How to integrate Samba into Active Directory (UPDATED).

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
Post by christsong84 » Fri Aug 26, 2005 6:59 pm

magnesium wrote: When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?
Did this ever get fixed? I get it too; I followed the guide and everything appears to have happened successfully, except I can't get to the share >.<

I can't browse to it (I see it, but I get a "you're not authorized to access..." etc. message), but connecting directly (via Map Network Drive in Windows XP) I get a continuous password prompt. Neither Linux nor AD users work.
while(true) {self.input(sugar);} :twisted:
Post by thrashed » Wed Sep 07, 2005 1:55 pm

christsong84 wrote: (quoting magnesium's question and the reply from the post above)
I have got exactly the same problem!

I can access the share when I use the IP address of the share:
\\sambaserver\share doesn't work
\\192.168.10.5\share works fine

Any idea???

I found this with the help of Google, but I don't know if this is the answer to our problem (there is no newer Kerberos version in Portage :/):
http://archive.netbsd.se/?ml=samba&a=2004-07&t=302942
I have been having the very same problem and managed to solve this. I'm posting an answer to this question so that others can find this if needed. (I'm not subscribed to the list, so please CC follow-ups if needed).

The problem is, as you said, with the Kerberos version. I first used MIT's implementation of Kerberos. Samba clients could correctly access my Samba server (and I could see the KRB requests going to and from the Win2k AD server), but as soon as I tried and did the same with a Windows-based client, nothing worked: the Windows box kept asking for a valid user/pass whereas the given ones were correct, and I got the same "failed tickets" entries in my smbd logs.
best wishes from austria
thrashed :)
Post by Martz » Wed Oct 19, 2005 12:39 pm

Make sure you have the following USE flags. If you don't have winbind (from an old setup of this), then winbindd will fail to work (and may not even exist on your system anymore).

Code:

samba kerberos winbind
The winbind flag is new.
Post by Martz » Thu Oct 20, 2005 9:58 am

*phew* - I am now up and running again on:

- Windows 2000 AD
- Kernel 2.6.12-gentoo-r9
- Samba 3.0.14a-r2
- USE flags I mentioned above:

Code:

ldap kerberos winbind samba
The errors I was getting in my log.winbindd:

Code:

[2005/10/20 09:39:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@DOMAIN.CO.UK (Ticket expired)
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Ticket expired
[2005/10/20 09:39:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:00, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:39:16, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:16, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:40:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password

Make sure you have the USE flags, then emerge Samba again:

Code:

emerge samba
and then check that your /etc/conf.d/samba has:

Code:

daemon_list="smbd nmbd winbind"
Stop the daemon:

Code:

/etc/init.d/samba stop
Make sure that winbindd has been properly stopped:

Code:

ps aux | grep winbind
And kill any processes before starting Samba again:

Code:

/etc/init.d/samba start
I think I did:

Code:

kinit
And entered the password. Then klist, which returned:

Code:

jupiter ~ # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.CO.UK

Valid starting     Expires            Service principal
10/20/05 09:42:34  10/20/05 19:42:35  krbtgt/DOMAIN.CO.UK@DOMAIN.CO.UK
        renew until 10/21/05 09:42:34

Et voila! It now works for me!

YMMV - just keep on restarting services and get the tickets, and you should be back in business.
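The log.winbindd errors and the fix steps above, turned into a small triage script. This is an added example, not code from the thread or from Samba: it parses Samba-style log headers with their indented message lines, tags each record by the failure phrase it matches, and attaches the step from this post that cleared it. The sample log is constructed to match the shape of the lines quoted above; the realm and domain names in it are placeholders.

```python
import re
from collections import Counter
# Constructed log.winbindd excerpt, shaped like the lines quoted in the thread (names are placeholders).
SAMPLE_LOG = """\
[2005/10/20 09:39:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@EXAMPLE.TEST (Ticket expired)
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Ticket expired
[2005/10/20 09:39:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain EXAMPLE failed: Cannot read password
[2005/10/20 09:39:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:40:00, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain EXAMPLE
"""
# Samba log header: [date time, level] file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] ([^\s:]+):(\w+)\((\d+)\)$")
# Failure phrases from the thread, the subsystem they point at, and the step from
# Martz's post that cleared them (the hints are the thread's remedy, nothing more).
SIGNATURES = [
    ("Ticket expired", "kerberos", "expired TGT: kinit again, check with klist, restart winbindd"),
    ("No credentials cache found", "kerberos", "no ticket cache: kinit, then restart winbindd"),
    ("Cannot read password", "ads_connect", "AD bind failed: check daemon_list has winbind, rebuild with USE=winbind"),
    ("Could not fetch sid", "ads_connect", "logged right after the failed AD bind in the thread's log"),
]

def parse_winbindd_log(text):
    """Pair each header line with the indented message line(s) that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)), "file": m.group(3),
                       "func": m.group(4), "line": int(m.group(5)), "msg": ""}
            records.append(current)
        elif current is not None and line.startswith("  "):
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def classify(records):
    """Tag each record with the first matching failure phrase; 'other' if none matches."""
    tagged = []
    for r in records:
        kind, hint = "other", ""
        for phrase, k, h in SIGNATURES:
            if phrase in r["msg"]:
                kind, hint = k, h
                break
        tagged.append(dict(r, kind=kind, hint=hint))
    return tagged

def summarize(text):
    """Count failure kinds; in the thread the kerberos ones were fixed first (kinit), the rest followed."""
    return Counter(r["kind"] for r in classify(parse_winbindd_log(text)))
```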
Post by giant » Sat Nov 19, 2005 4:25 pm

Thanks for this great howto :-)

I was able to add my samba fileserver to our ads in minutes :-)
Samba as domain member terribly slow !

Post by TheJester » Thu Feb 09, 2006 9:12 am

Hi all,

We have a Linux data server here, which used to be a workgroup member. Everything was fine then. Now we have a new SBS server here, so the data server had to be made into a domain member. To do that I followed this manual.

The thing is now that the Samba shares on the data server are slow as h**l.
What can the problem be? Any ideas are welcome....!

Code:

[global]
        netbios name = DATASVR
        server string = DATASVR
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = GOVALOKAAL
        os level = 20
        winbind enum groups = yes
        socket address = 10.0.0.200
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = GOVA.LOKAAL
        security = ADS
        wins server = 10.0.0.201
        wins proxy = no
        workgroup = govalokaal
       
[ariston]
        comment = All Ariston software, cc files
        path = /raid/ariston
        writable = yes


And the krb5 config:

Code:

datasvr etc # cat krb5.conf
[libdefaults]
        default_realm = GOVA.LOKAAL

[realms]
   GOVA.LOKAAL = {
        kdc = adserver.gova.lokaal
   }

datasvr etc #
The hosts file:

Code:

datasvr etc # cat hosts
127.0.0.1       localhost
10.0.0.201      adserver.gova.lokaal adserver
Thanks a lot!
Post by DingbatCA » Thu Mar 30, 2006 6:32 am

Just got my 6 Gentoo clients up and bound to AD. Ran into a major bug: my UID is different on every box.

Code:

atalbot@cslinux6:~$ id
uid=24488(atalbot) gid=10000(domain users) groups=10000(domain users)

atalbot@cslinux4:~$ id
uid=10000(atalbot) gid=10000(domain users) groups=10000(domain users)
Any ideas?
Post by Arne » Sat Jun 17, 2006 9:56 am

Hi,
First, thanks for the nice howto :!:

I have a question about the keytab encryption type. Is it possible to use arcfour-hmac-md5? I tried it, but it didn't work. Maybe I made a mistake. The single DES keys work, and with kinit I can get RC4 tickets, so my Linux box must have RC4 support. I don't know why it's not working. :(

RC4 is working:

Code:

# kinit Administrator
Administrator@MY.EXAMPLE.COM's Password:
# klist -e
Valid starting     Expires            Service principal
06/17/06 10:00:01  06/17/06 19:59:55  krbtgt/MY.EXAMPLE.COM@MY.EXAMPLE.COM
        renew until 06/17/06 20:00:01, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
Keytab export:

Code:

C:\Dokumente und Einstellungen\Administrator\Desktop>"c:\Programme\Support Tools \ktpass.exe" -mapuser linux_http -princ  HTTP/my.example.com@MY.EXAMPLE.COM +DesOnly -pass <PASSWORD>  -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out  "linux_keytab_http"
Targeting domain controller: server.my.example.com
Successfully mapped HTTP/linux.my.example.com to linux_http.
Key created.
Output keytab to linux_keytab_http:
Keytab version: 0x502
keysize 96 HTTP/my.example.com@MY.EXAMPLE.COM ptype 1
 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x058f7c3320c8e994b11dd010f8d6c7ff)
Account linux_http has been set for DES-only encryption.
Check the exported keytab:

Code:

# ktutil
ktutil:  rkt linux_keytab_http
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/my.example.com@MY.EXAMPLE.COM (ArcFour with HMAC/md5)
ktutil:
Using the keytab failed:

Code:

kinit  -k -t linux_keytab_http HTTP/my.example.com@MY.EXAMPLE.COM
kinit(v5): Key table entry not found while getting initial credentials
PS: It's a Windows Server 2003 R2.

Any idea what caused this?
arne
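A parser for the keytab format shown in the ktpass and ktutil output above, added here as an example (it is not Arne's code, nor Samba's or MIT Kerberos'): it walks the version-0x502 entries, produces the principal/kvno/enctype view that ktutil's 'l -e' prints, and reports which enctypes the file holds for a principal, which is what a kinit -k -t lookup has to find. The sample keytab is constructed inline with all-zero placeholder keys, so it does not contain the key bytes from the post. Run against the export above, such a check would show a single arcfour-hmac-md5 entry, while the ktpass output in the same post reports the account was set for DES-only encryption.

```python
import struct
# Enctype numbers as written in keytab entries (IANA Kerberos registry); 23 == 0x17
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
def _counted(data, pos):
    """Read a keytab counted octet string (uint16 length + bytes); return (str, newpos)."""
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (version 0x502) into entries like ktutil's 'l -e' listing. Entry layout:
    int32 size, uint16 ncomp, realm, components, uint32 name_type, uint32 stamp, uint8 kvno, uint16 etype, uint16 keylen, key[, uint32 kvno]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        name_type, _stamp, vno = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                   # step over the fixed fields and the key
        if end - pos >= 4:                 # trailing 32-bit kvno overrides the 8-bit one
            vno = struct.unpack_from(">I", data, pos)[0]
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "ptype": name_type,
                        "kvno": vno, "etype": etype, "keylen": klen,
                        "etype_name": ETYPE_NAMES.get(etype, "unknown(%d)" % etype)})
    return entries

def etypes_for(entries, principal):
    """Enctypes the keytab holds for a principal; kinit -k -t needs the one the KDC uses."""
    return sorted(e["etype"] for e in entries if e["principal"] == principal)
def _entry(principal, kvno, etype, key):
    """Serialise one entry; used only to construct the sample keytab below."""
    name, realm = principal.split("@", 1)
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for c in name.split("/"):
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key   # ptype 1, timestamp 0
    return struct.pack(">i", len(body)) + body
# Constructed sample: an RC4 entry shaped like the post's export plus a DES entry, zero placeholder keys.
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("HTTP/my.example.com@MY.EXAMPLE.COM", 3, 23, bytes(16))
                 + _entry("host/linux.my.example.com@MY.EXAMPLE.COM", 2, 3, bytes(8)))
```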
Post by andysamuel » Tue Jun 20, 2006 3:42 am

Hi All !

Is there any chance that the conflict between shadow and pam-login is affecting the authentication to the ADS and Samba server?

I have an old machine with already working ADS Samba integration, but when I emerged world, it said shadow conflicts with pam-login, so I unmerged pam-login and then emerged shadow, and then... I could not log in to my server. Since this is just a testing server, I don't mind reinstalling everything again from the beginning, so I reformatted and reinstalled Gentoo.

With this newer system, somehow, I cannot authenticate my Windows machine to access Samba's shares, although I tried to follow the example in this forum.

'wbinfo -u' works just fine, as does 'wbinfo -g'; my ADS usernames, computers and groups are displayed correctly.

'getent passwd' seems to display only my /etc/passwd file.

But when I try to access from a Windows machine, it keeps on asking for the password.
My log.winbindd seems OK, no errors. Log.smbd also seems fine, only complaining about CUPS, which I don't use. Log.nmbd seems fine.

Can anybody confirm whether this has nothing to do with the shadow vs. pam-login conflict (because of /etc/pam.d/samba)? My suspicion is that my previous system was using pam-login while the newer system uses shadow.

Thank you so much.
Andy
Post by andysamuel » Tue Jun 20, 2006 11:27 am

andysamuel wrote: (quoting their previous post in full)
Hmmm... it turns out that I don't have /lib/security/pam_winbind.so.
Add 'winbind' to USE inside /etc/make.conf, recompile Samba, and voilà! Authentication to ADS works!

Case closed.
This doc will be updated (soon I hope)

Post by maalth » Fri Oct 15, 2010 10:28 pm

I apologize that I haven't been around in the last few years. I wound up moving and getting a new job, which unfortunately meant I had to go offline for quite a while. I intend to update this doc (sometime soon) to integrate with Windows 2003 and the latest version of Samba.
Screw you guys, I'm going home...
Post by ali3nx » Sat Oct 16, 2010 8:20 pm

Good howto, but the only problem is using winbind, which limits your options and can cause problems with LDAP consistency in some situations.

http://wiki.samba.org/index.php/Samba%2 ... y_%26_LDAP
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
Post by maalth » Sun Oct 17, 2010 2:20 am

Samba's been updated many times in the last 7 years so I'd have to update the howto anyway.
Screw you guys, I'm going home...
Post by Majed17 » Thu Jan 26, 2012 12:36 pm

ritjobbie wrote: WORD UP! I got it working. I had to add winbind to the /etc/pam.d/samba config file, duh.

*whew*
I didn't find any information about adding winbind to /etc/pam.d/samba; however, I did find this:
http://forums.gentoo.org/viewtopic-t-44 ... art-0.html
which is adding winbind to /etc/pam.d/system-auth,
but that was not what solved my problem of Windows constantly asking for logins and usernames and passwords. What solved it was:
Disable NSCD

The service NSCD (Name Service Caching Daemon) seriously interferes with Winbind authentication and must be completely disabled before enabling Winbind.

To do this, edit /etc/nscd.conf. Edit these three lines:

enable-cache passwd yes
enable-cache group yes
enable-cache hosts yes

They should read:

enable-cache passwd no
enable-cache group no
enable-cache hosts no

This disables all NSCD caching.

Taken from: http://www.stuartellis.eu/articles/linu ... directory/
Post by VinzC » Tue Jan 15, 2013 8:47 am

Hi guys.

Is it possible that two Samba servers that have joined the same AD domain (e.g. "MYCOMPANY") do not map domain users and groups to the same [numeric] IDs? For instance, I have a Debian server that maps a group to GID 10243, and the same group is mapped to GID 10007201 on a QNAP network attached storage that was joined to the domain. It goes even further: domain groups are listed (using getent) without the domain part (e.g. "IT") on the Debian server, while the QNAP shows domain groups with the domain name as a prefix (i.e. "MYCOMPANY+IT"). That clearly causes trouble for backups in my case, as I need to back up/copy files onto a remote machine with the same security attributes so that the users owning their data can retrieve copies from the backup machine.

Can anyone confirm this? What's the best and least troublesome way to get to that point?

Thanks a lot in advance for any hint/suggestion.
Gentoo addict: tomorrow I quit, I promise!... Just one more emerge...
1739!
© 2001–2026 Gentoo Foundation, Inc.
