTECTED]/dfs /mnt
"server name 'example.com' too long"

mount_smbfs -I domaincontroller.example.com //[EMAIL PROTECTED]/dfs /mnt
"mount_smbfs: unable to open connection: syserr = Connection reset by peer"

mount //[EMAIL PROTECTED]/dfs /mnt
"mount: //[EMAIL PROTECTED]/dfs: No such file or directory"

mount_smbfs //[EMAIL PROTECTED]/dfs /mnt
"mount_smbfs: can't get server address: syserr = Operation timed out"
How to enable Linux binary compatibility using sysinstall
Hello,

After installing FreeBSD 7.0, I realised I'd forgotten to choose Linux binary compatibility during the install. I tried installing from ports, but it's gone and installed a load of other unwanted packages as well now (perl/popt/rpm etc...).

So, a few questions really...

1. Why does the ports install require all these other packages, when none of these are installed if you remember to select the "Enable Linux binary compatibility" option during install?

2. If I wanted to install from sysinstall (like during an installation), what do I do to enable Linux binary compatibility, without reinstalling?

3. There are 6 Linux binary compatibility packages available; which is the best one to use... fc4-10?

Kind regards, Steve
Problem creating sendmail.cf file from .mc using /usr/bin/m4
Hello,

When I run /usr/bin/m4 freebsd.mc, the output looks ok, except that none of the define() lines show up in the output - even when running m4 on an unaltered freebsd.mc.

Can anyone help?

Many thanks, Steve
SMB share not mounting at startup
I am trying to mount an SMB share at startup. I have configured (as root) .nsmbrc so I don't have to type a password. When I run "mount -a", it mounts beautifully. However, when restarting the server, it will not mount automatically.

According to rc.conf(5), smbfs is part of 'netfs_types', so rc should wait until after the network is started before trying to mount it (so it shouldn't fail). I have an entry in /etc/fstab as follows:

//[EMAIL PROTECTED]/unix_backups /mnt/snapserver smbfs rw 0 0

Does anyone have any ideas? I'm wondering if the .nsmbrc file can't be read because rc isn't running as root - and if so, where can I put .nsmbrc?

Many thanks, Steve :)
Re: SMB share not mounting at startup
I copied /root/.nsmbrc to /etc/nsmb.conf with security at 600, and it doesn't work. With security at 777 it still doesn't work.

Any more suggestions?

Many thanks, Steve :)

Dominic Fandrey wrote:
> Stephen Allen wrote:
>> I am trying to mount an SMB share at startup. I have configured (as root) .nsmbrc so I don't have to type a password. When I run "mount -a", it mounts beautifully. However, when restarting the server, it will not mount automatically.
>>
>> According to rc.conf(5), smbfs is part of 'netfs_types', so rc should wait until after the network is started before trying to mount it (so it shouldn't fail). I have an entry in /etc/fstab as follows:
>>
>> //[EMAIL PROTECTED]/unix_backups /mnt/snapserver smbfs rw 0 0
>>
>> Does anyone have any ideas? I'm wondering if the .nsmbrc file can't be read because rc isn't running as root - and if so, where can I put .nsmbrc?
>>
>> Many thanks, Steve :)
>
> I don't think $HOME or $USER are already set at the time hard disks are mounted. Use the global file /etc/nsmb.conf as suggested in another mail.
Re: Questions from a Total samba Novice.
(forgot to send to list the first time)

Hi Martin,

You don't need samba if all you want to do is copy files from FreeBSD to a Windows system. The easiest way to do it is to mount an existing Windows share on FreeBSD. This will give you access to the Windows share, but nothing is shared out on your FreeBSD box.

Let's assume you have a non-protected share (called MYSHARE) on a Windows server called FRED. Let's also assume you have prepared a mount point on FreeBSD for this share, called /mnt/fred. All you need to do is:

$ mount -t smbfs //FRED/MYSHARE /mnt/fred

If you need to specify a username/password combo to access the share, try:

$ mount -t smbfs //[EMAIL PROTECTED]/MYSHARE /mnt/fred

You will need to input a password, but if you want to save the password so it's used automatically, use /etc/nsmb.conf (see the man page), but here's an example.

[SNAP-CMS]
addr=192.168.0.4
[SNAP-CMS:BACKUP]
password=$$14b5d4732371b1c00e5d2f5cd96

The hashed password was created by using 'smbutil crypt' and inputting the real password (see the man page). Obviously you need to make sure the permissions on /etc/nsmb.conf are secure.

