christsong84 Veteran
Joined: 06 Apr 2003 Posts: 1003 Location: GMT-8 (Spokane)
Posted: Fri Aug 26, 2005 6:59 pm
magnesium wrote:
> When I try to map a drive to the server using a Windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my Linux box is not handling the authentication properly?
Did this ever get fixed? I get it too; I followed the guide and everything appears to have happened successfully, except I can't get to the share >.<
I can't browse to it (I see it but I get a "you're not authorized to access..." message), but connecting directly (via Map Network Drive in Windows XP) I get a continuous password prompt. Neither Linux nor AD users work.
_________________
while(true) {self.input(sugar);}
thrashed Apprentice
Joined: 01 Sep 2004 Posts: 294
Posted: Wed Sep 07, 2005 1:55 pm
christsong84 wrote:
> magnesium wrote:
> > When I try to map a drive to the server using a Windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my Linux box is not handling the authentication properly?
>
> Did this ever get fixed? I get it too; I followed the guide and everything appears to have happened successfully, except I can't get to the share >.<
> BUT - I can't browse to it (I see it but I get a "you're not authorized to access..." message), but connecting directly (via Map Network Drive in Windows XP) I get a continuous password prompt. Neither Linux nor AD users work.
I have got exactly the same problem!
I can access the share when I use the IP address of the share:
\\sambaserver\share doesn't work
\\192.168.10.5\share works fine
Any idea???
I found this with the help of Google, but I don't know if this is the answer to our problem (there is no newer Kerberos version in Portage :/ )
http://archive.netbsd.se/?ml=samba&a=2004-07&t=302942
Quote:
> I have been having the very same problem and managed to solve this. I'm posting an answer to this question so that others can find this if needed. (I'm not subscribed to the list, so please CC follow-ups if needed).
> The problem is, as you said, with the Kerberos version. I first used MIT's implementation of Kerberos. Samba clients could correctly access my Samba server (and I could see the KRB requests going to and from the Win2k AD server) but as soon as I tried and did the same with a Windows-based client, nothing worked, the Windows box kept asking for a valid user/pass whereas the given ones were correct, and I got the same "failed tickets" entries in my smbd logs.
Best wishes from Austria,
thrashed
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Wed Oct 19, 2005 12:39 pm
Make sure you have the following USE flags - if you don't have winbind (from an old setup of this) then winbindd will fail to work (and may not even exist on your system anymore):
Code:
    samba kerberos winbind
The winbind flag is new.
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Thu Oct 20, 2005 9:58 am
*phew* - I am now up and running again on:
- Windows 2000 AD
- Kernel 2.6.12-gentoo-r9
- Samba 3.0.14a-r2
- USE flags I mentioned above: ldap kerberos winbind samba
The errors I was getting in my log.winbindd:
Code:
    [2005/10/20 09:39:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
    ads_krb5_mk_req: krb5_get_credentials failed for dc$@DOMAIN.CO.UK (Ticket expired)
    [2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
    spnego_gen_negTokenTarg failed: Ticket expired
    [2005/10/20 09:39:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    ads_connect for domain DOMAIN failed: Cannot read password
    [2005/10/20 09:39:00, 1] nsswitch/winbindd_util.c:init_domain_list(322)
    Could not fetch sid for our domain DOMAIN
    [2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
    spnego_gen_negTokenTarg failed: No credentials cache found
    [2005/10/20 09:39:16, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    ads_connect for domain DOMAIN failed: Cannot read password
    [2005/10/20 09:39:16, 1] nsswitch/winbindd_util.c:init_domain_list(322)
    Could not fetch sid for our domain DOMAIN
    [2005/10/20 09:39:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
    spnego_gen_negTokenTarg failed: No credentials cache found
    [2005/10/20 09:40:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
    ads_connect for domain DOMAIN failed: Cannot read password
Make sure you've got the USE flags, emerge Samba again
and then check that your /etc/conf.d/samba has:
Code:
    daemon_list="smbd nmbd winbind"
Stop the daemon:
Code:
    /etc/init.d/samba stop
Make sure that winbindd has been properly stopped:
Code:
    ps aux | grep winbind
and kill any processes before starting Samba again:
Code:
    /etc/init.d/samba start
I think I did:
And entered the password.
Then klist, which returned:
Code:
    jupiter ~ # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@DOMAIN.CO.UK
    Valid starting Expires Service principal
    10/20/05 09:42:34 10/20/05 19:42:35 krbtgt/DOMAIN.CO.UK@DOMAIN.CO.UK
    renew until 10/21/05 09:42:34
Et voila! It now works for me!
YMMV - just keep on restarting services and get the tickets, and you should be back in business.
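The log.winbindd excerpt above falls into a handful of failure classes. As an added example (editor's code, not from the post or from Samba), this Python script parses the two-line header/message format winbindd wrote in that era, tags each event, and answers the question the thread keeps circling: whether the server's own Kerberos credentials are what is blocking the Windows logons. The sample lines are the ones quoted in the post; the category names are the example's own.

```python
import re
from collections import Counter

# Sample copied from the post above (DOMAIN stands in for the realm there too):
# a header line "[date time, level] file:function(line)" followed by its message.
SAMPLE_LOG = """\
[2005/10/20 09:39:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
ads_krb5_mk_req: krb5_get_credentials failed for dc$@DOMAIN.CO.UK (Ticket expired)
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
spnego_gen_negTokenTarg failed: Ticket expired
[2005/10/20 09:39:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:00, 1] nsswitch/winbindd_util.c:init_domain_list(322)
Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
spnego_gen_negTokenTarg failed: No credentials cache found
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] (?P<src>\S+)$"
)

# Message patterns and the failure class they indicate (example's own names); first match wins.
CATEGORIES = (
    ("kerberos_ticket_expired", re.compile(r"Ticket expired")),
    ("kerberos_no_ccache", re.compile(r"No credentials cache found")),
    ("domain_password_unreadable", re.compile(r"Cannot read password")),
    ("domain_sid_unavailable", re.compile(r"Could not fetch sid")),
)


def classify(message):
    """Map one winbindd message to a failure class ('other' when unknown)."""
    for name, pattern in CATEGORIES:
        if pattern.search(message):
            return name
    return "other"


def parse_winbindd_log(text):
    """Pair each header line with the message line(s) that follow it.

    Returns a list of dicts with timestamp, level, source, message, category.
    Continuation lines belonging to one header are joined with a single space.
    """
    events = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"timestamp": m["ts"], "level": int(m["level"]),
                       "source": m["src"], "message": ""}
            events.append(current)
        elif current is not None:
            current["message"] = (current["message"] + " " + line).strip()
    for ev in events:
        ev["category"] = classify(ev["message"])
    return events


def summarize(events):
    """Count events per failure class."""
    return dict(Counter(ev["category"] for ev in events))


def credentials_are_the_blocker(events):
    """True when winbindd's own Kerberos credentials (expired ticket, missing
    credentials cache) show up, i.e. the fix is on the member server (fresh
    ticket / restart, as the post did), not in share permissions."""
    return any(ev["category"].startswith("kerberos_") for ev in events)


if __name__ == "__main__":
    evs = parse_winbindd_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['timestamp']}  {ev['category']:<28} {ev['source']}")
    print(summarize(evs), "credentials blocker:", credentials_are_the_blocker(evs))
```

Run it against a real log.winbindd by reading the file into `parse_winbindd_log`; anything that lands in `other` is a pattern worth adding once you have seen it.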
giant Tux's lil' helper
Joined: 01 Aug 2002 Posts: 107
Posted: Sat Nov 19, 2005 4:25 pm
Thanks for this great howto.
I was able to add my Samba fileserver to our ADS in minutes.
TheJester n00b
Joined: 08 Dec 2002 Posts: 9
Posted: Thu Feb 09, 2006 9:12 am Post subject: Samba as domain member terribly slow!
Hi all,
We have a Linux data server here, which used to be a workgroup member. Everything was fine then. Now we have a new SBS server here, so the data server had to be made into a domain member. To do that I followed this manual.
The thing is now that the Samba shares on the data server are slow as h**l.
What can the problem be? Any ideas are welcome....!
Code:
    [global]
    netbios name = DATASVR
    server string = DATASVR
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind gid = 10000-20000
    workgroup = GOVALOKAAL
    os level = 20
    winbind enum groups = yes
    socket address = 10.0.0.200
    password server = *
    preferred master = no
    winbind separator = +
    max log size = 50
    log file = /var/log/samba3/log.%m
    encrypt passwords = yes
    dns proxy = no
    realm = GOVA.LOKAAL
    security = ADS
    wins server = 10.0.0.201
    wins proxy = no
    workgroup = govalokaal
    [ariston]
    comment = All Ariston software, cc files
    path = /raid/ariston
    writable = yes
and the krb5 config:
Code:
    datasvr etc # cat krb5.conf
    [libdefaults]
    default_realm = GOVA.LOKAAL
    [realms]
    GOVA.LOKAAL = {
        kdc = adserver.gova.lokaal
    }
    datasvr etc #
the hosts file:
Code:
    datasvr etc # cat hosts
    127.0.0.1 localhost
    10.0.0.201 adserver.gova.lokaal adserver
Thanks a lot!
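TheJester's [global] section sets `workgroup` twice with different spellings. A small smb.conf linter is a useful check before chasing a performance problem, so this added Python example (editor's code, not Samba's) parses the file the way Samba reads parameter names, reports keys assigned more than once, and sanity-checks `security = ADS` and the idmap ranges. The excerpt it runs on is a constructed cut-down of the posted configuration; the rule that a later assignment overrides an earlier one is assumed.

```python
import re

# Constructed cut-down of the [global] section posted above; the two
# "workgroup" lines are the point of interest.
SAMPLE_SMB_CONF = """\
[global]
netbios name = DATASVR
workgroup = GOVALOKAAL
idmap uid = 10000-20000
idmap gid = 10000-20000
realm = GOVA.LOKAAL
security = ADS
workgroup = govalokaal

[ariston]
comment = All Ariston software, cc files
path = /raid/ariston
writable = yes
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def normalize_key(key):
    """smb.conf parameter names are case-insensitive and ignore internal
    whitespace ("idmap uid" == "IdmapUID"); normalise so duplicates compare."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} preserving every assignment in
    order, so repeated keys stay visible to the checks below."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # comment lines start with # or ;
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                          # stray text outside any section
        key, value = line.split("=", 1)
        sections[current].append((normalize_key(key), value.strip()))
    return sections


def effective(items):
    """Collapse a section to one value per key; a later assignment overrides
    an earlier one (assumed here to match Samba's behaviour)."""
    return dict(items)


def find_duplicate_keys(sections):
    """Keys assigned more than once with differing values, as
    (section, key, earlier_value, later_value) tuples."""
    findings = []
    for name, items in sections.items():
        seen = {}
        for key, value in items:
            if key in seen and seen[key] != value:
                findings.append((name, key, seen[key], value))
            seen[key] = value
    return findings


def check_global(sections):
    """Sanity checks on [global] for an ADS member server."""
    g = effective(sections.get("global", []))
    problems = []
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        problems.append("security = ADS but no realm set")
    for key in ("idmapuid", "idmapgid"):
        if key in g:
            m = RANGE_RE.match(g[key])
            if not m or int(m.group(1)) >= int(m.group(2)):
                problems.append(f"{key}: range must be low-high with low < high, got {g[key]!r}")
    return problems


def lint(text):
    """Run every check and return human-readable findings."""
    sections = parse_smb_conf(text)
    out = [f"[{s}] '{k}' set twice: {a!r} then {b!r} (last one wins)"
           for s, k, a, b in find_duplicate_keys(sections)]
    out.extend(check_global(sections))
    return out


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF):
        print(finding)
```

Point `lint` at `/etc/samba/smb.conf` to run it for real; `testparm` remains the authoritative check for whether Samba itself accepts the file.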
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
Posted: Thu Mar 30, 2006 6:32 am
Just got my 6 Gentoo clients up and bound to AD. Ran into a major bug: my UID is different on every box.
Code:
    atalbot@cslinux6:~$ id
    uid=24488(atalbot) gid=10000(domain users) groups=10000(domain users)
    atalbot@cslinux4:~$ id
    uid=10000(atalbot) gid=10000(domain users) groups=10000(domain users)
Any ideas?
Arne n00b
Joined: 23 Sep 2003 Posts: 17 Location: Berlin/Germany
Posted: Sat Jun 17, 2006 9:56 am
Hi,
first, thanks for the nice howto.
I have a question about the keytab encryption type. Is it possible to use arcfour-hmac-md5? I tried it, but it didn't work. Maybe I made a mistake. The single DES key works, and with kinit I can get RC4 tickets, so my Linux box must have RC4 support. I don't know why it's not working.
RC4 is working:
Code:
    # kinit Administrator
    Administrator@MY.EXAMPLE.COM's Password:
    # klist -e
    Valid starting Expires Service principal
    06/17/06 10:00:01 06/17/06 19:59:55 krbtgt/MY.EXAMPLE.COM@MY.EXAMPLE.COM
    renew until 06/17/06 20:00:01, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
keytab export:
Code:
    C:\Dokumente und Einstellungen\Administrator\Desktop>"c:\Programme\Support Tools \ktpass.exe" -mapuser linux_http -princ HTTP/my.example.com@MY.EXAMPLE.COM +DesOnly -pass <PASSWORD> -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out "linux_keytab_http"
    Targeting domain controller: server.my.example.com
    Successfully mapped HTTP/linux.my.example.com to linux_http.
    Key created.
    Output keytab to linux_keytab_http:
    Keytab version: 0x502
    keysize 96 HTTP/my.example.com@MY.EXAMPLE.COM ptype 1
    (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x058f7c3320c8e994b11dd010f8d6c7ff)
    Account linux_http has been set for DES-only encryption.
check the exported keytab:
Code:
    # ktutil
    ktutil: rkt linux_keytab_http
    ktutil: l -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
    1 3 HTTP/my.example.com@MY.EXAMPLE.COM (ArcFour with HMAC/md5)
    ktutil:
using the keytab failed:
Code:
    kinit -k -t linux_keytab_http HTTP/my.example.com@MY.EXAMPLE.COM
    kinit(v5): Key table entry not found while getting initial credentials
PS: It's a Windows Server 2003 R2.
Any idea what caused this?
arne
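The ktpass output above reports both "set for DES-only encryption" (from +DesOnly) and an RC4 key (from -crypto RC4-HMAC-NT). To make such a mismatch visible without a Windows box, this added Python example (editor's code, not part of the post nor of MIT or Heimdal) builds a version 0x502 keytab in memory, parses it back into the fields `ktutil l -e` lists, and flags principals whose keytab carries no DES key while the account is marked DES-only. That flag is the editor's reading of why `kinit -k` answered "Key table entry not found"; the thread itself does not confirm it. The key bytes are dummies; the principal, kvno and etype are the ones printed above.

```python
import struct

# Enctype numbers behind the names klist -e / ktutil l -e print.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
DES_ENCTYPES = {1, 2, 3}


def _counted(data, pos):
    """Read a counted octet string (uint16 length + bytes) at pos."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise (components, realm, name_type, timestamp, kvno, enctype, key)
    tuples into a version 0x502 (big-endian) keytab. Only used here to construct
    the sample; ktpass/ktutil write the real files."""
    out = bytearray(b"\x05\x02")
    for comps, realm, name_type, ts, kvno, etype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))
        for s in (realm, *comps):
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)   # 8-bit vno field
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                           # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a 0x502 keytab into dicts (principal, name_type, timestamp, kvno,
    enctype, enctype_name, key_len). A negative slot size marks a deleted entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        p = pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        etype, klen = struct.unpack_from(">HH", data, p)
        p += 4 + klen                        # skip the key material itself
        kvno = vno8
        if end - p >= 4:                     # 32-bit kvno extension present
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": ts, "kvno": kvno,
                        "enctype": etype, "key_len": klen,
                        "enctype_name": ENCTYPE_NAMES.get(etype, f"etype {etype}")})
        pos = end
    return entries


def listing(entries):
    """Lines in the spirit of `ktutil: l -e` (slot, KVNO, principal, enctype)."""
    return [f"{i:>4} {e['kvno']:>4} {e['principal']} ({e['enctype_name']})"
            for i, e in enumerate(entries, 1)]


def des_only_conflicts(entries, account_des_only):
    """Principals whose keytab holds no DES key although the account is flagged
    DES-only (what ktpass +DesOnly does), so a KDC that then uses DES for the
    account picks a key the keytab cannot supply. Editor's reading of the post."""
    if not account_des_only:
        return []
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e["principal"], set()).add(e["enctype"])
    return sorted(p for p, types in by_principal.items() if not types & DES_ENCTYPES)


# Constructed sample: principal, kvno and etype from the post, dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    (["HTTP", "my.example.com"], "MY.EXAMPLE.COM", 1, 1150531200, 3, 0x17, b"\x11" * 16),
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(listing(ents)))
    print("DES-only conflicts:", des_only_conflicts(ents, account_des_only=True))
```

To inspect a real export, read the file in binary mode and hand the bytes to `parse_keytab`; only entry metadata is returned, the key material is skipped.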
andysamuel n00b
Joined: 22 Jul 2003 Posts: 41
Posted: Tue Jun 20, 2006 3:42 am
Hi All!
Is there any chance the conflict between shadow and pam-login is affecting the authentication to ADS and the Samba server?
I have an old machine with already working ADS Samba integration, but when I emerge world, it says shadow conflicts with pam-login, so I unmerged pam-login, then after that emerged shadow, then... I cannot log in to my server. Since this is just a testing server, I don't mind reinstalling everything again from the beginning, so I reformatted and reinstalled Gentoo.
With this newer system, somehow, I cannot authenticate my Windows machine to access Samba's shares, although I tried to follow the example in this forum.
'wbinfo -u' works just fine, as does 'wbinfo -g'; my ADS usernames, computers and groups are displayed correctly.
'getent passwd' seems to only display my /etc/passwd file.
But when I try to access from a Windows machine, it keeps on asking for a password.
My log.winbindd seems OK, no errors. log.smbd also seems fine, only complaining about CUPS which I don't use. log.nmbd seems fine.
Can anybody confirm whether this has anything to do with the shadow vs pam-login conflict (because of /etc/pam.d/samba)? My suspicion is my previous system was using pam-login while the newer system uses shadow.
Thank you so much.
Andy
andysamuel n00b
Joined: 22 Jul 2003 Posts: 41
Posted: Tue Jun 20, 2006 11:27 am
andysamuel wrote:
> Hi All!
> Is there any chance the conflict between shadow and pam-login is affecting the authentication to ADS and the Samba server?
> I have an old machine with already working ADS Samba integration, but when I emerge world, it says shadow conflicts with pam-login, so I unmerged pam-login, then after that emerged shadow, then... I cannot log in to my server. Since this is just a testing server, I don't mind reinstalling everything again from the beginning, so I reformatted and reinstalled Gentoo.
> With this newer system, somehow, I cannot authenticate my Windows machine to access Samba's shares, although I tried to follow the example in this forum.
> 'wbinfo -u' works just fine, as does 'wbinfo -g'; my ADS usernames, computers and groups are displayed correctly.
> 'getent passwd' seems to only display my /etc/passwd file.
> But when I try to access from a Windows machine, it keeps on asking for a password.
> My log.winbindd seems OK, no errors. log.smbd also seems fine, only complaining about CUPS which I don't use. log.nmbd seems fine.
> Can anybody confirm whether this has anything to do with the shadow vs pam-login conflict (because of /etc/pam.d/samba)? My suspicion is my previous system was using pam-login while the newer system uses shadow.
> Thank you so much.
> Andy
Hmmm... it turns out that I don't have /lib/security/pam_winbind.so.
Add 'winbind' to USE inside /etc/make.conf, recompile Samba, and voila! Authentication to ADS works!
Case closed.
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Fri Oct 15, 2010 10:28 pm Post subject: This doc will be updated (soon I hope)
I apologize that I haven't been around in the last few years. I wound up moving and getting a new job, which unfortunately meant I had to go offline for quite a while. I intend to update this doc (sometime soon) to integrate with Windows 2003 and the latest version of Samba.
_________________
Screw you guys, I'm going home...
ali3nx l33t
Joined: 21 Sep 2003 Posts: 722 Location: Winnipeg, Canada
Posted: Sat Oct 16, 2010 8:20 pm
Good howto, but the only problem is using winbind, which limits your options and can cause problems with LDAP consistency in some situations.
http://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
maalth Tux's lil' helper
Joined: 06 Jun 2003 Posts: 76 Location: Can't tell you...
Posted: Sun Oct 17, 2010 2:20 am
Samba's been updated many times in the last 7 years, so I'd have to update the howto anyway.
_________________
Screw you guys, I'm going home...
Majed17 Guru
Joined: 31 Aug 2011 Posts: 328 Location: Minsk, Belarus
Posted: Thu Jan 26, 2012 12:36 pm
ritjobbie wrote:
> WORD UP! I got it working. I had to add winbind to the /etc/pam.d/samba config file, duh.
> *whew*
I didn't find any information about adding winbind to /etc/pam.d/samba; however, I did find this:
https://forums.gentoo.org/viewtopic-t-445968-start-0.html
which is adding winbind to /etc/pam.d/system-auth,
but that was not what solved my problem of Windows constantly asking for logins and usernames and passwords. What solved it was:
Disable NSCD
The service NSCD (Name Service Caching Daemon) seriously interferes with Winbind authentication and must be completely disabled before enabling Winbind.
To do this, edit /etc/nscd.conf. Edit these three lines:
    enable-cache passwd yes
    enable-cache group yes
    enable-cache hosts yes
They should read:
    enable-cache passwd no
    enable-cache group no
    enable-cache hosts no
This disables all NSCD caching.
taken from: http://www.stuartellis.eu/articles/linux-with-active-directory/
VinzC Watchman
Joined: 17 Apr 2004 Posts: 5098 Location: Dark side of the mood
Posted: Tue Jan 15, 2013 8:47 am
Hi guys.
Is it possible that two Samba servers that have joined the same AD domain (e.g. "MYCOMPANY") do not map domain users and groups to the same [numeric] IDs? For instance, I have a Debian server that maps a group to GID 10243 and the same group is mapped to GID 10007201 on a QNAP network attached storage that was joined to the domain. It goes even further, for domain groups are listed (using getent) without the domain part (e.g. "IT") on the Debian server while the QNAP shows domain groups with the domain name as a prefix (i.e. "MYCOMPANY+IT"). That clearly causes trouble for backup in my case, for I need to back up/copy files onto a remote machine with the same security attributes so that the users owning their data can retrieve copies from the backup machine.
Can anyone confirm this? What's the best and most trouble-free way to get to that point?
Thanks a lot in advance for any hint/suggestion.
_________________
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
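DingbatCA's UID that differs on every box and VinzC's 10243 versus 10007201 are what a per-host, first-come ID allocation produces. This added Python example (editor's code, not Samba's) contrasts that with the deterministic rule from Samba's idmap_rid man page, ID = RID - base_rid + low_range_id, which every joined host evaluates identically from the SID alone. The domain SID and the user RIDs are constructed (513 is the well-known Domain Users RID), and the allocator is a toy model of the default tdb behaviour, not its implementation. The IT versus MYCOMPANY+IT prefix difference VinzC mentions is governed by `winbind use default domain` and `winbind separator` and is not modelled here.

```python
import re

# Constructed domain SID and RIDs; 513 is the well-known "Domain Users" RID.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SIDS = {
    "atalbot": f"{DOMAIN_SID}-1105",
    "domain users": f"{DOMAIN_SID}-513",
    "backup_op": f"{DOMAIN_SID}-1106",
}

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Relative identifier: the last sub-authority of a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


def rid_to_id(sid, low, high, base_rid=0):
    """idmap_rid rule: ID = RID - base_rid + low. None when the result falls
    outside [low, high], in which case Samba refuses the mapping."""
    uid = rid_of(sid) - base_rid + low
    return uid if low <= uid <= high else None


class FirstComeAllocator:
    """Toy model (not Samba code) of tdb-style allocation: the first time a
    host sees a SID it hands out the next free ID from its range, so the
    result depends on the order in which names were first looked up there."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self.next_id = low
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def ids_by_first_come(lookup_order, low=10000, high=20000):
    """IDs one host ends up with after resolving names in lookup_order."""
    alloc = FirstComeAllocator(low, high)
    return {name: alloc.lookup(SIDS[name]) for name in lookup_order}


def ids_by_rid(names, low=10000, high=20000, base_rid=0):
    """IDs every host computes from the SID alone under idmap_rid."""
    return {name: rid_to_id(SIDS[name], low, high, base_rid) for name in names}


def consistent(*mappings):
    """True when every mapping agrees on the ID of each shared name."""
    names = set.intersection(*(set(m) for m in mappings))
    return all(len({m[n] for m in mappings}) == 1 for n in names)


if __name__ == "__main__":
    # Two hosts that first saw the same accounts in a different order.
    host_a = ids_by_first_come(["domain users", "atalbot", "backup_op"])
    host_b = ids_by_first_come(["backup_op", "domain users", "atalbot"])
    print("first-come:", host_a, host_b, "consistent:", consistent(host_a, host_b))
    rid_a, rid_b = ids_by_rid(SIDS), ids_by_rid(SIDS)
    print("idmap_rid: ", rid_a, "consistent:", consistent(rid_a, rid_b))
```

The same range and base_rid on every member server is what makes the rid backend's result portable, which is the property a backup that preserves ownership across machines needs.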