# How to integrate Samba into Active Directory (UPDATED).

## maalth

How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff). Updated 13 Apr 2004.

Alright, I'll have to go on my notes; I did this on Thanksgiving Day, so I may not remember everything I did. Anyway, here goes:

Active Directory should already be implemented and working.  If you need help, there's plenty of help on the net.

Your Windows system should be secured and patched.

You have Gentoo Linux installed, of course.

With the config files, you need to change example.com to match your domain.

Okay, now the basics are done, let's begin the install process.

Step 1: Emerge openldap.  No configuration is necessary.  However, AD support will not be compiled into samba without it.

Step 2: Emerge mit-krb5.  Configure the file /etc/krb5.conf as follows:

```
[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
        kdc = adserver.example.com
   }
```

Add this line to /etc/hosts:

```
1.2.3.4    adserver.example.com   adserver
```

You need this to make sure you can connect to the AD server, even when DNS is down.

Notes about this config file: do NOT change the case of EXAMPLE.COM, because you will get the following error message: "Cannot find KDC for requested realm while getting initial credentials". Also, do NOT comment the config file, because the kerberos client will not read the config file correctly.

Step 3: We will stop here and test kerberos to ensure you can see the AD domain. Type in this command:

```
kinit Administrator@EXAMPLE.COM
```

It will ask for the password; if you type it in correctly, you will be returned to the prompt, which means it worked. Pat yourself on the back. You've done the easy part!

Step 4: We are now going to emerge samba.  You can do this one of two ways:

Add kerberos and ldap to the USE flags in your make.conf file. Emerge samba using the following command:

```
emerge samba
```

OR

Type in the following command: 

```
USE="kerberos ldap" emerge samba
```

IMPORTANT: kerberos and ldap MUST be included, winbind will NOT work without those flags!

Use the command

```
emerge -pv samba
```

The resulting line should look similar to this (this is on my system):

```
[ebuild   R   ] net-fs/samba-3.0.2a -acl +cups +kerberos +ldap +mysql -oav +pam +python +readline +xml  127 kb
```

Simply put, pick option 1 or 2; samba takes a little time to compile and install.  Once samba is installed, you need to configure it.  You can use this example samba file:

```
# Separate domain and username with '+', like DOMAIN+username

[global]
        # I recommend the same name as the server.
        netbios name = SERVERNAME
        # Tweak this to get the best speed out of your connection.
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        # This is for mapping uids between the linux server and AD.
        idmap uid = 10000-20000
        # This allows you to bind users.
        winbind enum users = yes
        # This is for mapping gids between the linux server and AD.
        winbind gid = 10000-20000
        # Change to match the NETBIOS name of the AD domain.
        workgroup = WORKGROUP
        # This is for the master browser priority.
        os level = 20
        # This allows you to use the Active Directory groups.
        winbind enum groups = yes
        # Change this to match the IP address, or remove it to listen on all addresses.
        socket address = 1.2.3.4
        # I recommend this if you have more than one server; I do in my case.
        password server = *
        # You do NOT want to be a master browser.
        preferred master = no
        # See the first line comment.
        winbind separator = +
        # In KB.
        max log size = 50
        # This allows logging activities for each machine.
        log file = /var/log/samba3/log.%m
        # Active Directory does NOT accept plaintext passwords.
        encrypt passwords = yes
        # You don't want anything to do with DNS.
        dns proxy = no
        # This is for kerberos.
        realm = EXAMPLE.COM
        # The Active Directory server provides security for the shared resources.
        security = ADS
        # Change to the IP address of your installed WINS server.
        wins server = 1.2.3.4
        # You don't want to proxy WINS either.
        wins proxy = no

# Shares section

# Name of the share.
[mp3]
        # A comment...
        comment = MP3 Repository
        # If you want users to update the directory.
        writeable = yes
        # Where the share is on the linux server.
        path = /home/mp3
        # Should be the name of the user who is responsible for the share.
        force user = mp3
```

Step 5: Fire up samba; check to make sure it's running.

```
/etc/init.d/samba start
```

Step 6: Join your samba server to your domain by typing in this command:

```
net ads join -U Administrator
```

It will ask you for a password; type your password in. If you typed it in correctly, you will see the message that says: Joined 'SERVERNAME' to realm 'EXAMPLE.COM'. If you check your AD server, the machine account for your system will appear under Computers.

Step 7: We are going to test winbind to ensure windows authentication does indeed work.  Winbind allows you to use Active Directory for user authentication (see link 2 for more info).  The steps for using and testing winbind are gleaned from link 2.

You need to edit the file /etc/nsswitch.conf. You need to change two lines to look like this (other lines removed to keep this post as short as possible):

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind
```

Let's test the winbindd daemon before we make it permanent.  Fire up winbindd by typing

```
winbindd
```

You can also make winbindd run as two processes (which is faster; but for these purposes, let's run it as one). Winbindd runs in dual daemon mode by default.

Since there is no visual confirmation whether or not it's running, you can check with ps to ensure it is indeed running.

```
ps -ae | grep winbindd
```

The results should be something similar to this:

```
13324 ?        00:04:23 winbindd
13325 ?        00:00:00 winbindd
```

If you get an error message instead of the above, then you didn't compile kerberos and ldap support in, and you need to do that before anything will work.

Let's make sure we can see the contents of Active Directory.  Type in this command:

```
wbinfo -u
```

These are the results from my system (changed for integrity); yours should be similar.

```
EXAMPLE+test <- test account on AD
EXAMPLE+test2 <- test account on AD
EXAMPLE+Administrator
EXAMPLE+Guest
EXAMPLE+TsInternetUser
EXAMPLE+krbtgt
EXAMPLE+MACHINE1$ <- test machine 1
EXAMPLE+MACHINE2$ <- test machine 2
EXAMPLE+MACHINE3$ <- test machine 3
EXAMPLE+HOST/servername <- samba machine
EXAMPLE+DOMAINCONTROLLER$
```

To see the groups, use this command:

```
wbinfo -g
```

You should see a result similar to this:

```
EXAMPLE+Domain Computers
EXAMPLE+Domain Controllers
EXAMPLE+Schema Admins
EXAMPLE+Enterprise Admins
EXAMPLE+Cert Publishers
EXAMPLE+Domain Admins
EXAMPLE+Domain Users
EXAMPLE+Domain Guests
EXAMPLE+Group Policy Creator Owners
EXAMPLE+DnsUpdateProxy
```

We can get a username from both the local linux server and the Active Directory server by typing in this command:

```
getent passwd
```

I will not post the results of this command for security reasons, but you should see a list of local users with the Active Directory users appended.

For groups, type in:

```
getent group
```

I will not post the results of this command for security reasons, but you should see a list of local groups with the Active Directory groups appended.

I would suggest reading the info in link 2 for more things you can do with other authentication with AD.

If everything has worked as above, pat yourself on the back!  Good job!

Step 8: If you didn't configure a share yet, do so now. You need to restart samba if you created a share.

You should join any machine you want to access the samba resources to your Active Directory Domain. Use a machine that's joined to the AD domain to see if your share appears via network neighborhood.

If you want samba and winbind to run on startup, type in the following commands:

```
rc-update add samba default
rc-update add winbind default
```

That's it for now, any problems, something is unclear, or questions, let me know and I will do my best to help you.

Resources:

The samba/ADS howto: http://us1.samba.org/samba/docs/man/domain-member.html#ads-member

Helpful info for winbind: http://us1.samba.org/samba/docs/man/winbind.html
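As an added example (not code from the post or from Samba), here is a small Python checker that reads the three files configured in the steps above and flags the mistakes the steps warn about: a realm that is not upper-case (the "Cannot find KDC" error), an smb.conf realm that does not match krb5.conf, a security mode other than ADS, missing idmap ranges, and a nsswitch.conf without winbind. The sample file contents are constructed to mirror the post's values; point the parsers at the real files to use it on a server.

```python
"""Offline consistency check for krb5.conf, smb.conf and nsswitch.conf."""
import configparser
import re

# Constructed samples mirroring the post's values; not from a live system.
KRB5_CONF = """\
[libdefaults]
   default_realm = EXAMPLE.COM
[realms]
   EXAMPLE.COM = {
        kdc = adserver.example.com
   }
"""
SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        security = ADS
        encrypt passwords = yes
        idmap uid = 10000-20000
        winbind gid = 10000-20000
"""
NSSWITCH_CONF = """\
passwd:      compat winbind
group:       compat winbind
"""

def parse_krb5(text):
    """Minimal krb5.conf reader: returns (default_realm, {realm: [kdc, ...]})."""
    section = realm = default_realm = None
    realms = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"\[(\w+)\]$", line)
        if head:
            section, realm = head.group(1), None
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = val
        elif section == "realms":
            if val == "{":                 # "REALM = {" opens a realm block
                realm = key
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and key == "kdc":
                realms[realm].append(val)
    return default_realm, realms

def parse_smb(text):
    """smb.conf is INI-like; Samba tolerates repeated keys, hence strict=False."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string("\n".join(l.strip() for l in text.splitlines()))
    return cp

def parse_nsswitch(text):
    """Returns {database: [source, ...]}."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, sources = line.partition(":")
            dbs[name.strip()] = sources.split()
    return dbs

def check_configs(krb5_text, smb_text, nss_text):
    """Returns a list of findings; an empty list means the three files agree."""
    findings = []
    default_realm, realms = parse_krb5(krb5_text)
    if default_realm is None:
        findings.append("krb5.conf: no default_realm in [libdefaults]")
    else:
        if default_realm != default_realm.upper():
            findings.append("krb5.conf: default_realm %r is not upper-case; kinit fails "
                            "with 'Cannot find KDC for requested realm'" % default_realm)
        if not realms.get(default_realm):
            findings.append("krb5.conf: no kdc listed for realm %r" % default_realm)
    smb = parse_smb(smb_text)
    glob = smb["global"] if smb.has_section("global") else {}
    if glob.get("security", "").upper() != "ADS":
        findings.append("smb.conf: security must be ADS for an AD member server")
    if glob.get("realm") != default_realm:
        findings.append("smb.conf: realm %r differs from krb5.conf default_realm %r"
                        % (glob.get("realm"), default_realm))
    for key in ("idmap uid", "idmap gid"):
        # Samba 3.0 still accepts the older 'winbind uid' / 'winbind gid' spelling.
        val = glob.get(key) or glob.get(key.replace("idmap", "winbind")) or ""
        rng = re.match(r"(\d+)-(\d+)$", val)
        if not rng or int(rng.group(1)) >= int(rng.group(2)):
            findings.append("smb.conf: %s must be a range such as 10000-20000" % key)
    nss = parse_nsswitch(nss_text)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append("nsswitch.conf: %s lacks winbind, so getent will not show AD entries" % db)
    return findings
```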

----------

## PoLiPiE

and the rest????

----------

## floam

Nice.

----------

## maalth

Sorry, I was finishing up the doc.  I had to move from the Windoze machine to my linux machine because my config files were there.

----------

## maalth

*PoLiPiE wrote:*

> and the rest????

It's done.

----------

## Tom.Fischer

Okay, now it's ready   :Embarassed: 

Hi,

Complementary to the original poster, here is my solution for authenticating users against the Active Directory. First you need the ad4unix kit. You can download it from http://www.padl.com/download/MKSADPlugins.msi. Install it on your AD schema server and everywhere you add new users. Make sure that you have the rights to update the schema on the AD server. Here is a short description of how to enable schema updates:

```
regsvr32 c:\winnt\system32\schmmgmt.dll
Open a new MMC and add Active Directory Schema
Right-click on it and go to Operations Master
Activate the checkbox "The Schema may be modified on this Domain Controller"
```

Note: you have to install the extensions only on the schema master, the one that owns the FSMO role "Schema Master". The snap-in you have to install on all computers where you want to add new users.

You must add a user for every host which should authenticate in your AD, and run this command to get a keytab file:

```
ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab
```

Copy the keytab in a secure way to your Linux host.

On the Linux side do the following, assuming that you followed the hints in the first post (if not, install kerberos and openldap with the USE flags mentioned above. NOTE: you don't need Samba for the authentication to work):

```
emerge pam
emerge nss_ldap
emerge pam_ldap
```

If you want sasl (for cyrus imapd for example) also emerge cyrus-sasl.

```
USE="ldap kerberos pam" emerge cyrus-sasl
```

Edit /etc/krb5.conf to the following and change things to your needs :Cool: :

```
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = dc.example.com:88
  admin_server = dc.example.com:464
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
```

Now you should be able to obtain a ticket from the AD server. Test it with

```
kinit user
klist
```

You should get back something like this:

```
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM:
Valid starting     Expires            Service principal
07/16/02 13:01:03  07/16/02 23:01:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
```

If this works, we install the keytab file created earlier on the AD server.

```
ktutil
  rkt <host>_keytab
  list
  wkt /etc/krb5.keytab
  q
```

Place this line in crontab:

```
0       */2     *       *       *       /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache
```

Edit /etc/nsswitch.conf to look something like this:

```
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:     ldap files
group:      ldap files
shadow:     ldap files
```

Now edit /etc/ldap.conf:

```
host dc.example.com
base dc=example,dc=com
binddn cn=host,ou=OrganisationUnit,dc=example,dc=com
scope one
#use_sasl on
# SASL authorization ID
sasl_auth_id nssldap/proxysrv
nss_base_passwd ou=OrganisationUnit,dc=example,dc=com?one
nss_base_shadow ou=OrganisationUnit,dc=example,dc=com?one
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
```

I have an Organisation Unit in AD for my users, so I'm not using the Users OU. Change this to your needs. Notice that I have disabled SASL here because I had problems with local logins and SASL; maybe I will have a deeper look at this later, but saslauthd -a pam works without it! :Very Happy:

Last but not least, copy the necessary pam.d configurations from /usr/share/doc/pam_ldap/pam.d to your /etc/pam.d and gunzip them.

Note: I'm still not able to log in over ssh. I don't know why; sshd always returns

```
Failed password for user from xxx.xxx.xxx.xxx port 44732 ssh2
```

login and imap work for me. Maybe later I will have a closer look, but I don't need it this time.

Have fun.

Most of this stuff is from:  http://www.hut.fi/cc/docs/kerberos/nss_ldap.html

----------

## maalth

While your solution is a good one, what I was writing was a doc to set up file sharing on a Linux server, but using Active Directory to authenticate. I apologize if what I wrote is misleading.

----------

## Tom.Fischer

Thx, I saw it as an addition to yours.

----------

## karwoski

Thanks for the guide.  I made it through all the steps and the gentoo machine shows up on my network now but when I try to view the shares on it I get prompted for login credentials.  Is there another step or something I've missed?

----------

## maalth

Actually, if you don't log on to the domain, it won't ask for credentials.  I'll double check to be sure.

** Update **

Yes, I am correct... you do have to log on to the domain for the credentials to be "pass through". You can always map a drive letter to the share and permanently remember the password, as long as group policy doesn't stop you from doing it.

----------

## karwoski

I'm not sure I follow you.  Here's what I'm trying to do:  My workstation is joined to an Active Directory domain and I've got a Linux box that I joined to the domain following the above instructions.  When I browse from my Windows 2000 workstation to \\linuxbox\, I get prompted for a username and password.  Regardless of what username/pass I give it (domain\username and pass; username and pass) I can't view the shares on the linux box.

----------

## maalth

Are you logged into the domain?  Did you create a username/password on the AD server?  Try that, it may help.

----------

## karwoski

Yeah, I'm logged into the domain. What type of environment are you using this setup in, anything similar to my previous post or is it a bit different?

----------

## maalth

My AD server is a vmware machine.  It shouldn't make a difference though.  As long as all the machines on the network can see it, you should be fine.  In addition, the machine should be joined to the AD directory.  Something definitely strange is going on.

----------

## karwoski

OK. I'll keep playing with it as I have time and if I get it figured out I'll post what I find.  Thanks.

----------

## TheZog

I'm attempting to convert an office from mostly Win2k to mostly Linux; however, the servers have to stay Win2k. So I'm trying to use the Active Directory to authenticate all users regardless of OS.

I've been all through Google looking for an up-to-date step-by-step or at least some instructions; so far this is one of the best I've seen.

Is the ad4unix.msi really necessary? I'm loath to make changes to our schema. Are there issues with using the default one?

I must say that although I've been using Linux as both workstation and server for the past 4 years, I am unfamiliar with LDAP and modifying PAM or using NIS.

Oh, and I can't find the file "ktpass" even though I have mit-krb5 installed.

Any help would be great!

----------

## Lightspeed

TheZog: the "ktpass" command is something to be executed on the windows server, not on the linux box, hence the reason you can't find it on the linux machine.

I'm trying to work my way through setting up AD authentication for linux clients as well but getting errors referring to:

"/lib/libnss_ldap.so.2: undefined symbol: __db185_open"

I thought I had gone through all the steps above, but this error appears all over the place now  :Sad: 

----------

## TheZog

Ok thanks, I see that ktpass thing now that I've reread the doc a few times.

However I'm still confused on some issues.

In the line:

```
ktpass -princ nssldap/<hostname> -pass password -mapuser <account> -out <host>_keytab
```

What exactly do the variables <hostname> <host> <account> stand for? The workstation's hostname? If so is that FQDN? I'm a bit lost.

I have kinda the same question in regards to the crontab section:

```
0       */2     *       *       *       /usr/bin/kinit -k -c /etc/.ldapcache -S ldap/dc.example.com nssldap/host && chmod a+r /etc/.ldapcache
```

Should nssldap/host = nssldap/wkstn01 or whatever my workstation's hostname is?

Why do we need to create a USER account on the AD server for the workstation? Can't we just add it to the domain with Samba3?

Also I had to add "TLS_REQCERT allow" to my ldap.conf file because  the SSL enabled ldapsearches would fail with a Could not find/connect to server error. I'm not sure if that's due to my not having the keytab file installed or not, probably...

I really do appreciate the help. I have a limited amount of time to demo a working MS replacement desktop using Linux before the boss decides just to spend several tens of $k on MS licenses instead. Most of my tests are going ok except for

1) An easy way to map a user's homedir to their previous //win2kserver/userdata/{userid} share.

2) Getting an ODBC connection to a MS-SQL server to work for a Wine app.

It's gonna be a long weekend....

----------

## backjackII

I get the following error while trying to to test whether password is accepted by the domain KDC:

```
mojo:/etc # kinit Administrator
Administrator@mydomainname.com's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
```

Here is my configuration. I have, of course, changed mydomainname.com to my actual name.

```
[libdefaults]
        default_realm = MYDOMAINNAME.COM
        #clockskew = 300

[realms]
        MYDOMAINNAME.COM = {
                kdc = ad.mydomainname.com
        }

[domain_realm]
        .mydomainname.com = mydomainname.com
        #mydomainname.com = mydomainname.com

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }
```

----------

## ritjobbie

I followed the above tutorial. However, I still have problems... I have successfully joined the Linux box to the domain. I now am trying to create a share on the Linux box that can be accessed by users of our Win2k AD environment. When you try to map the share, it just keeps asking for the username and password over and over. kinit works fine on the Linux box. I can connect to a Windows share in the domain from the Linux box with transparent passthrough via smbclient, but what I really need to happen is in the opposite direction. I have no idea what the errors in my samba log mean (below).

Am I making a n00b mistake?  Does Coyboyneal own me?

Below are my smb.conf, krb5.conf, and the output of /var/log/samba3/log.blah:

smb.conf

```
# Separate domain and username with '+', like DOMAIN+username

[global]
netbios name = PHASERTEST
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
workgroup = MAIN
os level = 20
winbind enum groups = yes
password server = *
preferred master = no
winbind separator = +
max log size = 512
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = MAIN.AD.SOMEDOMAIN.EDU
security = ADS
wins server = ?.?.3.95
wins proxy = no
winbind use default domain = no

[pub]
        comment = pub test
        writeable = yes
        path = /pub
```

krb5.conf

```
[libdefaults]
        default_realm = MAIN.AD.SOMEDOMAIN.EDU

[realms]
        MAIN.AD.SOMEDOMAIN.EDU = {
                kdc = svits03.SOMEDOMAIN.edu
                kdc = svits04.SOMEDOMAIN.edu
                kdc = svits15.SOMEDOMAIN.edu
        }
```

/var/log/samba3/log.?.?.13.196 (these same messages repeat about 40 times a second for a few seconds).  svits13 is the Windows machine that I was trying to map a share on.  The share is shared from \\phasertest\pub.  cosdss is my username (domain admin on AD).

```
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
```

This was in /var/log/samba3/log.svits13 (again, svits13 is the WINS name of a windows box)

```
[2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!
```

Again, I just want Windows users to be able to get to a share on this Linux box.  Help?

~Jay

----------

## ritjobbie

WORD UP!  I got it working.  I had to add winbind to the /etc/pam.d/samba config file, duh.

*whew*
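As an added example (not part of the thread), here is a small Python triage script for smbd log lines of the shape quoted a few posts above. It pairs each `[date, level] file:function(line)` header with its indented message, counts which domain principals smbd reported as "invalid on this system" from reply_spnego_kerberos, and separates user from machine accounts; a burst of these means the Kerberos ticket was accepted but the DOMAIN-user name could not be mapped to a local account, so the place to look is winbindd, nsswitch.conf and /etc/pam.d/samba (the fix reported just above), not the KDC. The log lines are constructed after the quoted ones.

```python
"""Triage of smbd log lines: which domain principals failed local mapping."""
import re
from collections import Counter
from datetime import datetime

# Constructed after the lines quoted above; not a real capture.
SAMPLE_LOG = """\
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-SVITS13$ is invalid on this system
[2004/03/04 09:23:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:23:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
  Username MAIN.AD.SOMEDOMAIN.EDU-cosdss is invalid on this system
[2004/03/04 09:25:56, 0] auth/auth_util.c:make_server_info_info3(1100)
  make_server_info_info3: pdb_init_sam failed!
"""

# Samba 3 writes a header line "[date time, level] file:function(line)"
# followed by the message itself on an indented line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+)$")
INVALID = re.compile(r"^Username (\S+) is invalid on this system$")

def parse_smbd_log(text):
    """Return a list of (timestamp, level, location, message) tuples."""
    events, header = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                      int(m.group(2)), m.group(3))
        elif header is not None and raw.startswith(" "):
            events.append(header + (raw.strip(),))
            header = None
    return events

def triage(text):
    """Summarise name-mapping failures seen during Kerberos (SPNEGO) session setup."""
    events = parse_smbd_log(text)
    failures = Counter()
    stamps = []
    for ts, _level, where, msg in events:
        m = INVALID.match(msg)
        if m and "reply_spnego_kerberos" in where:
            failures[m.group(1)] += 1
            stamps.append(ts)
    names = sorted(failures)
    report = {
        "count": sum(failures.values()),
        "unmapped_users": [n for n in names if not n.endswith("$")],
        "unmapped_machines": [n for n in names if n.endswith("$")],
        "span_seconds": (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0,
        "pdb_init_sam_failed": any("pdb_init_sam failed" in msg for *_, msg in events),
    }
    if report["count"]:
        # smbd got past ticket verification and then failed to turn DOMAIN-user
        # into a local account: check winbindd, nsswitch.conf and pam_winbind in
        # /etc/pam.d/samba rather than the KDC.
        report["diagnosis"] = "kerberos ok, local name mapping failed"
    else:
        report["diagnosis"] = "no mapping failures"
    return report
```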

----------

## xavior2180

ritjobbie:  how did you configure your /etc/pam.d/samba file?

i've edited mine so now i have the following:

```
auth       required     /lib/security/pam_winbind.so nodelay
account    required     /lib/security/pam_winbind.so service=system-auth
session    required     /lib/security/pam_winbind.so service=system-auth
password   required     /lib/security/pam_winbind.so nodelay smbconf=/etc/samba/smb.conf
```

I basically just changed where it had smbpass.so or pam_stack.so to pam_winbind.so, but I have the same problem as you had initially, where it wouldn't accept a username from the windows domain. I don't think this is what I'm supposed to have in there exactly, and I couldn't find any documentation for what to put exactly, even in the samba manual.

----------

## ritjobbie

```
#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
```

I still can't get /etc/pam.d/login right so that users can log in to a console.  I haven't tried playing with /etc/pam.d/ssh yet.  Also, for me it takes about 2 or 3 minutes before someone can access a samba share after winbind starts up.  I restarted winbind and thought that I had broken something, but it just takes forever to do its business with AD or something...

~Jay

----------

## xavior2180

*ritjobbie wrote:*

> ```
> #%PAM-1.0
> ...
> ```

THANKS! It works like a charm now :Smile:

I wasn't really concerned about the other services as I was about the samba server, though. I don't get the delay that you're talking about, but if I set permissions on the AD server on a shared folder, it does seem to take a little while for the permissions to propagate.

----------

## ritjobbie

If anyone does have a working /etc/pam.d/login that allows console logins, please let me know (or just post here).  I have been trying to get it working for a while now, but I suck.  This thread was a ton of help, but I am just missing something, I think...

I'm going to try netatalk next.  =)

~Jay

----------

## MartinSt

Hi, I have spent more than two weeks finding out the main bells and whistles of deploying a Linux machine as a Samba server in an MS W2K3 AD environment, so I would like to share my experience here. I suppose this could help to add some important details to the previous postings in this thread and to summarize the whole process. As I am not an expert in this area, I still do not thoroughly understand many relevant things, so please be tolerant.

Installation goals:

* use Kerberos for user authentication to the system and for access to the samba shared directories 

* use encrypted access to the LDAP interface of the MS Active Directory 

Useful debugging tools:

Ethereal - **THIS IS A MUST-HAVE TOOL HERE** - for tracing communication between your Linux machine and the AD server

http://www.ethereal.com/

LDAP browser - for accessing the AD through ldap and viewing information stored there (you can see the same information in the MS ADSI Editor, too). You can use it to check the directory structure and for reading/editing the information stored there. I am using the Java LDAP browser from this page:

http://www.iit.edu/~gawojar/ldap/

Unfortunately, this browser doesn't play well with the blackdown-jdk, but works fine with the sun-jdk.

strace (dev-util/strace) - debugging utility, which intercepts and records the system calls called by a process and the signals which are received by a process. For example, to find out, which files are opened during execution of the getent passwd command, you can use this command:

```
strace -e open getent passwd
```

Windows Software

Microsoft Services For Unix, or SFU (current version is 3.5). You can download this software (approx. 350MB) on this site:

http://www.microsoft.com/windows/sfu/downloads/default.asp

(You have to be registered on the MS .net passport before downloading.) In previous posts the AD4UNIX software was recommended, but it seems to be abandoned now, while the MS SFU is free now and still developing.

During the installation of the MS SFU choose only the "Server for NIS" option. This will extend the AD schema and install the MMC snap-in (similar to the AD4UNIX one). Verify that you are able to create users with UNIX attributes and inspect those users from the LDAP side. When the installation is finished and the server is restarted, you can test the functionality of the SFU MMC snap-in and verify the SFU attributes in the LDAP browser. As the NIS server will not be needed, stop the Server for NIS service and change its startup type to Manual.

Note: The Server for NIS service, among other things, performs password synchronization between Kerberos and the LDAP msSFU30Password attribute. Synchronized passwords are however truncated to 8 characters and they aren't well encrypted; that's another reason to stop the Server for NIS service.

Needed packages to emerge:

samba - make sure, that it's the 3.x version

openssl - needed for ssl

openldap - we will need this for client ldap searches

cyrus-sasl - Simple Authentication and Security Layer - for basic encryption of ldap binds and searches

ntp - We will use the ntp-client for time synchronization (for proper Kerberos functioning)

mit-krb5 - the MIT Kerberos

pam - the Pluggable Authentication Module base

pam_krb5 - kerberos pam module (note that the pam_ldap module will not be needed). There are some problems emerging the 1.0 version; see other posts on these forums. It seems to have problems with password change, too.

nss_ldap - LDAP module for name switch system (enables redirection of searches for users, groups, etc. to ldap)

Note: Make sure that nss_ldap is compiled with the --enable-schema-mapping parameter enabled, otherwise it will be of no use here.

Let's assume the following initial configuration:

MS Windows Server:

Servername: SFUSRV

AD Domain: DC=SFU,DC=ACME,DC=COM

DNS Name: sfusrv.sfu.acme.com

Server's IP address: 192.168.1.20

Configuration details:

* Windows 2003 Server 

* Active Directory (Directory Master)

* DNS&DHCP integrated into AD

* WINS service 

* Local clock synced to a ntp server 

* If you plan to use SSL, also Enterprise Certification Authority would be handy (to issue certificates for SSL).

Sample users: 

First Name: Tom 

Last Name: Sawyer 

User logon name: toms@sfu.acme.com

Password: PASSword. 

LDAP distinguished name: cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com 

First Name: Huck 

Last Name: Finn 

User logon name: huckf@sfu.acme.com

Password: PASSword. 

LDAP distinguished name: cn=Huck Finn,cn=Users,dc=sfu,dc=acme,dc=com

Gentoo Linux:

Hostname: Gent 

DNS Name: gent.sfu.acme.com 

IP address: 192.168.1.28 

Configuration details:

* USE settings: kerberos ldap samba sasl ssl  (set them in the /etc/make.conf; I recommend to use the ufed tool for this)

* ACCEPT_KEYWORDS="~x86" (set them in the /etc/make.conf, too) - in this way, the latest available packages for the intel platform will be installed. 

Kerberos configuration

Before Kerberos is configured, make sure that you have synchronized the local clock with the ntp server. You can do it using the ntp-client module. Its configuration file is /etc/conf.d/ntp-client.

```
# /etc/conf.d/ntp-client
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/net-misc/ntp/files/ntp-client.confd,v 1.2 2003/09/19 17:50:37 vapier Exp $

# Command to run to set the clock initially
NTPCLIENT_CMD="ntpdate"

# Options to pass to the above command
NTPCLIENT_OPTS="-b tik.cesnet.cz"
```

To configure the Kerberos client side, we need to make the needed settings in the /etc/krb5.conf file:

```
# etc/krb5.conf
[libdefaults]
#       renew_lifetime = 18000
        default_realm = SFU.ACME.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_lookup_realm = true
        dns_lookup_kdc = true
        clockskew = 120

[realms]
        SFU.ACME.COM = {
        kdc = sfusrv.sfu.acme.com:88
        admin_server = sfusrv.sfu.acme.com:464
        }

[domain_realm]
        .sfu.acme.com = SFU.ACME.COM
        sfu.acme.com = SFU.ACME.COM

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefaults]
 pam = {
   debug = false
   forwardable = true
   krb4_convert = false
 }
```

You can test the functionality of Kerberos by requesting an initial ticket for a Windows user from the Kerberos server, using the kinit command:

```
gent root # kinit toms
Password for toms@SFU.ACME.COM:
gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: toms@SFU.ACME.COM

Valid starting     Expires            Service principal
03/25/04 14:46:58  03/26/04 00:47:02  krbtgt/SFU.ACME.COM@SFU.ACME.COM
        renew until 03/26/04 14:46:58
```

Once you have a working Kerberos client configuration, you'll probably want to be able to log into your system using your Kerberos password. Since we don't have LDAP working yet, you should add a local entry for your username to the passwd and shadow files, but set your crypted password in /etc/shadow to *K*, the community standard to indicate that the password comes from Kerberos.

```
#/etc/passwd
.
.
huckf:x:10004:10004:Local AD user:/home/huckf:/bin/bash
```

```
#/etc/shadow
.
.
huckf:*K*:10004:0:::::
```

Kerberos principal and Kerberos keytab

Now, we need to create a Kerberos principal and a corresponding keytab file for our Linux workstation on the Windows server. Let's choose one of the Windows user accounts for this. The Kerberos Service Principal attribute for the Linux computer will be added to this user account.

BEWARE: It is not tolerable to create a Kerberos Service Principal with the same name in more than one user account. In such a case, Kerberos would not be able to authenticate it correctly.

The following command has to be performed for each Linux computer on a different user account:

```
C:> ktpass -princ nssldap/gent@SFU.ACME.COM -pass PASSword. -mapuser toms@SFU.ACME.COM -out gent_keytab
Targeting domain controller: sfusrv.sfu.acme.com
Successfully mapped nssldap/linux to toms.
Key created.
Output keytab to gent_keytab:
Keytab version: 0x502
keysize 49 nssldap/linux@SFU.ACME.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xd34c57321fd334b5)
Account toms has been set for DES-only encryption.
```

The keytab file (in this case gent_keytab) resulting from this command must be securely transferred to the Linux computer. As the next step, it should be merged into the existing local keytab file:

```
gent root # ktutil
ktutil:  rkt gent_keytab
ktutil:  list
slot KVNO Principal
---- ---- -------------------------------------------------------
   1    3                    nssldap/gent@SFU.ACME.COM
ktutil:  wkt /etc/krb5.keytab
ktutil:  q
```

Automatic updating of the Kerberos ticket

Let's now create a script for automatic update of the Kerberos ticket for the LDAP. After the command execution, the root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated. 

/sbin/kerbinit.sh

```
#!/bin/sh
# Obtain a service ticket for the LDAP server using the host's own keytab:
# -k authenticates with the key in /etc/krb5.keytab (no password needed),
# -S names the service principal the ticket is requested for.
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent
# The cache is written as root; keep it readable by root only.
chmod 600 /tmp/krb5cc_0
```

Check the results of this script. You can use the klist command to check the tickets in the Kerberos cache file. Note that the default location of this file is /tmp/krb5cc_[uid] (here for the user root it is the file /tmp/krb5cc_0).

```
gent root # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nssldap/gent@SFU.ACME.COM

Valid starting     Expires            Service principal
03/25/04 16:10:27  03/26/04 02:10:26  ldap/sfusrv.sfu.acme.com@SFU.ACME.COM
        renew until 03/26/04 16:10:27
```

You should add this script to the root's crontab file (/var/spool/cron/crontabs/root). The following example will call kerbinit.sh every 2 hours:

```
# /var/spool/cron/crontabs/root
# /etc/crontab
.
.
# minute 0 of every second hour ("* */2" would run it every minute of those hours)
0 */2 * * *      sh /sbin/kerbinit.sh
```

Furthermore, it is necessary to run kerbinit.sh at boot of the computer. In this way, the Linux computer will have a valid Kerberos ticket for access to the LDAP. So let's add it to the /etc/conf.d/local.start file:

```
.
.
# This is a good place to load any misc.
# programs on startup ( 1>&2 )
sh /sbin/kerbinit.sh
```

LDAP configuration

Another important step is to make correct settings in the LDAP config file. In Gentoo Linux there are actually two LDAP config files - /etc/ldap.conf and /etc/openldap/ldap.conf respectively. If you want to use only one file for the LDAP configuration (in this case there is nothing wrong about that), you can make a symbolic link between them, for example:

```
ln -s /etc/ldap.conf /etc/openldap/ldap.conf
```

You can also try to set a system variable to determine which file will be used for the LDAP configuration (by adding the relevant line to the /etc/env.d/00basic file):

```
LDAPCONF="/etc/ldap.conf"
```

The following is an example of the /etc/ldap.conf file:

```
host sfusrv.sfu.acme.com
base dc=sfu,dc=acme,dc=com
# scope one
scope sub
# binddn cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# bindpw PASSword.
# rootbinddn cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com
# rootbind password is in the /etc/ldap.secret
# nss_map_objectclass shadowAccount user
# nss_map_attribute userPassword msSFU30Password
nss_map_objectclass posixAccount user
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute uid msSFU30Name
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos msSFU30Gecos
nss_map_objectclass posixGroup group
nss_map_attribute gid msSFU30Name
nss_map_attribute uniqueMember msSFU30PosixMember
# nss_map_attribute uniqueMember member
# nss_map_attribute memberUid msSFU30MemberUid
pam_login_attribute msSFU30Name
pam_filter objectclass=User
pam_password ad
nss_base_passwd cn=Users,dc=sfu,dc=acme,dc=com
# nss_base_passwd dc=sfu,dc=acme,dc=com
nss_base_shadow dc=sfu,dc=acme,dc=com
nss_base_group cn=Users,dc=sfu,dc=acme,dc=com
# nss_base_group dc=sfu,dc=acme,dc=com
# computer accounts live in AD's default cn=Computers container
nss_base_hosts cn=Computers,dc=sfu,dc=acme,dc=com
use_sasl on
sasl start_tls
# ssl on
# tls_cacertfile /etc/ssl/certs/cacert.cer
# sslpath /etc/ssl/certs/
# krb5_ccname FILE:/etc/.ldapcache
```

In the ldap.conf file you can see lines beginning with "nss_map_attribute", which are used to map the internal unix attributes of users, groups, etc. to the attributes available in the Active Directory after the expansion of its schema by the MS Services for UNIX.

The lines beginning with "nss_base_passwd" and "nss_base_group" determine the bases (or contexts in the LDAP tree) from which searches for users and groups are made. You can enter more than one base here. By the proper setting of the search bases, we can make LDAP searches more effective. Note that if nss_ldap was not compiled using the --enable-schema-mapping parameter, attribute mapping will not take place and the LDAP searches will be performed for the original unix parameters.

The lines containing binddn, bindpw and rootbinddn (credentials for the authentication to the LDAP directory) are commented out here, as Kerberos authentication will be used.

The line beginning with scope determines whether the child parts of the LDAP contexts should be searched too (sub - search in all sub-contexts, one - search only the current context).

The ending part of the ldap.conf file contains settings for the sasl authentication (Simple Authentication and Security Layer) and basic encryption tls (Transport Layer Security).

To set up the ssl encryption, you have to make the Linux computer trust the ssl certificate of the LDAP server, otherwise you can find the Unknown CA error message in the captured ssl handshake packets (use Ethereal for it).

I am not sure what the proper procedure for making Linux trust the ssl certificate is. One of the promising solutions could be to copy the files named *.db from the working profile directory of the Mozilla browser to the /etc/ssl/certs directory. But first, you have to point Mozilla to the secure LDAP port of the server and accept its certificate permanently.

Testing LDAP access

You can test different modes of access to the LDAP directory using the ldapsearch command. Output of this command should be a list of LDAP objects (and their attributes) which are matched by the LDAP request (in the following example it is objectclass=user). In the beginning, try to enter most of the parameters explicitly on the command line - in this way the /etc/ldap.conf settings are bypassed. For debugging, you can also add the parameter -d N, where N is the debug level (for example -d 5):

```
gent root # ldapsearch -x -s one -b "dc=sfu,dc=acme,dc=com" -D "cn=Tom Sawyer,cn=Users,dc=sfu,dc=acme,dc=com" \
> -w PASSword. objectclass=user
```

If your configuration file is correct, you can perform the same search without entering most of the parameters. Moreover, you can pipe its output to the grep command, to write out only the lines containing for example the string msSFU30Name. In this way, the result will contain only the lines containing login names of the matched users:

```
gent root # ldapsearch objectclass=user | grep msSFU30Name
```

The communication between the Linux computer and the LDAP server can be traced using Ethereal. I am assuming that Ethereal is run on the Windows server, as otherwise there is no need to install xfree on the Linux computer. It is convenient to filter captured packets in Ethereal using the input filter - to capture only packets containing the ip address of the Linux computer:

```
ip host gent
```

You should investigate those packets to be sure that there is no unencrypted data relating to the LDAP information in the packets. You can also check if the LDAP bind is using the Kerberos authentication - by looking at the packet containing the bind request. Expand its part named Lightweight Directory Access Protocol, Bind Request. If the Kerberos authentication was used, the following sub-sections should be present there:

```
GSS-API Token
   GSS-API
      krb5_blob
         Kerberos
            Ticket
```

In the Ticket section, you can also check parameters of the Kerberos ticket (Realm, Service Name, Name)

The Name Switch System

Now, it is necessary to configure the Linux system to look for the user and group information in the LDAP directory, too. This should be made in the /etc/nsswitch.conf file by adding the keyword ldap to the lines for passwd and group.

```
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files ldap
shadow:      files
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

Note: The searches are made sequentially. The order of the searched databases is determined by their position (from the left) on the line of the /etc/nsswitch.conf file. For example, if you put "passwd: files ldap" there, at first the /etc/passwd file is parsed and then a search is performed in the LDAP directory. The results of the search are reported in the same order.

You can test the functionality of the NSS by using for example the getent or id command:

```
gent root # getent passwd
root:x:0:0:root:/root:/bin/bash
.
.
toms:x:10003:10002:Tom Sawyer:/home/toms:/bin/sh
gent root # id toms
uid=10003(toms) gid=10002(tstgroup) groups=10002(tstgroup)
```

The getent passwd command should print the list of users extracted from the /etc/passwd file, followed by the list of users acquired from the LDAP directory. 

The PAM configuration

To be able to authenticate users via Kerberos, you have to add the Kerberos authentication module to the PAM configuration files. There are several configuration files; their names correspond to the names of the programs which perform the user authentication. I am listing here the most common PAM configuration files. These files are located in the /etc/pam.d directory. So you should append the lines referring to the pam_krb5.so module.

Note: The sufficient control token defines that for a successful authentication it is sufficient to be authenticated by the specified pam module (even in a case when authentication made by previous "required" modules failed). The try_first_pass parameter instructs the pam module that the password supplied to the previous pam module should be tried first. In this way, another prompt for the password will not be invoked. To debug the pam modules, you can also add the debug parameter, which will cause logging of the debug messages into the log file (/var/log/auth.log).

/etc/pam.d/login

```
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_krb5.so
account    required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_krb5.so
password   required     /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_krb5.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
```

/etc/pam.d/sshd

```
#%PAM-1.0
auth       sufficient   /lib/security/pam_krb5.so debug
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_krb5.so debug
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_krb5.so
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
```

/etc/pam.d/system-auth

```
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       sufficient   /lib/security/pam_unix.so try_first_pass likeauth nullok
auth       required     /lib/security/pam_deny.so
account    sufficient   /lib/security/pam_krb5.so debug
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_krb5.so debug
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    sufficient   /lib/security/pam_krb5.so
```

The samba configuration

The samba configuration is located in the main configuration file /etc/samba/smb.conf. Following is the example of the smb.conf for the example MS network and the SFUSRV Windows 2K3 server.

/etc/samba/smb.conf

```
# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = GENT
        server string = %h server (Samba %v)
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        workgroup = SFU
        os level = 10
        socket address = 192.168.1.28
        preferred master = no
        winbind separator = +
        max log size = 512
        log file = /var/log/samba3/log.%m
        dns proxy = no
        realm = SFU.ACME.COM
        security = ADS
        encrypt passwords = yes
        password server = sfusrv.sfu.acme.com
        wins server = 192.168.1.20
        wins proxy = no

# Shares section
[SharedDir]
        comment = Shared directory
        writeable = yes
        path = /home/share
        force user = huckf
```

Before you can use samba, you have to add your Linux computer to the Windows domain. It should be done by the net ads join command.

```
gent root # net ads join -U Administrator
Administrator password:
Using short domain name -- SFU
Joined 'GENT' to realm 'SFU.ACME.COM'
```

After the successful execution of this command, you can check if the Linux computer is present in the list of the domain computers in the MMC (Active Directory Users and Computers) on the Windows 2003 server.

Final configuration

In the end, the needed services and daemons should be added to the list of the services launched at startup at the Linux computer. You should add these:

* ntp-client - for the time synchronization

* samba - for sharing files via the SMB protocol

* nscd (Name Service Cache Daemon) - for alleviating the communication with the LDAP server and for speed-up of the LDAP searches

Use the rc-update command to accomplish this:

```
rc-update add ntp-client default
rc-update add samba default
rc-update add nscd default
```
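The note on the sufficient and try_first_pass tokens above is easiest to check by walking the stacks. This is an added example (not from the post, and not Linux-PAM code): a small simulator of the control flags over constructed copies of the auth lines from the /etc/pam.d/login and /etc/pam.d/system-auth files shown, following the pam.conf(5) semantics, with module outcomes supplied per scenario to model an AD user, a local user, a wrong password and a failed required module.

```python
"""Simulate Linux-PAM control flags over the "auth" stacks of the post.

Added example, not part of the thread or of Linux-PAM. The two stacks are
constructed copies of the auth lines from /etc/pam.d/login and
/etc/pam.d/system-auth above; module outcomes are supplied per scenario.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

LOGIN_AUTH = """
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
"""
SYSTEM_AUTH = """
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_krb5.so try_first_pass
auth       sufficient   /lib/security/pam_unix.so try_first_pass likeauth nullok
auth       required     /lib/security/pam_deny.so
"""


@dataclass
class Rule:
    control: str
    module: str                      # basename, e.g. "pam_krb5.so"
    args: List[str] = field(default_factory=list)


def parse_auth_stack(text: str) -> List[Rule]:
    """Keep the 'auth' lines; drop comments and the /lib/security/ prefix."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        rules.append(Rule(fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]))
    return rules


STACKS = {"login": parse_auth_stack(LOGIN_AUTH),
          "system-auth": parse_auth_stack(SYSTEM_AUTH)}


def run_stack(service: str, results: Dict[str, str], trace: List[str]) -> str:
    """Classic Linux-PAM semantics (see pam.conf(5)):
    required   - a failure is remembered (the first one wins) but the stack goes on
    requisite  - a failure ends the stack at once
    sufficient - success ends the stack with PAM_SUCCESS, unless a required
                 module has already failed; a failure is simply ignored
    optional   - ignored here (it only matters as the sole module of a stack)
    pam_stack.so service=X runs stack X, which is how these files chain.
    """
    first_failure = None
    for rule in STACKS[service]:
        if rule.module == "pam_stack.so":
            sub = next(a.split("=", 1)[1] for a in rule.args if a.startswith("service="))
            ret = run_stack(sub, results, trace)
        else:
            trace.append(rule.module)
            if rule.module == "pam_deny.so":
                ret = PAM_PERM_DENIED                       # pam_deny always fails
            else:
                ret = results.get(rule.module, PAM_SUCCESS)  # unmodelled modules pass
        if rule.control == "required":
            if ret != PAM_SUCCESS and first_failure is None:
                first_failure = ret
        elif rule.control == "requisite":
            if ret != PAM_SUCCESS:
                return first_failure or ret
        elif rule.control == "sufficient":
            if ret == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS
        elif rule.control != "optional":
            raise ValueError(f"unsupported control flag: {rule.control}")
    return first_failure or PAM_SUCCESS


def authenticate(service: str, results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (final result, modules consulted in order)."""
    trace: List[str] = []
    return run_stack(service, results, trace), trace


if __name__ == "__main__":
    scenarios = {
        "AD user, Kerberos password OK": {"pam_krb5.so": PAM_SUCCESS},
        "local user, no principal": {"pam_krb5.so": PAM_AUTH_ERR, "pam_unix.so": PAM_SUCCESS},
        "wrong password everywhere": {"pam_krb5.so": PAM_AUTH_ERR, "pam_unix.so": PAM_AUTH_ERR},
        "root on insecure tty, Kerberos OK": {"pam_securetty.so": PAM_AUTH_ERR,
                                               "pam_krb5.so": PAM_SUCCESS},
    }
    for name, outcome in scenarios.items():
        result, consulted = authenticate("login", outcome)
        print(f"{name}: {result} via {' -> '.join(consulted)}")
```

The last scenario is the one worth keeping in mind: a success from a sufficient pam_krb5 does not rescue a login once a required module earlier in the same stack has failed.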

----------

## MartinSt

I have found one more useful tip to add to my previous post. It was presented on the Novell Brainshare conference last week. 

To automatically create home directories for the AD users in the time of their first login, you can add the following line to the  /etc/pam.d/system-auth  file (most pam.d configuration files point back to the system-auth file):

```
session   required   /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
```

You should have the skeleton /etc/skel directory, of course.

----------

## KsE

I've been following the posts here, and getting info from www.samba.org and I can't get it to work.

All I need is for users logging in to a linux box to be authenticated via an active directory server.

I can connect with kerberos and I can join the domain, but I get an error when I do this:

```
# wbinfo -u
Error looking up domain users
```

I can't figure out what's going on here. Can someone please help me? I can post any config files that are needed.

-KsE

----------

## maalth

Some questions first:

Did you remember to start samba and winbindd?  Winbindd is the tool that handles the authentication.  Without it, it won't work.

Do you have a file called system-auth-winbind in the directory /etc/pam.d?

It should have been installed when you emerged samba.

Did you edit /etc/nsswitch.conf?

I can't think of any other questions at the moment, but you can contact me.  I will be home all night.

 *KsE wrote:*   

> I've been following the posts here, and getting info from www.samba.org and I can't get it to work.
> 
> All I need is for users logging in to a linux box to be authenticated via an active directory server.
> 
> I can connect with kerberos and I can join the domain, but I get an error when I do this:
> ...

 

----------

## jcummins

With this method, can permissions be placed on shares via Windows?

----------

## KsE

Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf

```
passwd:      compat winbind
shadow:      compat
group:       compat winbind
```

I can auth with kerberos and I can join the domain. Doing wbinfo -u doesn't work though.

----------

## maalth

 *jcummins wrote:*   

> With this method, can permissions be placed on shares via Windows?

 

To be honest, I'm not sure.  I never thought to use it that way.  I did it so that I can listen to my mp3 collection from either my laptop or desktop.  I don't see why it won't work.  Obviously you can't see unix accounts from windows, but I don't see why setting up shares wouldn't work.  I can test it next week.  I can't this week because I'm leaving for NYC in two days to fill out paperwork for the NYPD and won't be home until Monday.

----------

## maalth

 *KsE wrote:*   

> Yes, I started samba and winbind and they both start just fine. I have system-auth-winbind in /etc/pam.d and I also copied those contents to system-auth. I added this to /etc/nsswitch.conf
> 
> ```
> 
> passwd:      compat winbind
> ...

 

One more question, by chance are you running nscd?  If you are, you need to stop and disable it.  Winbind will not work if nscd is running.  If not please PM me your config files...  the files I would like to see are:

/etc/krb5

/etc/smb.conf

----------

## KsE

krb5.conf:

```
[libdefaults]
        #ticket_lifetime = 600
        ticket_lifetime = 24000
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
        EXAMPLE.COM = {
                kdc = ads.example.com:88
                admin_server = ads.example.com:749
                #kdc = kerberos.example.com:88
                #kdc = kerberos2.example.com:88
                #admin_server = kerberos.example.com:749
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

# the section name MIT Kerberos reads is "appdefaults" (with the trailing s)
[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }
```

smb.conf:

```
[global]
   workgroup = EXAMPLE
   server string = Samba Server %v
   log file = /var/log/samba3/log.%m
   max log size = 50
   hosts allow = 102.168.1.
   map to guest = bad user
   security = ads
   password server = *
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   winbind use default domain = yes
   realm = EXAMPLE.COM
   template homedir = /home/%D/%U
   obey pam restrictions = yes
   template shell = /bin/bash
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
```

I changed my PDC with EXAMPLE. I got the smb.conf by "cat smb.conf | grep -v '#' | grep -v ';'"

I don't believe I'm using nscd. I didn't see it using "ps auxf". It's there, just not started.
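A consistency check over the two files just posted, as an added example (not Samba's or MIT's own tooling), reading constructed, trimmed copies of them: it reports the mismatches this thread keeps hitting (realm vs. default_realm and its case, security mode, password server discovery, winbind id ranges) together with a hosts allow entry outside RFC 1918 space and single-DES enctypes.

```python
"""Cross-check an smb.conf / krb5.conf pair for an AD member server.
Added example, not Samba's or MIT's own tooling; the two strings are
constructed, trimmed copies of the files posted above."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

SMB_CONF = """
[global]
   hosts allow = 102.168.1.
   security = ads
   password server = *
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   realm = EXAMPLE.COM
"""
KRB5_CONF = """
[libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
        EXAMPLE.COM = {
        kdc = ads.example.com:88
        }
[domain_realm]
        .example.com = EXAMPLE.COM
"""

Conf = Dict[str, Dict[str, Any]]


def parse_conf(text: str) -> Conf:
    """[section] headers, 'key = value' lines, '#'/';' comments, and one level of
    'NAME = { ... }' nesting (krb5.conf [realms]); section and key names are
    lower-cased, nested block names (realm names) keep their case."""
    conf: Conf = {}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                block = key
                conf[section].setdefault(block, {})
            elif block is not None:
                conf[section][block][key.lower()] = value
            else:
                conf[section][key.lower()] = value
    return conf


def prefix_to_network(entry: str) -> Optional[ipaddress.IPv4Network]:
    """Samba prefix form '192.168.1.' -> 192.168.1.0/24; plain IP/CIDR pass through."""
    if entry.endswith("."):
        octets = entry.rstrip(".").split(".")
        if len(octets) > 3 or not all(o.isdigit() for o in octets):
            return None
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None                              # hostnames / EXCEPT: not checked here


def check_ad_member(smb: Conf, krb: Conf) -> List[str]:
    """Return 'CODE: explanation' findings; an empty list means nothing to report."""
    out: List[str] = []
    g, lib = smb.get("global", {}), krb.get("libdefaults", {})
    realm, default_realm = g.get("realm", ""), lib.get("default_realm", "")
    if g.get("security", "").lower() != "ads":
        out.append("SECURITY_NOT_ADS: Kerberos logons to AD need 'security = ads'")
    if realm != realm.upper():
        out.append(f"REALM_CASE: realm '{realm}' must be upper case")
    if realm != default_realm:
        out.append(f"REALM_MISMATCH: smb.conf realm '{realm}' != krb5 default_realm '{default_realm}'")
    if "kdc" not in krb.get("realms", {}).get(realm, {}):
        out.append(f"NO_KDC: krb5.conf [realms] lists no kdc for '{realm}'")
    if krb.get("domain_realm", {}).get("." + realm.lower()) != realm:
        out.append(f"NO_DOMAIN_REALM: [domain_realm] does not map .{realm.lower()} to {realm}")
    if g.get("password server") == "*":
        out.append("PASSWORD_SERVER_AUTO: '*' finds the DC via DNS; name the DC if that lookup fails")
    for key in ("winbind uid", "winbind gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(key, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            out.append(f"BAD_IDMAP_RANGE: '{key}' must be LOW-HIGH with LOW < HIGH")
    for entry in g.get("hosts allow", "").replace(",", " ").split():
        net = prefix_to_network(entry)
        if net is not None and not net.is_private:
            out.append(f"HOSTS_ALLOW_PUBLIC: '{entry}' is not an RFC 1918 network; check for a typo")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.startswith("des-")]
        if weak:
            out.append(f"WEAK_ENCTYPE: {key} still permits single DES ({' '.join(weak)})")
    return out
```

Run `check_ad_member(parse_conf(SMB_CONF), parse_conf(KRB5_CONF))` and it comes back with the hosts allow, password server and enctype findings only; the realm and security settings in the posted pair are consistent, which narrows the wbinfo problem down to discovery and name resolution rather than the Kerberos side.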

----------

## Diezel

 *KsE wrote:*   

> I've been following the posts here, and getting info from www.samba.org and I can't get it to work.
> 
> All I need is for users logging in to a linux box to be authenticated via an active directory server.
> 
> I can connect with kerberos and I can join the domain, but I get an error when I do this:
> ...

 

Did you find a solution to this? I'm having the same problem.

----------

## Diezel

This is REALLY weird. I got tired of trying so I shut down the computer. Tried to sleep but this kept bothering me, came back, booted up and now it works. Don't have a clue why.

Anyway thanks.

//Diezel

----------

## Frozensun

```
[/]> wbinfo -u
Error looking up domain users
```

EDIT:  This is a win2003 domain controller

still doesn't work for me

/etc/krb5.conf

```
[libdefaults]
   default_realm = SPARKS.CITY

[realms]
   SPARKS.CITY = {
        kdc = CityNT1.SPARKS.CITY
   }
```

/etc/samba/smb.conf

```
# Separate domain and username with '+', like DOMAIN+username
[global]
        netbios name = cwit2
        # I recommend the same name as the server.
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        # Tweak this to get the best speed out of your connection
        idmap uid = 10000-20000
        # This is for mapping uids between linux server and AD
        winbind enum users = yes
        # This allows you to bind users.
        winbind gid = 10000-20000
        # This is for mapping gids between linux server and AD
        workgroup = LANGROUP
        # Change to match the NETBIOS name of the AD domain.
        os level = 20
        # This is for the master browser priority.
        winbind enum groups = yes
        # This allows you to use the Active Directory groups
        # socket address = 1.2.3.4
        # Change this to match the IP address or remove it to listen to all addresses.
        password server = *
        # I recommend this if you have more than one server; I do in my case.
        preferred master = no
        # You do NOT want to be a master browser.
        winbind separator = +
        # See the first line comment.
        max log size = 50
        # In K
        log file = /var/log/samba3/log.%m
        # This allows logging activities for each machine.
        encrypt passwords = yes
        # Active directory does NOT accept plaintext passwords.
        dns proxy = no
        # You don't want anything to do with DNS.
        realm = SPARKS.CITY
        # This is for kerberos.
        security = ADS
        # Active directory server provides security for the shared resources.
        # wins server = 1.2.3.4
        # Change to IP address of your installed WINS server
        wins proxy = no
        # You don't want to proxy WINS either.

# Shares section
[downloads]
        # Name of the share.
        comment = downloads
        # A comment...
        writeable = yes
        # If you want users to update the directory
        path = /home/jason/Downloads
        # Where is the share on the linux server
        force user = jason
        # Should be the name of the user who is responsible for the share.
```


----------

## arkane

Shame samba 3.x can't be an AD server on its own.

----------

## kiko555

When I follow the step .....

do this command :kinit Administrator@mail.hcp.com

I got  this:

 *Quote:*   

> kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

 

Anything I do wrong??

I had modified the /etc/krb5.conf like below:

 *Quote:*   

> [libdefaults]
> 
>         ticket_lifetime = 600
> 
>         default_realm = EXAMPLE.COM
> ...

 

----------

## rinacabj

I'm having an error when I do

```
ldapsearch -D "o=<top level of active directory>" -W "uid=Administrator" -h <IP address of the Active Directory server>
```

after I enter the correct password, I get

```
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece
```

----------

## ElCondor

I'm stuck at Step 3 (trying if krb5 works) with the following error:

```
backup1 samba # kinit Administrator@MYCOMPANY.COM
kinit(v5): KRB5 error code 68 while getting initial credentials
```

Does anyone know how I can solve this? I googled around but found no solution that works here.

* ElCondor pasa *

----------

## Martz

I had problems getting this working too.

However, I changed in smb.conf:

password server = * 

to

password server = CHOICE2K

(CHOICE2K being the NETBIOS name of the Windows 2000 domain controller). Also make sure you have a DNS entry in your /etc/hosts file.

I set mine to pa55w0rd (thinking that this entry was a PASSWORD for accessing the server.. or something.. obviously not)

So yesterday I installed Gentoo from a stage 1, and today I have got Samba working using winbind against our existing Windows 2000 domain.

----------

## ElCondor

Thanks for the hint, but the error happens with kinit, so it's not (yet) a samba problem; something with kerberos seems to be wrong. As far as I found on google, something with the "principals" - but I have no idea what I should enter there.

* ElCondor pasa *

----------

## GenTimJS

I followed the directions as best I could in the original post.

I successfully created a share, which is accessible via active directory.

I have admin access on both the linux box, the AD servers, and AD clients.

However, on the linux box running samba, the winbindd stuff doesn't seem to work, and doesn't generate any errors.

Furthermore, no winbindd script was created in /etc/init.d/ 

??

----------

## bdraw

 *ElCondor wrote:*   

> I'm stuck at Step 3 (trying if krb5 works) with the following error:
> 
> ```
> backup1 samba # kinit Administrator@MYCOMPANY.COM
> 
> ...

 

I am getting the same error, the funny thing is that mine was working but now it's not.

Ben

----------

## bdraw

 *bdraw wrote:*   

>  *ElCondor wrote:*   I'm stuck at Step 3 (trying if krb5 works) with the following error:
> 
> ```
> backup1 samba # kinit Administrator@MYCOMPANY.COM
> 
> ...

 

I had the wrong domain name duh! Now it works

----------

## ElForesto

I found this out the hard way.

If you didn't edit your make.conf to add ldap and kerberos and you run an emerge world, expect things to break. FAST. Just finished rebuilding it after I couldn't figure out what I did.

----------

## Martz

 *GenTimJS wrote:*   

> 
> 
> Furthermore, no winbindd script was created in /etc/init.d/ 
> 
> ??

 

What is the best way to get winbind to startup with samba? I have to run prompt# winbindd from the shell each time from boot.

Looking in /etc/conf.d/samba it has the following lines:

```
smbd_start_options="-D"
smbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/smbd -- ${smbd_start_options}"
smbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/smbd.pid"
smbd_reload="killall -HUP smbd"

nmbd_start_options="-D"
nmbd_start="start-stop-daemon --start --quiet --exec /usr/sbin/nmbd -- ${nmbd_start_options}"
nmbd_stop="start-stop-daemon --stop --quiet --pidfile /var/run/samba/nmbd.pid"
nmbd_reload="killall -HUP nmbd"

winbind_start_options=""
winbind_start="start-stop-daemon --start --quiet --exec /usr/sbin/winbindd -- ${winbind_start_options}"
winbind_stop="start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/winbindd"
winbind_reload="killall -HUP winbindd"
```

Is there anything I can tweak to make winbindd start from this script?

----------

## Martz

OMG I'm an idiot..

winbind can be started automagically by looking at the second line of /etc/conf.d/samba

Change:

```
daemon_list="smbd nmbd"
```

To:

```
daemon_list="smbd nmbd winbind"
```

And that's it, it works!

----------

## theonlymcc

Ok. I setup this according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean can I map drives now? What is the advantage of setting this whole thing up. Sorry for the n00b question.

----------

## Martz

 *theonlymcc wrote:*   

> Ok. I setup this according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean can I map drives now? What is the advantage of setting this whole thing up. Sorry for the n00b question.

 

The advantage is that your Gentoo machine now is a pretend Windows NT/2000 server which can let all of your domains users save their files etc.  You do not have to create a linux username and password which is identical to the one in the domain - authentication is passed through the Gentoo samba server to your existing Windows Active Directory Server. 1 centralised place for authentication, 1 set of user/passwords.

So the more people in your organisation - the greater the benefit. You also do not require a licence for each user connecting to the Samba server afaik.

----------

## maalth

 *Martz wrote:*   

> OMG I'm an idiot..
> 
> winbind can be started automagically by looking at the second line of /etc/conf.d/samba
> 
> Change:
> ...

 

You can have winbind start automagically by typing this simple command....

/etc/init.d/winbind add default

Much much simpler.

----------

## maalth

 *Martz wrote:*   

>  *theonlymcc wrote:*   Ok. I setup this according to the nice setup guide at the beginning of this thread. I have joined the domain. Now, what is the point of it? I mean can I map drives now? What is the advantage of setting this whole thing up. Sorry for the n00b question. 
> 
> The advantage is that your Gentoo machine now is a pretend Windows NT/2000 server which can let all of your domains users save their files etc.  You do not have to create a linux username and password which is identical to the one in the domain - authentication is passed through the Gentoo samba server to your existing Windows Active Directory Server. 1 centralised place for authentication, 1 set of user/passwords.
> 
> So the more people in your organisation - the greater the benefit. You also do not require a licence for each user connecting to the Samba server afaik.

 

Couldn't have said it better myself.

----------

## Martz

 *maalth wrote:*   

> 
> 
> You can have winbind start automagically by typing this simple command....
> 
> /etc/init.d/winbind add default
> ...

 

Hrm, for some reason I cannot add it through rc-update. On my home machine I can, but for some reason on my work Gentoo box I can't (which is why I spent so much time figuring out the work around!  :Smile: )

```
jupiter root # rc-update add winbind default
 * /sbin/rc-update: /etc/init.d/winbind not found; aborting.
jupiter root # ls /etc/init.d/w* -lha
-rwxr-xr-x  1 root root 859 Jul 19 11:04 /etc/init.d/webmi
```

```
jupiter root # rc-update -s
             apache2 |      default
            bootmisc | boot
          bootsplash |
             checkfs | boot
           checkroot | boot
               clock | boot
         consolefont | boot
         crypto-loop |
               cupsd |
        dansguardian |      default
          domainname | boot default
              hdparm |
            hostname | boot
             hotplug |      default
            iptables |      default
             keymaps | boot
               local |      default nonetwork
          localmount | boot
     mit-krb5kadmind |
         mit-krb5kdc |
             modules | boot
               mysql |      default
              nagios |
            net.eth0 |      default
              net.lo | boot
            netmount |      default
                nrpe |
                nsca |
                nscd |
          ntp-client |
                ntpd |      default
             numlock |      default
           rmnologin | boot
              rsyncd |      default
               samba |      default
              serial | boot
               slapd |
              slurpd |
               snmpd |
               squid |      default
                sshd |      default
           syslog-ng |      default
             urandom | boot
          vixie-cron |      default
              webmin |      default
```

----------

## Smilez:)

I have a problem. I followed the guide and got most computers mapping the samba shares using ADS. However, only win2k and prior work; my winxp pro machines don't authenticate. I get

```
Failed to verify incoming ticket!
```

in the log for the machine.

I've checked everything over 3 times and I can't see anything wrong. Is there something I have to do different for the winxp pro machines to work?

SMilez:)

----------

## lord_ph

I'm getting this error, what can I be doing wrong?

```
kinit(v5): KDC reply did not match expectations while getting initial credentials
```

any ideas?

thanks

----------

## GenTimJS

Everything configured exactly as described. kinit works, samba is up.

```
bash-2.05b$ sudo net ads join -U Administrator
Administrator's password:
[2004/08/16 11:13:06, 0] libads/kerberos.c:ads_kinit_password(136)
  kerberos_kinit_password Administrator@DOMAIN.NET failed: KDC has no support for encryption type
```

? any tips?

----------

## annunaki2k2

Hi,

I've followed these instructions to the word, and haven't had a single error related to the process. I can list users and groups in the directory and have no errors returned using kinit. I can even map network drives.

But I can't browse them. Using gnome I get an error "The attempt to log in failed", and from the prompt you just get permission denied, regardless what user you try to access them with.

Is there anything I am doing wrong?

Thanx in advance   :Smile: 

----------

## lord_ph

I found out the answer to my own question... and to anybody else who is getting the error I had:

 *Quote:*   

> kinit(v5): KDC reply did not match expectations while getting initial credentials 

 

The solution is really simple... so simple that you'll hit yourself on the head. When doing your kinit, make sure you do the realm in UPPER CASE.

```
kinit lord_ph@EXAMPLE.COM
```

i hope this helps more people than me.   :Wink: 

----------

## thisboyiscrazy

does anyone know how can I get samba to set the DNS Name property in AD to the FQDN instead of just the hostname when I do a "net join"?

Thanks

----------

## m4chine

I thought I'd document that I got this error because the time difference between my samba server and domain server was greater than 5min.

```
kinit(v5): Clock skew too great while getting initial credentials
```

hope it helps someone.

----------

## zurd

In the middle of setting a Gentoo box with Samba/ldap/kerberos/winbind with a Windows 2000 Server acting as a PDC.  Followed the guide and here's what I think should be updated in the How-to :

Step 2

In /etc/krb5.conf, the How-to doesn't say what to do about the [domain_realm] section.

Step 4

In /etc/samba/smb.conf the "socket address" field says "to match the IP address" but doesn't tell which IP address we're talking about.  More clarification would be much appreciated about this option.

Step 6

After running the "net ads join -U Administrator" command, it took us 15 minutes here to see our samba server in the Active Directory Server, would be nice to say in the How-to that it might take some time to see it.

I also found the reason : "If your network has backup domain controllers, it will take up to 15 minutes for the new computer account to propagate to the BDCs." at this URL http://us3.samba.org/samba/docs/using_samba/ch09.html

Step 8

if "rc-update add winbind default" fails saying :

"/sbin/rc-update: /etc/init.d/winbind not found; aborting" just change /etc/conf.d/samba to show : daemon_list="smbd nmbd winbind"

I'm still struggling to make it all work, I just want 1 share where only 1 specific group from the Windows 2000 Active Directory can access, so maybe I'll find more updates.  But overall, great how-to, I love it   :Cool: 

----------

## zurd

So, everything has been setup properly (I think so).

I can set in /etc/samba/smb.conf in the Share section the "valid users = " option to give access to the share to only 1 user and this has worked just fine.

But I want to give access to the share to groups, not a user.

So I have set "valid users = TEST+My Group" in the Share section.  But, in Windows XP when trying to access the share, even though I am in the group it keeps asking for a password.  Since I am in the group, it shouldn't ask for a password, right?  Because there is no password for groups, only for users !

Any help ?

[EDIT]

Ok found the solution, if you want to give access to a group, use this syntax :

```
valid users = @WORKGROUP+"Your group here"
```

You have to use the "" after the + sign !  

And do not forget the @ sign !

That would also be great to include in the How-to !  :Smile: 

Last edited by zurd on Tue Feb 01, 2005 8:15 pm; edited 2 times in total

----------

## magnesium

I used this guide as my main information as to how to share a directory on my linux box to AD users, but I've hit several issues. Here's what I'd appreciate clarification on.

1) Is the PAM stuff listed out in other people's posts vital to getting this to work, or is this just another way of getting this to work?

2) How do I get this box to register with the AD DNS so that I can find this server through FQDN requests?

3) In my syslogs I see winbindd output the following which I think may be why this guide is not working for me:

 *Quote:*   

> Ignoring unknown parameter "encrypt password"

 

4) In my syslogs I also see the following which makes me think that stuff is wrong:

 *Quote:*   

> Unable to open new log file /var/log/samba3/log.winbindd: No such file or directory
> 
> winbindd: idmap gid range missing or invalid
> 
> nsswitch/winbindd_util.c:winbindd_param_init(567)
> ...

 

5) Does the MP3 user in this example exist in AD or local to the linux box? Do I even need a local account to manage the share? Does the "shared" directory need a certain chmod group set?

6) When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?

Help with these 6 questions would greatly be appreciated.

----------

## zurd

I'm not an expert yet with all of this Samba+AD, but here's what I would try if I were you :

1) I guess you have to modify PAM, I didn't try if it would work if you don't modify it, but it would be a good thing to include the kerberos modules in some of the PAM file.

2) No idea what FQDN is ... sorry

3) There is a password server string or encrypt password string in /etc/samba/smb.conf, make sure the syntax is right.  In any case you have "encrypt password" written somewhere and causing this bug.

4) do a "touch /var/log/samba3/log.winbindd"

Also in /etc/samba/smb.conf you have options about GID and UID, are you sure you got them right in the configuration file, because it says missing or invalid range.

5) If the user is called "mp3" then it is hosted on the Linux box.  But if it is "WORKGROUP+mp3" then you can be sure it is hosted on the Windows PDC machine.  As shown by wbinfo -g and wbinfo -u which list all the users and groups from the Windows PDC. 

And yes for now do a chmod 777 on your directory, after it is working, you just chmod something else more secure.

6) Might be anything, of course the password is wrong would be the first answer if the username/password box just keeps popping up.  But yes it also means that your linux box is not handling the authentication right, maybe you just need to modify the PAM file to include the kerberos module since Windows is using kerberos.

Hope it helps...

----------

## magnesium

Thanks for the response zurd.

Basically my issues were that I screwed up following the guide. I had "encrypt password" instead of "encrypt passwords", I was missing the line for 

```
winbind enum users = yes
winbind gid = 10000-20000
```

and I had samba3 instead of samba in my log file path (the guide said samba3 but I should have checked before posting).

I included minimal pam support and the above changes and now users can authenticate by mapping to \\netbiosname\sharename but still can't get there by \\server.full.domain.name\sharename because this server is not registering in AD DNS. This form of binding is said to use FQDN (a.k.a. Fully qualified domain names).

I also noticed that I was unable to authenticate to the samba share until my samba box became a local master browser.

Thanks all

----------

## zurd

let's say the name of your PDC is test

can you do "ping test" instead of "ping 192.168.x.x" to ping it ?

If not modify /etc/hosts to make it working, seems like it is the issue here.

----------

## magnesium

What I want to accomplish is to register my linux box into an AD DNS. I've been doing some reading and was hoping that adding a line dhcpcd_eth0="-h myhostname" to the /etc/conf.d/net file would register my box in the AD DNS, but no dice.

I want other computers to be able to ping my linux box by using 

```
ping mylinuxhostname.my.dnsdomain.name
```

I've got the domain name I want to register into in my /etc/dnsdomainname and I am a member server now in the domain. I don't know what else to do to register this server and was hoping someone else here would know (or perhaps it's a samba configuration that I don't know about).

----------

## CopterGuy85

I'm still trying to go through MartinSt's guide to setting things up, so I can't report personal success/failure reports just yet.

But magnesium, I've set up a couple Samba boxes to work with AD, and the only way I was able to get the FQDN to work is to manually set them up in the server's DNS.  Just go to Administrative Tools->DNS->$yourdnsserver->Forward Lookup Zones->$yourdomain and you should see a list of current entries in DNS (you should have at least 1 entry, the domain controller itself).  Right click either on the domain name in the tree view or in the background behind the host list, select "New Host (A)...", and fill in the short name of your box (it lists the FQDN right below so you can check that) and the IP address (probably a good idea to use static IP on your Samba box, because if your IP changes you have to update it in the DNS settings again), and when you're all done click "Add Host."

EDIT: IIRC, my domain controller would sometimes take 15-20 minutes before the DNS service would reflect the changes, so it may take a bit before you'll be able to ping it, or have it show up in the Windows network browser.

Let me know how it turns out  :Smile: 

----------

## erratic

it might be worth pointing out that winbind is not built by default these days, and you need to add 'winbind' to your USE list to get it.

the build does mention that winbind is not enabled by default, which is fine, but as I was using it, and was just updating samba, I expected that the in-place upgrade would work fine.  I didn't expect the winbind binaries going AWOL.

maybe a message stating that you should add the USE entry and a beepy pause drawing your attention and giving you the time to cancel would save you having fileserver downtime?...  ;-/

----------

## cuban

Worked on the first try!

----------

## cuban

Well it almost worked on my first try. When any users try to access the server by doing a \\server_name from their PC, they get a username/pw prompt.

Any idea why?

EDIT: This appears to be only from a Windows 2000 machine. From Win2k3 and XP it works great!

----------

## Deathscythe

I still can't get any windows machine to browse the Samba server. I have already logged into the domain; every time I try to access the Samba server, it asks for the username and password. No matter what username and password I try, it still doesn't authorise it.

 *Quote:*   

> We can get a username from both the local linux server and the Active Directory server by typing in this command:
> 
> ```
> 
> getent passwd
> ...

 

This is supposed to print out a list of usernames from both the linux server and AD. For some reason, it only prints out usernames from the linux server.

----------

## unix

Hi,

Nice documentation THX. But I had no winbind. The new samba needs winbind as a USE flag

```
USE="kerberos ldap winbind" emerge samba
```

regards,

UNIX

----------

## lhurgoyf

 *GenTimJS wrote:*   

> Everything configured exactly as described. kinit works, samba is up.
> 
> bash-2.05b$ sudo net ads join -U Administrator
> 
> Administrator's password:
> ...

 

I got this too, but after using another account which is also an administrator in the AD it worked.

----------

## senzacionale

```
kinit Administrator@EXAMPLE.COM
kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
```

and I use maalth's howto

what did I do wrong?

----------

## Martz

 *senzacionale wrote:*   

> kinit Administrator@EXAMPLE.COM
> 
> kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
> 
> and i use maalth howto
> ...

 

It looks like the same error as on page 3:

 *lord_ph wrote:*   

> i found out the answer to my own question... and to anybody else who is getting the error i had:
> 
>  *Quote:*   
> 
> kinit(v5): KDC reply did not match expectations while getting initial credentials 
> ...

 

----------

## dannycpw

According to http://mailman.mit.edu/pipermail/kerberos/2002-May/000835.html

 *Quote:*   

> You need to change the Administrator password at least once after DC
> 
> promotion.
> 
> Any account that is present before an "upgrade" requires that the
> ...

 

Others, I get error as shown when I do wbinfo -u.

 *Quote:*   

> # wbinfo -u
> 
> Error looking up domain users

 

And only build-in group can be shown when I do wbinfo -g.

 *Quote:*   

> # wbinfo -g
> 
> BUILTIN+System Operators
> 
> ...

 

any idea which part may be going wrong (e.g. pam, smb.conf)?

yours,

Danny

----------

## solomonHk

When using net ads join,... I get ADS support not compiled in.  I can't resolve to the ADDC, and I am able to authenticate.  Any ideas why net ads join fails?

----------

## solomonHk

On my problem:

Found out gentoo would not emerge samba correctly.  It would not, even with modified ebuild, compile in kerberos for ads support.  

Building from binaries atm.

[EDIT]

Everything is operational, with computer added to AD.  Now, when I try to smbmount, I get:

```
23779: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
```

Any Suggestions?

----------

## solomonHk

Some more helpful things I found along the way:

If you want to map a win machine to a mount on your nix: to see if there is an available share out there, use smbclient.

So 

```
smbclient //NETBIOS_NAME/Share
```

Just hitting enter will give you anonymous access.   

```
smbclient //NETBIOS_NAME/Share -U username%password
```

where username and password are from the Windows Network give you whatever access that username has.

I found it easier to create a credentials file called .smbpw that looks like this

```
username = johndoe
password = allstars
```

Then all you need to do to smbclient is:

```
smbclient //NETBIOS_NAME/SHARE -A ~/.smbpw
```

As you can guess, the -A makes smbclient access the file.

To actually mount the share,  make sure smbfs is enabled in your kernel.

Usually under Filesystems > Network Filesystems.

If you created the .smbpw file, to mount the drive all you need to do is create a directory to mount it to:

```
mkdir /Share
```

Then use smbmount

```
smbmount //NETBIOS_NAME/SHARE /Share -o "credentials=/.smbpw,uid=username,gid=username,fmask=644,dmask=755"
```

And if you want to automatically mount on boot, edit your /etc/fstab to include this:

```
//NETBIOS_NAME/SHARE     /Share      smbfs     credentials=/.smbpw,uid=username,gid=username,fmask=664,dmask=775 0 0
```

Just make sure that all of that is on one line in fstab!  

 :Wink: 

Hope this adds some additional support.

----------

## sirlark

Hi there,

Thanks for the great HOWTO, only I can't access my shares...

I can see my Samba Server in the list, but when I try to access it, I am asked for a username and password. I've tried my AD username/password combo, my linux username/password combo, my samba username/password combo, and even the windows administrator and linux root logins. No matter which one I try, I get an error message saying I don't have permission to access the share in question.

"\\SYBILL is not accessbible. You may not have permission to access this network resource."

What have I done wrong??

Thanks

James

----------

## solomonHk

@sirlark

What did you name your shares in the smb.conf?  

For example  my share is setup as

```

[data]

     comment=blah

     path=/test

```

In order to access the share, you should have \\NETBIOSNAME\SHARENAME.  So in my case, it is \\o2_mk_72\data.

I too get the UID/PID request if I try to connect to just the samba server without the share included.  So try that, and see if it works.  If it is still unreachable, if you could, post your share section of your smb.conf.

Thanks

----------

## sirlark

Howdy,

Sorry, should have thought to do this before...

Here is an excerpt of my smb.conf

 *Quote:*   

> 
> 
> [global]
> 
>         netbios name = TEST
> ...

 

I have replaced my actual config with EXAMPLE/TEST, but otherwise this is the whole thing. The problem is not that it asks to authenticate when I try to look at the share, but that it won't authenticate ANYTHING. I have tried every conceivable username/password combo that might be involved and I get diddly. I have also tried to access //TEST/MYSHARE directly... but the same thing happens... I've tried from a win2k box, and a win XP pro box, and a Win2003 Server box, if that makes a difference.

----------

## zurd

```
[myshare]
path = /mnt/baracuda200/mysahre
valid users = root 
```

myshare or mysahre?   :Wink: 

----------

## solomonHk

```
[myshare]
path = /mnt/baracuda200/mysahre
valid users = root 
```

If you want, you can try to see if it will at least connect with a basic configuration:  This will mean setting it to read only = no and making the folder public.

```
[myshare]
     path=/mnt/baracuda200/myshare
     read only = no
     browseable = yes
     create mode = 0770
     public = yes
     writable = yes
```

Should work.  As zurd stated, if that is indeed your share, is the path correct?  That may also cause issues: if it is not mysahre, and you try to access a non-existing folder for a share over a network, the share tries to access the closest related folder, that being /mnt/baracuda200; since that folder is not set up in the smb.conf as a shared resource, it will deny access much the same way it denies access to the entire machine.  

If you were wanting access to the entire filesystem,  you could share path = /,  but that poses serious security issues.

Let me know how things go via thread or PM.

----------

## likid0

I get this double checking of the domain name:

```
[1702]<<GeN@BoX>>~]$ S net ads join -U administrador
[2005/02/01 17:07:32, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password GENTOOBOX$@DEIMOS-SPACE.COM@DEIMOS-SPACE.COM failed: Preauthentication failed
```

my config files are just the same.

```
[libdefaults]
        default_realm = DEIMOS.TV

[realms]
        DEIMOS.TV = {
        kdc = newphobos.deimos.tv
        }
```

Any idea why I get that error? The kinit test works fine.

thnx!!

----------

## zurd

@ likid0

```
[1702]<<GeN@BoX>>~]$ S net ads join -U administrador 
```

Instead, try this and watch for uppercase and typos !

```
net ads join -U Administrator
```

If it still ain't working and you have another user which has Administrator status and privileges try :

```
net ads join -U your_user
```

----------

## likid0

yep I use administrador because the server is in Spanish, but I also tried with Administrador, and with users with privileges, but it's the same answer:

```
ibads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password GENTOOBOX$@DEIMOS-SPACE.COM@DEIMOS-SPACE.COM failed: Client not found in Kerberos database
```

does it have to put two domain names at the end?

GENTOOBOX$@DEIMOS-SPACE.COM@DEIMOS-SPACE.COM looks strange...

duh

Thnx for da help!!

----------

## solomonHk

@ likido

Could you post your /etc/samba/smb.conf and your /etc/krb5.conf?

Looks like there might be an error in one of those files.  If not it may be in your domainname setup locally.

----------

## likid0

yeah I got it w0rking OK now, but when I try to access a share on my linux box from a windows domain computer I get the password prompt, I don't get transparent access. I can do wbinfo -u and S wbinfo -g and they work fine. My config files:

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $
passwd:      compat winbind
shadow:      compat
group:       compat winbind
```

```
more /etc/pam.d/samba
#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
auth       sufficient   /lib/security/pam_winbind.so try_first_pass
account    required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
```

any ideas why i get asked for the password??

thnx!!!!

----------

## solomonHk

@likid0

This may sound redundant,  but are you trying to access just the machine, or the actual share.

In other words,

is it \\LINUX_BOX  or is it \\LINUX_BOX\NAME_OF_SHARE_IN_SMB.CONF?

----------

## likid0

I am trying both, but the result is the same   :Sad: 

winbind is running ok;

```
ps aux | grep win
root      6724  1.0  0.5   8104  3272 ?        Ss   08:11   0:00 winbindd
root      6725  0.0  0.3   7848  2184 ?        S    08:11   0:00 winbindd
```

mf mf I can see my linux box in the AD computers OU, but the authentication is not working duh.

What I see isn't w0rking is:

```
getent passwd
```

I only get the output of the local unix users; no AD users get listed here.

and I also don't get a ticket:

```
$ S kinit Administrador
Password for Administrador@DEIMOS-SPACE.COM: 
[0950]<<GeN@BoX>>~]$ S klist tickets
klist: No credentials cache found (ticket cache FILE:tickets)
```

thnx once more.

----------

## lhurgoyf

I have set up the Samba server properly by using this document and it's working as I expected it would. It's in the domain, shares are visible and usable. But now I want to go one step further and allow windows security. According to the Samba site you should enable ACLs on the linux filesystem to allow windows Security, but I'm wondering if there maybe is another way to accomplish this, maybe by enabling LDAP or so.

Any input would be nice so I can set this up and maybe give an update on the document on the first page.

----------

## likid0

Just to keep you updated:

getent passwd now w0rks ok, I can see the mapping of the users and groups from the AD domain to the linux box, but I still get asked for a password Argg!

----------

## smouge

Thanks a lot for the howto!  Got it working, after some initial errors:

```
net ads join -U Administrator
Feb  8 11:50:30 lnx-netmon2 net:   get_service_ticket: kerberos_kinit_password LNX-NETMON2$@DWNET.HQ.APPLE.NL@DWNET.HQ.APPLE.NL failed: Preauthentication failed
```

This error I resolved by setting the ntp server the same as the one that the AD server is using, and I did a reboot. After this I could join the AD.

```
# getent passwd
```

doesn't show the AD users, and logging in from another windows machine kept on asking for username/password.

This one is solved by updating /etc/nsswitch.conf as stated in the howto and restarting samba/winbindd:

 *Quote:*   

> 
> 
> You need to edit the file /etc/nsswitch.conf You need to change two lines to look like this (other lines removed to keep this post short as possible):
> 
> Code:
> ...

 

----------

## exklusve

First off thanks for the great how to!

I've got everything working great right of the bat.

But i've run into one problem.

I cant control what group/user can access the share i have created.  I dont want to make the share public and writeable to everyone.  

Here's my smb.conf

```
[global]
        netbios name = Intranet
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = MYDOMAIN
        os level = 20
        winbind enum groups = yes
        socket address = 192.168.1.23
        password server = 192.168.1.9
        preferred master = no
        winbind separator = +
        max log size = 500
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = MYDOMAIN.COM
        security = ADS
        #wins server = 1.2.3.4 <- Change to IP address of your installed WINS server
        wins proxy = no

# Shares section
[web]
        comment = Web
        writeable = yes
        path = /var/www/localhost/htdocs/
        force user = me
        valid users = @MYDOMAIN+"tech"
        public = no
```

I can run 

```
getent passwd
```

 and 

```
getent passwd
```

I can browse to the samba server and see the 'web' share, but when I try to access that share I get an Access Denied error.   I've even tried a chmod 777 on the dir.  :Sad: 

Under the valid users i've tried @tech (tech is the group i want to use) @MYDOMAIN+tech and @MYDOMAIN+"tech"   no luck on any of those.

Any help is greatly appreciated!

Thanks!!

----------

## sirlark

Hi there

I'm still having issues with samba and AD. I can join to the domain without problems.

--edit--

hmm, actually since rebooting a while back, it appears that I can't...

 *Quote:*   

> 
> 
> root@sybill ~ # net ads join EPWORTH
> 
> [2005/03/03 16:05:36, 0] libads/ldap.c:ads_add_machine_acct(1368)
> ...

 

Firstly: I'm trying to share some directories to selected users, using 'valid users = ...' in smb.conf. This will not work at all unless I include 'smbusermap = ...'. I thought joining to the domain was meant to obviate the use of usermaps.... Including the usermap entry allows the win2k3 administrator account to see the share, but they are requested for a password, which must be the samba password of the root account (the directory being shared is owned by root, and can only be read by root) Trying to share a user's home directory so they can see it from a windows machine doesn't work, although everything is set up exactly as I have for the root share:

 - the user has a samba account/password

 - the user has a usermap entry from their windows username to their linux username

 - the valid users entry on the actual share has their linux username

The user can browse to the share, but when the password is requested nothing works

 - tried samba password for the user

 - tried windows password for the user

 - tried linux password for the user

Something to note is that the user is unable to change their own samba password. The root account has to do it for them. So there seems to be something only root can do that is allowing access to the administrator/root share.

 *Quote:*   

> 
> 
> jmcg@sybill ~ $ smbpasswd
> 
> Old SMB password:
> ...

 

--edit--

Still haven't figured out why users can't change their own smb passwords, but suddenly their shared directories started working, for no apparent reason. Apart from having restarted samba several times without config changes, and one reboot... which seems to have 'dejoined' me from the domain.... really weird

--------

Secondly: I am trying to mount an administrative ($) share on another computer (XP Pro). I can mount administrative shares on other computers on the network, but not any XP machines. I can use smbclient to see available shares on each of the XP machines in question, so the username and password are being validated correctly when using smbclient, but mounting yields

 *Quote:*   

> 
> 
> root@sybill ~ # mount -t cifs -o user=administrator //bursar/c$ /mnt/temp/
> 
> Password: 
> ...

 

 - I have tried mounting normal shares with the same problem, so it's not the fact that the share is administrative.

 - I have tried with the firewall turned on and turned off, no visible difference

 - I have read the man page in question (and numerous others) and can't find a description of the error

Can anyone suggest something to try here.. is there some windows registry setting I should be (un)setting?

--edit--

AHA!!!!! finally got it!

So having realised that I no longer appear able to join the domain, I figured trying the following

 *Quote:*   

> 
> 
> root@sybill ~ # mount -t cifs -o user=administrator,domain=EPWORTH //bursar/c$ /mnt/temp/
> 
> Password:
> ...

 

and whaddayaknow ... JACKPOT!

Hope this helps everyone else out there

--------

smb.conf

*Quote:*

> # Samba config file created using SWAT
> # from 127.0.0.1 (127.0.0.1)
> ...

smbusers

*Quote:*

> # Unix_name = SMB_name1 SMB_name2 ...
> # $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/smbusers,v 1.4 2004/07/18 03:55:05 dragonheart Exp $
> ...

----------

## exklusve

bump?

----------

## exklusve

Ok I think I found the solution to my problem with specifying permissions from Active Directory Groups..

Here's what I put into my smb.conf

```
valid users = @"Domain Admins",@"Global IS"
```

This allowed all domain admins and the Global IS group to access the share. 

Hope this helps anyone else having problems.

----------

## cpdsaorg

I had the same problem and I solved it like this...

```
[mp3]
     writable = yes
     browsable = yes
     path = /home/mp3
     valid users = @"EXAMPLE+Domain Admins", @"EXAMPLE+Linux Admins"
```

Above, "EXAMPLE" is my short domain name, like YAHOO or GOOGLE.

"Domain Admins" and "Linux Admins" are the groups that I want to have access to the share.

Don't forget the + in between. Group names are separated by a comma (,).

----------

## cpdsaorg

Next question, 

is there a way for the "Linux Admin" group to be able to ssh into the box without having to create a local user for each admin?

----------

## cuban

This is odd. I emerged samba as instructed but winbindd is not anywhere to be found.

----------

## cuban

It appears there is a new USE flag to add winbind; it's called "winbind". It does not create an init.d script though.

----------

## cpdsaorg

Found this for you in the instructions posted here:

NOTE: If rc-update add winbind default fails, you could add winbind to /etc/conf.d/samba under daemon_list:

File: /etc/conf.d/samba

```
daemon_list="smbd nmbd winbind"
```

----------

## cuban

Out of nowhere I'm starting to get the below... Anyone have any ideas?

```
[2005/04/06 16:09:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
```

----------

## Skywacker

Thanks for howto, but I have one problem.

Everything works great for 10 minutes, then starts to fail. I can map a drive on a Windows XP box and access the files on the Samba share. However, after about 10 minutes if I re-map the drive it will ask for a password. 

A different form of the same problem: I can 'cd ~TESTDOM+testuser' and it works fine. But after a while it will tell me "-bash: cd ~TESTDOM+testuser: No such file or directory". If I run 'getent passwd', it shows me all the correct users from my PDC, and then 'cd ~CMRLDOM+testuser' will result in changing me to /home/TESTDOM/testuser

I know that my Kerberos ticket is set to last 600 seconds, and I could raise this number, but what's the correct way to fix this problem?

TESTDOM is my domain name and testuser is my test user. 

Thanks

-Skywacker

----------

## Radi

Hello There,

I'm using a Linux box with Samba as an Active Directory client. Login with an AD user works perfectly, but for most users the home directory has been named with uppercase characters, like "SomeUser". Samba itself resolves the username as "someuser", and every time I log in with an account that has such a named home directory Samba fails to cd into the directory because Linux is case sensitive. Is there a way of going around it without changing every homedir?

Thanks, Radi
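One way to bridge the case mismatch described above without renaming any directory is to give every mixed-case home directory a lowercase symlink beside it, so both the Windows spelling and the name winbind resolves lead to the same place. This is an added example, not code from any poster in the thread; the parent directory is passed as an argument (for the template homedir quoted elsewhere in this thread that would be /home/DOMAIN, which is an assumption), and the function refuses to clobber anything that already exists under the lowercase name.

```shell
#!/bin/sh
# Added example (not from the thread): for each subdirectory of $1 whose name
# contains uppercase letters, create a lowercase symlink pointing at it.
# Safe to re-run: existing entries under the lowercase name are left alone.

link_lowercase_homes() {   # $1 = parent of the home directories, e.g. /home/DOMAIN
    parent=$1
    for dir in "$parent"/*/; do
        [ -d "$dir" ] || continue                       # no match, or not a directory
        name=$(basename "$dir")
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        [ "$lower" = "$name" ] && continue             # already lowercase, nothing to do
        target="$parent/$lower"
        if [ -e "$target" ] || [ -L "$target" ]; then
            printf 'skip %s: %s already exists\n' "$name" "$lower" >&2
            continue
        fi
        # Relative link: still valid if the parent is moved or bind-mounted.
        ln -s "$name" "$target"
        printf 'linked %s -> %s\n' "$lower" "$name"
    done
}

# Usage: link_lowercase_homes /home/DOMAIN   (placeholder path)
if [ "${1:-}" != "" ]; then
    link_lowercase_homes "$1"
fi
```

Run it once as root after the directories are created (or from the same script that provisions them); because it only ever adds a link and never renames, the Windows side keeps working unchanged.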

----------

## mgladding4423

I'm having the same problem other people are having with all of this. When I attempt to get to the network share (\\<server name>\<share name>) from any system I get an invalid username and password prompt and I can't get in.

winbind is up and running, as in samba, I can use smbclient to connect to a windows share, I'm joined to the domain, and can query ad with wbinfo, so I have no clue what to do now. Any ideas?

edit side note:

When I try to connect via smbclient/mount on another linux box (we have tons in my company) I get the following:

*Quote:*

> tmp # smbmount //<server name>/root$ /tmp/smbtest -o username=root
> Password:
> 29178: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
> ...

It doesn't matter what username I use; I tried root, administrator, mine, all of them, same thing.

Here is my smb.conf:

```
[global]
        netbios name = backup
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = <workgroup name>
        os level = 20
        winbind enum groups = yes
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = <realm name>
        security = ADS
        wins server = 192.168.1.2
        wins proxy = no
        username map = /etc/samba/smbusers

[root$]
        comment = Root share
        writeable = yes
        path = /
        valid users = @"<short domain name>+<group name>"
```

And in case you ask, it does the same thing when I remove the valid users part and make it public and such.

Here is my nsswitch.conf:

```
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

Anyone got any ideas?

----------

## mgladding4423

I'm bumping in hopes that someone will have some clue.

I've also checked my logs and found this in the log.winbindd

```
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:42, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-7122
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
[2005/05/16 10:43:43, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
  error getting user id for sid S-1-5-21-1708537768-1580818891-1957994488-1639
```

I'm assuming that this is my problem, but I can't find anything as to what it means or how to fix it.

And this shows up in my /var/log/samba3/log.<machine name>

```
[2005/05/16 10:26:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username <Short domain name>+<me> is invalid on this system
[2005/05/16 10:26:29, 0] lib/util_sock.c:get_peer_addr(1000)
  getpeername failed. Error was Transport endpoint is not connected
[2005/05/16 10:26:29, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2005/05/16 10:26:29, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 23: ERRNO = Connection reset by peer
[2005/05/16 10:26:29, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
```

----------

## njcwotx

This question is in regards to using Samba+AD after it's installed and working.

I am currently reading through man pages, this forum and other LDAP, Kerberos, Samba docs and the like; however, I am posting the question now in case somebody can assist me before any research is complete.

Problem:

Samba+AD is working and in production.  We have 2 problems that are resolved the same way.  First issue: every once in a while a user will not be able to authenticate directly to shares.  Other users can connect just fine except this one user.  Second issue: we have an intranet website that uses AD accounts to access shares on another samba server.  If we restart samba on this server, we need to perform the command below on the intranet box as well. We resolve this issue by performing the following command:

```
kinit administrator    #followed by the appropriate password
```

The date and time are correct and the same on all servers; we just need to occasionally reset the ticket.

Solution needed:

Obviously, re-initializing the Kerberos ticket makes everyone happy.  However, this is a manual procedure that needs to be done automatically whenever this occurs.  My problem is partly a lack of understanding of Kerberos and LDAP and I am trying to correct this problem via RTFM.  However, any insight to speed up this process would help.

I have seen examples of putting kinit in a cron job but need some more insight about what it is I am actually doing and how this works before I modify production servers.

Additional Info:

I am reading through this forum and found this info above, however, I need some clarification on some of it if anyone cares to try.

*Quote:*

> Automatic updating of the Kerberos ticket 
>
> Let's now create a script for automatic update of the Kerberos ticket for the LDAP. After the command execution, the root's Kerberos ticket cache (/tmp/krb5cc_0) will be updated. 
> ...

I have a keytab file but I want to be clear on the particulars of 

```
kinit -k -S ldap/sfusrv.sfu.acme.com nssldap/gent 
chmod 600 /tmp/krb5cc_0 
```

plus any other comments concerning this.
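Since the remedy this thread settles on is a cron job around kinit, here is what such a job can look like when it is driven from a keytab rather than from a stored Administrator password: it reads the root credential cache that the quoted text refers to (/tmp/krb5cc_0), works out how long the TGT has left, and only re-runs kinit when the ticket is about to expire. This is an added example and not code from any poster: the keytab path, the machine principal, the cache path and the renewal threshold are placeholders, the klist text is constructed in the format this thread quotes, and the time parsing relies on GNU date (Linux).

```shell
#!/bin/sh
# Added example (not from the thread): renew the root Kerberos TGT from a
# keytab when it is close to expiry. Placeholders: CCACHE, KEYTAB, PRINCIPAL.

CCACHE=/tmp/krb5cc_0                      # cache the thread's quoted text refers to
KEYTAB=/etc/krb5.keytab                   # assumption: holds the machine account keys
PRINCIPAL='host/sambaserver@EXAMPLE.COM'  # placeholder machine principal
MIN_REMAINING=1800                        # renew when less than 30 minutes remain

# Constructed klist output in the layout shown in this thread (MM/DD/YY dates).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/sambaserver@EXAMPLE.COM

Valid starting     Expires            Service principal
10/20/05 09:42:34  10/20/05 19:42:35  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 10/21/05 09:42:34'

# Print the epoch second at which the krbtgt listed in klist text ($1) expires;
# prints nothing when the text contains no krbtgt line.
tgt_expiry_epoch() {
    line=$(printf '%s\n' "$1" | awk '/krbtgt\// { print $3, $4; exit }')
    [ -n "$line" ] || return 0
    set -- $line                                    # $1 = MM/DD/YY, $2 = HH:MM:SS
    iso=$(printf '%s' "$1" | awk -F/ '{ printf "20%s-%s-%s", $3, $1, $2 }')
    date -d "$iso $2" +%s                           # GNU date; local time like klist
}

# Seconds the TGT in klist text ($1) still has at epoch second $2 (0 if none).
tgt_seconds_left() {
    now=$2
    exp=$(tgt_expiry_epoch "$1")
    if [ -n "$exp" ] && [ "$exp" -gt "$now" ]; then
        echo $((exp - now))
    else
        echo 0
    fi
}

# Exit 0 when the TGT in klist text ($1) should be renewed at epoch second $2.
needs_renewal() {
    [ "$(tgt_seconds_left "$1" "$2")" -lt "$MIN_REMAINING" ]
}

# Cron entry point: inspect the live cache and renew from the keytab if needed.
refresh_ticket() {
    now=$(date +%s)
    current=$(KRB5CCNAME="$CCACHE" klist 2>/dev/null || true)
    if needs_renewal "$current" "$now"; then
        KRB5CCNAME="$CCACHE" kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
        chmod 600 "$CCACHE"                         # cache readable by root only
    fi
}

# Example crontab line (assumption):  */10 * * * * /usr/local/sbin/refresh_ticket.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_ticket
fi
```

Using the machine account's keytab means no human password sits in a cron job or a script, and the principal that gets renewed has only the rights the domain gave the computer object, which is the least-privilege shape of the "kinit in cron" idea the post asks about.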

----------

## mikec49

*maalth wrote:*

> How to integrate Samba (file sharing) using Active Directory for authentication (basic stuff).- Updated 13 Apr 2004.
>
> Alright, I'll have to go on my notes,  I did this on Thanksgiving Day, so I may not remember everything I did.  Anyway, here goes:
>
> Active Directory should already be implemented and working.  If you need help, there's plenty of help on the net.
> ...

Small problem: all of the above works (sort of!!)

Each command in turn works fine, i.e. wbinfo -u and getent passwd, returning as expected.

But I edited the login file within /etc/pam.d using all of the available info that I could find, and when you log on as an AD user you get the error 'User not known to the Underlying Authentication Module'.

Yet, if you run a getent passwd | grep (for that user) and then go back to the console, it does log in!!

Any ideas?

Anyone have a working /etc/pam.d/login? (It's a start, maybe!?)

thanks in advance

----------

## njcwotx

can you post your configs?

----------

## mikec49

*njcwotx wrote:*

> can you post your configs?

Since my posting, I set up SWAT to look at the samba config, and in the advanced settings there were some interesting winbind options that I had never seen before. I messed around with a few of these, and I managed to get console login working with AD users, but other things were still broken.

So, early next week I will go through all of my configs and see where I'm at.

I know I could use help with /etc/pam.d/sshd, as this is (was) working, but as root (a non-AD user) it asked for the password twice. Now I know I need to put use_first_pass somewhere, just unsure where, so anybody that has a working sshd PAM file for use with winbind, this would be useful.

Thanks

----------

## JDStone

I'm confused, is the Active Directory server a Windows machine or is it a Linux machine?  Is it even possible to make a Linux machine an Active Directory server?

----------

## njcwotx

In my case it's a Windows server domain with Linux boxes becoming members that need Windows domain users having access to samba shares.

----------

## Martz

*JDStone wrote:*

> I'm confused, is the Active Directory server a Windows machine or is it a Linux machine?  Is it even possible to make a Linux machine an Active Directory server?

In this case, it should always be a Windows AD server (Domain Controller). There are other how-tos for building your own Samba/AD/LDAP-style servers. This thread is for people who have existing Windows Domain Controllers and want to extend Linux services to them.

----------

## Gendal

Just an FYI, I spent the past few hours banging my head against the wall trying to get it to join a domain. Finally traced it back to the ISA (Internet Security Server) 2004 firewall. It's the debil, it kept blocking port 464 no matter what I did. Once I removed ISA, voilà, it worked without a hitch.

----------

## NightMonkey

EDIT: Er, never mind. I fixed this problem. Lots of Kerberos voodoo... Also, I found that this cryptic error comes from Kerberos - a password mismatch... Must have been with the machine account, I guess. I also checked "Trust this computer for delegation" on the Win2K server - dunno, that might have fixed it too. I'll break everything down over the next few days to see if I can replicate the problem.

*cuban wrote:*

> Out of nowhere I'm starting to get the below... Anyone have any ideas?
>
> `[2005/04/06 16:09:31, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)`
> ...

I get this too, after getting *everything* else working. Turned up logging, here's the result:

```
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBnegprot (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN1.0]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [Windows for Workgroups 3.1a]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LM1.2X002]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN2.1]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [NT LM 0.12]
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_nt1(333)
  using SPNEGO
[2005/07/25 02:44:35, 3] smbd/negprot.c:reply_negprot(555)
  Selected protocol NT LM 0.12
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 2 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 3 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2005/07/25 02:44:35, 3] smbd/process.c:process_smb(1091)
  Transaction 4 of length 1368
[2005/07/25 02:44:35, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 3846) conn 0x0
[2005/07/25 02:44:35, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2005/07/25 02:44:35, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2005/07/25 02:44:35, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 1166
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_verify_ticket(347)
  ads_verify_ticket: krb5_rd_req with auth failed (Success)
[2005/07/25 02:44:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/07/25 02:44:35, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
```

Running samba 3.0.14a (the problem occurs with 3.0.10, too). This line looks suspicious:

```
[2005/07/25 02:44:35, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(235)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
```

I googled around, and found that this "enc type" is for md4-hmac. I set this in /etc/krb5.conf explicitly (though I think this should "just work" with mit-krb5-1.4.1) and no change. This is a connection from a Win2K Pro client -> a Samba Domain Member server, authenticating against a Win2K AD DC.

Anyone else get this too, and have a solution? Thanks in advance!

----------

## m4chine

I have had samba up and running for some time now with AD integration; nothing changed on the Linux side that I know of, but there were updates applied to our AD server (Windows 2003 SP1 iirc). So out of nowhere I get these errors in /var/log/samba3/log.%u for each username:

```
[2005/08/02 10:03:23, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161) user 'USERNAME' does not exist
```

I was able to fix them by adding the following to my /etc/samba/smb.conf file:

```
client schannel = no
```

I then noticed that I got this error:

```
[2005/08/02 10:46:14, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 1 requested.
[2005/08/02 10:46:15, 0] rpc_server/srv_pipe.c:api_pipe_bind_req(993) api_pipe_bind_req: unknown auth type 9 requested.
```

I was able to fix this error by upgrading to samba-3.0.14a-r2. 

cheers,

----------

## cyphz0r

Two questions:

How can you authenticate a single user against a share?

And how can you still use local users in addition to AD users?

Thanks!

----------

## m4chine

*cyphz0r wrote:*

> Two questions:
>
> How can you authenticate a single user against a share?
>
> And how can you still use local users in addition to AD users?
> ...

What do you mean by authenticate a single user? You want only a single user to have access to a share? When you try to access a samba share, various authentications are attempted that are specified in /etc/samba/system-auth-winbind. By setting these auth lines up accordingly, you set up the order in which the user attempts to authenticate, meaning your local user can be authenticated before or after winbind attempts to authenticate your AD user.

There is also /etc/samba/smbusers which allows you to map local users to AD users.

```
# Unix_name = SMB_name1 SMB_name2 ...
root = DOMAIN+Administrator administrator admin
nobody = guest pcguest smbguest
```

Elaborate on your question and I'll try to give a more detailed answer.

----------

## cyphz0r

*m4chine wrote:*

> *cyphz0r wrote:* Two questions:
>
> How can you authenticate a single user against a share?
>
> And how can you still use local users in addition to AD users?
> ...

What I am looking for is to have local users still be able to authenticate. I only have a few; I use them for service accounts like Nagios monitoring and such. And then also be able to say that "aduser" has access to this share without defining an entire group. I will play with the system-auth-winbind tomorrow while at work and see what I come up with.

Thanks.

edit, adding system-auth-winbind

```
#%PAM-1.0
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.2 2004/07/18 03:55:05 dragonheart Exp $

auth        required      /lib/security/pam_env.so
#auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        sufficient    /lib/security/pam_winbind.so
auth        required      /lib/security/pam_deny.so

#account     sufficient    /lib/security/pam_winbind.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_winbind.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
```

I tried moving the order; it still tries to do NT login via the domain first.

----------

## cyphz0r

anyone????

still can't figure out how to make it check both AD and local users.

I want it to default to AD, but also be able to fall back onto local users.

And I still can't figure out how to permit a single AD user to a share, I can only do groups?
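Two things in this thread meet here: cpdsaorg's note that a group in `valid users` must carry the winbind separator (`@"EXAMPLE+Domain Admins"`, with the `+`), and the question just above of granting one AD user a share. Samba's `valid users` takes plain names as users and `@`-prefixed names as groups, so a single account is listed the same way a group is, minus the `@`. The script below, an added example and not code from anyone in the thread, lists who a share admits and flags entries that name a domain account without the separator; the smb.conf text is constructed and the domain, share and account names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): lint the "valid users" lines of an
# smb.conf. With security = ADS and winbind separator = +, a group written as
# @"Domain Admins" (no DOMAIN+) never matches a winbind-supplied name, and the
# user is refused although the password was right.
# Assumptions: share names contain no spaces; separator is "+"; domain EXAMPLE.

SEP='+'

# Constructed smb.conf for offline use. [finance] shows one AD user plus one
# AD group; [mp3] carries the mistake cpdsaorg warns about.
SAMPLE_CONF='
[global]
        workgroup = EXAMPLE
        security = ADS
        winbind separator = +

[finance]
        path = /srv/finance
        valid users = EXAMPLE+aduser, @"EXAMPLE+Domain Admins"

[mp3]
        path = /home/mp3
        valid users = @"Domain Admins", @"EXAMPLE+Linux Admins"
'

# Print the "valid users" entries of share $1 in config text $2, one per line,
# surrounding quotes removed (a leading @ marks a group).
valid_users_for() {
    printf '%s\n' "$2" | awk -v share="[$1]" '
        /^[ \t]*\[/ { in_share = ($1 == share); next }
        in_share && /^[ \t]*valid users[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                gsub(/"/, "", parts[i])
                print parts[i]
            }
        }'
}

# Print entries of share $1 (config $2) that lack the separator and are not in
# the space-separated list of local Unix accounts $3, which legitimately lack it.
missing_separator() {
    valid_users_for "$1" "$2" | while IFS= read -r entry; do
        name=${entry#@}
        case " $3 " in *" $name "*) continue ;; esac
        case "$name" in *"$SEP"*) ;; *) printf '%s\n' "$entry" ;; esac
    done
}

# Exit 0 when every entry of the share is well-formed, 1 otherwise.
lint_share() {
    [ -z "$(missing_separator "$@")" ]
}

# Usage: lint_share finance "$(cat /etc/samba/smb.conf)" "nagios backup"
if [ "${1:-}" != "" ]; then
    lint_share "$1" "$(cat /etc/samba/smb.conf)" "${2:-}" && echo "ok: $1" || missing_separator "$1" "$(cat /etc/samba/smb.conf)" "${2:-}"
fi
```

Passing the local service accounts as the third argument is what lets a share keep admitting a handful of Unix users (the Nagios case above) alongside `EXAMPLE+`-qualified AD users without the lint complaining about them.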

----------

## BigBeer

I had this working, but after an emerge -upD world I seem to have broken my setup.

I have gone back and followed the steps again from scratch and still can not get it to work.

Here is what I am getting in log.winbindd

```
[2005/08/23 10:26:17, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:17, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Preauthentication failed
[2005/08/23 10:26:28, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/UNICRON@ATL.MYDOMAIN.COM failed: Preauthentication failed
[2005/08/23 10:26:28, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain ATL failed: Preauthentication failed
```

Anyone have any ideas as to what I am doing wrong ??!?!

--BigBeer

----------

## christsong84

*magnesium wrote:*

> When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?

Did this ever get fixed? I get it too, followed the guide and everything appears to have happened successfully, except I can't get to the share >.<

I can't browse to it (I see it but I get a "you're not authorized to access..." etc. message)... but connecting directly (via Map Network Drive in Windows XP) I get a continuous password prompt.  Neither Linux nor AD users work.

----------

## thrashed

*christsong84 wrote:*

> *magnesium wrote:* When I try to map a drive to the server using a windows machine, I get prompted for username and password continuously, even though the information I provide is correct. Does this mean that access is denied, or does this mean that my linux box is not handling the authentication properly?
>
> Did this ever get fixed? I get it too, followed the guide and everything appears to have happened successfully, except I can't get to the share >.<
> ...

I have got exactly the same problem!

I can access the share when I use the IP address of the share:

\\sambaserver\share doesn't work

\\192.168.10.5\share works fine

Any idea???

I found this with the help of Google, but I don't know if this is the answer to our problem (there is no newer Kerberos version in portage :/ )

http://archive.netbsd.se/?ml=samba&a=2004-07&t=302942

*Quote:*

> I have been having the very same problem and managed to solve this. I'm
> posting an answer to this question so that others can find this if
> needed. (I'm not subscribed to the list, so please CC follow-ups if
> ...

best wishes from austria

thrashed

----------

## Martz

Make sure you have the following USE flags; if you don't have winbind (from an old setup of this) then winbindd will fail to work (and may not even exist on your system anymore):

```
samba kerberos winbind
```

The winbind flag is new.

----------

## Martz

*phew* - I am now up and running again on:

- Windows 2000 AD

- Kernel 2.6.12-gentoo-r9

- Samba 3.0.14a-r2 

- USE flags I mentioned above: 

```
ldap kerberos winbind samba 
```

The errors I was getting in my log.winbindd:

```
[2005/10/20 09:39:00, 1] libsmb/clikrb5.c:ads_krb5_mk_req(389)
  ads_krb5_mk_req: krb5_get_credentials failed for dc$@DOMAIN.CO.UK (Ticket expired)
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: Ticket expired
[2005/10/20 09:39:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:00, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:00, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:39:16, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
[2005/10/20 09:39:16, 1] nsswitch/winbindd_util.c:init_domain_list(322)
  Could not fetch sid for our domain DOMAIN
[2005/10/20 09:39:16, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(539)
  spnego_gen_negTokenTarg failed: No credentials cache found
[2005/10/20 09:40:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Cannot read password
```

Make sure you have the USE flags, then emerge Samba again:

```
emerge samba
```

and then check that your /etc/conf.d/samba has:

```
daemon_list="smbd nmbd winbind"
```

Stop the daemon: 

```
/etc/init.d/samba stop
```

Make sure that winbindd has been properly stopped:

```
ps aux | grep winbind
```

And kill any leftover processes before starting Samba again:

```
/etc/init.d/samba start
```

I think I did:

```
kinit
```

And entered the password

Then klist which returned:

```
jupiter ~ # klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.CO.UK

Valid starting     Expires            Service principal
10/20/05 09:42:34  10/20/05 19:42:35  krbtgt/DOMAIN.CO.UK@DOMAIN.CO.UK
        renew until 10/21/05 09:42:34
```

Et voila! It now works for me! 

YMMV - just keep on restarting services and get the tickets, and you should be back in business.

----------

## giant

Thanks for this great howto  :Smile: 

I was able to add my samba fileserver to our ads in minutes  :Smile: 

----------

## TheJester

Hi all, 

We have a Linux data server here, which used to be a workgroup member. Everything was fine then. Now we have a new SBS server here, so the data server had to be made into a domain member. To do that I followed this manual.

The thing is now, that the samba shares on the data server are slow as h**l 

What can the problem be? Any ideas are welcome!

```
[global]
        netbios name = DATASVR
        server string = DATASVR
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = GOVALOKAAL
        os level = 20
        winbind enum groups = yes
        socket address = 10.0.0.200
        password server = *
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba3/log.%m
        encrypt passwords = yes
        dns proxy = no
        realm = GOVA.LOKAAL
        security = ADS
        wins server = 10.0.0.201
        wins proxy = no
        workgroup = govalokaal

[ariston]
        comment = All Ariston software, cc files
        path = /raid/ariston
        writable = yes
```

and the krb5 config:

```
datasvr etc # cat krb5.conf
[libdefaults]
        default_realm = GOVA.LOKAAL

[realms]
   GOVA.LOKAAL = {
        kdc = adserver.gova.lokaal
   }
datasvr etc #
```

the hosts file:

```
datasvr etc # cat hosts
127.0.0.1       localhost
10.0.0.201      adserver.gova.lokaal adserver
```

Thanks a lot!

----------

## DingbatCA

Just got my 6 Gentoo clients up and bound to AD.  Ran into a major bug.  My UID is different on every box.

```
atalbot@cslinux6:~$ id
uid=24488(atalbot) gid=10000(domain users) groups=10000(domain users)

atalbot@cslinux4:~$ id
uid=10000(atalbot) gid=10000(domain users) groups=10000(domain users)
```

Any ideas?

----------

## Arne

Hi,

first, thanks for the nice howto  :Exclamation: 

I have a question about the keytab encryption type. Is it possible to use arcfour-hmac-md5? I tried it, but it didn't work. Maybe I made a mistake. The single DES keys work, and with kinit I can get rc4 tickets, so my Linux box must have rc4 support. I don't know why it's not working.   :Sad: 

RC4 is working:

```
# kinit Administrator
Administrator@MY.EXAMPLE.COM's Password:
# klist -e
Valid starting     Expires            Service principal
06/17/06 10:00:01  06/17/06 19:59:55  krbtgt/MY.EXAMPLE.COM@MY.EXAMPLE.COM
        renew until 06/17/06 20:00:01, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
```

keytab export:

```
C:\Dokumente und Einstellungen\Administrator\Desktop>"c:\Programme\Support Tools \ktpass.exe" -mapuser linux_http -princ  HTTP/my.example.com@MY.EXAMPLE.COM +DesOnly -pass <PASSWORD>  -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT -out  "linux_keytab_http"
Targeting domain controller: server.my.example.com
Successfully mapped HTTP/linux.my.example.com to linux_http.
Key created.
Output keytab to linux_keytab_http:
Keytab version: 0x502
keysize 96 HTTP/my.example.com@MY.EXAMPLE.COM ptype 1
 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x058f7c3320c8e994b11dd010f8d6c7ff)
Account linux_http has been set for DES-only encryption.
```

Check the exported keytab:

```
# ktutil
ktutil:  rkt linux_keytab_http
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/my.example.com@MY.EXAMPLE.COM (ArcFour with HMAC/md5)
ktutil:
```

Using the keytab failed:

```
kinit  -k -t linux_keytab_http HTTP/my.example.com@MY.EXAMPLE.COM
kinit(v5): Key table entry not found while getting initial credentials
```

PS: It's a Windows Server 2003 R2.

Any idea what caused this?

arne

----------
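To inspect a keytab the way Arne's `ktutil` session above does, without a Kerberos install and without ever printing key material, here is an added example (not code from the thread or from any Samba/MIT tool): a reader for the 0x502 keytab format, plus a small builder used only to construct a dummy sample shaped like the RC4-only keytab in the post. The sample principal, kvno and all-zero key are constructed; the format layout (int32 entry size, realm and components as uint16-length strings, name type, timestamp, 8-bit vno, keyblock, optional 32-bit kvno) is the MIT one.

```python
import struct

ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}  # 0x17 = 23 is RC4-HMAC

def _cstr(buf, off):  # uint16 length-prefixed string -> (str, next offset)
    n, = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def build_entry(principal, etype, key, kvno):
    # Serialise one 0x502 entry for "name/inst@REALM"; used here only to build sample data
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)                   # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    # Return [{'principal', 'kvno', 'etype', 'etype_name'}]; key bytes are skipped, never returned
    assert data[:2] == b"\x05\x02", "not a version 0x502 keytab"
    off, entries = 2, []
    while off < len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:          # negative size marks a deleted slot of |size| bytes
            off -= size
            continue
        end = off + size
        ncomp, = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c)
        vno8 = data[off + 8]                          # after uint32 name_type and uint32 timestamp
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                              # step over the key material
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "etype_name": ETYPES.get(etype, "unknown")})
        off = end
    return entries

# Constructed sample keytab (dummy all-zero key) shaped like the RC4-only one in the post
SAMPLE = b"\x05\x02" + build_entry("HTTP/my.example.com@MY.EXAMPLE.COM", 23, b"\x00" * 16, 3)
```

Running `parse_keytab` on a real keytab shows which etypes it actually holds: a file with only an etype 23 entry has no DES key, and the ktpass output above says the account was set to DES-only, which is a mismatch worth checking before looking anywhere else.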

## andysamuel

Hi All !

Is there any chance the conflict between shadow and pam-login is affecting the authentication to ADS and the Samba server?

I have an old machine with already working ADS Samba integration, but when I emerge world, it says shadow conflicts with pam-login, so I unmerge pam-login, then after that emerge shadow, then...I can not log in to my server.  Since this is just a testing server, I don't mind reinstalling everything again from the beginning, so I reformat and reinstall Gentoo.

With this newer system, somehow, I can not authenticate my Windows machine to access Samba's sharing, although I tried to follow the example in this forum.

'wbinfo -u' works just fine, as does 'wbinfo -g'; my ADS usernames, computers and groups are displayed correctly.

'getent passwd' seems to only display my /etc/passwd file.

But when I tried to access from a Windows machine, it keeps on asking for password.

My log.winbindd seems OK, no error.  Log.smbd also seems fine, only complaining about cups, which I don't use.  Log.nmbd seems fine.  

Can anybody confirm whether this has nothing to do with the shadow vs pam-login conflict (because of /etc/pam.d/samba)?  My suspicion is that my previous system was using pam-login while the newer system is using shadow.

Thank you so much.

Andy

----------

## andysamuel

 *andysamuel wrote:*   

> Hi All !
> 
> Is there any chance the conflict between shadow and pam-login is affecting the authentication to ADS and the Samba server?
> 
> I have an old machine with already working ADS Samba integration, but when I emerge world, it says shadow conflicts with pam-login, so I unmerge pam-login, then after that emerge shadow, then...I can not log in to my server.  Since this is just a testing server, I don't mind reinstalling everything again from the beginning, so I reformat and reinstall Gentoo.
> ...

 

Hmmm...it turns out that I don't have /lib/security/pam_winbind.so.

Add 'winbind' to USE inside /etc/make.conf, recompile Samba, and voila! Authentication to ADS works!

Case closed.

----------

## maalth

I apologize that I haven't been around in the last few years.  I wound up moving and getting a new job which unfortunately I had to go offline for quite a while.  I intend to update this doc (sometime soon) to integrate with Windows 2003 and the latest version of Samba.

----------

## ali3nx

Good howto, but the only problem is using winbind, which limits your options and can cause problems with LDAP consistency in some situations.

http://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP

----------

## maalth

Samba's been updated many times in the last 7 years so I'd have to update the howto anyway.

----------

## Majed17

 *ritjobbie wrote:*   

> WORD UP!  I got it working.  I had to add winbind to the /etc/pam.d/samba config file, duh.
> 
> *whew*

 

I didn't find any information about adding winbind to /etc/pam.d/samba; however, I did find this:

https://forums.gentoo.org/viewtopic-t-445968-start-0.html

which is about adding winbind to /etc/pam.d/system-auth,

but that was not what solved my problem of Windows constantly asking for usernames and passwords. What solved it was:

Disable NSCD

The service NSCD (Name Service Caching Daemon) seriously interferes with Winbind authentication and must be completely disabled before enabling Winbind.

To do this, edit /etc/nscd.conf. Edit these three lines:

```
enable-cache            passwd          yes
enable-cache            group           yes
enable-cache            hosts           yes
```

They should read:

```
enable-cache            passwd          no
enable-cache            group           no
enable-cache            hosts           no
```

This disables all NSCD caching.

Taken from: http://www.stuartellis.eu/articles/linux-with-active-directory/

----------

## VinzC

Hi guys.

Is it possible that two Samba servers that have joined the same AD domain (e.g. "MYCOMPANY") do not map domain users and groups to the same [numeric] IDs? For instance, I have a Debian server that maps a group to GID 10243 and the same group is mapped to GID 10007201 on a QNAP network attached storage that was joined to the domain. It goes even further: domain groups are listed (using getent) without the domain part (e.g. "IT") on the Debian server, while the QNAP shows domain groups with the domain name as a prefix (i.e. "MYCOMPANY+IT"). That clearly causes trouble for backups in my case, since I need to back up/copy files onto a remote machine with the same security attributes so that the users owning their data can retrieve copies from the backup machine.

Can anyone confirm this? What's the best and least troublesome way to get to that point?

Thanks a lot in advance for any hint/suggestion.

----------
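DingbatCA's "UID is different on every box" and VinzC's mismatched GIDs between two servers are the same effect: with the `idmap uid`/`idmap gid` range used in this thread, each winbind allocates IDs first-come first-served from its own local table, so the first SID a server happens to look up gets the low end of the range. This added example (not code from the thread or from Samba) simulates that allocation on two servers beside a deterministic RID-based mapping of the kind Samba's idmap_rid backend does (id = RID - base_rid + low end of range); the domain SID, RIDs and lookup orders are constructed.

```python
# Constructed domain SID and RIDs (513 = Domain Users, 1105/1106 = two user accounts)
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
DOMAIN_USERS, ATALBOT, OTHER = (DOMAIN_SID + "-%d" % rid for rid in (513, 1105, 1106))
LOW, HIGH = 10000, 20000   # same range as "idmap uid = 10000-20000" in the thread


class AllocatingIdmap:
    """Per-server first-come allocation: the next free id goes to whichever SID is seen first."""

    def __init__(self, low=LOW, high=HIGH):
        self.next_id, self.high, self.table = low, high, {}

    def sid_to_id(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def rid_to_id(sid, low=LOW, high=HIGH, base_rid=0):
    """Deterministic mapping: the same SID yields the same id on every server."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError("RID %d falls outside the range %d-%d" % (rid, low, high))
    return unix_id


def allocate_on_server(lookup_order):
    """Return {sid: id} as one server's allocating idmap would after those lookups, in that order."""
    idmap = AllocatingIdmap()
    return {sid: idmap.sid_to_id(sid) for sid in lookup_order}


def compare_servers(order_a, order_b):
    """SIDs whose allocated ids differ between two servers; RID mapping never lists any."""
    a, b = allocate_on_server(order_a), allocate_on_server(order_b)
    return sorted(sid for sid in set(a) & set(b) if a[sid] != b[sid])
```

The lookup order on a box is whatever users and groups it happened to resolve first (a login, a `getent`, a file listing), which is why the GID for "domain users" can agree across boxes while the UIDs do not, exactly as in the `id` output above.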

