[Samba] Samba + Active Directory

Cedric Puddy cedric at cadence.thinkers.org
Wed Jan 7 00:42:27 GMT 2004

On Tue, 6 Jan 2004, samba_list wrote:

> Hi,
> I´m having much trouble on configuring Samba to work on an Active
> Directory
> environment.
> Using getent password I´m able to see AD´s users. wbinfo -u and wbinfo -g
> also work fine.
> When someone from a Windows try to access my Samba server, the smd
> password
> window is shown (I think that the autehntication would be transparent,
> wouldn't it ?), any password I provide is rejected: I tried AD users using
> either the plain username and the DOMAIN\username form. I tried also using
> my root password, without any success.
> The logs are saying:
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
> Is there any special configuration I have to do on Active Directory to
> become AD authentication available to Samba ?

Almost certainly, you are running version 3.0.1, which as best
I've been able to determine breaks kerberos ticket handling
in the case of a Win2k/XP box trying to access SAMBA.

I've reported the problem to the list, and several others have
as well in recent times, but as yet, I haven't noticed a clear
answer as to what is broken.  One fellow said that he was
testing 3.0.1 with the libads code changes reverted to 3.0.0, but
I don't believe he's reported back yet.  (I'd be *very* interested
in beta testing that! :)

What works for me is going to back to version 3.0.0.
The reason that's not good for me is becuase I have
a whole bunch of existing unix users that I want to
map properly to existing windows users of the same
names, and 3.0.1 is supposed to do that automaticly.
If that's not a concern for you, then you might not
have any reason to care which version you are running.

I'm using the redhat RPMS, and doing this sequence
successfully downgrades me from 3.0.1 -> 3.0.0:

	<ensure that you have an admin ticket with
		kinit, if you do the net ads leave/join
	net ads leave
	cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
	/etc/rc.d/init.d/smb stop
	/etc/rc.d/init.d/winbind stop
	rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
	cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
	/etc/rc.d/init.d/smb start
	/etc/rc.d/init.d/winbind start
	net ads join

The above process assumes that you've got the rpm file
downloaded in /usr/src/rpms, that you have the right
rpms for your system (in my case, rh9), and guarentees that
your smb.conf file doesn't get accidentally wiped out.

I'm don't believe that the "net ads leave/join" part is
strictly necessary.  I've just been doing it whenever I
upgrade/downgrade out of pedantdry.  My understanding
is that it shouldn't be necessary, because the shared
secrets/etc should be stored in the Samba TDB databases

In my case, simply changing to 3.0.0 immediately makes
everything work, and going to 3.0.1 immediately mades
everything break.

If you want further confirmation that you are having
the same problem I am, increase the logging level to
something like 5, and look for "unknown key table type"
errors shortly before the "Failed to verify ticket"
error in your /var/log/samba/log.<workstation> file
(assuming that you put your logs in the default linux
location :)

	I hope that helps,

	Best Regards,

	-Cedric Puddy

> I´ve already installed PAM and followed all intructions at samba.org,
> but is
> not working.
> Could someone please help me ?
> Thanks in advance,
> Lindolfo
> P.S.: I´ve already checked both servers´ time, they are syncronized.

|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
   Cedric Puddy, IS Director		cedric at thinkers.org
     PGP Key Available at: 		http://www.thinkers.org/cedric

More information about the samba mailing list