Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
How to integrate Samba into Active Directory (UPDATED).
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5, 6  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
christsong84
Veteran
Veteran


Joined: 06 Apr 2003
Posts: 1002
Location: GMT-8 (Spokane)

PostPosted: Fri Aug 26, 2005 6:59 pm    Post subject: Reply with quote

magnesium wrote:
When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?


Did this ever get fixed? I get it too, followed the guide and everything appears to have happened successfully, except I can't get to the share >.<

I can't browse to it (I see it but I get a "you're not authorized to access..." etc message)...but connecting directly (via map network drive in windows xp) I get a continuous password prompt. Linux nor AD users work.
_________________
while(true) {self.input(sugar);} :twisted:
Back to top
View user's profile Send private message
thrashed
Apprentice
Apprentice


Joined: 01 Sep 2004
Posts: 292

PostPosted: Wed Sep 07, 2005 1:55 pm    Post subject: Reply with quote

christsong84 wrote:
magnesium wrote:
When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?


Did this ever get fixed? I get it too, followed the guide and everything appears to have happened successfully, except I can't get to the share >.<

BUT - I can't browse to it (I see it but I get a "you're not authorized to access..." etc message)...but connecting directly (via map network drive in windows xp) I get a continuous password prompt. Linux nor AD users work.


I have got exactly the same problem!

i can access the share when i take the ip adress of the share
\\sambaserver\share doesn't work
\\192.168.10.5\\share works fine

any idea???


i found this with the help of google, but i dont know if this is the answer to our problem(there is no newer kerberos verision in portage :/
http://archive.netbsd.se/?ml=samba&a=2004-07&t=302942
Quote:
I have been having the very same problem and managed to solve this. I'm
posting an answer to this question so that others can find this if
needed. (I'm not subscribed to the list, so please CC follow-ups if
needed).

The problem is, as you said, with the Kerberos version, I first used
MIT's implementation of Kerberos. Samba clients could correctly access
my Samba server (and I could see the KRB requests going to and from the
Win2k AD server) but as soon as I tried and did the same with a
Windows-based client, nothing worked, the Windows box kept asking for a
valid user/pass whereas the given ones were correct, and I got the same
"failed tickets" entries in my smbd logs.


best wishes from austria
thrashed :)
Back to top
View user's profile Send private message
Martz
n00b
n00b


Joined: 04 Mar 2004
Posts: 72

PostPosted: Wed Oct 19, 2005 12:39 pm    Post subject: Reply with quote

Make sure you have the following use flags - if you dont have winbind (from an old setup of this) then winbindd will fail to work (and may not even exist on your system anymore)

Code:
samba kerberos winbind


The winbind flag is new.
Back to top
View user's profile Send private message
Martz
n00b
n00b


Joined: 04 Mar 2004
Posts: 72

PostPosted: Thu Oct 20, 2005 9:58 am    Post subject: Reply with quote

*phew* - I am now up and running again on:

- Windows 2000 AD
- Kernel 2.6.12-gentoo-r9
- Samba 3.0.14a-r2
- USE flags I mentioned above:
Code:
ldap kerberos winbind samba


The errors I was getting in my log.winbindd:
Code:

[2005/10/20 09:39:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@DOMAIN.CO.UK (Ticket expired)
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Ticket expired
[2005/10/20 09:39:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:00, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:39:16, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:16, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:40:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password



Make sure you got the USE flags, emerge Samba again
Code:
emerge samba

and then check that you /etc/conf.d/samba has:
Code:
daemon_list="smbd nmbd winbind"


Stop the daemon:
Code:
/etc/init.d/samba stop


Make sure that winbindd has been properly stopped:
Code:
 ps aux | grep winbind

And kill any processes before starting Samba again

Code:
/etc/init.d/samba start


I think did:

Code:
kinit

And entered the password
Then klist which returned:
Code:

jupiter ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.CO.UK

Valid starting     Expires            Service principal
10/20/05 09:42:34  10/20/05 19:42:35  krbtgt/DOMAIN.CO.UK@DOMAIN.CO.UK
        renew until 10/21/05 09:42:34



Et voila! It now works for me!

YMMV - just keep on restarting services and get the tickets, and you should be back in business.
Back to top
View user's profile Send private message
giant
Tux's lil' helper
Tux's lil' helper


Joined: 01 Aug 2002
Posts: 107

PostPosted: Sat Nov 19, 2005 4:25 pm    Post subject: Reply with quote

Thanks for this great howto :-)

I was able to add my samba fileserver to our ads in minutes :-)
Back to top
View user's profile Send private message
TheJester
n00b
n00b


Joined: 08 Dec 2002
Posts: 9

PostPosted: Thu Feb 09, 2006 9:12 am    Post subject: Samba as domain member terribly slow ! Reply with quote

Hi all,

We have a linux data server here, which used to be a workgroup member. Everything was fine then. Now we hav a new sbs server here, so the data server had to be made into a domain member. To do that i followed this manual.

The thing is now, that the samba shares on the data server are slow as h**l
What can be the problem ? Any ideas are welcome.... !

