[Samba] Samba 3 & ADS current capabilities [adr]

Rick Segeberg rick.segeberg at waterford.org
Sat Feb 1 00:57:50 GMT 2003


Andrew,

Thanks for your response.  This reply is actually not a request for
additional help.  After much searching through the lists and Google
along with a lot of experimentation, I think I've got it (mostly) figured
out.  This post is just an effort to help others who might be struggling
with the same issues as I was.  I'm sure it's far from perfect and if
anyone has suggestions on improving something, I'd like to hear them.

Server Information:
   Red Hat 8.0 w/ kernel 2.4.28-18.8.0
   Samba 3.0 alpha 21

Just to be sure, I've started at the beginning and double checked
everything to make sure it matches the documentation I have.  Also, I
apologize for the wordiness, but hopefully this will help someone else.
Here's what I've done so far:

I successfully joined the domain (actually this shows me re-joining):

# /usr/local/samba/bin/net ads join
[2003/01/30 15:30:04, 0] libads/ldap.c:ads_join_realm(1325)
  Host account for lintest already exists - deleting old account
Joined 'LINTEST' to realm 'MYDOMAIN.ORG'

Then to make sure I could actually authenticate up to the w2k ads
server:

# ../bin/smbclient //postoffice/c\$ -k
added interface ip=10.1.46.5 bcast=10.1.47.255 nmask=255.255.240.0
Doing spnego session setup (blob length=113)
Doing kerberos session setup
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> 

At the prompt, I was able to traverse all directories, etc.

In following the winbind documentation, I tried joining the domain again
after configuring my smb.conf file (figuring this wouldn't work since
it's quite a bit different than the 1st join command):

# bin/net rpc join -s PDC -U john.doe
[2003/01/30 16:06:41, 0] param/params.c:OpenConfFile(532)
  params.c:OpenConfFile() - Unable to open configuration file "PDC":
        No such file or directory
[2003/01/30 16:06:42, 1] utils/net.c:net_find_server(224)
  no server to connect to

Unable to find a suitable server
[2003/01/30 16:06:43, 1] utils/net.c:net_find_server(224)
  no server to connect to

Unable to find a suitable server

Figuring I've already joined the domain, I proceeded in following the
documentation.  I started up winbindd (which shows as running after
issuing "ps ax"), then tried:

# bin/wbinfo -u
MYDMN+Administrator
MYDMN+Guest
MYDMN+krbtgt
MYDMN+john.doe
MYDMN+jane.smith
MYDMN+george
    <snip>

Which finally worked.  Then I tried:

#wbinfo -g (this worked also)

Then I tried:

#wbinfo -t 

got this:

[root at lintest samba]# bin/wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

Logs show:

[2003/01/31 08:34:05, 1] rpc_client/cli_netlogon.c:cli_nt_setup_creds(300)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/01/31 08:34:05, 0] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(936)
  error connecting to domain password server: NT_STATUS_ACCESS_DENIED

Windows event viewer shows this:

The session setup from the computer LINTEST failed to authenticate. The
name of the account referenced in the security database is LINTEST$.
The following error occurred: 
Access is denied.  

I finally found a fix for this.  My nsswitch.conf file had the shadow
line incorrect.  It was:

==============================
## nsswitch.conf
## created by Rick

passwd:         files winbind
shadow:         files winbind
group:          files winbind
==============================

It is now:
==============================
## nsswitch.conf
## created by Rick

passwd:         files winbind
shadow:         files 
group:          files winbind
=============================

Amazing how such a small oversight can affect things.

Now this works:

[root at lintest samba]# bin/wbinfo -t
checking the trust secret via RPC calls succeeded

Since this fix, my logs now show:

[2003/01/31 09:23:52, 1] nsswitch/winbindd_util.c:add_trusted_domain(140)
  Added domain MYDMN  
[2003/01/31 09:24:02, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:24:12, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:24:22, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:24:34, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:24:44, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:24:54, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:25:06, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN
[2003/01/31 09:25:16, 1] nsswitch/winbindd_util.c:init_domain_list(220)
  Retrying startup domain sid fetch for MYDMN

	<snip>

As you can see, this continues about every 10 seconds.

I changed my smb.conf file back (I had been experimenting with the
difference in the security = domain vs. = ADS and password = * vs. =
<server name>).  I am now able to connect to the samba server from the
domain logged in w2k workstation (without asking for a password).
Yahoo!!!

BUT - then it occurred to me that the user I'm using is in the
/etc/passwd file (but not in the smbpasswd file).  I commented this user
out (using #).  After this, the user could not connect to the samba
server.  In the documentation, it appears that I need to use "getent
passwd" and "getent group" to pull down the user list and groups from
the server.  This doesn't seem to work.  Here's what I get:

#getent passwd

This seemed to only list the current contents of my /etc/passwd file.
It's my understanding that it should list this and then follow it with
the domain users with their new uids, gids, home directories and default
shells.  All I got was the /etc/passwd file.

Log shows:
[2003/01/31 11:22:35, 0] nsswitch/winbindd.c:process_loop(620)
  process_loop: Invalid request size from pid 10640: 1304 bytes sent, should be 1564
[2003/01/31 11:22:35, 0] nsswitch/winbindd.c:process_loop(620)
  process_loop: Invalid request size from pid 10640: 1304 bytes sent, should be 1564

As I would expect, "getent group" works the same.

I found a posting from 2002-05-06 with a similar error in which you
thought the winbindd libraries did not match.  I'm using the version
that came with the alpha21 package (I thought).  

Then I found a posting that showed the libnss_winbind.so libraries are
not created by make (although it didn't say how to do that).  Found a
posting via Google
(http://samba.cadcamlab.org/lists/samba-technical/Apr2002/00059.html)
which also indicated that the libnsswitch_winbind.so library is not
created by make.  Followed his instructions "make
nsswitch/libnss_winbind.so" from the source directory, then copied it to
/lib and another problem resolved.  No more "Invalid request size...."
errors.

#getent passwd (now works)
#getent group (now works)

Now my workstation will successfully login to samba server without
asking for a password and without a user/passwd in /etc/passwd or
smbpasswd.  However, no other machine can seem to log in (even when
using the same account).  No errors or logs on the samba box or the dc.
This seemed odd, so I relogged into my w2k workstation, and now it will
not log in either.  Interesting.

Then I noticed this in the logs:

[2003/01/31 13:10:12, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(127)
  user 'IP-RSEGEBE50172$' does not exist

However, I have found that this does not seem to matter.  What mattered
were the directory permissions (right now I only have [homes] shared
out).  By using getent group, I was able to find the group number of a
group that my user belonged to.  All I have to do is chown and chmod the
directory to which I want that share available and it works.

Here's an example: 

In my ADS, I have group called IT.  Using "getent group|grep IT" I find
my group number is 12345.  I create a directory on my samba box called
"it_dudes", then issue the following commands as root:

#chgrp 12345 it_dudes
#chmod 770 it_dudes

If you do an ls -l, you'll see a pretty cool listing, like this:

drwxrwx---    2 root    DOMAIN+IT     4096 Dec 16 10:39 it_dudes

Now everyone in the "it_dudes" group has full permission to whatever is
there.

Of course, the above directory has to be shared out appropriately in
smb.conf.  My configs (below) only show basic configurations, but you
really should add to it such entries as the umask, default permissions
(of the share that is), etc.

Notes:
1) My Windows 2000 ADS domain name is MYDOMAIN.ORG, however my NT domain
name is MYDMN.  Anything that shows ADS listings (such as getent group)
always shows the NT domain name.
2) I did all of my work via telnet windows (actually ssh).  It was
helpful to have one of the windows open with "tail -f log.winbindd
|more" running as I could see cause and effect related problems and
successes.  Also, my ssh session has a nice big buffer so I can scroll
back and see things I might have missed.
3) Somewhere in all of this, I added root to the smbpasswd file.  I know
it helped, but now I don't remember what it was.
4) There is a smb startup/stop/restart script at the end of this also.
Very helpful with all the restarts I had to do when making changes.
5) If I think of or discover anything else, I will post it.


Here are my config files:

*********smb.conf*****************

[global]
	workgroup = MYDMN
	netbios name = LINTEST
	
	realm = MYDOMAIN.ORG
	ads server = 10.1.30.39
	server string = %L running Samba %v
	security = ADS
	password server = postoffice
	
	passwd program = /usr/bin/passwd %u
	
	encrypt passwords = yes
	unix password sync = Yes
	log file = /var/log/samba/log.%m
	preferred master = No
	local master = No

	#added 1/31/03
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	domain master = No
	dns proxy = no
	ldap ssl = no

	# Winbind stuff
	winbind separator = +
	winbind uid = 10000-20000
	winbind gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = No
	template homedir = /home/%U
	template shell = /bin/bash

[homes]
	guest ok = no
	read only = no

[users]
	path=/home
	guest ok = no
	read only = no


***********krb5.conf************

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MYDOMAIN.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MYDOMAIN.ORG = {
  kdc = 10.1.30.39
  default_domain = mydomain.org
 }

#  admin_server = postoffice.mydomain.org

[domain_realm]
 .mydomain.org = MYDOMAIN.ORG
 mydomain.org = MYDOMAIN.ORG

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


*******nsswitch.conf************

## nsswitch.conf
## created by Rick

passwd:		files winbind
shadow:		files 
group:		files winbind


********ldap.conf (condensed to show only what I changed or added)**************

# @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
host 10.1.30.39 

# The distinguished name of the search base.
base dc=mydomain,dc=org

<snip>


# The port.
# Optional: default is 389.
#port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

<snip>

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
nss_base_passwd		dc=mydomain,dc=org?sub
nss_base_shadow		dc=mydomain,dc=org?sub
nss_base_group		dc=mydomain,dc=org?sub

#nss_base_passwd	ou=People,dc=example,dc=com?one
#nss_base_shadow	ou=People,dc=example,dc=com?one
#nss_base_group		ou=Group,dc=example,dc=com?one

#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
#nss_base_services	ou=Services,dc=example,dc=com?one
#nss_base_networks	ou=Networks,dc=example,dc=com?one
#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks	ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one

<snip>

******* smb startup file ***********

#!/bin/bash
#start/stop/restart samba

samba_start() {
        echo "starting smbd"
        # -D runs the daemon in the background
        /usr/local/samba/sbin/smbd -D
        echo "starting nmbd"
        /usr/local/samba/sbin/nmbd -D
        echo "starting winbind"
        /etc/init.d/winbind.init start
}

samba_stop() {
        echo "stopping smbd nmbd"
        killall smbd nmbd
        echo "stopping winbind"
        killall winbindd
}

samba_restart() {
        samba_stop
        sleep 1
        samba_start
}

case "$1" in
        'start')
                samba_start
                ;;
        'stop')
                samba_stop
                ;;
        'restart')
                samba_restart
                ;;
        *)
                echo "usage $0 start|stop|restart"
                exit 1
                ;;
esac

********************************

I hope this helps someone somewhere.
 
Rick Segeberg
Provo Site Manager, IT Department
The Waterford Institute
rick.segeberg at waterford.org


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Wednesday, January 29, 2003 3:04 AM
To: Rick Segeberg
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba 3 & ADS current capabilities [adr]


On Wed, 2003-01-29 at 07:39, Rick Segeberg wrote:
> I have been working to get a Samba 3 (alpha 21) on Red Hat 8.0 to work
> with our current Windows 2000 ADS.  This is "pure" ADS (ie. no
> compatibility mode).  Our desire is to have various samba servers join
> the domain and use the domain to authenticate users to the samba
> servers.  It's my understanding that winbind is necessary.
>  
> I've followed lots of HOWTO's and various articles as well as searched
> the list archives and have not gotten it to work and have not found
> quite what I am looking for (although much has still been very
> helpful).  I was able to successfully have the samba server join the
> domain (it shows up in ADS), and I can authenticate to the w2k box from
> the samba box just fine.  But, I cannot authenticate back to samba box
> from a windows workstation (which is logged into the domain) unless I
> also have the login name and password in the smbpasswd file.  Also,
> when I try any of the wbinfo tests, they fail.

Which tests - and what exactly do you mean by 'fail'.  Are you really
sure you correctly joined the domain?

> I understand it's still in alpha and just to make sure I'm not trying
> something that's not available/working yet, I need to know if this is
> possible.  So the question is:
>  
> Can a workstation in the ADS domain be authenticated to a samba 3
> server via W2K ADS (with no compatibility mode)?

Yes - shipping products are based on exactly this functionality.

You are going to need to give some more info on the join, and any
particular errors in the logs.  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
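The two things Rick found by trial and error above are easy to check mechanically: whether `winbind` is listed on the `shadow:` line of nsswitch.conf (the layout that made `wbinfo -t` fail with NT_STATUS_ACCESS_DENIED), and what numeric GID winbind has assigned to a domain group. The script below is an added example, not part of the original post or of Samba. It runs against a constructed nsswitch.conf and constructed `getent group` output embedded in the script, so it works offline; the `+` separator and the GID 12345 for the IT group are taken from the post, and the helper names are this example's own. Looking the group up by its exact name (`MYDMN+IT`) rather than with `grep IT` avoids also matching groups such as `MYDMN+ITSUPPORT`. Note also that the `ls -l` listing in the post shows the directory's group, not its owner, set to the domain group, which is what `chgrp 12345` (or `chown :12345`) does.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project):
# checks for the nsswitch.conf layout the post arrived at, and an exact
# lookup of a domain group's GID from getent-style output.
# Assumptions: nsswitch.conf lines look like "db: source source", and
# group lines look like "name:x:gid:members" (the getent group format).

# Constructed sample reproducing the broken state from the post
# (winbind listed on the shadow line).
BROKEN_NSSWITCH='passwd:         files winbind
shadow:         files winbind
group:          files winbind'

# Constructed sample of the working layout from the post.
FIXED_NSSWITCH='passwd:         files winbind
shadow:         files
group:          files winbind'

# Constructed sample of "getent group" output with winbind entries
# (separator "+" as in the smb.conf above; GIDs in winbind gid = 10000-20000).
SAMPLE_GETENT_GROUP='root:x:0:
wheel:x:10:rick
MYDMN+Domain Users:x:10001:
MYDMN+IT:x:12345:
MYDMN+ITSUPPORT:x:12346:'

# nss_sources DB CONF: print the sources configured for database DB
# (e.g. "files winbind"), or nothing if DB has no line in CONF.
nss_sources() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print }'
}

# check_nsswitch CONF: return 0 when winbind is on passwd and group but
# not on shadow (the layout that made "wbinfo -t" succeed in the post),
# 1 otherwise, printing one line per problem found.
check_nsswitch() {
    conf=$1
    status=0
    case " $(nss_sources passwd "$conf") " in
        *" winbind "*) ;;
        *) echo "passwd: winbind missing"; status=1 ;;
    esac
    case " $(nss_sources group "$conf") " in
        *" winbind "*) ;;
        *) echo "group: winbind missing"; status=1 ;;
    esac
    case " $(nss_sources shadow "$conf") " in
        *" winbind "*) echo "shadow: winbind listed (remove it)"; status=1 ;;
    esac
    return $status
}

# group_gid NAME GETENT_OUTPUT: print the GID of the group whose name is
# exactly NAME; prints nothing if there is no such group.
group_gid() {
    printf '%s\n' "$2" | awk -F: -v name="$1" '$1 == name { print $3; exit }'
}

# Demo on the constructed samples.
echo "broken nsswitch.conf:"
check_nsswitch "$BROKEN_NSSWITCH" || echo "  -> the layout that made wbinfo -t fail"
echo "fixed nsswitch.conf:"
check_nsswitch "$FIXED_NSSWITCH" && echo "  -> ok"
echo "GID of MYDMN+IT: $(group_gid MYDMN+IT "$SAMPLE_GETENT_GROUP")"
```

On a real box you would feed the functions the live data instead of the samples, for example `check_nsswitch "$(cat /etc/nsswitch.conf)"` and `group_gid MYDMN+IT "$(getent group)"`, and then use the returned GID with `chgrp` and `chmod 770` as in the post.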
