How to integrate Samba into Active Directory (UPDATED).

[MartinSt]

Hi, I have spent more than two weeks to find out the main bells and whistles of deploying Linux machine as Samba server in MS W2K3 AD environment, so I would like to share my experience here. I suppose, this could help to add some important details to the previous postings in this thread and to summarize the whole process. As I am not an expert in this area, I still do not understand thoroughly many relevant things, so please be tolerant.

Installation goals:
* use Kerberos for user authentication to the system and for access to the samba shared directories
* use encrypted access to the LDAP interface of the MS Active Directory

Useful debugging tools:
Ethereal - ** THIS IS MUST-HAVE TOOL HERE** - for tracing communication between your Linux machine and the AD Server
http://www.ethereal.com/

LDAP browser - for accessing the AD through ldap and viewing information stored there (you can see the same iformation in the MS ADSI Editor, too) You can use it to check directory structure and reading/editing of the information stored there. I am using the java LDAP browser from this page:
http://www.iit.edu/~gawojar/ldap/
Unfortunatelly, this browser doesn't play well wit the blackdown-jdk, but works fine with the sun-jdk.

strace (dev-util/strace) - debugging utility, which intercepts and records the system calls called by a process and the signals which are received by a process. For example, to find out, which files are opened during execution of the getent passwd command, you can use this command:

Code: Select all

strace -e open getent passwd

Windows Software
Microsoft Services For Unix, or SFU (current version is 3.5). You can download this software (approx. 350MB) on this site:

http://www.microsoft.com/windows/sfu/do ... efault.asp

(You have to be registered on the MS .net passport before downloading.) In previous posts, there was recommended the AD4UNIX software, but it seems to be abandoned now, while the MS SFU is for free now and still developping.

During the installation of the MS SFU choose only the "Server for NIS" option. This will extend the AD schema and install the MMC snap-in (similar to the AD4UNIX one). Verify, that you are able to create users with UNIX attributes and inspect those users from the LDAP side. When the installation is finished and the server is restarted, you can test functionality of the SFU MMC snap-in and verify the SFU attributes in the LDAP browser. As the NIS server will not be needed, stop the Server for NIS service and chnge it's startup type to Manual.

Note: The Server for NIS service among other things performs password synchronization between the Kerberos and LDAP msSFU30Password attribute. Synchronized passwords are however truncated to the 8 characters and they aren't well encrypted - that's another reason to stop te Server for NIS service.


Needed packages to emerge:
samba - make sure, that it's the 3.x version
openlssl - needed for ssl
openldap - we will need this for client ldap searches
cyrus-sasl - Simple Authentication and Security Layer - for basic encryption of ldap binds and searches
ntp - We will use the ntp-client for time synchronization (for proper Kerberos functioning)
mit-krb5 - the MIT Kerberos
pam - the Pluggable Authentication Module base
pam_krb5 - kerberos pam module (note, that pam_ldap module will not be needed). There are some problems to emerge the 1.0 version, see other posts on these forums. It seems to have problems with password change, too.
nss_ldap - LDAP module for name switch system (enables redirection of searches for users, groups, etc. to ldap)
Note: Make sure, that nss_ldap is compilled with the --enable-schema-mapping parameter enabled, otherwise it will be of no use here.


Let's assume following initial confguration:

• MS Windows Server:
  Servername: SFUSRV
  AD Domain: DC=SFU,DC=ACME,DC=COM
  DNS Name: sfusrv.sfu.acme.com
  Server's IP address: 192.168.1.20
  
  Configuration details:
  * Windows 2003 Server
  * Active Directory (Directory Master)
  * DNS&DHCP integrated into AD
  * WINS service
  * Local clock synced to a ntp server
  * If you plan to use SSL, also Enterprise Certification Authority would be handy (to issue certificates for SSL).
  