Code:

[global]
        netbios name = DATASVR
        server string = DATASVR
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = GOVALOKAAL
        os level = 20
        winbind enum groups = yes
        socket address = 10.0.0.200
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = GOVA.LOKAAL
        security = ADS
        wins server = 10.0.0.201
        wins proxy = no
        workgroup = govalokaal
       
[ariston]
        comment = All Ariston software, cc files
        path = /raid/ariston
        writable = yes




and the krb5 config :


Code:


datasvr etc # cat krb5.conf
[libdefaults]
        default_realm = GOVA.LOKAAL

[realms]
   GOVA.LOKAAL = {
        kdc = adserver.gova.lokaal
   }

datasvr etc #


the hosts file :

Code:

datasvr etc # cat hosts
127.0.0.1       localhost
10.0.0.201      adserver.gova.lokaal adserver


thanks a lot !
Back to top
View user's profile Send private message
DingbatCA
Guru
Guru


Joined: 07 Jul 2004
Posts: 354
Location: Portland Or

PostPosted: Thu Mar 30, 2006 6:32 am    Post subject: Reply with quote

Just got my 6 gentoo clients up and bound to AD. Ran into a major bug. My UID is different on every box.

Code:

atalbot@cslinux6:~$ id
uid=24488(atalbot) gid=10000(domain users) groups=10000(domain users)

atalbot@cslinux4:~$ id
uid=10000(atalbot) gid=10000(domain users) groups=10000(domain users)


Any ideas?
Back to top
View user's profile Send private message
Arne
n00b
n00b


Joined: 23 Sep 2003
Posts: 17
Location: Berlin/Germany

PostPosted: Sat Jun 17, 2006 9:56 am    Post subject: Reply with quote

Hi,
first thx for the nice howto :!:

I have a question about the keytab encryption type. Is it possible to use arcfour-hmac-md5? I try it, but it didn't work. Maybe I make a mistake. The single DES keys works and with kinit I can get rc4 tickets, so my linux box must have rc4 support. I don't why its not working. :(

RC4 is working:
Code:

# kinit Administrator
Administrator@MY.EXAMPLE.COM's Password:
# klist -e
Valid starting     Expires            Service principal
06/17/06 10:00:01  06/17/06 19:59:55  krbtgt/MY.EXAMPLE.COM@MY.EXAMPLE.COM
        renew until 06/17/06 20:00:01, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5


keytap export:
Code:

C:\Dokumente und Einstellungen\Administrator\Desktop>"c:\Programme\Support Tools \ktpass.exe" -mapuser linux_http -princ  HTTP/my.example.com@MY.EXAMPLE.COM +DesOnly -pass <PASSWORD>  -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out  "linux_keytab_http"
Targeting domain controller: server.my.example.com
Successfully mapped HTTP/linux.my.example.com to linux_http.
Key created.
Output keytab to linux_keytab_http:
Keytab version: 0x502
keysize 96 HTTP/my.example.com@MY.EXAMPLE.COM ptype 1
 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x058f7c3320c8e994b11dd010f8d6c7ff)
Account linux_http has been set for DES-only encryption.


check the exported keytab
Code:

# ktutil
ktutil:  rkt linux_keytab_http
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/my.example.com@MY.EXAMPLE.COM (ArcFour with HMAC/md5)
ktutil:


using the keytab failed:
Code:

kinit  -k -t linux_keytab_http HTTP/my.example.com@MY.EXAMPLE.COM
kinit(v5): Key table entry not found while getting initial credentials


PS: It's a Windows Server 2003 R2.

Any idea what caused this?
arne
Back to top
View user's profile Send private message
andysamuel
n00b
n00b


Joined: 22 Jul 2003
Posts: 41

PostPosted: Tue Jun 20, 2006 3:42 am    Post subject: Reply with quote

Hi All !

Is there any chance the conflict between shadow and pam-login effecting the authentication to ADS and Samba server ?

I have an old machine with already working ADS Samba integration, but when I emerge world, it says shadow is conflict with pam-login, so I unmerge pam-login, then after that, emerge shadow, then...I can not login to my server. Since this is just a testing server, I don't mind to reinstall everything again from the beginning, so I reformat and reinstall Gentoo.

With this newer system, somehow, I can not authenticate my Windows machine to access Samba's sharing, although I tried to follow the example in this forum.

'wbinfo -u' works just fine, so as 'wbinfo -g', my ADS username, computers, groups are displayed correctly.

'getent passwd' seems only display my /etc/passwd file.

But when I tried to access from a Windows machine, it keeps on asking for password.
My log.winbindd seems ok, no error. Log.smbd also seems fine, only complaining about cups witch I dont use. Log.nmbd seems fine.

Anybody can confirm if there is nothing to do with shadow vs pam-login conflict ( because of /etc/pam.d/samba ) ? My suspicion is my previous system using pam-login while newer system using shadow.

Thank you so much.
Andy
Back to top
View user's profile Send private message
andysamuel
n00b
n00b


Joined: 22 Jul 2003
Posts: 41

PostPosted: Tue Jun 20, 2006 11:27 am    Post subject: Reply with quote

andysamuel wrote:
Hi All !

