Gentoo Forums
How to integrate Samba into Active Directory (UPDATED).
cpdsaorg (Guru; Joined: 16 Oct 2003; Posts: 359)
Posted: Mon Feb 28, 2005 2:23 pm

I had the same problem and I solved it like this...

Code:

[mp3]
     writable = yes
     browsable = yes
     path = /home/mp3
     valid users = @"EXAMPLE+Domain Admins", @"EXAMPLE+Linux Admins"


Above, "EXAMPLE" is my short domain name, like YAHOO or GOOGLE :-)

"Domain Admins" and "Linux Admins" are the groups that I want to have access to the share.
Don't forget the + in between. Group names are separated by a comma (,).
_________________
PentiumM 2.0 GHz, MSI 915GM Speedster-FA4, Seagate ST3500641AS SATA 400GB
cpdsaorg (Guru; Joined: 16 Oct 2003; Posts: 359)
Posted: Mon Feb 28, 2005 2:25 pm

Next question: is there a way for the "Linux Admin" group to be able to SSH into the box without having to create a local user for each admin?
cuban (Guru; Joined: 23 Aug 2003; Posts: 448; Location: Houston, TX)
Posted: Tue Mar 08, 2005 4:11 pm

This is odd. I emerged samba as instructed but winbindd is not anywhere to be found.
_________________
Tell your ISP to support SPF/SASL AUTH (http://spf.pobox.com) today!
cuban (Guru; Joined: 23 Aug 2003; Posts: 448; Location: Houston, TX)
Posted: Tue Mar 08, 2005 6:15 pm

It appears there is a new USE flag to add winbind; it's called "winbind". It does not create an init.d script, though.
cpdsaorg (Guru; Joined: 16 Oct 2003; Posts: 359)
Posted: Wed Mar 09, 2005 8:29 am

Found this for you in the instructions posted here:

NOTE: If rc-update add winbind default fails, you could add winbind to /etc/conf.d/samba under daemon_list:

File: /etc/conf.d/samba
Code:
daemon_list="smbd nmbd winbind"

cuban (Guru; Joined: 23 Aug 2003; Posts: 448; Location: Houston, TX)
Posted: Wed Apr 06, 2005 9:09 pm

Out of nowhere I'm starting to get the below... Anyone have any ideas?

Code:
[2005/04/06 16:09:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

Skywacker (n00b; Joined: 23 Jan 2004; Posts: 72; Location: Missouri)
Posted: Thu Apr 28, 2005 10:03 pm

Thanks for the howto, but I have one problem.

Everything works great for 10 minutes, then starts to fail. I can map a drive on a Windows XP box and access the files on the Samba share. However, after about 10 minutes, if I re-map the drive it will ask for a password.

Different form of the same problem: I can 'cd ~TESTDOM+testuser' and it works fine. But after a while it will tell me "-bash: cd ~TESTDOM+testuser: No such file or directory". If I run 'getent passwd', it shows me all the correct users from my PDC, and then 'cd ~CMRLDOM+testuser' will result in changing me to /home/TESTDOM/testuser.

I know that my Kerberos ticket is set to last 600 seconds, and I could raise this number, but what's the correct way to fix this problem?

TESTDOM is my domain name and testuser is my test user.

Thanks

-Skywacker
Radi (Tux's lil' helper; Joined: 09 Jul 2002; Posts: 108)
Posted: Mon May 09, 2005 2:09 pm

Hello There,

I'm using a Linux box with Samba as an Active Directory client. Login with an AD user works perfectly, but for most users the home directory has been named in uppercase characters, like "SomeUser". Samba itself resolves the username as "someuser", and every time I log in with an account that has such a named home directory, Samba fails to cd into the directory because Linux is case sensitive. Is there a way of going around it without changing every home dir?

Thanks, Radi
mgladding4423 (n00b; Joined: 12 May 2005; Posts: 15)
Posted: Thu May 12, 2005 6:06 pm

I'm having the same problem other people are having with all of this. When I attempt to get to the network share (\\<server name>\<share name>) from any system, I get an invalid username and password prompt and I can't get in.
winbind is up and running, as is samba; I can use smbclient to connect to a Windows share, I'm joined to the domain, and can query AD with wbinfo, so I have no clue what to do now. Any ideas?

edit side note:
When I try to connect via smbclient/mount on another linux box (we have tons in my company) I get the following:
Quote:
tmp # smbmount //<server name>/root$ /tmp/smbtest -o username=root
Password:
29178: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed

Doesn't matter what username I use; I tried root, administrator, mine, all of them, same thing.

Here is my smb.conf:
Code:
[global]
        netbios name = backup
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = <workgroup name>
        os level = 20
        winbind enum groups = yes
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = <realm name>
        security = ADS
        wins server = 192.168.1.2
        wins proxy = no
        username map = /etc/samba/smbusers

[root$]
        comment = Root share
        writeable = yes
        path = /
        valid users = @"<short domain name>+<group name>"


and in case you ask it does the same thing when I remove the valid users part and make it public and such.

here is my nsswitch.conf:
Code:
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


Anyone got any ideas?
mgladding4423 (n00b; Joined: 12 May 2005; Posts: 15)
Posted: Mon May 16, 2005 5:48 pm

I'm bumping in hopes that someone will have some clue.
I've also checked my logs and found this in the log.winbindd

Code:

  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639


I'm assuming that this is my problem, but I can't find anything as to what it means or how to fix it.

And this shows up in my /var/log/samba3/log.<machine name>

Code:
[2005/05/16 10:26:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:29, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2005/05/16 10:26:29, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2005/05/16 10:26:29, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 23: ERRNO = Connection reset by peer
[2005/05/16 10:26:29, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
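The log lines quoted in this thread come from three different layers, and knowing which one is failing saves a lot of guessing: winbindd's "error getting user id for sid" is the SID-to-uid mapping (idmap), smbd's "Username ... is invalid on this system" means the Kerberos ticket was accepted but the user could not be looked up through NSS, and "Failed to verify incoming ticket!" (the one cuban reported) means smbd could not decrypt the ticket with the machine account key it holds. As an added example for this thread (not Samba's own tooling and not from any poster), this POSIX shell script classifies log text by those signatures and prints the first check to run for each. The sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# samba-log-triage.sh: classify the Samba 3 failure signatures quoted in this
# thread. Reads smbd/winbindd log text on stdin and prints one line per
# failure class with a hit count and the first check to run.
# Added example for the thread; not part of Samba.

triage_samba_log() {
    awk '
    # idmap layer: winbindd could not turn a SID into a uid (seen during
    # enumeration, which is why getent passwd shows nothing from AD).
    /error getting user id for sid/ {
        idmap++
        sids[$NF] = 1                       # the SID is the last field
    }
    # NSS layer: Kerberos auth succeeded but getpwnam() on the mapped name failed.
    /Username .* is invalid on this system/ {
        nss++
        sub(/.*Username /, ""); sub(/ is invalid.*/, "")
        users[$0] = 1
    }
    # Kerberos layer: the service ticket is not decryptable with the key in
    # secrets.tdb (stale machine password / kvno) or the clocks disagree.
    /Failed to verify incoming ticket|failed to decrypt/ { krb++ }
    END {
        if (idmap) {
            n = 0; for (s in sids) n++
            printf "IDMAP %d hit(s), %d SID(s): winbindd could not map SID->uid; check the \"idmap uid\"/\"idmap gid\" ranges and that winbindd can write its idmap tdb, then run: wbinfo -S <sid>\n", idmap, n
        }
        if (nss) {
            n = 0; for (u in users) n++
            printf "NSS %d hit(s), %d user(s): ticket accepted but getpwnam() failed; check nsswitch.conf lists winbind for passwd/group and run: getent passwd <user>\n", nss, n
        }
        if (krb) {
            printf "KRB %d hit(s): ticket not decryptable with the machine key; check clock skew against the DC and run: net ads testjoin (re-join if it fails)\n", krb
        }
        if (!idmap && !nss && !krb) print "NONE: no known failure signature found"
    }'
}

# Constructed sample built from the lines quoted in this thread (not a real capture).
SAMPLE_LOG='[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:26:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username EXAMPLE+test is invalid on this system
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!'

# Usage: sh samba-log-triage.sh /var/log/samba3/log.winbindd /var/log/samba3/log.<machine>
# With no arguments nothing is read, so the functions can be sourced.
if [ $# -gt 0 ]; then
    cat "$@" | triage_samba_log
fi
```

On the sample, the output is three lines: IDMAP with 3 hits over 2 SIDs, NSS with 1 hit for 1 user, and KRB with 2 hits. The IDMAP class is the one mgladding4423's log shows: wbinfo -u works because it asks winbindd directly for names, but smbd and getent need each SID mapped to a uid, and that mapping fails when the SID falls outside the idmap ranges or winbindd cannot write to the idmap tdb in the directory testparm -v reports as "lock directory". The same lines in a later post (the "enc type [23] failed to decrypt" detail) fall in the KRB class.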
njcwotx (Guru; Joined: 25 Feb 2005; Posts: 514; Location: Texas)
Posted: Mon May 16, 2005 10:07 pm

This question is in regard to using Samba+AD after it's installed and working.

I am currently reading through man pages, this forum and other LDAP, Kerberos, Samba docs and the like; however, I am posting the question now in case somebody can assist me before any research is complete.

Problem:
Samba+AD is working and in production. We have 2 problems that are resolved the same way. First issue: every once in a while a user will not be able to authenticate directly to shares. Other users can connect just fine, except this one user. Second issue: we have an intranet website that uses AD accounts to access shares on another Samba server. If we restart Samba on this server, we need to perform the command below on the intranet box as well. We resolve this issue by performing the following command:

Code:
kinit administrator    #followed by the appropriate password


The date and time are correct and the same on all servers; we just need to occasionally reset the ticket.

Solution needed:
Obviously, re-initializing the Kerberos ticket makes everyone happy. However, this is a manual procedure that needs to be done automatically whenever this occurs. My problem is partly a lack of understanding of Kerberos and LDAP, and I am trying to correct this problem via RTFM. However, any insight to speed up this process would help.
I have seen examples of putting kinit in a cron job but need some more insight about what it is I am actually doing and how this works before I modify production servers.


Additional Info:

I am reading through this forum and found this info above, however, I need some clarification on some of it if anyone cares to try.
Quote:

Automatic updating of the Kerberos ticket
Let's now create a script for automatic update of the Kerberos ticket for the LDAP. After the command execution, the root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated.

/sbin/kerbinit.sh
Code:

#!/bin/sh
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent
chmod 600 /tmp/krb5cc_0



Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note that the default location of this file is /tmp/krb5cc_[uid] (here, for the user root, it is the file /tmp/krb5cc_0).

Code:

gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM

Valid starting Expires Service principal
03/25/04 16:10:27 03/26/04 02:10:26 ldap/sfusrv.sfu.acme.com@SFU.ACME.COM
renew until 03/26/04 16:10:27





You should add this script to the root's crontab file (/var/spool/cron/crontabs/root). The following example will call kerbinit.sh every 2 hours:

Code:

# /var/spool/cron/crontabs/root
# /etc/crontab
.
.
# minute 0 of every second hour; "* */2 * * *" would run it every minute of those hours
0 */2 * * * sh /sbin/kerbinit.sh



Furthermore, it is necessary to run kerbinit.sh at boot. That way the Linux computer will have a valid Kerberos ticket for access to the LDAP. So let's add it to the /etc/conf.d/local.start file:

Code:

.
.
# This is a good place to load any misc.
# programs on startup ( 1>&2 )
sh /sbin/kerbinit.sh



I have a keytab file but I want to be clear on the particulars of

Code:
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent
chmod 600 /tmp/krb5cc_0


plus any other comments concerning this.
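On the particulars of the quoted kinit line: -k tells kinit to prove the client's identity with a key from a keytab (by default /etc/krb5.keytab; -t names another file) instead of prompting for a password; -S ldap/sfusrv.sfu.acme.com asks the KDC for a ticket for that LDAP service directly in place of the usual krbtgt ticket, which is why the klist output shows ldap/... as the service principal; and the trailing nssldap/gent is the client principal whose key must be in the keytab (klist -k /etc/krb5.keytab lists what is there). The ticket lands in root's cache, /tmp/krb5cc_0, and anything running as root that binds to LDAP with GSSAPI (nss_ldap in the quoted setup) uses it, so once it expires those binds fail until someone runs kinit again. Below is a renewal script I am adding as an example for this thread (it is not from the quoted howto or from any poster); the keytab path and principal are assumptions to adjust. It renews on every run rather than only after klist -s reports the cache expired, because a two-hourly job that waits for expiry leaves up to two hours without a ticket, which is the intermittent failure described above.

```shell
#!/bin/sh
# krb-renew.sh: keep a keytab-based Kerberos ticket cache fresh for a service
# that binds to AD/LDAP as its own principal. Added example for this thread;
# KEYTAB, PRINCIPAL and CACHE are assumptions, not values from the thread.
umask 077
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"        # must hold the key for PRINCIPAL (klist -k "$KEYTAB")
PRINCIPAL="${PRINCIPAL:-nssldap/gent}"      # client principal whose key is in the keytab
CACHE="${KRB5CCNAME:-/tmp/krb5cc_0}"        # root's default cache is /tmp/krb5cc_<uid>
KINIT="${KINIT:-kinit}"                     # overridable so the logic can be exercised offline
KLIST="${KLIST:-klist}"

# ticket_valid: exit 0 if CACHE holds an unexpired ticket, non-zero otherwise.
# klist -s prints nothing and only sets the exit status, so it is cron-friendly.
ticket_valid() {
    "$KLIST" -s -c "$CACHE" 2>/dev/null
}

# renew_ticket: fetch a fresh ticket with the keytab key (-k: no password, no
# prompt, nothing secret on disk beyond the keytab itself) and make sure the
# cache is readable by its owner only. kinit already creates it that way; the
# chmod is belt and braces for a cache that pre-existed with looser modes.
renew_ticket() {
    "$KINIT" -k -t "$KEYTAB" -c "$CACHE" "$PRINCIPAL" || return 1
    chmod 600 "$CACHE"
}

# refresh_ticket: what cron runs. Renews unconditionally, then verifies the
# result; prints "renewed" on success so the cron mail shows what happened.
refresh_ticket() {
    renew_ticket && ticket_valid && echo renewed
}

# Cron entry for root (minute 0 of every second hour; the howto's
# "* */2 * * *" would fire every minute of those hours):
#   0 */2 * * * /sbin/krb-renew.sh run
# Boot-time entry for /etc/conf.d/local.start:
#   /sbin/krb-renew.sh run
# Health check for monitoring (exit status 1 when the cache is expired):
#   /sbin/krb-renew.sh check
case "${1:-}" in
    run)   refresh_ticket ;;
    check) ticket_valid && echo valid ;;
esac
```

If a service ticket rather than a TGT is wanted, as in the quoted line, add -S ldap/sfusrv.sfu.acme.com to the kinit call; with a TGT in the cache the LDAP service ticket is fetched on demand instead, which is the more general choice.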
mikec49 (n00b; Joined: 15 Jun 2005; Posts: 2)
Posted: Wed Jun 15, 2005 12:23 pm    Subject: Re: How to integrate Samba into Active Directory (UPDATED).

maalth wrote:
How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff).- Updated 13 Apr 2004.

Alright, I'll have to go on my notes, I did this on Thanksgiving Day, so I may not remember everything I did. Anyway, here goes:

  • Active Directory should already be implemented and working. If you need help, there's plenty of help on the net.
  • Your Windows system should be secured and patched.
  • You have Gentoo Linux installed of course
  • With the config files, you need to change example.com to match your domain.

Okay, now the basics are done, let's begin the install process.

Step 1: Emerge openldap. No configuration is necessary. However, AD support will not be compiled into samba without it.
Step 2: Emerge mit-krb5. Configure the file /etc/krb5.conf as follows:
Code:
[libdefaults]
   default_realm = EXAMPLE.COM
 
   [realms]
   EXAMPLE.COM = {
        kdc = adserver.example.com
   }


Add this line to /etc/hosts:
Code:
1.2.3.4    adserver.example.com   adserver


You need this to make sure you can connect to the AD server, even when DNS is down.

Notes about this config file, do NOT change the case of EXAMPLE.COM because you will get the following error message: "Cannot find KDC for requested realm while getting initial credentials". Also, do NOT comment the config file because the kerberos client will not read the config file correctly.

Step 3: We will stop here and test kerberos to ensure you can see the AD domain type in this command:
Code:
kinit Administrator@EXAMPLE.COM

It will ask for the password; if you type in correctly; then you will be returned to the prompt which means it worked. Pat yourself on the back. You've done the easy part!

Step 4:
We are now going to emerge samba. You can do this one of two ways:

  1. Add kerberos and ldap to your USE flags make.conf file. Emerge samba using the following command:
    Code:
    emerge samba
    OR

  2. Type in the following command:
    Code:
    USE="kerberos ldap" emerge samba


IMPORTANT: kerberos and ldap MUST be included, winbind will NOT work without those flags!

Use the command
Code:
emerge -pv samba

The resulting line should look similar to this (this is on my system):
Code:
[ebuild   R   ] net-fs/samba-3.0.2a -acl +cups +kerberos +ldap +mysql -oav +pam +python +readline +xml  127 kb

Simply put, pick option 1 or 2; samba takes a little time to compile and install. Once samba is installed, you need to configure it. You can use this example samba file:
Code:
# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = SERVERNAME <- I recommend the same name as the server.
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 <- Tweak this to get the best speed out of your connection
        idmap uid = 10000-20000 <- This is for mapping uids between linux server and AD
        winbind enum users = yes <- This allows you to bind users.
        winbind gid = 10000-20000 <- This is for mapping gids between linux server and AD
        workgroup = WORKGROUP <- Change to match the NETBIOS name of the AD domain.
        os level = 20 <- This is for the master browser priority.
        winbind enum groups = yes <- This allows you to use the Active Directory groups
        socket address = 1.2.3.4 <- Change this to match the IP address or remove it to listen to all addresses.
        password server = * <- I recommend this if you have more than one server; I do in my case.
        preferred master = no <- You do NOT want to be a master browser.
        winbind separator = + <- See the first line comment.
        max log size = 50 <- In K
        log file = /var/log/samba3/log.%m <- This allows logging activities for each machine.
        encrypt passwords = yes <- Active directory does NOT accept plaintext passwords.
        dns proxy = no <- You don't want anything to do with DNS.
        realm = EXAMPLE.COM <- This is for kerberos.
        security = ADS <- Active directory server provides security for the shared resources.
        wins server = 1.2.3.4 <- Change to IP address of your installed WINS server
        wins proxy = no <- You don't want to proxy WINS either.

# Shares section
[mp3]  <- Name of the share.
        comment = MP3 Repository <- A comment...
        writeable = yes <- If you want users to update the directory
        path = /home/mp3 <- Where is the share on the linux server
        force user = mp3 <- Should be the name of the user who is responsible for the share.


Step 5: Fire up samba; check to make sure it's running.
Code:
 /etc/init.d/samba start


Step 6: Join your samba server to your domain by typing in this command:
Code:
net ads join -U Administrator

It will ask you for a password, type your password in. If you typed it in correctly, you will see the message that says: Joined 'SERVERNAME' to realm 'EXAMPLE.COM.' If you check your AD server, the machine account for your system will appear under computers.

Step 7: We are going to test winbind to ensure windows authentication does indeed work. Winbind allows you to use Active Directory for user authentication (see link 2 for more info). The steps for using and testing winbind are gleaned from link 2.

You need to edit the file /etc/nsswitch.conf You need to change two lines to look like this (other lines removed to keep this post short as possible):
Code:
passwd:      compat winbind
shadow:      compat
group:       compat winbind

Let's test the winbindd daemon before we make it permanent. Fire up winbindd by typing
Code:
winbindd
You can also make winbindd run as two processes (which is faster; but for these purposes, let's run it as one). Winbindd runs in dual daemon mode by default.

Since there is no visual confirmation whether or not it's running, you can check with ps to ensure it is indeed running.
Code:
ps -ae | grep winbindd

The results should be something similar to this:
13324 ?        00:04:23 winbindd
13325 ?        00:00:00 winbindd

If you get an error message instead of the above, then you didn't compile kerberos and ldap support in and need to do that before anything will work

Let's make sure we can see the contents of Active Directory. Type in this command:
Code:
wbinfo -u

This is the results from my system (changed for integrity), yours should be similar.
Code:
EXAMPLE+test <- test account on AD
EXAMPLE+test2 <- test account on AD
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+TsInternetUser
EXAMPLE+krbtgt
EXAMPLE+MACHINE1$ <- test machine 1
EXAMPLE+MACHINE2$ <- test machine 2
EXAMPLE+MACHINE3$ <- test machine 3
EXAMPLE+HOST/servername <- samba machine
EXAMPLE+DOMAINCONTROLLER$

To see the groups, use this command:
Code:
wbinfo -g

You should see a result similar to this:
Code:
EXAMPLE+Domain Computers
EXAMPLE+Domain Controllers
EXAMPLE+Schema Admins
EXAMPLE+Enterprise Admins
EXAMPLE+Cert Publishers
EXAMPLE+Domain Admins
EXAMPLE+Domain Users
EXAMPLE+Domain Guests
EXAMPLE+Group Policy Creator Owners
EXAMPLE+DnsUpdateProxy

We can get a username from both the local linux server and the Active Directory server by typing in this command:
Code:
getent passwd

I will not post the results of this command for security reasons, but you should see a list of local users with the Active Directory users appended.

For groups, type in getent group
I will not post the results of this command for security reasons, but you should see a list of local groups with the Active Directory groups appended.

I would suggest reading the info in link 2 for more things you can do with other authentication with AD.

If everything has worked as above, pat yourself on the back! Good job!

Step 8: If you didn't configure a share yet; do so now. You need to restart samba if you created a share.

You should join any machine you want to access the samba resources to your Active Directory Domain. Use a machine that's joined to the AD domain to see if your share appears via network neighborhood.

If you want samba and winbind to run on startup, type in the following commands:
Code:
rc-update add samba default
rc-update add winbind default


That's it for now, any problems, something is unclear, or questions, let me know and I will do my best to help you.

Resources:

The samba/ADS howto: http://us1.samba.org/samba/docs/man/domain-member.html#ads-member
Helpful info for winbind: http://us1.samba.org/samba/docs/man/winbind.html



Small problem: all of the above works (sort of!!)

Each command in turn works fine, i.e. wbinfo -u and getent passwd, returning as expected.

But I edited the login within /etc/pam.d using all of the available info that I could find, and when you log on as an AD user, you get the error 'User not known to the Underlying Authentication Module'.

Yet, if you run a getent passwd | grep (for that user) and then go back to the console, it does log in!!

Any ideas?

Anyone have a working /etc/pam.d/login? (It's a start, maybe!?)

Thanks in advance
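The howto's Steps 6 and 7 test the join by hand (net ads join, wbinfo -u, wbinfo -g, getent passwd), and most of the follow-up problems in this thread, a share that prompts for a password, wbinfo working while getent shows nothing, are one of four layers failing: the machine-account secret, winbindd enumeration, SID-to-uid mapping, or the NSS path that smbd actually uses. As an added example written for this thread (not from the howto and not part of Samba), the following POSIX shell script runs those checks in dependency order and names the layer that broke. DOMAIN, SEP and TESTUSER are assumptions: set them to your short domain name, your winbind separator, and a real AD account.

```shell
#!/bin/sh
# ad-member-check.sh: smoke test for a Samba 3 AD member server after the join.
# Added example for this thread; not from the howto or from Samba.
DOMAIN="${DOMAIN:-EXAMPLE}"       # assumption: short (NetBIOS) name, as in "workgroup ="
SEP="${SEP:-+}"                   # assumption: must match "winbind separator ="
TESTUSER="${TESTUSER:-test}"      # assumption: an ordinary AD account to look up
fail=0

# 1. Machine-account secret still matches the DC. When it does not, smbd logs
#    "Failed to verify incoming ticket!" for every Kerberos client.
check_trust() {
    net ads testjoin >/dev/null 2>&1 && wbinfo -t >/dev/null 2>&1
}

# 2. winbindd enumerates users and groups in the DOMAIN<sep>name form the
#    share definitions (valid users = @"DOMAIN+Group") rely on.
check_enum() {
    wbinfo -u 2>/dev/null | grep -q "^$DOMAIN$SEP" &&
    wbinfo -g 2>/dev/null | grep -q "^$DOMAIN$SEP"
}

# 3. SID -> uid mapping works for a real account. If this fails, winbindd logs
#    "error getting user id for sid ..." and getent shows nothing from AD.
check_idmap() {
    sid=$(wbinfo -n "$DOMAIN$SEP$TESTUSER" 2>/dev/null | cut -d' ' -f1)
    [ -n "$sid" ] && wbinfo -S "$sid" >/dev/null 2>&1
}

# 4. The NSS path (nsswitch.conf + libnss_winbind) resolves AD accounts. smbd
#    and sshd use this, not wbinfo, so a failure here shows up as
#    "Username DOMAIN+user is invalid on this system".
check_nss() {
    getent passwd "$DOMAIN$SEP$TESTUSER" >/dev/null 2>&1 &&
    getent group 2>/dev/null | grep -q "^$DOMAIN$SEP"
}

# report NAME HINT CHECK: run CHECK, print PASS/FAIL with the hint, count failures.
report() {
    if "$3"; then
        echo "PASS $1"
    else
        echo "FAIL $1: $2"
        fail=$((fail + 1))
    fi
}

# run_checks: runs the four checks in dependency order; the exit status is the
# number of failures, so 0 means the member server is healthy.
run_checks() {
    fail=0
    report trust "re-run 'net ads join -U Administrator' and check clock skew against the DC" check_trust
    report enum  "winbindd not running, or 'workgroup'/'winbind separator' differ from DOMAIN/SEP" check_enum
    report idmap "SID outside the 'idmap uid'/'idmap gid' ranges, or winbindd cannot write its idmap tdb" check_idmap
    report nss   "add winbind to passwd/group in /etc/nsswitch.conf and check libnss_winbind is installed" check_nss
    return $fail
}

# Usage: sh ad-member-check.sh --run   (no arguments: define the functions only)
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

The order matters: a FAIL on trust makes everything after it meaningless, and the thread's most common state, wbinfo fine but shares prompting for passwords, shows up as PASS trust, PASS enum and a FAIL on idmap or nss.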
njcwotx (Guru; Joined: 25 Feb 2005; Posts: 514; Location: Texas)
Posted: Thu Jun 16, 2005 6:30 am

Can you post your configs?
_________________
Drinking from the fountain of knowldege.
Sometimes sipping.
Sometimes gulping.
Always thirsting.
mikec49 (n00b; Joined: 15 Jun 2005; Posts: 2)
Posted: Sat Jun 18, 2005 12:32 pm

njcwotx wrote:
can you post your configs?


Since my posting, I set up SWAT to look at the Samba config, and in the advanced settings there were some interesting winbind options that I had never seen before. I messed around with a few of these, and I managed to get console login working with AD users, but other things were still broken.

So, early next week I will go through all of my configs and see where I'm at.

I know I could use help with the /etc/pam.d/sshd, as this is (was) working, but as root (a non-AD user) it asked for the password twice. Now I know I need to put use_first_pass somewhere, just unsure where, so anybody that has a working sshd pam file for use with winbind, this would be useful.

Thanks
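For the two login questions left open above (cpdsaorg's: can the "Linux Admins" group SSH in without a local account per admin; mikec49's: where use_first_pass goes so root is not asked for the password twice), here is an /etc/pam.d/sshd that I am adding as an example; it is not taken from any poster's system. It assumes nsswitch.conf already lists winbind for passwd and group (so AD users resolve without local accounts, which answers the first question), pam_winbind.so from the Samba build is installed, and sshd_config has UsePAM yes.

```text
# /etc/pam.d/sshd   (added example for a pam_winbind member server)
auth       sufficient   pam_winbind.so
auth       required     pam_unix.so use_first_pass
account    sufficient   pam_winbind.so
account    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
session    required     pam_unix.so
```

pam_winbind goes first and is sufficient: an AD user is accepted there and the stack stops. For an account winbind does not know (root), it fails, and pam_unix then reuses the password already typed because of use_first_pass instead of prompting a second time; that second prompt is exactly what happens when use_first_pass is missing from the pam_unix line. pam_mkhomedir creates the home directory on first login at the path smb.conf's template homedir gives (template homedir = /home/%D/%U produces the /home/TESTDOM/testuser form seen earlier in the thread), so set that before the first AD login rather than renaming directories afterwards. To limit SSH to a single AD group, later 3.0.x releases of pam_winbind accept a require_membership_of= option; check man pam_winbind for the installed version before relying on it. sshd's own AllowGroups also works with winbind groups, but it is a space-separated list, so a group name containing a space, such as EXAMPLE+Linux Admins, cannot be written there.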
JDStone (n00b; Joined: 27 Apr 2005; Posts: 3; Location: Santa Clarita, CA, USA)
Posted: Fri Jun 24, 2005 5:51 am    Subject: Confused! Active Directory

I'm confused: is the Active Directory server a Windows machine or is it a Linux machine? Is it even possible to make a Linux machine an Active Directory server?
njcwotx (Guru; Joined: 25 Feb 2005; Posts: 514; Location: Texas)
Posted: Sat Jul 02, 2005 8:57 pm

In my case it's a Windows server domain with Linux boxes becoming members that need Windows domain users having access to Samba shares.
Martz (n00b; Joined: 04 Mar 2004; Posts: 72)
Posted: Mon Jul 04, 2005 8:12 am    Subject: Re: Confused! Active Directory

JDStone wrote:
I'm confused, is the Active Directory server a Windows machine or is it a Linux machine? Is it even possible to make a Linux machine a Active Directory server?


In this case, it should always be a Windows AD server (Domain Controller). There are other how-to's for building your own Samba/AD/LDAP style servers. This thread is for people who have existing Windows Domain Controllers and want to extend linux services to them.
Gendal (n00b; Joined: 25 Apr 2003; Posts: 18)
Posted: Sun Jul 10, 2005 10:33 pm

Just an FYI: I spent the past few hours banging my head against the wall trying to get it to join a domain. Finally traced it back to the ISA (Internet Security Server) 2004 firewall. It's the debil; it kept blocking port 464 no matter what I did. Once I removed ISA, voila, it worked without a hitch.
NightMonkey (Guru; Joined: 21 Mar 2003; Posts: 312; Location: Brisbane, CA)
Posted: Mon Jul 25, 2005 9:52 am    Subject: Solved?

EDIT: Er, never mind. I fixed this problem. Lots of Kerberos voodoo... Also, I found that this cryptic error comes from Kerberos - a password mismatch... Must have been with the machine account, I guess. I also checked "Trust this computer for delegation" on the Win2K server - dunno, that might have fixed it too. I'll break everything down over the next few days to see if I can replicate the problem.

cuban wrote:
Out of no where I'm starting to get the below... Anyone have any ideas?

Code:
[2005/04/06 16:09:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!


I get this too, after getting *everything* else working. Turned up logging; here's the result:

Code:
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBnegprot (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN1.0]
[2005/07/25 02:44:35, 3]
 smbd/negprot.c:reply_negprot(461)
  Requested protocol [Windows for Workgroups 3.1a]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LM1.2X002]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN2.1]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [NT LM 0.12]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_nt1(333)
  using SPNEGO
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(555)
  Selected protocol NT LM 0.12
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 2 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt
integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 3 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 4 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


Running samba 3.0.14a (problem occurs with 3.0.10, too). This line looks suspicious:

Code:
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed


I googled around, and found that this "enc type" is for md4-hmac. I set this in /etc/krb5.conf explicitly (though I think this should "just work" with mit-krb5-1.4.1) and no change. This is a connection from a Win2K Pro client -> a Samba Domain Member server, authenticating against a Win2K AD DC.

Anyone else get this too, and have a solution? Thanks in advance!
m4chine
Apprentice


Joined: 12 Mar 2003
Posts: 271
Location: Ventura, CA, USA

PostPosted: Tue Aug 02, 2005 6:15 pm    Post subject: Reply with quote

I have had samba up and running for some time now with AD integration. Nothing changed on the Linux side that I know of, but there were updates applied to our AD server (Windows 2003 SP1, iirc). So out of nowhere I get these errors in /var/log/samba3/log.%u for each username:

Code:
[2005/08/02 10:03:23, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161) user 'USERNAME' does not exist


I was able to fix them by adding the following to my /etc/samba/smb.conf file:

Code:
client schannel = no


I then noticed that I got this error:

Code:
[2005/08/02 10:46:14, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 1 requested.
[2005/08/02 10:46:15, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 9 requested.


I was able to fix this error by upgrading to samba-3.0.14a-r2.

cheers,
_________________
never trust a man who can count to 1023 on his fingers.

-m4chine
cyphz0r
n00b


Joined: 29 Oct 2003
Posts: 12

PostPosted: Tue Aug 02, 2005 6:46 pm    Post subject: Reply with quote

Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!
m4chine
Apprentice


Joined: 12 Mar 2003
Posts: 271
Location: Ventura, CA, USA

PostPosted: Tue Aug 02, 2005 10:53 pm    Post subject: Reply with quote

cyphz0r wrote:
Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!


What do you mean by authenticate a single user? You want only a single user to have access to a share? When you try to access a samba share, various authentications are attempted that are specified in /etc/samba/system-auth-winbind. By setting these auth lines up accordingly, you set up the order in which the user attempts to authenticate, meaning your local user can be authenticated before or after winbind attempts to authenticate your AD user.

There is also /etc/samba/smbusers which allows you to map local users to AD users.
Code:

# Unix_name = SMB_name1 SMB_name2 ...
root = DOMAIN+Administrator administrator admin
nobody = guest pcguest smbguest


Elaborate on your question and I'll try to give a more detailed answer.
_________________
never trust a man who can count to 1023 on his fingers.

-m4chine
cyphz0r
n00b


Joined: 29 Oct 2003
Posts: 12

PostPosted: Wed Aug 03, 2005 1:55 am    Post subject: Reply with quote

m4chine wrote:
cyphz0r wrote:
Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!


What do you mean by authenticate a single user? You want only a single user to have access to a share? When you try to access a samba share, various authentications are attempted that are specified in /etc/samba/system-auth-winbind. By setting these auth lines up accordingly, you set up the order in which the user attempts to authenticate, meaning your local user can be authenticated before or after winbind attempts to authenticate your AD user.

There is also /etc/samba/smbusers which allows you to map local users to AD users.
Code:

# Unix_name = SMB_name1 SMB_name2 ...
root = DOMAIN+Administrator administrator admin
nobody = guest pcguest smbguest


Elaborate on your question and I'll try to give a more detailed answer.


What I am looking for is to have local users still be able to authenticate. I only have a few; I use them for service accounts like Nagios monitoring and such. And then also be able to say that "aduser" has access to this share without defining an entire group. I will play with the system-auth-winbind tomorrow while at work and see what I come up with.

Thanks.


edit, adding system-auth-winbind

Code:

#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.2 2004/07/18 03:55:05 dragonheart Exp $

auth        required      /lib/security/pam_env.so
#auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_deny.so

#account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so


I tried moving the order; it still tries to do the NT login via the domain first.
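The PAM stack posted above is the thing that decides "local first" versus "AD first". As an added example (not code from this thread, from Samba or from Linux-PAM), the following script reads an `auth` stack in the format of the posted /etc/samba/system-auth-winbind and replays it against three constructed users: one that only the local passwd file knows (`nagios`), one that only winbind knows (`aduser`), and one that neither knows (`stranger`). It models the two control flags the file uses, `required` (a failure is remembered but the stack keeps going) and `sufficient` (a success ends the stack unless a `required` module already failed; a failure is ignored). The constant names, the user names and the per-module outcomes are assumptions made up for the demonstration; it also shows why the trailing `pam_deny.so` line matters by replaying the stack without it.

```python
"""Model how Linux-PAM combines 'required' and 'sufficient' results.

Added example; not code from this thread or from Samba/Linux-PAM.  It
reads an 'auth' stack in the format of the posted
/etc/samba/system-auth-winbind and replays it against constructed users,
so the effect of swapping pam_unix.so and pam_winbind.so (and of the
final pam_deny.so line) can be checked before editing the real file.
"""

SUCCESS, FAIL = "success", "fail"


def parse_pam_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a PAM config."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            # keep only the module file name, e.g. pam_unix.so
            stack.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, results):
    """Replay one stack for one user.

    results maps module -> SUCCESS/FAIL; modules not listed (pam_deny.so)
    fail.  Returns (final_result, modules_that_ran).
    """
    required_failed = required_passed = False
    ran = []
    for control, module in stack:
        outcome = results.get(module, FAIL)
        ran.append(module)
        if control == "required":
            if outcome == SUCCESS:
                required_passed = True
            else:
                required_failed = True        # remembered, stack continues
        elif control == "sufficient":
            if outcome == SUCCESS and not required_failed:
                return SUCCESS, ran           # short-circuit: user is in
        else:
            raise ValueError("control %r is not modelled here" % control)
    if required_failed or not required_passed:
        return FAIL, ran
    return SUCCESS, ran


# The posted order: local password file first, then AD via winbind, then deny.
LOCAL_FIRST = """\
auth  required    /lib/security/pam_env.so
auth  sufficient  /lib/security/pam_unix.so likeauth nullok use_first_pass
auth  sufficient  /lib/security/pam_winbind.so
auth  required    /lib/security/pam_deny.so
"""

# Same modules with winbind tried before the local password file.
AD_FIRST = """\
auth  required    /lib/security/pam_env.so
auth  sufficient  /lib/security/pam_winbind.so
auth  sufficient  /lib/security/pam_unix.so likeauth nullok use_first_pass
auth  required    /lib/security/pam_deny.so
"""

# Constructed users: which backend accepts the password each one supplied.
USERS = {
    "nagios":   {"pam_env.so": SUCCESS, "pam_unix.so": SUCCESS, "pam_winbind.so": FAIL},
    "aduser":   {"pam_env.so": SUCCESS, "pam_unix.so": FAIL,    "pam_winbind.so": SUCCESS},
    "stranger": {"pam_env.so": SUCCESS, "pam_unix.so": FAIL,    "pam_winbind.so": FAIL},
}


def replay(stack_text, users=USERS):
    """Return {user: (result, modules_that_ran)} for one stack text."""
    stack = parse_pam_stack(stack_text)
    return {name: evaluate(stack, res) for name, res in users.items()}


def without_deny(stack_text):
    """The same stack with the final pam_deny.so line removed."""
    return "\n".join(l for l in stack_text.splitlines() if "pam_deny" not in l) + "\n"


if __name__ == "__main__":
    for label, text in (("local first", LOCAL_FIRST), ("AD first", AD_FIRST),
                        ("AD first, no pam_deny", without_deny(AD_FIRST))):
        print(label)
        for user, (result, ran) in replay(text).items():
            print("  %-9s %-7s via %s" % (user, result, " -> ".join(ran)))
```

With the posted order an AD user is still accepted, just after pam_unix has rejected them; swapping the two `sufficient` lines makes winbind the first backend consulted and keeps the local fallback. Dropping `pam_deny.so` lets the unknown user in, because the only `required` module left (pam_env) succeeds for everyone.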
cyphz0r
n00b


Joined: 29 Oct 2003
Posts: 12

PostPosted: Tue Aug 16, 2005 1:31 pm    Post subject: Reply with quote

anyone????


still can't figure out how to make it check both AD and local users.

I want it to default to AD, but also be able to fall back onto local users.


And I still can't figure out how to permit a single AD user to a share; I can only do groups?
BigBeer
n00b


Joined: 18 Oct 2004
Posts: 40

PostPosted: Tue Aug 23, 2005 2:35 pm    Post subject: Reply with quote

I had this working, but after an emerge -upD world I seem to have broken my setup.

I have gone back and followed the steps again from scratch and still can not get it to work.


Here is what I am getting in log.winbindd
Code:

[2005/08/23 10:26:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:28, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/UNICRON@ATL.MYDOMAIN.COM failed: Preauthentication failed
[2005/08/23 10:26:28, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed


Anyone have any ideas as to what I am doing wrong ??!?!


--BigBeer
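Both the smbd excerpt at the top of this page (enc type 23 failing to decrypt, followed by "Failed to verify incoming ticket!") and the log.winbindd excerpt just above ("Preauthentication failed" for the member server's own host/ principal) use the same Samba 3 record layout: a `[date, level] file:function(line)` header and the message on the following indented line(s). As an added example, not code from this thread or from the Samba project, the script below parses that layout, re-joins wrapped message lines, and counts the Kerberos failure kinds, the enctypes and the principals they mention, which is the first thing to pull out of a log before deciding whether the problem is a key mismatch for the machine account (what a KDC's "Preauthentication failed" means: the key presented does not match what the KDC holds for that principal) or a ticket the server cannot decrypt. The sample records are copied from the two posted excerpts; the label names and the regular expressions are mine.

```python
"""Parse Samba 3 log records and summarise Kerberos/ticket failures.

Added example, not code from this thread or from the Samba project.  The
sample records are copied from the log excerpts posted in this thread
(wrapped message lines re-joined); the assumed record format is the
'[date, level] file:function(line)' header followed by indented message
lines, which is what those excerpts show.
"""
import re
from collections import Counter

HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] "
    r"([^:]+):(\w+)\((\d+)\)\s*$"
)

# Copied from the posts above (smbd log.* and log.winbindd), not constructed.
SAMPLE_LOG = """\
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/08/23 10:26:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:28, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/UNICRON@ATL.MYDOMAIN.COM failed: Preauthentication failed
"""


def parse_samba_log(text):
    """Return a list of {ts, level, file, func, line, msg} records.

    Message text may span several lines (the extraction above wrapped
    some); everything up to the next header belongs to the current record.
    """
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m.group(1), "level": int(m.group(2)),
                       "file": m.group(3), "func": m.group(4),
                       "line": int(m.group(5)), "msg": ""}
            records.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records


# Labels (mine) for the failure messages seen in the thread.
FAILURE_PATTERNS = {
    "preauth_failed":        re.compile(r"Preauthentication failed"),
    "ticket_decrypt_failed": re.compile(r"enc type \[(\d+)\] failed to decrypt"),
    "ticket_verify_failed":  re.compile(r"Failed to verify incoming ticket"),
}
# A Kerberos principal such as host/UNICRON@ATL.MYDOMAIN.COM
PRINCIPAL = re.compile(r"\b(\S+/\S+@[A-Z0-9.]+)\b")


def summarise_failures(records):
    """Count failure kinds, the enctypes and the principals they mention."""
    kinds, principals, enctypes = Counter(), Counter(), Counter()
    for r in records:
        for label, pat in FAILURE_PATTERNS.items():
            m = pat.search(r["msg"])
            if not m:
                continue
            kinds[label] += 1
            if label == "ticket_decrypt_failed":
                enctypes[int(m.group(1))] += 1
            p = PRINCIPAL.search(r["msg"])
            if p:
                principals[p.group(1)] += 1
    return {"kinds": dict(kinds), "principals": dict(principals),
            "enctypes": dict(enctypes)}


if __name__ == "__main__":
    summary = summarise_failures(parse_samba_log(SAMPLE_LOG))
    for key, counts in summary.items():
        print(key, counts)
```

Run it over a real log.winbindd or log.smbd instead of SAMPLE_LOG and the `principals` counter tells you which account the failures belong to; enctype 23 in the IANA Kerberos registry is RC4-HMAC, so a decrypt failure for it means the server's keytab or secrets entry for that enctype no longer matches what the client obtained from the DC.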