  Sample users:
  First Name: Tom
  Last Name: Sawyer
  User logon lame: toms@sfu.acme.com
  Password: PASSword.
  LDAP distinguished name: cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
  
  First Name: Huck
  Last Name: Finn
  User logon lame: huckf@sfu.acme.com
  Password: PASSword.
  LDAP distinguished name: cn=Huck Finn,cn=Users,dc=sfu,dc=acme,dc=com
  
  Gentoo Linux:
  Hostname: Gent
  DNS Name: gent.sfu.acme.com
  IP address: 192.168.1.28
  Configuration details:
  * USE settings: kerberos ldap samba sasl ssl (set them in the /etc/make.conf; I recommend to use the ufed tool for this)
  * ACCEPT_KEYWORDS="~x86" (set them in the /etc/make.conf, too) - in this way, the latest available packages for the intel platform will be installed.

Kerberos configuration
Before the Kerberos is configured, make sure, that you have synchronized local clock wth the ntp server. You can do it using the ntp-client module. It's configuration file is the /etc/conf.d/ntp-client.

Code: Select all

# /etc/conf.d/ntp-client
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/net-misc/ntp/files/ntp-client.confd,v 1.2 2003/09/19 17:50:37 vapier Exp $

# Command to run to set the clock initially
NTPCLIENT_CMD="ntpdate"

# Options to pass to the above command
NTPCLIENT_OPTS="-b tik.cesnet.cz"

To configure the Kerberos client side, we need to make needed settings in the /etc/krb5.conf file:

Code: Select all

# etc/krb5.conf 
[libdefaults] 
#       renew_lifetime = 18000 
        default_realm = SFU.ACME.COM 
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc 
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc 
        dns_lookup_realm = true 
        dns_lookup_kdc = true 
        clockskew = 120 

[realms] 
        SFU.ACME.COM = { 
        kdc = sfusrv.sfu.acme.com:88 
        admin_server = sfusrv.sfu.acme.com:464 
        } 

[domain_realm] 
        .sfu.acme.com = SFU.ACME.COM 
        sfu.acme.com = SFU.ACME.COM 

[kdc] 
        profile = /etc/krb5kdc/kdc.conf 

[logging] 
        kdc = FILE:/var/log/krb5kdc.log 
        admin_server = FILE:/var/log/kadmin.log 
        default = FILE:/var/log/krb5lib.log 

[appdefaults] 
 pam = { 
   debug = false 
   forwardable = true 
   krb4_convert = false 
 } 

You cant thest the functionality of the Kerberos by requesting an initial ticket for a Windows user from the Kerberos server - using the kinit command:

Code: Select all

gent root # kinit toms 
Password for toms@SFU.ACME.COM: 
gent root # klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: toms@SFU.ACME.COM

Valid starting     Expires            Service principal 
03/25/04 14:46:58  03/26/04 00:47:02  krbtgt/SFU.ACME.COM@SFU.ACME.COM
        renew until 03/26/04 14:46:58

Once you have a working Kerberos client configuation, you'll probably want to be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, you should add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to *K*, the community standard to indicate that the password comes from Kerberos.

Code: Select all

#/etc/passwd
.
.
huckf:x:10004:10004:Local AD user:/home/huckf:/bin/bash

Code: Select all

#/etc/shadow 
.
.
huckf:*K*:10004:0:::::

Kerberos principal and Kerberos keytab
Now, we need to create a Kerberos principal and corresponding keytab file for our Linux workstation on the Windows server. Let's choose one of Windows user accounts for this. There will be added the attribute Kerberos Service Principal for the Linux computer to this user account.

BEWARE: It is not tolerable to create Kerberos Service Principal with the same name in more user accounts. In such case, Kerberos would not be able to authenticate it correctly.

