Gentoo Forums
How to integrate Samba into Active Directory (UPDATED).
Forum: Documentation, Tips & Tricks

Martz (n00b)
Joined: 04 Mar 2004, Posts: 72
Posted: Sat Jul 24, 2004 10:53 am

theonlymcc wrote:
Ok. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean, can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.

The advantage is that your Gentoo machine is now a pretend Windows NT/2000 server which can let all of your domain's users save their files etc. You do not have to create a Linux username and password which is identical to the one in the domain - authentication is passed through the Gentoo Samba server to your existing Windows Active Directory server. One centralised place for authentication, one set of usernames and passwords.

So the more people in your organisation, the greater the benefit. You also do not require a licence for each user connecting to the Samba server, AFAIK.

maalth (n00b)
Joined: 06 Jun 2003, Posts: 56, Location: Can't tell you...
Posted: Mon Jul 26, 2004 3:22 am

Martz wrote:
OMG I'm an idiot..

winbind can be started automagically by looking at the second line of /etc/conf.d/samba

Change:
Code:
daemon_list="smbd nmbd"

To:
Code:
daemon_list="smbd nmbd winbind"

And that's it, it works! :)

You can have winbind start automagically by typing this simple command....
Code:
/etc/init.d/winbind add default

Much much simpler.
_________________
Screw you guys, I'm going home...

maalth (n00b)
Joined: 06 Jun 2003, Posts: 56, Location: Can't tell you...
Posted: Mon Jul 26, 2004 3:27 am

Martz wrote:
theonlymcc wrote:
Ok. I set this up according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean, can I map drives now? What is the advantage of setting this whole thing up? Sorry for the n00b question.

The advantage is that your Gentoo machine is now a pretend Windows NT/2000 server which can let all of your domain's users save their files etc. You do not have to create a Linux username and password which is identical to the one in the domain - authentication is passed through the Gentoo Samba server to your existing Windows Active Directory server. One centralised place for authentication, one set of usernames and passwords.

So the more people in your organisation, the greater the benefit. You also do not require a licence for each user connecting to the Samba server, AFAIK.

Couldn't have said it better myself.
_________________
Screw you guys, I'm going home...

Martz (n00b)
Joined: 04 Mar 2004, Posts: 72
Posted: Mon Jul 26, 2004 7:46 pm

maalth wrote:
You can have winbind start automagically by typing this simple command....
/etc/init.d/winbind add default
Much much simpler.

Hrm, for some reason I cannot add it through rc-update. On my home machine I can, but for some reason on my work Gentoo box I can't (which is why I spent so much time figuring out the workaround! :))
Code:
jupiter root # rc-update add winbind default
 * /sbin/rc-update: /etc/init.d/winbind not found; aborting.

jupiter root # ls /etc/init.d/w* -lha
-rwxr-xr-x  1 root root 859 Jul 19 11:04 /etc/init.d/webmi

Code:
jupiter root # rc-update -s
             apache2 |      default
            bootmisc | boot
          bootsplash |
             checkfs | boot
           checkroot | boot
               clock | boot
         consolefont | boot
         crypto-loop |
               cupsd |
        dansguardian |      default
          domainname | boot default
              hdparm |
            hostname | boot
             hotplug |      default
            iptables |      default
             keymaps | boot
               local |      default nonetwork
          localmount | boot
     mit-krb5kadmind |
         mit-krb5kdc |
             modules | boot
               mysql |      default
              nagios |
            net.eth0 |      default
              net.lo | boot
            netmount |      default
                nrpe |
                nsca |
                nscd |
          ntp-client |
                ntpd |      default
             numlock |      default
           rmnologin | boot
              rsyncd |      default
               samba |      default
              serial | boot
               slapd |
              slurpd |
               snmpd |
               squid |      default
                sshd |      default
           syslog-ng |      default
             urandom | boot
          vixie-cron |      default
              webmin |      default

Smilez:) (n00b)
Joined: 23 Jan 2004, Posts: 58, Location: Edmonton
Posted: Wed Jul 28, 2004 4:01 pm

I have a problem. I followed the guide and got most computers mapping the Samba shares using ADS. However, only Win2k and prior work; my WinXP Pro machines don't authenticate. I get

Failed to verify incoming ticket!

in the log for the machine.

I've checked everything over 3 times and I can't see anything wrong. Is there something I have to do differently for the WinXP Pro machines to work?

SMilez:)

lord_ph (Tux's lil' helper)
Joined: 18 Nov 2003, Posts: 97, Location: Portland, OR
Posted: Fri Aug 13, 2004 3:51 pm

I'm getting this error; what can I be doing wrong?

kinit(v5): KDC reply did not match expectations while getting initial credentials

Any ideas?

Thanks

GenTimJS (Guru)
Joined: 03 May 2003, Posts: 406, Location: NH, USA
Posted: Mon Aug 16, 2004 3:16 pm

Everything configured exactly as described. kinit works, samba is up.
Code:
bash-2.05b$ sudo net ads join -U Administrator
Administrator's password:
[2004/08/16 11:13:06, 0] libads/kerberos.c:ads_kinit_password(136)
kerberos_kinit_password Administrator@DOMAIN.NET failed: KDC has no support for encryption type

Any tips?
_________________
-Tim Smith

annunaki2k2 (Tux's lil' helper)
Joined: 14 Oct 2003, Posts: 118, Location: Wandsworth, London, UK
Posted: Tue Aug 17, 2004 8:38 pm

Hi,
I've followed these instructions to the word, and haven't had a single error related to the process. I can list users and groups in the directory and have no errors returned using kinit. I can even map network drives.
But I can't browse them. Using GNOME I get an error "The attempt to log in failed", and from the prompt you just get permission denied, regardless of what user you try to access them with.
Is there anything I am doing wrong?

Thanx in advance :)
_________________
The great thing about standards is there are so many to choose from.....

lord_ph (Tux's lil' helper)
Joined: 18 Nov 2003, Posts: 97, Location: Portland, OR
Posted: Wed Aug 18, 2004 7:07 pm

I found out the answer to my own question, and for anybody else who is getting the error I had:

Quote:
kinit(v5): KDC reply did not match expectations while getting initial credentials

The solution is really simple... so simple that you'll hit yourself on the head. When doing your kinit, make sure you do the realm in UPPER CASE.

Code:
kinit lord_ph@EXAMPLE.COM

I hope this helps more people than me. :wink:

thisboyiscrazy (n00b)
Joined: 06 Feb 2004, Posts: 9
Posted: Fri Aug 27, 2004 8:16 pm, subject: DNS Name

Does anyone know how I can get Samba to set the DNS Name property in AD to the FQDN instead of just the hostname when I do a "net join"?

Thanks

m4chine (Apprentice)
Joined: 12 Mar 2003, Posts: 271, Location: Ventura, CA, USA
Posted: Thu Sep 02, 2004 4:56 pm

I thought I'd document that I got this error because the time difference between my Samba server and domain server was greater than 5 min.

Code:
kinit(v5): Clock skew too great while getting initial credentials

Hope it helps someone.
_________________
never trust a man who can count to 1023 on his fingers.

-m4chine

zurd (Apprentice)
Joined: 17 Dec 2003, Posts: 228, Location: Canada, Montreal
Posted: Fri Sep 24, 2004 2:48 am, subject: What to update next in the How-to

In the middle of setting up a Gentoo box with Samba/LDAP/Kerberos/winbind with a Windows 2000 Server acting as a PDC. I followed the guide and here's what I think should be updated in the How-to:

Step 2
In /etc/krb5.conf, the How-to doesn't say what to do about the [domain_realm] section.

Step 4
In /etc/samba/smb.conf the "socket address" field says "to match the IP address" but doesn't tell which IP address we're talking about. More clarification about this option would be much appreciated.

Step 6
After running the "net ads join -U Administrator" command, it took us 15 minutes here to see our Samba server in the Active Directory server; it would be nice to say in the How-to that it might take some time to see it.
I also found the reason: "If your network has backup domain controllers, it will take up to 15 minutes for the new computer account to propagate to the BDCs." at this URL: http://us3.samba.org/samba/docs/using_samba/ch09.html

Step 8
If "rc-update add winbind default" fails, saying:
"/sbin/rc-update: /etc/init.d/winbind not found; aborting"
just change /etc/conf.d/samba to show: daemon_list="smbd nmbd winbind"

I'm still struggling to make it all work; I just want one share that only one specific group from the Windows 2000 Active Directory can access, so maybe I'll find more updates. But overall, great how-to, I love it 8)

zurd (Apprentice)
Joined: 17 Dec 2003, Posts: 228, Location: Canada, Montreal
Posted: Fri Sep 24, 2004 8:52 pm, subject: Windows keeps asking for a password with a group [SOLVED]

So, everything has been set up properly (I think so).

I can set the "valid users = " option in the Share section of /etc/samba/smb.conf to give access to the share to only one user, and this has worked just fine.

But I want to give access to the share to groups, not a user.

So I have set "valid users = TEST+My Group" in the Share section. But in Windows XP, when trying to access the share, even though I am in the group it keeps asking for a password. Since I am in the group, it shouldn't ask for a password, right? Because there is no password for groups, only for users!

Any help?

[EDIT]
OK, found the solution. If you want to give access to a group, use this syntax:
Code:
valid users = @WORKGROUP+"Your group here"
You have to use the "" after the + sign!
And do not forget the @ sign!
That would also be great to include in the How-to! :)


Last edited by zurd on Tue Feb 01, 2005 8:15 pm; edited 2 times in total

magnesium (Apprentice)
Joined: 28 Oct 2003, Posts: 280, Location: Toronto, Canada
Posted: Fri Oct 08, 2004 4:25 pm

I used this guide as my main information on how to share a directory on my Linux box to AD users, but I've hit several issues. Here's what I'd appreciate clarification on.

1) Is the PAM stuff listed out in other people's posts vital to getting this to work, or is this just another way of getting this to work?

2) How do I get this box to register with the AD DNS so that I can find this server through FQDN requests?

3) In my syslogs I see winbindd output the following, which I think may be why this guide is not working for me:
Quote:
Ignoring unknown parameter "encrypt password"

4) In my syslogs I also see the following, which makes me think that stuff is wrong:
Quote:
Unable to open new log file /var/log/samba3/log.winbindd: No such file or directory
winbindd: idmap gid range missing or invalid
nsswitch/winbindd_util.c:winbindd_param_init(567)
winbindd: cannot continue, exiting.

5) Does the MP3 user in this example exist in AD or local to the Linux box? Do I even need a local account to manage the share? Does the "shared" directory need a certain chmod group set?

6) When I try to map a drive to the server using a Windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my Linux box is not handling the authentication properly?

Help with these 6 questions would be greatly appreciated.
_________________
Adopt an unanswered post

zurd (Apprentice)
Joined: 17 Dec 2003, Posts: 228, Location: Canada, Montreal
Posted: Fri Oct 08, 2004 5:24 pm, subject: A few solutions

I'm not an expert yet with all of this Samba+AD, but here's what I would try if I were you:

1) I guess you have to modify PAM. I didn't try whether it would work if you don't modify it, but it would be a good thing to include the Kerberos modules in some of the PAM files.

2) No idea what FQDN is... sorry

3) There is a password server string or encrypt password string in /etc/samba/smb.conf; make sure the syntax is right. In any case, you have "encrypt password" written somewhere, and that is causing this bug.

4) Do a "touch /var/log/samba3/log.winbindd".
Also in /etc/samba/smb.conf you have options about GID and UID. Are you sure you got them right in the configuration file? Because it says missing or invalid range.

5) If the user is called "mp3", then it is hosted on the Linux box. But if it is "WORKGROUP+mp3", then you can be sure it is hosted on the Windows PDC machine, as shown by wbinfo -g and wbinfo -u, which list all the users and groups from the Windows PDC.

And yes, for now do a chmod 777 on your directory; after it is working, you just chmod it to something else more secure.

6) Might be anything; of course, "the password is wrong" would be the first answer if the username/password box just keeps popping up. But yes, it also means that your Linux box is not handling the authentication right; maybe you just need to modify the PAM file to include the Kerberos module, since Windows is using Kerberos.

Hope it helps...

magnesium (Apprentice)
Joined: 28 Oct 2003, Posts: 280, Location: Toronto, Canada
Posted: Fri Oct 08, 2004 6:36 pm

Thanks for the response zurd.

Basically my issues were that I screwed up following the guide. I had "encrypt password" instead of "encrypt passwords", I was missing the lines
Code:
winbind enum users = yes
winbind gid = 10000-20000
and I had samba3 instead of samba in my log file path (the guide said samba3 but I should have checked before posting).

I included minimal PAM support and the above changes, and now users can authenticate by mapping to \\netbiosname\sharename but still can't get there by \\server.full.domain.name\sharename because this server is not registering in AD DNS. This form of binding is said to use FQDNs (a.k.a. fully qualified domain names).

I also noticed that I was unable to authenticate to the Samba share until my Samba box became a local master browser.

Thanks all
_________________
Adopt an unanswered post
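A preflight lint that mechanically checks for the mistakes reported in this thread, added here as an example and not code from the thread or from Samba: magnesium's smb.conf errors above (the unknown "encrypt password" parameter, the missing idmap gid range, the samba3 log directory), zurd's @DOMAIN+"group" syntax for "valid users", lord_ph's upper-case realm and m4chine's clock skew. The finding messages, the constructed sample config and the 300 s limit (Kerberos' default clock-skew tolerance) are this example's own assumptions.

```shell
# Added example, not code from the thread or from Samba: a preflight lint for
# the pitfalls reported in the posts above, to run before "net ads join".
# The messages, the sample config and the 300 s limit (Kerberos' default
# clock-skew tolerance) are this example's own assumptions.

# lord_ph's fix: the realm given to kinit must be upper case, or the KDC
# reply "did not match expectations". Prints "ok" or "realm-not-upper".
check_realm() {
    if [ "$1" = "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" ]; then
        echo ok
    else
        echo realm-not-upper
    fi
}

# m4chine's "Clock skew too great": the Samba host and the DC may differ by
# at most 300 s. Args: two epoch timestamps. Prints "ok" or "skew-<n>s".
check_skew() {
    d=$(( $1 - $2 )); [ "$d" -ge 0 ] || d=$(( 0 - d ))
    if [ "$d" -le 300 ]; then echo ok; else echo "skew-${d}s"; fi
}

# smb.conf checks for magnesium's log lines ("Ignoring unknown parameter
# encrypt password", "idmap gid range missing", "Unable to open new log file")
# and zurd's group syntax (a "valid users" entry with a space in it must be
# written @DOMAIN+"group name"). Arg: path to smb.conf, or stdin if omitted.
lint_smbconf() {
    awk '
    {
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "=")
        if (line ~ /^[#;]/ || eq == 0) next          # comments, section headers
        key = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]+$/, "", key)
        val = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "encrypt password")
            print "unknown-parameter: encrypt password (the parameter is encrypt passwords)"
        if (key == "idmap gid" || key == "winbind gid") gid = 1
        if (key == "idmap uid" || key == "winbind uid") uid = 1
        if (key == "log file") {                      # winbindd needs the directory
            sub(/\/[^\/]*$/, "", val)
            if (system("test -d \"" val "\"") != 0) print "missing-log-dir: " val
        }
        if (key == "valid users") {
            n = split(val, ents, ",")
            for (i = 1; i <= n; i++) {
                e = ents[i]; gsub(/^[ \t]+|[ \t]+$/, "", e)
                if (index(e, " ") > 0 && index(e, "\"") == 0)
                    print "unquoted-group-name: " e
            }
        }
    }
    END {
        if (!gid) print "missing: idmap gid range"
        if (!uid) print "missing: idmap uid range"
    }' "${1:--}"
}

# Constructed sample reproducing the mistakes from the posts above.
demo() {
    lint_smbconf <<'EOF'
[global]
   workgroup = TEST
   encrypt password = yes
   log file = /var/log/samba3/log.%m
   idmap uid = 10000-20000
[share]
   valid users = TEST+My Group, @TEST+"Other Group"
EOF
}
```

On a live box, run lint_smbconf /etc/samba/smb.conf and compare check_skew against the DC's clock before net ads join.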

zurd (Apprentice)
Joined: 17 Dec 2003, Posts: 228, Location: Canada, Montreal
Posted: Fri Oct 08, 2004 7:31 pm, subject: ping

Let's say the name of your PDC is test.
Can you do "ping test" instead of "ping 192.168.x.x" to ping it?

If not, modify /etc/hosts to make it work; it seems like that is the issue here.

magnesium (Apprentice)
Joined: 28 Oct 2003, Posts: 280, Location: Toronto, Canada
Posted: Fri Oct 08, 2004 8:46 pm

What I want to accomplish is to register my Linux box into an AD DNS. I've been doing some reading and was hoping that adding a line dhcpcd_eth0="-h myhostname" to the /etc/conf.d/net file would register my box in the AD DNS, but no dice.

I want other computers to be able to ping my Linux box by using
Code:
ping mylinuxhostname.my.dnsdomain.name

I've got the domain name I want to register into in my /etc/dnsdomainname and I am a member server now in the domain. I don't know what else to do to register this server and was hoping someone else here would know (or perhaps it's a Samba configuration that I don't know about).
_________________
Adopt an unanswered post

CopterGuy85 (n00b)
Joined: 15 Aug 2003, Posts: 27
Posted: Fri Oct 08, 2004 10:54 pm

I'm still trying to go through MartinSt's guide to set things up, so I can't report personal success/failure just yet.

But magnesium, I've set up a couple of Samba boxes to work with AD, and the only way I was able to get the FQDN to work is to manually set them up in the server's DNS. Just go to Administrative Tools->DNS->$yourdnsserver->Forward Lookup Zones->$yourdomain and you should see a list of current entries in DNS (you should have at least 1 entry, the domain controller itself). Right click either on the domain name in the tree view or in the background behind the host list, select "New Host (A)...", and fill in the short name of your box (it lists the FQDN right below so you can check that) and the IP address (probably a good idea to use a static IP on your Samba box, because if your IP changes you have to update it in the DNS settings again), and when you're all done click "Add Host."

EDIT: IIRC, my domain controller would sometimes take 15-20 minutes before the DNS service would reflect the changes, so it may take a bit before you'll be able to ping it, or have it show up in the Windows network browser.

Let me know how it turns out :)

erratic (n00b)
Joined: 12 Dec 2004, Posts: 3
Posted: Sun Dec 12, 2004 1:23 pm

It might be worth pointing out that winbind is not built by default these days, and you need to add 'winbind' to your USE list to get it.

The build does mention that winbind is not enabled by default, which is fine, but as I was using it, and was just updating Samba, I expected that the in-place upgrade would work fine. I didn't expect the winbind binaries going AWOL.

Maybe a message stating that you should add the USE entry and a beepy pause drawing your attention and giving you the time to cancel would save you having fileserver downtime?... ;-/

cuban (Guru)
Joined: 23 Aug 2003, Posts: 448, Location: Houston, TX
Posted: Tue Dec 28, 2004 7:30 pm

Worked on the first try!
_________________
Tell your ISP to support SPF/SASL AUTH (http://spf.pobox.com) today!

cuban (Guru)
Joined: 23 Aug 2003, Posts: 448, Location: Houston, TX
Posted: Tue Dec 28, 2004 10:26 pm

Well, it almost worked on my first try. When any users try to access the server by doing a \\server_name from their PC, they get a username/pw prompt.

Any idea why?

EDIT: This appears to be only from a Windows 2000 machine. From Win2k3 and XP it works great!
_________________
Tell your ISP to support SPF/SASL AUTH (http://spf.pobox.com) today!

Deathscythe (n00b)
Joined: 04 May 2004, Posts: 65
Posted: Tue Jan 04, 2005 10:31 pm

I still can't get any Windows machine to browse the Samba server. I have already logged into the domain; every time I try to access the Samba server, it asks for the username and password. No matter what username and password I try, it still does not authorise it.

Quote:
We can get a username from both the local linux server and the Active Directory server by typing in this command:
Code:
getent passwd

This is supposed to print out a list of usernames from both the Linux server and AD. For some reason, it only prints out usernames from the Linux server.
_________________
Deathscythe

http://www.revster.com

unix (l33t)
Joined: 06 Jul 2003, Posts: 615, Location: Dürnten ZH Switzerland
Posted: Thu Jan 06, 2005 1:16 pm

Hi,

Nice documentation, THX. But I had no winbind. The new Samba needs winbind as a USE flag:

Code:
USE="kerberos ldap winbind" emerge samba

regards,
UNIX
_________________
New features in Portage 2.0.51 || BBCode Guide
Linux User #379064

lhurgoyf (n00b)
Joined: 11 Jun 2003, Posts: 34
Posted: Fri Jan 07, 2005 12:11 pm

GenTimJS wrote:
Everything configured exactly as described. kinit works, samba is up.

bash-2.05b$ sudo net ads join -U Administrator
Administrator's password:
[2004/08/16 11:13:06, 0] libads/kerberos.c:ads_kinit_password(136)
kerberos_kinit_password Administrator@DOMAIN.NET failed: KDC has no support for encryption type

Any tips?

I got this too, but after using another account which is also an administrator in the AD, it worked.
_________________
Dutch Linux forum? Flash @ http://www.nedlinux.nl

Page 3 of 6
All times are GMT