[Samba] Integration with MS Active Directory

Rutger Beyen sylvester_rutger at hotmail.com
Fri Feb 15 10:38:55 GMT 2008


Hello all,
 
I'm following the howto
<http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO> to
integrate FreeRADIUS with Microsoft's AD. The first steps are to make the
Linux box integrate with MS Active Directory, using some of the Samba tools.
While working on this, I ran into some trouble.
 
My distro is Debian 4. I had to install some packages, like krb5-kdc,
krb5-user and krb5-config, to get the file /etc/krb5.conf (it wasn't there
in the first place).
When I want to do a net join, I get a message saying that I have errors in
my krb5.conf file. I removed the lines "dns_lookup_realm = false" and
"dns_lookup_kdc = false" and then it worked.
At least I think it did. I got the message: joined "PROJECT" to realm
"PROJECT.LOCAL".
 
When I then test this using wbinfo, I get the error code
"NT_STATUS_NO_SUCH_USER" (which should be normal according to the howto) and
another one: "NT_STATUS_ACCESS_DENIED: Could not authenticate user myuser
with challenge/response". A try with ntlm_auth also fails with
"NT_STATUS_NO_SUCH_USER".
 
Can somebody please help me with my problem? Am I overlooking something or
what am I doing wrong?
 
 
Thanks a million,
Rutger
 
 
 
Here are the 2 config files:
 
smb.conf
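# smb.conf - Samba configured as an Active Directory domain member
# (security = ads). Read by smbd, nmbd and winbindd.
[global]

## Browsing/Identification ###

workgroup = project
server string = %h server
dns proxy = no

#### Debugging/Accounting ####

log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# "security = ads" makes this host a member of the AD domain named by
# 'realm' below: user authentication is handed to the AD domain controller
# (Kerberos/NTLM via winbind) instead of a local account database.
# The stock Debian comment about "security = user" does not apply here. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = ads

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using. In ads mode domain users are
# authenticated by AD, not by this local database.
passdb backend = tdbsam

obey pam restrictions = yes

; guest account = nobody
invalid users = root

passwd program = /usr/bin/passwd %u
# Keep this value on a single line: a wrapped continuation is read by
# Samba as a separate, malformed parameter line.
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no

############ Misc ############

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
# Domain users and groups are mapped into this local uid/gid range; keep it
# clear of locally created accounts so an AD identity can never collide
# with a local one.
idmap uid = 10000-20000
idmap gid = 10000-20000
# Every mapped domain user receives this login shell. Unless interactive
# logins by domain users are intended, /bin/false or nologin is the safer
# choice.
template shell = /bin/bash
# With 'no', winbind expects domain-qualified names, e.g. PROJECT\myuser
# ('winbind separator' defaults to '\'); a bare 'myuser' is not mapped to
# the AD domain and winbind reports NT_STATUS_NO_SUCH_USER for it. Set to
# 'yes' only if bare names should implicitly mean the workgroup domain.
winbind use default domain = no
# Pinning one DC removes failover; in ads mode Samba can locate DCs via
# DNS SRV records when this is left unset.
password server = project-ad.project.local
# Kerberos realm names are case-sensitive and AD realms are conventionally
# upper-case (krb5.conf uses PROJECT.LOCAL). Samba is believed to upper-case
# this value itself; writing PROJECT.LOCAL keeps both files obviously
# consistent without relying on that.
realm = project.local


#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external authentication schemes
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no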
 
krb5.conf
 
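# krb5.conf - MIT Kerberos client configuration for the PROJECT.LOCAL
# Active Directory realm.
[logging]
# Plain FILE: destinations. 'default' previously pointed at /war/log
# (typo for /var/log), so library messages were never written.
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = PROJECT.LOCAL
# Deliberately left unset: the library defaults then apply (dns_lookup_kdc
# on, dns_lookup_realm off), and the KDC for PROJECT.LOCAL is in any case
# pinned explicitly in [realms] below.
# dns_lookup_realm = false
# dns_lookup_kdc = false

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
# Forwardable/proxiable tickets allow a service the user authenticates to
# to request further tickets on the user's behalf (delegation). That widens
# what a compromised service can do with the user's credentials, so keep
# these enabled only if something here actually relies on delegation.
forwardable = true
proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]

PROJECT.LOCAL = {
kdc = project-ad.project.local:88
admin_server = project-ad.project.local
default_domain = project.local
}

[domain_realm]
# Host-to-realm mapping. A leading dot matches every host under the domain;
# the bare name matches only the domain itself. The bare entry was listed
# twice, leaving hosts such as project-ad.project.local to the library's
# fallback heuristic instead of an explicit mapping.
.project.local = PROJECT.LOCAL
project.local = PROJECT.LOCAL

# Only consulted by a local KDC daemon (krb5-kdc); an AD domain member
# does not need to run one.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[login]
krb4_convert = true
krb4_get_tickets = false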