Following command has to performed for each Linux computer on a different user account:

Code: Select all

C:> ktpass -princ nssldap/gent@SFU.ACME.COM -pass PASSword. 
-mapuser toms@SFU.ACME.COM -out gent_keytab

Targeting domain controller: sfusrv.sfu.acme.com
Successfully mapped nssldap/linux to toms.
Key created.
Output keytab to gent_keytab:
Keytab version: 0x502
keysize 49 nssldap/linux@SFU.ACME.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (D
ES-CBC-MD5) keylength 8 (0xd34c57321fd334b5)
Account toms has been set for DES-only encryption.

The keytab file (in this case gent_keytab) resulting from this command must be securely transferred into the Linux computer. As the next step, it should be merged into the existing local keytab file:

Code: Select all

gent root # ktutil 
ktutil:  rkt gent_keytab 
ktutil:  list 
slot KVNO Principal 
---- ---- -------------------------------------------------------
   1    3                    nssldap/gent@SFU.ACME.COM 
ktutil:  wkt /etc/krb5.keytab 
ktutil:  q 

Automatic updating of the Kerberos ticket
Let's now create a script for automatic update of the Kerberos ticket for the LDAP. After the command execution, the root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated.

/sbin/kerbinit.sh

Code: Select all

#!/bin/sh 
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent 
chmod 600 /tmp/krb5cc_0 

Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note, that the default location of this file is /tmp/krb5cc_[uid] (here for the user root it is the file /tmp/krb5cc_0)

Code: Select all

gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM

Valid starting     Expires            Service principal
03/25/04 16:10:27  03/26/04 02:10:26  ldap/sfusrv.sfu.acme.com@ SFU.ACME.COM
        renew until 03/26/04 16:10:27

You should add this script to the root's crontab file (/var/spool/cron/crontabs/root). Following example will call the kerbinit.sh every 2 hours:

Code: Select all

# /var/spool/cron/crontabs/root 
# /etc/crontab 
. 
. 
* */2 * * *      sh /sbin/kerbinit.sh 

Furthermore, it is necessary to run the kerbinit.sh in the boot of the computer. In this way, the Linux computer will have a valid Kerberos ticket for the access to the LDAP. So let's add it to the /etc/conf.d/local.start file:

Code: Select all

.
.
# This is a good place to load any misc. 
# programs on startup ( 1>&2 ) 
sh /sbin/kerbinit.sh 

LDAP configuration
Another important step is to make correct settings in the LDAP config file. In the Gentoo Linux there are actually two LDAP config files - /etc/ldap.conf and /etc/openldap/ldap.conf respectively. If you want to use only one file for the LDAP configuration, (in this case there is nothing wrong about that), you can make a symbolic link between them - as for example:

Code: Select all

ln -s /etc/ldap.conf /etc/openldap/ldap.conf

You can also try to set a system variable to determine, which file will be used for the LDAP configuration (by adding relevant line to the /etc/env.d/00basic file)

Code: Select all

LDAPCONF="/etc/ldap.conf"

Following is an example of the /etc/ldap.conf file:

Code: Select all

host sfusrv.sfu.acme.com 
base dc=sfu,dc=acme,dc=com 

# scope one
scope sub

# binddn cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# bindpw PASSword.
# rootbinddn cn= Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com 
# rootbind password is in the /etc/ldap.secret

# nss_map_objectclass shadowAccount user 
# nss_map_attribute userPassword msSFU30Password 

nss_map_objectclass posixAccount user 
nss_map_attribute uidNumber msSFU30UidNumber 
nss_map_attribute uid msSFU30Name 
nss_map_attribute gidNumber msSFU30GidNumber 
nss_map_attribute homeDirectory msSFU30HomeDirectory 
nss_map_attribute loginShell msSFU30LoginShell 
nss_map_attribute gecos msSFU30Gecos 

nss_map_objectclass posixGroup group 
nss_map_attribute gid msSFU30Name 
nss_map_attribute uniqueMember msSFU30PosixMember 
# nss_map_attribute uniqueMember member 
# nss_map_attribute memberUid msSFU30MemberUid 

