[Samba] Samba 3.0.x in ADS mode in a Windows Krb AD forest domain, does it work?

Rich Cardwell richard_cardwell at hpl.hp.com
Thu Dec 16 11:45:49 GMT 2004


Hi,
 
 With some luck someone on this list can tell me if what I'm trying to
do is possible with Samba 3, and if I'm really lucky how to get it
working, as I'm pretty stuck at the moment and have hit the limits of my
knowledge.
 
 At present in my environment we are running numerous Samba 2 servers in
server and domain level security (I know server level security is a bad
idea), and everything works fine. However as time moves on we are
looking to migrate our servers off Samba 2 and onto Samba 3 and switch
all servers over to ads mode. However during testing (on Debian and 
HP-UX machines) we appear to have hit a problem that I can't resolve, 
namely I can't connect to any shares, as the servers don't appear to
 recognize the login domain. For this to make any sense I will attempt
to explain our environment.
 
 At present we have an old legacy domain which is all based around NT
trusts, and a new domain which uses Kerberos AD forest trusts. Now in
our new domain we have central domain, with other sub domains hanging
off it for users (one per geography) and organisational units (again one
 per OU). Now the way the domain has been configured is that user
accounts live in the user domains, and machine accounts live in the
organisational unit domains, all pretty simple.
 
 However when connecting to a Samba 3 host configured in ads mode that
has successfully joined the OU domain we hit a problem that the server
doesn't seem to recognise the login domain, and remaps the domain to the
local OU and hence the login fails, as this logfile extract shows.
 
 [2004/12/16 11:02:27, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user
 [LOGINDOMAIN]\[ricc]@[CARDWELL-R-3] with the new password interface
 [2004/12/16 11:02:27, 3] auth/auth.c:check_ntlm_password(222)
   check_ntlm_password:  mapped user is:
 [OUDOMAIN.HPL.HP.COM]\[ricc]@[CARDWELL-R-3]
 [2004/12/16 11:02:27, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2004/12/16 11:02:27, 3] smbd/uid.c:push_conn_ctx(365)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2004/12/16 11:02:27, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2004/12/16 11:02:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2004/12/16 11:02:28, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [ricc] -> [ricc] FAILED
 with error NT_STATUS_ACCESS_DENIED
 
 However if I try and connect to an admin account that lives in the
 OUDOMAIN, everything works as Samba appears to recognize the domain as
 valid.
 
 As an additional test, I have tried to connect to the share using an
old
 account in the Legacy domain which uses the old NTLM NT trust
 mechanisms, and this appears to work as the Samba server recognizes the
 domain, and hence leaves the domain prefix alone, as this logfile
 extract shows.
 
 [2004/12/16 11:26:47, 3] auth/auth.c:check_ntlm_password(219)
   check_ntlm_password:  Checking password for unmapped user
 [LEGACYDOMAIN]\[ricc]@[CARDWELL-R-3] with the new password interface
 [2004/12/16 11:26:47, 3] auth/auth.c:check_ntlm_password(222)
   check_ntlm_password:  mapped user is:
 [LEGACYDOMAIN]\[ricc]@[CARDWELL-R-3]
 [2004/12/16 11:26:47, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2004/12/16 11:26:47, 3] smbd/uid.c:push_conn_ctx(365)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 
 So I guess my question is: has anyone else managed to get Samba to work
 in this kind of domain? Or, alternatively, does anyone know whether Samba 3
 supports this kind of domain structure using AD forest trusts yet?
 
 Thanks in advance, for any help you can provide, as this has been
 driving me (not so) slowly nuts.
 
 Rich Cardwell
 
 --
 
 smb.conf for testhosts is as follows:
 
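 #======================= Global Settings =======================
 
 [global]
 
 ## Browsing/Identification ###
 
 # NetBIOS (pre-Windows 2000) short name of the joined domain, NOT its
 # DNS name - that goes in "realm" below. NetBIOS names are at most 15
 # characters, and a DNS-style value here shows up verbatim as the domain
 # smbd substitutes for a login domain it does not recognise (see the
 # "mapped user is" lines in this post). "OUDOMAIN" stands for the real
 # short name; confirm it via the "Pre-Win2k Domain" field of
 # `net ads lookup`. Fixing this does not by itself make a trusted
 # forest domain known to smbd - winbindd has to list it in `wbinfo -m`.
    workgroup = OUDOMAIN
 # Level 3 and above logs account names, client names and the result of
 # every authentication attempt; drop back to the default once the
 # problem is understood, and keep /var/log/samba readable by root only.
    debug level = 4
 
 # server string is the equivalent of the NT Description field
    server string = %L server (Samba %v)
 
 # Windows Internet Name Serving Support Section:
 # WINS Support - Tells the NMBD component of Samba to enable its WINS
 # Server
    wins support = no
 
 # WINS Server - Tells the NMBD components of Samba to be a WINS Client
 # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
    wins server = XX.XX.XX.net
 
 # This will prevent nmbd to search for NetBIOS names through DNS.
    dns proxy = no
 
 # What naming service and in what order should we use to resolve host
 # names to IP addresses
 ;   name resolve order = lmhosts host wins bcast
 
 #### Debugging/Accounting ####
 
 # One log file per connecting machine (%m = the client's NetBIOS name)
    log file = /var/log/samba/log.%m
 
 # Put a capping on the size of the log files (in Kb).
    max log size = 1000
 
 # If you want Samba to only log through syslog then set the following
 # parameter to 'yes'.
 ;   syslog only = no
 
 # We want Samba to log a minimum amount of information to syslog.
 # Everything should go to /var/log/samba/log.{smbd,nmbd} instead. If you
 # want to log through syslog you should set the following parameter to
 # something higher.
    syslog = 0
 
 # Do something sensible when Samba crashes: mail the admin a backtrace
    panic action = /usr/share/samba/panic-action %d
 
 ####### Authentication #######
 
 # security = ads: this host is a member of an Active Directory domain
 # and authenticates clients against it (Kerberos where the client can,
 # NTLM otherwise - the check_ntlm_password lines in this post are the
 # NTLM path). winbindd is what tells smbd which trusted domains exist:
 # `wbinfo -m` should list every domain whose users are expected here,
 # and a domain missing from that list is unlikely to be recognised.
    security = ads
 # Kerberos realm (upper-case DNS name) of the joined domain.
    realm =  OUDOMAIN.HPL.HP.COM
 # Pins every authentication, and this host's LDAP/Kerberos traffic, to
 # one DC: if that host is down nobody can log in. With security = ads
 # Samba can locate DCs itself when this is "*" (see smb.conf(5)); a
 # fixed host is only worth keeping while debugging.
    password server = support-br1.XX.XX.XX.XX
 # Rewrites client login names to local account names. Whoever can edit
 # this file can redirect logins, so it must be root-owned and not
 # writable by anyone else.
    username map = /etc/samba/smbusers
 
 # Default; negotiates Kerberos (GSS-SPNEGO) with the DC.
    client use spnego = yes
 # Requests STARTTLS on LDAP connections smbd opens. Only meaningful if
 # the DC presents a certificate this host's LDAP client library verifies.
    ldap ssl = start tls
 
 # Default since Samba 3. Never set to no - clients would then send
 # passwords in clear text over the wire.
    encrypt passwords = true
 
 # Local account database for non-domain accounts (domain accounts come
 # through winbindd). The trailing "guest" backend only supplies the
 # guest account entry.
    passdb backend = tdbsam guest
 
 # Honour the PAM account/session directives (e.g. pam_access) for SMB
 # logins as well.
    obey pam restrictions = yes
 
 ;   guest account = nobody
 # root may never log in over SMB, whatever the map or passdb say.
    invalid users = root
 
 # This boolean parameter controls whether Samba attempts to sync the
 # Unix password with the SMB password when the encrypted SMB password in
 # the passdb is changed.
 ;   unix password sync = no
 
 # For Unix password sync to work on a Debian GNU/Linux system, the
 # following parameters must be set (thanks to Augustin Luton
 # <aluton at hybrigenics.fr> for sending the correct chat script for the
 # passwd program in Debian Potato). The chat script is ONE line in the
 # real file; it was line-wrapped in transit.
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 
 ########## Printing ##########
 
 # If you want to automatically load your printer list rather
 # than setting them up individually then you'll need this
 ;   load printers = yes
 
 # lpr(ng) printing. You may wish to override the location of the
 # printcap file
 ;   printing = bsd
 ;   printcap name = /etc/printcap
 
 # CUPS printing.  See also the cupsaddsmb(8) manpage in the
 # cupsys-client package.
 ;   printing = cups
 ;   printcap name = cups
 
 # When using [print$], root is implicitly a 'printer admin', but you can
 # also give this right to other users to add drivers and set printer
 # properties
 ;   printer admin = @ntadmin
 
 ######## File sharing ########
 
 # Name mangling options
 ;   preserve case = yes
 ;   short preserve case = yes
 
 ############ Misc ############
 
 # Using the following line enables you to customise your configuration
 # on a per machine basis. The %m gets replaced with the netbios name
 # of the machine that is connecting
 ;   include = /home/samba/etc/smb.conf.%m
 
 # Most people will find that this option gives better performance.
 # See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
 # for details
 # You may want to add the following on a Linux system:
 #         SO_RCVBUF=8192 SO_SNDBUF=8192
    socket options = TCP_NODELAY
 
 # Leave at the default unless this machine will be configured as a BDC
 # (a secondary logon server), in which case set it to 'no'.
 ;   domain master = auto
 
 # winbind: how domain users and groups become Unix identities.
 
 # Domain and user are written DOMAIN+user on this host (the default
 # separator "\" is awkward in shells and in the username map).
    winbind separator = +
 # UID/GID ranges winbindd allocates to domain SIDs as it first sees them.
 # They must not overlap local accounts in /etc/passwd and /etc/group.
 # The SID-to-ID allocation state lives in winbindd's idmap tdb; back it
 # up with the host, or file ownership changes after a rebuild.
    idmap uid = 10000-200000
    idmap gid = 10000-200000
 # Full enumeration of a large AD domain is slow; only needed if getent
 # passwd/group must list every domain account.
    winbind enum users = yes
    winbind enum groups = yes
 # /home/DOMAIN/user keeps same-named users from different domains apart.
    template homedir = /home/%D/%U
    template shell = /bin/bash
 # Keep "no" in a multi-domain forest: with "yes" a bare user name is
 # assumed to be in the joined domain rather than the user's own domain.
    winbind use default domain = no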
 
 #======================= Share Definitions =======================
 
 [homes]
 # Each user's home directory, exported under that user's own name.
    comment = Home Directories
 # Only the owner may connect: %S expands to the share name, which for
 # [homes] is the user name. This is what keeps one user out of another's
 # home.
    valid users = %S
 # Listed in browse lists. Per smb.conf(5), browseable = no here would
 # hide the "homes" share itself while per-user home shares stay visible.
    browseable = yes
 # Exported read-only; set writable = yes to allow writes.
    writable = no
 # New files are created 0700 so only the owner can read them; use 0775
 # if group-writable files are wanted.
    create mask = 0700
-- 

Richard Cardwell