If you want it to automount at startup, then /etc/fstab could contain:

//[EMAIL PROTECTED]/MYSHARE /mnt/fred smbfs rw 0 0

Cheers, Steve :)
Re: Questions from a Total samba Novice.
Hi Martin,

> I would have had to enable nfs client if using mount_smbfs, correct?

Nopes - stick to using the mount command. Depending on the filesystem you specify (with the -t option), it will call the relevant mount command itself (eg. mount_smbfs, mount_nfs).

> When I built the system in question, I did not enable nfs capabilities and don't really want to if I can avoid doing so.

You don't need it.

> It sounds like smbclient fits the bill for now, but thanks to all of you for making things more clear. It seems that /usr/ports/net/samba3 gives one a whole boatload of possibilities.

Although installing samba will give you smbclient and a load of other things, if you don't need them I wouldn't install it. From what you've previously explained, everything can be done with the (already supplied) mount command.

Steve :)
Samba/Winbind/nsswitch problem
Hello,

I've installed and configured samba with winbind, to allow Windows Active Directory users to login without me having to create a local account for them. Generally speaking, it works (I can login, wbinfo -u|-g returns the correct data). I can login as a Windows user through ssh, and am using the pam_mkhomedir module (which also works ok).

Anyway, I've got 2 questions/problems...

(1) Whenever I restart samba, syslog receives messages like these below.

auth/auth_util.c:create_builtin_administrators(792) create_builtin_administrators: Failed to create Administrators
auth/auth_util.c:create_builtin_users(758) create_builtin_users: Failed to create Users
auth/auth_util.c:create_builtin_administrators(792) create_builtin_administrators: Failed to create Administrators
auth/auth_util.c:create_builtin_users(758) create_builtin_users: Failed to create Users

(2) If I use the "winbind enum users|groups = Yes" options, syslog receives messages like these below (hundreds of them... every few mins).

nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group department (maths)
nsswitch/winbindd_group.c:winbindd_getgrent(1110) could not lookup domain group department (mecheng)

Can anyone help please?

Many thanks, Steve :)

SOME NOTES ON MY CONFIG:

FreeBSD 7.0-RELEASE amd64
samba-3.0.28a,1

[EMAIL PROTECTED] ~ $ testparm -s
Load smb config files from /usr/local/etc/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
workgroup = TECHNOLOGY
security = DOMAIN
allow trusted domains = No
syslog only = Yes
load printers = No
printcap name = /dev/null
ldap ssl = no
idmap domains = TECHNOLOGY
template shell = /usr/local/bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config TECHNOLOGY:range = 1-2
idmap config TECHNOLOGY:backend = rid

[EMAIL PROTECTED] ~ $ wbinfo -u | wc -l
2944

[EMAIL PROTECTED] ~ $ wbinfo -g | wc -l
117

[EMAIL PROTECTED] ~ $ cat /etc/nsswitch.conf
group: files winbind
group_compat: files nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: files nis
shells: files
services: files
services_compat: files nis
protocols: files
rpc: files
"Invalid credentials" errors using pam_ldap on FreeBSD
Hello,

I'm pretty sure I've done all the necessary steps to be able to ssh to my FreeBSD box using pam_ldap, but I'm getting "Invalid credentials" errors whenever I try (I can successfully perform an ldapsearch operation though).

Here are snippets from my config:

[/etc/nsswitch.conf]
passwd: files ldap

[/etc/pam.d/sshd]
auth    sufficient    /usr/local/lib/pam_ldap.so
auth    required      pam_unix.so

[/usr/local/etc/ldap.conf]
base o=brookes
uri ldap://ldap.brookes.ac.uk:389/
scope one

And here is the error:

Jul 18 19:19:41 vh1a9f58 sshd[19601]: pam_ldap: error trying to bind as user "uid=p0036343,o=Brookes" (Invalid credentials)

Incidentally, the following ldapsearch query _IS_ successful, and returns me some details about user 'jsmith':

ldapsearch -H ldap://ldap.brookes.ac.uk -b 'o=brookes' -x -W -D 'uid=me,o=Brookes' uid=jsmith

I'm really stumped on this one... can anyone help please?

Many thanks, Steve :)
--
Problem running 'top' when ldap is around
I've noticed that with "files ldap" in nsswitch.conf, if I try to run "top" and the ldap server is not available, it takes about a minute to start showing information, whereas normally it's instantaneous. The problem seems to be the mapping of uid numbers to usernames (the -u option prevents this).

The man page says:

"Normally, top will read as much of the file "/etc/passwd" as is necessary to map all the user id numbers it encounters into login names"

So my question is, top must be finding a uid number that it can't match in /etc/passwd, then going on to search ldap. How can this be?

Thanks, Steve :)