pam_login_attribute msSFU30Name 
pam_filter objectclass=User 
pam_password ad 

nss_base_passwd cn=Users,dc=sfu,dc=acme,dc=com 
# nss_base_passwd dc=sfu,dc=acme,dc=com 

nss_base_shadow dc=sfu,dc=acme,dc=com 

nss_base_group cn=Users,dc=sfu,dc=acme,dc=com 
# nss_base_group dc=sfu,dc=acme,dc=com 

nss_base_hosts Computers,dc=sfu,dc=acme,dc=com 

use_sasl on 
sasl start_tls 
# ssl on 
# tls_cacertfile /etc/ssl/certs/cacert.cer 
# sslpath /etc/ssl/certs/ 
# krb5_ccname FILE:/etc/.ldapcache 

In the ldap.conf file you can see lines beginning with "nss_map_attribute", which are used to map the internal unix attributes of users, groups, etc. to the attributes, available in the Active Directory after the expansion of it's schema by the MS Services for UNIX.

The lines beginning with "nss_base_passwd" and "nss_base_group" are determining the bases (or contexts in the LDAP tree), from which searches for users and groups are made. You can enter more than one base here. By the proper setting of the search bases, we can make LDAP searches more effective. Note, that if the nss_ldap was not compilled using the --enable-schema-mapping parameter, attributes mapping will not take place and the LDAP searches will be performed for the original unix parameters.

The lines containing the binddn, bindpw and rootbinddn (credentals for the authentifcation to the LDAP directory), are commented out here, as there will be used the Kerberos authentifcation.

The line beginning with scope determines, wheather the child parts of the LDAp contexts should be searched, too (sub - search in all sub-contexts, one - search only the current context).
Ending part of the ldap.conf file is containing settings for the sasl authentification (Simple Authentication and Security Layer) and basc encryption tls (Transport Layer Security).

To set up the ssl encryption, you have to make the Linux computer to trust the ssl certificate of the LDAP server, otherwise you can find the Unknown CA error message in the captured ssl handshake packets (use the Ethereal for it).

I am not sure, what is the proper procedure for making the Linux to trust to the ssl certificate. One of the promising solutions could be to copy the files named *.db from the working profile directory of the Mozilla browser to the /etc/ssl/certs directory. But first, you have to point the Mozilla to the secure LDAP port of the server and accept it's certificate permanently.

Testing LDAP access
You can test different modes of access to the LDAP directory using the ldapsearch command. Output of this command should be a list of LDAP objects (and their attributes), which are matched bz the LDAP request (in the following example it is the objectclass=user). In the beginning, try to enter most of the parameters explicitly on the command line - in this way the /etc/ldap.conf settings are bypassed. For debugging, you can also add the parameter -d N, where N is debug level (for example -d 5)

Code: Select all

gent root # ldapsearch -x -s one -b " dc=sfu,dc=acme,dc=com" -D "cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com" \
> -w PASSword. objectclass=user

If your confguration file is correct, you can perform the same search without entering most of the parameters. Moreover, you can pipe it's output to the grep command, to write out only the lines containing for example the string msSFU30Name. In this way, the result will cotain only the lines containing login names of the matched users:

Code: Select all

gent root # ldapsearch objectclass=user |grep msSFU30Name

The communication between the Linux computer and the LDAP serverem can be traced using the Ethereal. I am assuming, that Ethereal is run on the Windows server, as otherwise there is no need to install xfree on the Linux computer. It is convenient to filter captured packets in the Etherealu using the input filter - to capture only packets containing the ip address of the Linux computer:

Code: Select all

ip host gent 

You should investigate those packets to be sure, that there are no unencrypted data relating to the LDAP information in the packets. You can also check, if the LDAP bind is using the Kerberos authentication - by looking at the packet containing the bind request. Expand it's part named Lightweight Directory Access Protocol, Bind Request. If the Kerberos authentication was used, there should be present following sub-sections there:

• GSS-API Token
  GSS-API
  krb5_blob
  Kerberos
  Ticket

In the Ticket section, you can also check parameters of the Kerberos ticket (Realm, Service Name, Name)

The Name Switch System

Now, it is necessary to configure the Linux system to look for the user and group information in the LDAP directory, too. This should be made in the /etc/nsswitch.conf file by adding the keyword ldap to the lines for passwd a group.