Is there any chance the conflict between shadow and pam-login effecting the authentication to ADS and Samba server ?

I have an old machine with already working ADS Samba integration, but when I emerge world, it says shadow is conflict with pam-login, so I unmerge pam-login, then after that, emerge shadow, then...I can not login to my server. Since this is just a testing server, I don't mind to reinstall everything again from the beginning, so I reformat and reinstall Gentoo.

With this newer system, somehow, I can not authenticate my Windows machine to access Samba's sharing, although I tried to follow the example in this forum.

'wbinfo -u' works just fine, so as 'wbinfo -g', my ADS username, computers, groups are displayed correctly.

'getent passwd' seems only display my /etc/passwd file.

But when I tried to access from a Windows machine, it keeps on asking for password.
My log.winbindd seems ok, no error. Log.smbd also seems fine, only complaining about cups witch I dont use. Log.nmbd seems fine.

Anybody can confirm if there is nothing to do with shadow vs pam-login conflict ( because of /etc/pam.d/samba ) ? My suspicion is my previous system using pam-login while newer system using shadow.

Thank you so much.
Andy


Hmmm...it turns out that I don't have /lib/security/pam_winbind.so.
Add the 'winbind' to USE inside /etc/make.conf, recomplie Samba, and voila ! Authentication to ADS works !

Case closed.
Back to top
View user's profile Send private message
maalth
n00b
n00b


Joined: 06 Jun 2003
Posts: 56
Location: Can't tell you...

PostPosted: Fri Oct 15, 2010 10:28 pm    Post subject: This doc will be updated (soon I hope) Reply with quote

I apologize that I haven't been around in the last few years. I wound up moving and getting a new job which unfortunately I had to go offline for quite a while. I intend to update this doc (sometime soon) to integrate with Windows 2003 and the latest version of Samba.
_________________
Screw you guys, I'm going home...
Back to top
View user's profile Send private message
ali3nx
Guru
Guru


Joined: 21 Sep 2003
Posts: 476
Location: Winnipeg, Canada

PostPosted: Sat Oct 16, 2010 8:20 pm    Post subject: Reply with quote

Good howto but the only problem is using winbind which limits your options and can cause problems with ldap consistancy in some situations.

http://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
Back to top
View user's profile Send private message
maalth
n00b
n00b


Joined: 06 Jun 2003
Posts: 56
Location: Can't tell you...

PostPosted: Sun Oct 17, 2010 2:20 am    Post subject: Reply with quote

Samba's been updated many times in the last 7 years so I'd have to update the howto anyway.
_________________
Screw you guys, I'm going home...
Back to top
View user's profile Send private message
Majed17
Tux's lil' helper
Tux's lil' helper


Joined: 31 Aug 2011
Posts: 108
Location: Minsk, Belarus

PostPosted: Thu Jan 26, 2012 12:36 pm    Post subject: Reply with quote

ritjobbie wrote:
WORD UP! I got it working. I had to add winbind to the /etc/pam.d/samba config file, duh.

*whew*


i didn't find any information about adding windbind to /etc/pam.d/samba however i did find this:
http://forums.gentoo.org/viewtopic-t-445968-start-0.html
which is adding windbind to /etc/pam.d/system-auth
but that was not what solved my problem of windows constantly asking for logins and usernames and paswords. what solved was:
Disable NSCD

The service NSCD (Name Service Caching Daemon) seriously interferes with Winbind authentication and must be completely disabled before enabling Winbind.

To do this, edit /etc/nscd.conf. Edit these three lines:

enable-cache passwd yes
enable-cache group yes
enable-cache hosts yes

They should read:

enable-cache passwd no
enable-cache group no
enable-cache hosts no

This disables all NSCD caching.

taken from : http://www.stuartellis.eu/articles/linux-with-active-directory/
Back to top
View user's profile Send private message
VinzC
Advocate
Advocate


Joined: 17 Apr 2004
Posts: 4672
Location: Theux (Belgium)

PostPosted: Tue Jan 15, 2013 8:47 am    Post subject: Reply with quote

Hi guys.

Is it possible that two samba servers that have joined the same AD domain (e.g. "MYCOMPANY") do not map domain users and groups to the same [numeric] ID's? For instance, I have a Debian server that maps a group to GID 10243 and the same group is mapped to GID 10007201 on a QNAP network attached storage that was joined to the domain. It goes even further for domain groups are listed (using getent) without the domain part (e.g. "IT") on the Debian server while the QNAP shows domain groups with the domain name as a prefix (i.e. "MYCOMPANY+IT"). That clearly causes troubles for backup in my case for I need to backup/copy files onto a remote machine with the same security attributes so that the users owning their data can retrieve copies from the backup machine.

Can anyone confirm this? How's the best and trouble-less way to get to that point?

Thanks a lot in advance for any hint/suggestion.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
GNU/Linux user #369763
“Wow! I feel root”
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3, 4, 5, 6
Page 6 of 6

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum