# Samba 3.0.1, Active Directory (Win2003), access denied

## cbreaker

Okay, I've been pulling my hair out over this problem for hours.

Maybe someone can help me.

I've got an active directory, native Windows 2003 mode.   I've installed samba 3.0.1 on my Gentoo box.

I've configured samba to use security = ADC.   I've managed to join the AD domain, and winbind is working; I can SSH and login to X with a windows user account.   I *thought* this would be the difficult part.

wbinfo -u and -g both work, as well as getent passwd and group.   I can use smbclient from my other linux box, which has samba 2.2.8a.

I cannot browse to the Linux box, or access any shares, from a Windows box. If I do a `net view \\LINUX` from a Windows box, I get the "System error 5 occurred, access denied" error. If I do it from Explorer, it prompts me for a username and password. It will not take any usernames or passwords. On any of the Windows boxes I've tried from (Windows 2000, 2003, and XP) I am logged into the domain, using various accounts.

I get no errors in the log files. I've tried both "debug level = 3" and "log level = 3" in smb.conf, but neither of these seems to do anything.

If I had some log entry to follow, maybe I could figure it out.   But as it stands now, I'm at a complete loss.

If anyone has a working configuration, with samba using Active Directory, please please help me out, post your config files, anything.   I'm about to throw all the linux machines out the window.

----------

## cbreaker

Aww c'mon guys, nobody has a working samba3 configuration with Active Directory?

----------

## Lightspeed

Hey, I am trying to do the same thing - Samba 3.0.1 with native 2003 Active Directory, also using winbind for user authentication.

However I am stuck earlier on, I can't get winbind working yet. wbinfo -u and wbinfo -g give me "error looking up domain users / groups". I think my problem is related to kerberos at the moment. If you could help me get my setup to the stage you are at then we could try to solve your problem together. Maybe you could post some of your config files? Also what version of mit-krb5 are you using? Thanks!

Oh, and I thought smb.conf needs "security = ADS" not "security = ADC". Or maybe that was a typo in your post, but I thought I should mention it.

----------

## Lightspeed

Ok, well I got too frustrated and decided to set up a totally clean Gentoo system under VMware so that I could figure this out properly. Somehow, winbind etc. seems to have all worked straight off! I have yet to work out what the difference is between the configuration of this clean Gentoo install with samba and nothing else, and my main system that was refusing to work, but hopefully I should do soon.

I will also test out setting up a share on samba and browsing to it from windows to see if I get the same issue that you have or not.

----------

## Lightspeed

Right, unfortunately I have the exact same problem that you described with accessing a share on the samba machine from windows. I changed the pam config for samba to reference system-auth-winbind, and added my domain user to the "valid users" entry for the share, but it isn't working :(

----------

## Lightspeed

It turns out that access to share works fine if the windows clients use the IP address of the samba machine to access it. Using the name it fails. No idea why though. Doesn't help me much as I use DHCP so the IP address won't always be the same (and I want to create a persistent drive mapping from windows to a share on samba).

One other thing that I can't get working is su. The domain users can't su to root. I know that for ordinary linux users they need to be added to the wheel group, but I can't figure out how to add domain users to the wheel group (or better still add a domain group to the wheel group).

----------

## cbreaker

I have still had no progress on this, you?   I haven't actually had a lot of time the last few days to work on this, but I really need it to work at some point.

Ohh yea, I do have ADS, not ADC.   Just a typo like you suspected =)

I just tried connecting to the linux box using the IP address, and it worked just like you said.   This sucks =)

We've got to be missing something here!   Maybe we should both seek out samba mailing lists and then report back here if we come up with anything.

About adding windows groups to the wheel group, we may be able to use the group number in order to do it. I understand that each NT user and group that is visible to winbind is assigned a number just like a unix one, and they should stay the same on that machine unless the winbind data files are deleted. I could be wrong but I think I read this somewhere.

Let me give it a shot. .....   okay.  Well that doesn't really seem to work with numbers.   I can put windows users' names and it works, as long as there's no spaces.   DOMAIN+jsmith works okay for me, but DOMAIN+Domain Users doesn't.   Perhaps I'll try creating a windows group called "WheelUsers" and that could work.   You'd be able to enter DOMAIN+WheelUsers.

I have another annoyance with winbind.   Maybe you can help me out with it =)    I have system-auth set up like this:

```
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
```

When I authenticate to the machine with a windows account, for SSH, X, anything, it will accept my password.    If I use a UNIX account, it will reject the password, but allow it the second time.

If I switch around:

```
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
```

to 

```
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_winbind.so
```

the same happens in reverse; unix accounts work first try but windows accounts require you to enter the password twice.

Is there a way for the pam thing to automatically try the username and password on all of them without having to enter the password twice?   Did I set this up wrong?

I think Winbind is a great thing but the documentation is too simple for it, it seems like there's a lot of little things the docs miss.

----------

## fleed

Maybe adding `use_first_pass` to the end of `auth sufficient /lib/security/pam_unix.so likeauth nullok`, like this (from /etc/pam.d/system-auth-winbind):

```
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_winbind.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/pam_deny.so
```

----------

## cbreaker

Ohh nice, that works.   Thanks Fleed!

Now I just need to figure out why I can only access the box via samba by using the name!

----------

## lord_ph

Change up some of the WINS flags in your smb.conf file. I put in the IP address in these flags and I have no problem accessing another box by its name, or getting my samba box accessed by its name.

```
remote browse sync
remote announce
wins server
```

----------

## frilled

Well, I spent some time figuring it out.

First of all you should get kerberos working. I switched from heimdal to mit-krb5 (both in portage) since there were problems with heimdal in older versions, but both *should* be working by now.

Secondly, you should get OpenLDAP working, which is pretty straightforward - build it, edit /etc/openldap/ldap.conf and you're set.

Winbind gave me some troubles. I had it working with Samba 3.0.0 but neither with 3.0.1 nor 3.0.2a. I got the same problem with being able to connect to IP addresses, but not hostnames. After fiddling with Netbios resolutions and everything I bailed out.

For lack of anything better to do I started playing with the (few) options I had not yet touched. One of those was "WINBIND USE DEFAULT DOMAIN", which I had set to "yes". I disabled it and now it works like a charm.

I have no explanation for this except that it might be a bug. I found lots of people on various forums having this problem, but no solution.

Whatever. I disabled "winbind use default domain" on all machines and all of them have worked flawlessly since with the 3.0.2a ebuild. The drawback is that you have to write usernames in the form DOMAIN+user (or whatever your separator character is). But I am willing to trade this inconvenience for a working ADS-integrated Samba :)

----------

## frilled

A little addition: There still is a minor annoyance in that the "Domain Users" Group seems to contain no more than one user. All other groups and users seem to be complete. Maybe a Windoze quirk, I don't really care, since *if* you can authenticate, you're either a local or a domain user, which is good enough for me.

----------
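Pulling together the settings discussed in this thread (security = ADS with winbind, frilled's `winbind use default domain = no` workaround for the works-by-IP-but-not-by-name problem, and the WINS options lord_ph mentioned), the following is an added smb.conf skeleton for a Samba 3.0.x domain member. It is an illustration written for this thread, not a config posted by any of the participants. The workgroup, realm, WINS server address, idmap ranges, share path and account names are placeholders; replace them with your own values.

```ini
[global]
   # Placeholders: use your own NetBIOS domain name and Kerberos realm
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   encrypt passwords = yes
   # Let Samba locate the domain controllers itself (needs working DNS + krb5)
   password server = *

   # winbind: keep the DOMAIN+user form; "yes" here broke name-based access
   # for several people in this thread
   winbind separator = +
   winbind use default domain = no
   winbind enum users = yes
   winbind enum groups = yes
   # uid/gid ranges handed out to domain accounts (placeholder ranges)
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/bash
   template homedir = /home/%D/%U

   # NetBIOS name resolution: point at the WINS server (placeholder address)
   wins server = 192.0.2.10

   # Logging: "log level" only helps if a log file is actually configured
   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 1000

[share]
   path = /srv/share
   # Domain accounts are written with the separator; @ prefixes a group
   valid users = EXAMPLE+jsmith, @EXAMPLE+WheelUsers
   read only = no
   browseable = yes
```

After editing, `testparm` will report any option Samba does not recognise, `net ads testjoin` confirms the machine account is still valid, and `wbinfo -u` / `getent passwd` should list the domain accounts in the DOMAIN+user form before you try the share from a Windows client.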

## cbreaker

I've given up on Samba for now.

There are too many problems in the AD code for it to be non-beta, in my opinion. Each time I work around some new problem, another one pops up. Always problems that are very difficult to track down.

I'm no samba newbie.    I've used samba for many years, in different ways.  I've been using Active Directory for years as well, and it really doesn't need to be THIS difficult to get it working.

There's no good structure for Samba. *real* questions go unanswered in the mailing lists, or you get "did you ping the box?" responses. Now, I know that you don't pay for Samba. However, I have found that most free software I have installed on any of my linux boxes has really fantastic support systems in place.

It's far too much hassle for me to consider it a stable solution to sharing files with Windows clients in a domain structure.   Maybe next version.

----------