Code: Select all

# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd:      files ldap
shadow:      files
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files

Note: The searches are made sequentially. Order of the searched databases is determined by their possition (from the left) on the line of the /etc/nsswitch.conf file. For example, if you put "passwd: files ldap" there, at first the /etc/passwd file is parsed and then a search is performed in the LDAP directory. The results of the search are reported in the same order.

You can test the functionality of the NSS by using for example the getent or id command:

Code: Select all

gent root # getent passwd
root:x:0:0:root:/root:/bin/bash
.
.
toms:x:10003:10002:Tom Sawyer:/home/toms:/bin/sh

gent root # id toms
uid=10003(toms) gid=10002(tstgroup) groups=10002(tstgroup)

The getent passwd command should print the list of users extracted from the /etc/passwd file, followed by the list of users acquired from the LDAP directory.


The PAM configuration

To be able to authenticate users via the Kerberos, you have to add the Kerberos authentication module to the PAM configuration files. There are several configuration files, their names are corresponding to the names of the programs, which are performing the user authentication. I am listing here the most common PAM configuration files. These files are located in the /etc/pam.d directory. So you should append the lines referring to the pam_krb5.so module.
Note: The sufficient control token is defining, that for a successful authentication it is sufficient to be authenticated by the specified pam module (even in a case, when authentication made by previous "required" modules failed). The try_first_pass parameter is instructing the pam module, that the password supplied to the previous pam module should be tried first. In this way, there will not be invoked another prompt for the password. To debug the pam modules, you can also add the debug parameter, which will cause loggig of the debug messages into log file (/var/log/auth.log).

/etc/pam.d/login

Code: Select all

#%PAM-1.0 

auth       required     /lib/security/pam_securetty.so 
auth       sufficient   /lib/security/pam_krb5.so try_first_pass 
auth       required     /lib/security/pam_stack.so service=system-auth 
auth       required     /lib/security/pam_nologin.so 

account    sufficient   /lib/security/pam_krb5.so 
account    required     /lib/security/pam_stack.so service=system-auth 

password   sufficient   /lib/security/pam_krb5.so 
password   required     /lib/security/pam_stack.so service=system-auth 

session    sufficient   /lib/security/pam_krb5.so 
session    required     /lib/security/pam_stack.so service=system-auth 
session    optional     /lib/security/pam_console.so 

/etc/pam.d/sshd

Code: Select all

#%PAM-1.0 
auth       sufficient   /lib/security/pam_krb5.so debug 
auth       required     /lib/security/pam_stack.so service=system-auth 

account    required     /lib/security/pam_stack.so service=system-auth 

password   sufficient   /lib/security/pam_krb5.so debug 
password   required     /lib/security/pam_cracklib.so 
password   required     /lib/security/pam_stack.so service=system-auth 

session    sufficient     /lib/security/pam_krb5.so 
session    required     /lib/security/pam_stack.so service=system-auth 
session    required     /lib/security/pam_limits.so 

/etc/pam.d/system-auth

Code: Select all

#%PAM-1.0 

auth       required     /lib/security/pam_env.so 
auth       sufficient   /lib/security/pam_krb5.so try_first_pass 
auth       sufficient   /lib/security/pam_unix.so try_first_pass likeauth nullok 
auth       required     /lib/security/pam_deny.so 

account    sufficient   /lib/security/pam_krb5.so debug 
account    required     /lib/security/pam_unix.so 

password   required     /lib/security/pam_krb5.so debug 
password   required     /lib/security/pam_cracklib.so retry=3 
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok 
password   required     /lib/security/pam_deny.so 

session    required     /lib/security/pam_limits.so 
session    required     /lib/security/pam_unix.so 
session    sufficient   /lib/security/pam_krb5.so 

The samba configuration
The samba configuration is located in the main configuration file /etc/samba/smb.conf. Following is the example of the smb.conf for the example MS network and the SFUSRV Windows 2K3 server.

/etc/samba/smb.conf

Code: Select all

# Separate domain and username with '+', like DOMAIN+username 
[global] 
        netbios name = GENT 
        server string = %h server (Samba %v) 
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 
        idmap uid = 10000-20000 
        idmap gid = 10000-20000 
        winbind enum users = yes 
        winbind enum groups = yes 
        winbind uid = 10000-20000 
        winbind gid = 10000-20000 
        winbind use default domain = yes 
        template shell = /bin/bash 
        template homedir = /home/%D/%U 
        workgroup = SFU 
        os level = 10 
        winbind enum groups = yes 
        socket address = 192.168.1.28 
        preferred master = no 
        winbind separator = + 
        max log size = 512 
        log file = /var/log/samba3/log.%m 
        dns proxy = no 
        realm = SFU.ACME.COM 
        security = ADS 
        encrypt passwords = yes 
        password server = sfusrv.sfu.acme.com 
        wins server = 192.168.1.20 
        wins proxy = no 

# Shares section 
[SharedDir] 
        comment = Shared directory 
        writeable = yes 
        path = /home/share 
        force user = huckf 

Before you can use the samba, you have to add your Linux computer to the Windows domain. It should be done by the net ads join command.

Code: Select all

gent root # net ads join -U Administrator
Administrator password:
Using short domain name -- SFU
Joined 'GENT' to realm 'SFU.ACME.COM'

After the successful executio of this command, you can check, if the Linux computer is present in the list of the domain computers in the MMC (Active Directory Users and Computers) on the Windows 2003 server .

Final configuration

In the end, the needed services and daemons should be added to the list of the services launched at startup at the Linux computer. You should add these:

• * ntp-client - for the time synchroization
  * samba - for sharing files via the SMB protocol
  * nscd (Name Service Cache Daemon) - for alleviating the communication with the LDAP server and for speed-up of the LDAP searches

Use the rc-update command to accomplish this:

Code: Select all

rc-update add ntp-client default
rc-update add samba default
rc-update add nscd default

[MartinSt]

I have found one more useful tip to add to my previous post. It was presented on the Novell Brainshare conference last week.

To automatically create home directories for the AD users in the time of their first login, you can add the following line to the /etc/pam.d/system-auth file (most pam.d configuration files point back to the system-auth file):

Code: Select all

session   required lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

You should have the skeleton /etc/skel directory, of course

[KsE]

I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code: Select all

# wbinfo -u
Error looking up domain users

I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE

[maalth]

Some questions first:

Did you remember to start samba and winbindd? Winbindd is the tool that handles the authentication. Without it, it won't work.

Do you have a file called system-auth-winbind in the directory /etc/pam.d?
It should have been installed when you emerged samba.

Did you edit /etc/nsswitch.conf?

I can't think of any other questions at the moment, but you can contact me. I will be home all night.

I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code: Select all

# wbinfo -u
Error looking up domain users

I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE

[jcummins]

With this method, can permissions be placed on shares via Windows?

[KsE]

Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf

Code: Select all

passwd:      compat winbind
shadow:      compat
group:       compat winbind

I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.

[maalth]

With this method, can permissions be placed on shares via Windows?

To be honest, I'm not sure. I never though to use it that way. I did it so that I can listen to my mp3 collection from either my laptop or desktop. I don't see why it won't work. Obviously you can't see unix accounts from windows, but I don't see why setting up shares wouldn't work. I can test it next week. I can't this week because I'm leaving for NYC in two days to fill out paperwork for the NYPD and won't be home until Monday.

[maalth]

Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf

Code: Select all

passwd:      compat winbind
shadow:      compat
group:       compat winbind

I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.

