How to integrate Samba into Active Directory (UPDATED).

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.

Post by cpdsaorg » Mon Feb 28, 2005 2:23 pm

I had the same problem and I solved it like this...

Code: Select all

[mp3]
     writable = yes
     browsable = yes
     path = /home/mp3
     valid users = @"EXAMPLE+Domain Admins", @"EXAMPLE+Linux Admins"
Above, "EXAMPLE" is my short domain name, like YAHOO or GOOGLE :-)

"Domain Admins" and "Linux Admins" are the groups that I want to have access to the share.
Don't forget the + in between. Group names are separated by a comma (,).

Post by cpdsaorg » Mon Feb 28, 2005 2:25 pm

Next question,

is there a way for the "Linux Admin" group to be able to ssh into the box without having to create a local user for each admin?

Post by cuban » Tue Mar 08, 2005 4:11 pm

This is odd. I emerged samba as instructed but winbindd is not anywhere to be found.

Post by cuban » Tue Mar 08, 2005 6:15 pm

It appears there is a new USE flag to add winbind; it's called "winbind". It does not create an init.d script, though.

Post by cpdsaorg » Wed Mar 09, 2005 8:29 am

found this for you in the instructions posted here:

NOTE: If rc-update add winbind default fails, you could add winbind to /etc/conf.d/samba under daemon_list:

File: /etc/conf.d/samba

Code: Select all

daemon_list="smbd nmbd winbind"

Post by cuban » Wed Apr 06, 2005 9:09 pm

Out of nowhere I'm starting to get the below... Anyone have any ideas?

Code: Select all

[2005/04/06 16:09:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

Post by Skywacker » Thu Apr 28, 2005 10:03 pm

Thanks for howto, but I have one problem.

Everything works great for 10 minutes, then starts to fail. I can map a drive on a Windows XP box and access the files on the Samba share. However, after about 10 minutes if I re-map the drive it will ask for a password.

Different form of the same problem: I can 'cd ~TESTDOM+testuser' and it works fine. But after a while it will tell me "-bash: cd ~TESTDOM+testuser: No such file or directory". If I run 'getent passwd', it shows me all the correct users from my PDC, and then 'cd ~CMRLDOM+testuser' will result in changing me to /home/TESTDOM/testuser

I know that my kerberos ticket is set to last 600 seconds, and I could raise this number, but whats the correct way to fix this problem?

TESTDOM is my domain name and testuser is my test user.

Thanks

-Skywacker

Post by Radi » Mon May 09, 2005 2:09 pm

Hello There,

I'm using a Linux box with Samba as an Active Directory client. Login with an AD user works perfectly, but for most users the home directory has been named in upper-case characters, like "SomeUser". Samba itself resolves the username as "someuser", and every time I log in with an account that has such a named home directory Samba fails to cd into the directory because Linux is case sensitive. Is there a way of going around it without changing every homedir?

Thanks, Radi

Post by mgladding4423 » Thu May 12, 2005 6:06 pm

I'm having the same problem other people are having with all of this. When I attempt to get to the network share (\\<server name>\<share name>) from any system I get an invalid username and password prompt and I can't get in.
winbind is up and running, as is samba. I can use smbclient to connect to a windows share, I'm joined to the domain, and can query AD with wbinfo, so I have no clue what to do now. Any ideas?

edit side note:
When I try to connect via smbclient/mount on another linux box (we have tons in my company) I get the following:

Code: Select all

tmp # smbmount //<server name>/root$ /tmp/smbtest -o username=root
Password:
29178: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
It doesn't matter what username I use; I tried root, administrator, mine, all of them, same thing.

Here is my smb.conf:

Code: Select all

[global]
        netbios name = backup
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = <workgroup name>
        os level = 20
        winbind enum groups = yes
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = <realm name>
        security = ADS
        wins server = 192.168.1.2
        wins proxy = no
        username map = /etc/samba/smbusers

[root$]
        comment = Root share
        writeable = yes
        path = /
        valid users = @"<short domain name>+<group name>"
and in case you ask it does the same thing when I remove the valid users part and make it public and such.

here is my nsswitch.conf:

Code: Select all

# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
Anyone got any ideas?

Post by mgladding4423 » Mon May 16, 2005 5:48 pm

I'm bumping in hopes that someone will have some clue.
I've also checked my logs and found this in the log.winbindd

Code: Select all

  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
I'm assuming that this is my problem, but I can't find anything as to what it means or how to fix it.

And this shows up in my /var/log/samba3/log.<machine name>

Code: Select all

[2005/05/16 10:26:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:29, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2005/05/16 10:26:29, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2005/05/16 10:26:29, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 23: ERRNO = Connection reset by peer
[2005/05/16 10:26:29, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

Post by njcwotx » Mon May 16, 2005 10:07 pm

This question is in regards to using Samba+AD after it's installed and working.

I am currently reading through man pages, this forum and other LDAP, Kerberos, Samba docs and the like; however, I am posting the question now in case somebody can assist me before any research is complete.

Problem:
Samba+AD is working and in production. We have 2 problems that are resolved the same way. First issue: every once in a while a user will not be able to authenticate directly to shares. Other users can connect just fine except this one user. Second issue: we have an intranet website that uses AD accounts to access shares on another samba server. If we restart samba on this server, we need to perform the command below on the intranet box as well. We resolve this issue by performing the following command:

Code: Select all

kinit administrator    #followed by the appropriate password
The date and time are correct and the same on all servers; we just need to occasionally reset the ticket.

Solution needed:
Obviously, re-initializing the kerberos ticket makes everyone happy. However, this is a manual procedure that needs to be done automatically whenever this occurs. My problem is partly a lack of understanding of Kerberos and LDAP and I am trying to correct this problem via RTFM. However, any insight to speed up this process would help.
I have seen examples of putting kinit in a cron job but need some more insight about what it is I am actually doing and how this works before I modify production servers.


Additional Info:

I am reading through this forum and found this info above, however, I need some clarification on some of it if anyone cares to try.
Automatic updating of the Kerberos ticket
Let's now create a script for automatic update of the Kerberos ticket for the LDAP. After the command execution, the root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated.

/sbin/kerbinit.sh
Code:

#!/bin/sh
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent
chmod 600 /tmp/krb5cc_0



Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note, that the default location of this file is /tmp/krb5cc_[uid] (here for the user root it is the file /tmp/krb5cc_0)

Code:

gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM

Valid starting Expires Service principal
03/25/04 16:10:27 03/26/04 02:10:26 ldap/sfusrv.sfu.acme.com@ SFU.ACME.COM
renew until 03/26/04 16:10:27





You should add this script to the root's crontab file (/var/spool/cron/crontabs/root). Following example will call the kerbinit.sh every 2 hours:

Code:

# /var/spool/cron/crontabs/root
# /etc/crontab
.
.
# minute field must be 0: "* */2" would run kerbinit.sh every minute of every second hour
0 */2 * * * sh /sbin/kerbinit.sh



Furthermore, it is necessary to run the kerbinit.sh in the boot of the computer. In this way, the Linux computer will have a valid Kerberos ticket for the access to the LDAP. So let's add it to the /etc/conf.d/local.start file:

Code:

.
.
# This is a good place to load any misc.
# programs on startup ( 1>&2 )
sh /sbin/kerbinit.sh
I have a keytab file but I want to be clear on the particulars of

Code: Select all

kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent 
chmod 600 /tmp/krb5cc_0 
plus any other comments concerning this.
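Added example (Python, not from njcwotx's post or the instructions it quotes): a small checker that reads klist output in the format shown above, decides whether the ldap/ service ticket is about to expire, and builds the keytab-driven kinit command that a cron job or local.start can run without a password. The keytab path /etc/krb5.keytab, the 30-minute margin and the SAMPLE_KLIST text are assumptions of the example.

```python
"""Decide when the root Kerberos cache needs a fresh keytab-based ticket.

Added example, not part of the thread or the quoted instructions. It reads
klist output in the format quoted above, tells whether the ldap/ service
ticket will expire within a margin, and builds the keytab-based kinit
command that a cron job can run without a password.
Assumptions: keytab at /etc/krb5.keytab, a 30-minute margin, and the
constructed SAMPLE_KLIST text below.
"""
import os
import re
import stat
from datetime import datetime, timedelta

# Constructed sample shaped like the klist output quoted in the post.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM

Valid starting     Expires            Service principal
03/25/04 16:10:27  03/26/04 02:10:26  ldap/sfusrv.sfu.acme.com@SFU.ACME.COM
\trenew until 03/26/04 16:10:27
"""

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")


def parse_ts(text):
    """klist's MM/DD/YY HH:MM:SS stamps (the format shown in the post)."""
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_klist(text):
    """Return cache name, default principal and the tickets in the cache."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            info["tickets"].append({"start": parse_ts(m.group(1)),
                                    "expires": parse_ts(m.group(2)),
                                    "service": m.group(3), "renew_until": None})
        elif (m := RENEW_RE.match(line)) and info["tickets"]:
            info["tickets"][-1]["renew_until"] = parse_ts(m.group(1))
    return info


def needs_refresh(info, service, now, margin=timedelta(minutes=30)):
    """True unless a ticket for `service` stays valid past now + margin."""
    for t in info["tickets"]:
        if t["service"].split("@")[0] == service and t["expires"] - now > margin:
            return False
    return True


def kinit_argv(principal, service, keytab="/etc/krb5.keytab"):
    """kinit driven by a keytab: no admin password in cron or in a script."""
    return ["kinit", "-k", "-t", keytab, "-S", service, principal]


def cache_is_private(path):
    """The cache must be mode 0600 and owned by the caller (the chmod step)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return stat.S_IMODE(st.st_mode) == 0o600 and st.st_uid == os.getuid()


if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    svc = "ldap/sfusrv.sfu.acme.com"
    now = parse_ts("03/26/04 02:00:00")
    if needs_refresh(info, svc, now):
        print("refresh:", " ".join(kinit_argv("nssldap/gent", svc)))
    print("cache private:", cache_is_private("/tmp/krb5cc_0"))
```

Run with a "now" of 02:00 on 26 Mar 2004 it reports that the ticket expiring at 02:10:26 needs refreshing and prints the keytab-based kinit line. The point of `-k -t` over a `kinit administrator` in cron is that no administrator password has to live in a script or crontab, and the check on the cache mode mirrors the chmod 600 in the quoted script.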

Post by mikec49 » Wed Jun 15, 2005 12:23 pm

maalth wrote:How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff).- Updated 13 Apr 2004.

Alright, I'll have to go on my notes, I did this on Thanksgiving Day, so I may not remember everything I did. Anyway, here goes:
  • Active Directory should already be implemented and working. If you need help, there's plenty of help on the net.
  • Your Windows system should be secured and patched.
  • You have Gentoo Linux installed of course
  • With the config files, you need to change example.com to match your domain.

Okay, now the basics are done, let's begin the install process.

Step 1: Emerge openldap. No configuration is necessary. However, AD support will not be compiled into samba without it.
Step 2: Emerge mit-krb5. Configure the file /etc/krb5.conf as follows:

Code: Select all

[libdefaults]
   default_realm = EXAMPLE.COM
 
   [realms]
   EXAMPLE.COM = {
        kdc = adserver.example.com
   }
Add this line to /etc/hosts:

Code: Select all

1.2.3.4    adserver.example.com   adserver
You need this to make sure you can connect to the AD server, even when DNS is down.

Notes about this config file, do NOT change the case of EXAMPLE.COM because you will get the following error message: "Cannot find KDC for requested realm while getting initial credentials". Also, do NOT comment the config file because the kerberos client will not read the config file correctly.

Step 3: We will stop here and test kerberos to ensure you can see the AD domain type in this command:

Code: Select all

kinit Administrator@EXAMPLE.COM
It will ask for the password; if you type it in correctly, you will be returned to the prompt, which means it worked. Pat yourself on the back. You've done the easy part!

Step 4:
We are now going to emerge samba. You can do this one of two ways:
  1. Add kerberos and ldap to your USE flags make.conf file. Emerge samba using the following command:

    Code: Select all

    emerge samba
    OR
  2. Type in the following command:

    Code: Select all

    USE="kerberos ldap" emerge samba
IMPORTANT: kerberos and ldap MUST be included, winbind will NOT work without those flags!

Use the command

Code: Select all

emerge -pv samba
The resulting line should look similar to this (this is on my system):

Code: Select all

[ebuild   R   ] net-fs/samba-3.0.2a -acl +cups +kerberos +ldap +mysql -oav +pam +python +readline +xml  127 kb
Simply put, pick option 1 or 2; samba takes a little time to compile and install. Once samba is installed, you need to configure it. You can use this example samba file:

Code: Select all

# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = SERVERNAME <- I recommend the same name as the server.
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 <- Tweak this to get the best speed out of your connection
        idmap uid = 10000-20000 <- This is for mapping uids between linux server and AD
        winbind enum users = yes <- This allows you to bind users.
        winbind gid = 10000-20000 <- This is for mapping gids between linux server and AD
        workgroup = WORKGROUP <- Change to match the NETBIOS name of the AD domain.
        os level = 20 <- This is for the master browser priority.
        winbind enum groups = yes <- This allows you to use the Active Directory groups
        socket address = 1.2.3.4 <- Change this to match the IP address or remove it to listen to all addresses.
        password server = * <- I recommend this if you have more than one server; I do in my case.
        preferred master = no <- You do NOT want to be a master browser.
        winbind separator = + <- See the first line comment.
        max log size = 50 <- In K
        log file = /var/log/samba3/log.%m <- This allows logging activities for each machine.
        encrypt passwords = yes <- Active directory does NOT accept plaintext passwords.
        dns proxy = no <- You don't want anything to do with DNS.
        realm = EXAMPLE.COM <- This is for kerberos.
        security = ADS <- Active directory server provides security for the shared resources.
        wins server = 1.2.3.4 <- Change to IP address of your installed WINS server
        wins proxy = no <- You don't want to proxy WINS either.

# Shares section
[mp3]  <- Name of the share.
        comment = MP3 Repository <- A comment...
        writeable = yes <- If you want users to update the directory
        path = /home/mp3 <- Where is the share on the linux server
        force user = mp3 <- Should be the name of the user who is responsible for the share.
Step 5: Fire up samba; check to make sure it's running.

Code: Select all

 /etc/init.d/samba start
Step 6: Join your samba server to your domain by typing in this command:

Code: Select all

net ads join -U Administrator
It will ask you for a password, type your password in. If you typed it in correctly, you will see the message that says: Joined 'SERVERNAME' to realm 'EXAMPLE.COM.' If you check your AD server, the machine account for your system will appear under computers.

Step 7: We are going to test winbind to ensure windows authentication does indeed work. Winbind allows you to use Active Directory for user authentication (see link 2 for more info). The steps for using and testing winbind are gleaned from link 2.

You need to edit the file /etc/nsswitch.conf. You need to change two lines to look like this (other lines removed to keep this post as short as possible):

Code: Select all

passwd:      compat winbind
shadow:      compat
group:       compat winbind
Let's test the winbindd daemon before we make it permanent. Fire up winbindd by typing

Code: Select all

winbindd
You can also make winbindd run as two processes (which is faster; but for these purposes, let's run it as one). Winbindd runs in dual daemon mode by default.

Since there is no visual confirmation whether or not it's running, you can check with ps to ensure it is indeed running.

Code: Select all

ps -ae | grep winbindd
The results should be something similar to this:

Code: Select all

13324 ?        00:04:23 winbindd
13325 ?        00:00:00 winbindd
If you get an error message instead of the above, then you didn't compile kerberos and ldap support in and need to do that before anything will work.

Let's make sure we can see the contents of Active Directory. Type in this command:

Code: Select all

wbinfo -u
This is the results from my system (changed for integrity), yours should be similar.

Code: Select all

EXAMPLE+test <- test account on AD
EXAMPLE+test2 <- test account on AD
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+TsInternetUser
EXAMPLE+krbtgt
EXAMPLE+MACHINE1$ <- test machine 1
EXAMPLE+MACHINE2$ <- test machine 2
EXAMPLE+MACHINE3$ <- test machine 3
EXAMPLE+HOST/servername <- samba machine
EXAMPLE+DOMAINCONTROLLER$
To see the groups, use this command:

Code: Select all

wbinfo -g
You should see a result similar to this:

Code: Select all

EXAMPLE+Domain Computers
EXAMPLE+Domain Controllers
EXAMPLE+Schema Admins
EXAMPLE+Enterprise Admins
EXAMPLE+Cert Publishers
EXAMPLE+Domain Admins
EXAMPLE+Domain Users
EXAMPLE+Domain Guests
EXAMPLE+Group Policy Creator Owners
EXAMPLE+DnsUpdateProxy
We can get a username from both the local linux server and the Active Directory server by typing in this command:

Code: Select all

getent passwd
I will not post the results of this command for security reasons, but you should see a list of local users with the Active Directory users appended.

For groups, type in getent group
I will not post the results of this command for security reasons, but you should see a list of local groups with the Active Directory groups appended.

I would suggest reading the info in link 2 for more things you can do with other authentication with AD.

If everything has worked as above, pat yourself on the back! Good job!

Step 8: If you didn't configure a share yet; do so now. You need to restart samba if you created a share.

You should join any machine you want to access the samba resources to your Active Directory Domain. Use a machine that's joined to the AD domain to see if your share appears via network neighborhood.

If you want samba and winbind to run on startup, type in the following commands:

Code: Select all

rc-update add samba default
rc-update add winbind default
That's it for now, any problems, something is unclear, or questions, let me know and I will do my best to help you.

Resources:

The samba/ADS howto: http://us1.samba.org/samba/docs/man/dom ... ads-member
Helpful info for winbind: http://us1.samba.org/samba/docs/man/winbind.html

Small problem, all of the above works (sort of!!)

each command in turn works fine, i.e. wbinfo -u and getent passwd, returning as expected.

but I edited the login file within /etc/pam.d using all of the available info that I could find, and when you log on as an AD user you get the error 'User not known to the underlying authentication module'.

yet, if you run a getent passwd |grep (for that user) and then go back to the console,it does login!!

any ideas?

anyone have a working /etc/pam.d/login ? (its a start maybe!?)

thanks in advance
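Added example (Python, not part of the howto or of Samba): the checks the howto states in prose, plus cpdsaorg's point earlier in the thread about writing AD groups in `valid users` as DOMAIN+group, turned into a script you can run over the three files before `net ads join`. The SAMPLE_* texts are built from the configs posted in this thread; key names are matched as written and `valid users` entries are assumed to contain no commas.

```python
"""Consistency checks for the krb5.conf / smb.conf / nsswitch.conf trio.

Added example, not part of the howto or of Samba. It encodes the checks the
howto states in prose (realm in upper case, security = ADS, idmap ranges,
winbind in nsswitch.conf) and cpdsaorg's point about writing AD groups in
valid users as DOMAIN<separator>group. The three SAMPLE_* texts are
constructed from the configs posted in this thread; key names are matched
as written and valid users entries are assumed not to contain commas.
"""
import re

SAMPLE_KRB5 = """[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
        kdc = adserver.example.com
   }
"""

SAMPLE_SMB = """[global]
        netbios name = SERVERNAME
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        security = ADS
        idmap uid = 10000-20000
        winbind gid = 10000-20000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes

[mp3]
        path = /home/mp3
        writeable = yes
        valid users = @"EXAMPLE+Domain Admins", @"EXAMPLE+Linux Admins"
"""

SAMPLE_NSS = """passwd:      compat winbind
shadow:      compat
group:       compat winbind
hosts:       files dns
"""

IDMAP_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_conf(text):
    """[section] / key = value parser; 'name = {' ... '}' nests (krb5 realms)."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip().lower(), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack[-1][key] = {}
                stack.append(stack[-1][key])
            else:
                stack[-1][key] = value
    return root


def parse_nsswitch(text):
    """database -> list of sources, e.g. {'passwd': ['compat', 'winbind']}."""
    out = {}
    for line in text.splitlines():
        db, sep, sources = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            out[db.strip()] = sources.split()
    return out


def check_configs(krb5_text, smb_text, nss_text):
    """Return a list of findings; an empty list means the trio is consistent."""
    krb5, smb, nss = parse_conf(krb5_text), parse_conf(smb_text), parse_nsswitch(nss_text)
    findings = []
    realm = krb5.get("libdefaults", {}).get("default_realm")
    if not realm:
        findings.append("krb5.conf: no default_realm")
    else:
        if realm != realm.upper():  # the howto's "Cannot find KDC" warning
            findings.append(f"krb5.conf: realm {realm!r} is not upper-case "
                            "(kinit fails with 'Cannot find KDC for requested realm')")
        if not krb5.get("realms", {}).get(realm, {}).get("kdc"):
            findings.append(f"krb5.conf: no kdc entry for realm {realm!r}")
    g = smb.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be ADS for an AD member server")
    if g.get("realm") != realm:
        findings.append(f"smb.conf: realm {g.get('realm')!r} does not match krb5 default_realm {realm!r}")
    for key in ("idmap uid", "winbind gid"):  # ranges used for SID -> uid/gid mapping
        m = IDMAP_RE.match(g.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"smb.conf: {key} must be LOW-HIGH, got {g.get(key)!r}")
    sep, workgroup = g.get("winbind separator", "\\"), g.get("workgroup", "")
    for share, opts in smb.items():
        if share == "global":
            continue
        for ent in (e.strip() for e in opts.get("valid users", "").split(",")):
            if not ent.startswith("@"):
                continue
            group = ent[1:].strip('"')
            domain, found, _ = group.partition(sep)
            if not found or domain != workgroup:
                findings.append(f"smb.conf [{share}]: group {group!r} should be written {workgroup}{sep}<group>")
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: {db} line does not include winbind")
    return findings


if __name__ == "__main__":
    for f in check_configs(SAMPLE_KRB5, SAMPLE_SMB, SAMPLE_NSS) or ["all checks passed"]:
        print(f)
```

Point it at the real files (read them and pass the text in) before joining; a lower-case realm, a realm that differs between the two files, an inverted idmap range, a group written without the configured separator, or a missing winbind on the passwd/group lines each produce a finding that names the file and the fix.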

Post by njcwotx » Thu Jun 16, 2005 6:30 am

can you post your configs?

Post by mikec49 » Sat Jun 18, 2005 12:32 pm

njcwotx wrote:can you post your configs?
Since my posting, I set up SWAT to look at the samba config, and in the advanced settings there were some interesting winbind options that i had never seen before, I messed around with a few of these, and I managed to get console login working with ad users, but other things were still broken.

So, early next week I will go through all of my configs and see where I'm at.

I know I could use help with /etc/pam.d/sshd as this is (was) working, but as root (a non-AD user) it asked for the password twice. Now I know I need to put use_first_pass somewhere, I'm just unsure where, so anybody that has a working sshd pam file for use with winbind, this would be useful.

Thanks

Confused! Active Directory


Post by JDStone » Fri Jun 24, 2005 5:51 am

I'm confused, is the Active Directory server a Windows machine or is it a Linux machine? Is it even possible to make a Linux machine a Active Directory server?

Post by njcwotx » Sat Jul 02, 2005 8:57 pm

In my case it's a Windows server domain with Linux boxes becoming members that need Windows domain users having access to samba shares.

Re: Confused! Active Directory


Post by Martz » Mon Jul 04, 2005 8:12 am

JDStone wrote:I'm confused, is the Active Directory server a Windows machine or is it a Linux machine? Is it even possible to make a Linux machine a Active Directory server?
In this case, it should always be a Windows AD server (Domain Controller). There are other how-to's for building your own Samba/AD/LDAP style servers. This thread is for people who have existing Windows Domain Controllers and want to extend linux services to them.

Post by Gendal » Sun Jul 10, 2005 10:33 pm

Just an FYI, I spent the past few hours banging my head against the wall trying to get it to join a domain. Finally traced it back to the ISA (Internet Security Server) 2004 firewall. It's the debil, it kept blocking port 464 no matter what I did. Once I removed ISA, voilà, it worked without a hitch.

Solved?


Post by NightMonkey » Mon Jul 25, 2005 9:52 am

EDIT: Er, never mind. I fixed this problem. Lots of Kerberos voodoo... Also, I found that this cryptic error comes from Kerberos - a password mismatch... Must have been with the machine account, I guess. I also checked "Trust this computer for delegation" on the Win2K server - dunno, that might have fixed it too. I'll break everything down over the next few days to see if I can replicate the problem.
cuban wrote:Out of no where I'm starting to get the below... Anyone have any ideas?

Code: Select all

[2005/04/06 16:09:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
I get this too, after getting *everything* else working. Turned up logging, here's the result:

Code: Select all

[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBnegprot (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN1.0]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [Windows for Workgroups 3.1a]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LM1.2X002]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN2.1]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [NT LM 0.12]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_nt1(333)
  using SPNEGO
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(555)
  Selected protocol NT LM 0.12
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 2 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 3 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 4 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Running samba 3.0.14a (problem occurs with 3.0.10, too). This line looks suspicious:

Code: Select all

[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
I googled around, and found that this "enc type" is for md4-hmac. I set this in /etc/krb5.conf explicitly (though I think this should "just work" with mit-krb5-1.4.1) and no change. This is a connection from a Win2K Pro client -> a Samba Domain Member server, authenticating against a Win2K AD DC.

Anyone else get this too, and have a solution? Thanks in advance!
m4chine
Apprentice
Posts: 271
Joined: Wed Mar 12, 2003 6:06 pm
Location: Ventura, CA, USA

Post by m4chine » Tue Aug 02, 2005 6:15 pm

I have had samba up and running for some time now with AD integration. Nothing changed on the linux side that I know of, but there were updates applied to our AD server (Windows2003 SP1 iirc). So out of nowhere I get these errors in /var/log/samba3/log.%u for each username:

Code: Select all

[2005/08/02 10:03:23, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161) user 'USERNAME' does not exist
I was able to fix them by adding the following to my /etc/samba/smb.conf file:

Code: Select all

client schannel = no
I then noticed that I got this error:

Code: Select all

[2005/08/02 10:46:14, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 1 requested.
[2005/08/02 10:46:15, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 9 requested.
I was able to fix this error by upgrading to samba-3.0.14a-r2.

cheers,
never trust a man who can count to 1023 on his fingers.

-m4chine
cyphz0r
n00b
Posts: 12
Joined: Wed Oct 29, 2003 1:01 am

Post by cyphz0r » Tue Aug 02, 2005 6:46 pm

Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!
m4chine
Apprentice
Posts: 271
Joined: Wed Mar 12, 2003 6:06 pm
Location: Ventura, CA, USA

Post by m4chine » Tue Aug 02, 2005 10:53 pm

cyphz0r wrote:Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!
What do you mean by authenticate a single user? You want only a single user to have access to a share? When you try to access a samba share, various authentications are attempted that are specified in /etc/samba/system-auth-winbind. By setting these auth lines up accordingly, you set up the order in which the user attempts to authenticate, meaning your local user can be authenticated before or after winbind attempts to authenticate your AD user.

There is also /etc/samba/smbusers which allows you to map local users to AD users.

Code: Select all

# Unix_name = SMB_name1 SMB_name2 ...
root = DOMAIN+Administrator administrator admin
nobody = guest pcguest smbguest
Elaborate on your question and I'll try to give a more detailed answer.
never trust a man who can count to 1023 on his fingers.

-m4chine
cyphz0r
n00b
Posts: 12
Joined: Wed Oct 29, 2003 1:01 am

Post by cyphz0r » Wed Aug 03, 2005 1:55 am

m4chine wrote:
cyphz0r wrote:Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!
What do you mean by authenticate a single user? You want only a single user to have access to a share? When you try to access a samba share, various authentications are attempted that are specified in /etc/samba/system-auth-winbind. By setting these auth lines up accordingly, you set up the order in which the user attempts to authenticate, meaning your local user can be authenticated before or after winbind attempts to authenticate your AD user.

There is also /etc/samba/smbusers which allows you to map local users to AD users.

Code: Select all

# Unix_name = SMB_name1 SMB_name2 ...
root = DOMAIN+Administrator administrator admin
nobody = guest pcguest smbguest
Elaborate on your question and I'll try to give a more detailed answer.
What I am looking for is to have local users still be able to authenticate. I only have a few; I use them for service accounts like Nagios monitoring and such. And then also be able to say that "aduser" has access to this share without defining an entire group. I will play with the system-auth-winbind tomorrow while at work and see what I come up with.

Thanks.


edit, adding system-auth-winbind

Code: Select all

#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.2 2004/07/18 03:55:05 dragonheart Exp $

auth        required      /lib/security/pam_env.so
#auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_deny.so

#account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
I tried moving the order; it still tries to do NT login via the domain first.
cyphz0r
n00b
Posts: 12
Joined: Wed Oct 29, 2003 1:01 am

Post by cyphz0r » Tue Aug 16, 2005 1:31 pm

anyone????


still can't figure out how to make it check both AD and local users.

I want it to default to AD, but also be able to fall back onto local users.


And I still can't figure out how to permit a single AD user to a share, I can only do groups?
BigBeer
n00b
Posts: 40
Joined: Mon Oct 18, 2004 2:20 am

Post by BigBeer » Tue Aug 23, 2005 2:35 pm

I had this working, but after an emerge -upD world I seem to have broken my setup.

I have gone back and followed the steps again from scratch and still can not get it to work.


Here is what I am getting in log.winbindd

Code: Select all

[2005/08/23 10:26:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:28, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/UNICRON@ATL.MYDOMAIN.COM failed: Preauthentication failed
[2005/08/23 10:26:28, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed
Anyone have any ideas as to what I am doing wrong ??!?!


--BigBeer
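The log.winbindd excerpt just above and the log.smbd dump earlier in the thread (the "enc type [23] failed to decrypt" post) use the same Samba 3.x debug record layout: a bracketed header line, then the message on indented continuation lines. The script below is an added example, not code from the thread or from Samba; it groups those records and counts the authentication-failure messages the posters were reading by eye, using a constructed sample modelled on the posted lines (the hostnames and realm in it are taken from the thread, not from any real system).

```python
import re
from collections import Counter

# Samba 3.x debug record header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)".
# The message usually follows on indented lines, but some records put it after the header.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
                    r"(?P<src>\S+:\w+\(\d+\))(?P<rest>.*)$")

# Substrings that mark an authentication failure in log.smbd or log.winbindd.
AUTH_FAILURE_PATTERNS = ("Failed to verify incoming ticket", "NT_STATUS_LOGON_FAILURE",
                         "Preauthentication failed", "failed to decrypt")

def parse_records(text):
    """Group a debug log into dicts with ts, level, src and the joined message text."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "src": m["src"], "msg": m["rest"].strip()}
            records.append(current)
        elif current is not None and line.strip():
            # Continuation line of the current record (wrapped messages are joined).
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def auth_failures(text):
    """Count authentication failures, keyed by (source function, matched pattern)."""
    hits = Counter()
    for rec in parse_records(text):
        for pat in AUTH_FAILURE_PATTERNS:
            if pat in rec["msg"]:
                hits[(rec["src"], pat)] += 1
    return hits

# Constructed sample, modelled on the log.smbd and log.winbindd excerpts posted in the thread.
SAMPLE = """\
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/08/23 10:26:28, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/UNICRON@ATL.MYDOMAIN.COM failed: Preauthentication failed
"""

if __name__ == "__main__":
    for (src, pat), n in sorted(auth_failures(SAMPLE).items()):
        print(f"{n:3d}  {pat:34s} {src}")
```

Run against a real log.smbd or log.winbindd (read the file into `auth_failures`), a sudden rise in one of these counters after a DC update, as in the posts above, stands out immediately.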