One more question, by chance are you running nscd? If you are, you need to stop and disable it. Winbind will not work if nscd is running. If not please PM me your config files... the files I would like to see are:
/etc/krb5
/etc/smb.conf

[KsE]

krb5.conf:

Code: Select all

[libdefaults]
        #ticket_lifetime = 600
        ticket_lifetime = 24000
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        EXAMPLE.COM = {
        kdc = ads.example.com:88
        admin_server = ads.example.com:749
        #kdc = kerberos.example.com:88
        #kdc = kerberos2.example.com:88
        #admin_server = kerberos.example.com:749
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefault]
        pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
        }

smb.conf:

Code: Select all

[global]
   workgroup = EXAMPLE
   server string = Samba Server %v
   log file = /var/log/samba3/log.%m
   max log size = 50
hosts allow = 102.168.1.
  map to guest = bad user
   security = ads
   password server = *
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind separator = +
  winbind use default domain = yes
  realm = EXAMPLE.COM
  template homedir = /home/%D/%U
  obey pam restrictions = yes
  template shell = /bin/bash
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   dns proxy = no
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

I changed my PDC with EXAMPLE. I got the smb.conf by "cat smb.conf | grep -v '#' | grep -v ';'"

I don't believe I'm using nscd. I didn't see it using "ps auxf". It's there, just not started.

[Diezel]

I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

Code: Select all

# wbinfo -u
Error looking up domain users

I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE

Did you find an sollution to this? I'm having the same problem.

[Diezel]

This i REALLY wierd. I got tired of trying so I shut down the computer. Tried to sleep but this kept bothering me, came back booted up and now it works. Don't have a clue why.
Anyway thanks.

//Diezel

[Frozensun]

Code: Select all

[/]> wbinfo -u
Error looking up domain users

EDIT: This is a win2003 domain controller

still doesn't work for me

/etc/krb5.conf

Code: Select all

[libdefaults] 
   default_realm = SPARKS.CITY
  
   [realms] 
   SPARKS.CITY = { 
        kdc = CityNT1.SPARKS.CITY
   }

/etc/samba/smb.conf

Code: Select all

# Separate domain and username with '+', like DOMAIN+username 
[global] 
        netbios name = cwit2
 # I recommend the same name as the server. 
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384 
	# Tweak this to get the best speed out of your connection 
        idmap uid = 10000-20000
	 # This is for mapping uids between linux server and AD 
        winbind enum users = yes 
	# This allows you to bind users. 
        winbind gid = 10000-20000 
	# This is for mapping gids between linux server and AD 
        workgroup = LANGROUP
	# Change to match the NETBIOS name of the AD domain. 
        os level = 20 
	# This is for the master browser priority. 
        winbind enum groups = yes 
	# This allows you to use the Active Directory groups 
	#        socket address = 1.2.3.4 
	# Change this to match the IP address or remove it to listen to all addresses. 
        password server = *
	# I recommend this if you have more than one server; I do in my case. 
        preferred master = no 
	# You do NOT want to be a master browser. 
        winbind separator = + 
	# See the first line comment. 
        max log size = 50 
	# In K 
        log file = /var/log/samba3/log.%m 
	# This allows logging activities for each machine. 
        encrypt passwords = yes 
	# Active directory does NOT accept plaintext passwords. 
        dns proxy = no 
	# You don't want anything to do with DNS. 
        realm = SPARKS.CITY
	 # This is for kerberos. 
        security = ADS
	# Active directory server provides security for the shared resources. 
        #wins server = 1.2.3.4 
	# Change to IP address of your installed WINS server 
        wins proxy = no 
	# You don't want to proxy WINS either. 

# Shares section 
[downloads]  # Name of the share. 
        comment = downloads 
	# A comment... 
        writeable = yes 
	# If you want users to update the directory 
        path = /home/jason/Downloads 
	# Where is the share on the linux server 
        force user = jason 
	# Should be the name of the user who is responsible for the share.

[arkane]

Shame samba 3.x can't be an AD server on it's own

[kiko555]

When I follow the step .....
do this command :kinit Administrator@mail.hcp.com
I got this:

kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

Anything I do wrong??
I had modify the /etc/krb5.conf like below:

[libdefaults]
ticket_lifetime = 600
default_realm = EXAMPLE.COM
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
EXAMPLE.COM = {
kdc = mail.hcp.com:88
admin_server = mail.hcp.com:749
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[rinacabj]

I'm having an error when I do

Code: Select all

ldapsearch -D "o=<top level of active directory>" -W "uid=Administrator" -h <IP address of the Active Directory server>

after I enter the correct password, I get

Code: Select all

ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece

[ElCondor]

I'm stuck at Step 3 (trying if krb5 works) with the following error:

Code: Select all

backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials

Does anyone know how I can solve this? I googled around but found no solution that works here

* ElCondor pasa *

[Martz]

I had problems getting this working too.

However, I changed in smb.conf:
password server = *

to

password server = CHOICE2K

(CHOICE2K being the NETBIOS name of the Windows 2000 domain controller). Also make sure you have a DNS entry in your /etc/hosts file.

I set mine to pa55w0rd (thinking that this entry was a PASSWORD for accessing the server.. or something.. obviously not )

So yesterday I installed Gentoo from a stage 1, and today I have got Samba working using winbind against our existing Windows 2000 domain

[ElCondor]

Thanks for the hint, but the error happens with kinit, so it's not (yet) a samba problem, something with kerberos seems to be wrong. as far as I found at google, something with the "principals" - but I got no idea what I should enter there

* ElCondor pasa *

[GenTimJS]

I followed the directions as best I could in the original post.

I successfuly created a share, which is accessible via active directory.
I have admin access on both the linux box, the AD servers, and AD clients.

However, on the linux box running samba, the winbindd stuff doesnt seem to work, and doesnt generate any errors.

Furthermore, no winbindd script was created in /etc/init.d/

??

[bdraw]

I'm stuck at Step 3 (trying if krb5 works) with the following error:

Code: Select all

backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials

Does anyone know how I can solve this? I googled around but found no solution that works here *

I am getting the same error, the funny thing is that mine was working but now it's not.

Ben

[bdraw]

I'm stuck at Step 3 (trying if krb5 works) with the following error:

Code: Select all

backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials

Does anyone know how I can solve this? I googled around but found no solution that works here *

I am getting the same error, the funny thing is that mine was working but now it's not.

Ben

I had the wrong domain name duh! Now it works

[ElForesto]

I found this out the hard way.

If you didn't edit your make.conf to add ldap and kerberos and you run an emerge world, expect things to break. FAST. Just finished rebuilding it after I couldn't figure out what I did.

[Martz]

Furthermore, no winbindd script was created in /etc/init.d/

??

What is the best way to get winbind to startup with samba? I have to run prompt# winbindd from the shell each time from boot

Looking in /etc/conf.d/samba it has the following lines:

Code: Select all

smbd_start_options="-D"
smbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- ${smbd_start_options}"
smbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid"
smbd_reload="killall -HUP smbd"

nmbd_start_options="-D"
nmbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
nmbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid"
nmbd_reload="killall -HUP nmbd"

winbind_start_options=""
winbind_start="start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- ${winbind_start_options}"
winbind_stop="start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/winbindd"
winbind_reload="killall -HUP winbindd"

Is there anything I can tweak to make winbindd start from this script?

[Martz]

OMG I'm an idiot..

winbind can be started automagically by looking at the second line of /etc/conf.d/samba

Change:

Code: Select all

daemon_list="smbd nmbd"

To:

Code: Select all

daemon_list="smbd nmbd winbind"

And thats it, it works!

[theonlymcc]

Ok. I setup this according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean can I map drives now? What is the advantage of setting this whole thing up. Sorry for the n00b question.