[Samba] Samba + Active Directory
Cedric Puddy
cedric at cadence.thinkers.org
Wed Jan 7 00:42:27 GMT 2004
On Tue, 6 Jan 2004, samba_list wrote:
> Hi,
>
> I'm having much trouble configuring Samba to work in an Active
> Directory environment.
>
> Using getent passwd I'm able to see AD's users. wbinfo -u and wbinfo -g
> also work fine.
>
> When someone from Windows tries to access my Samba server, the smb
> password window is shown (I thought the authentication would be
> transparent, wouldn't it?), and any password I provide is rejected: I tried
> AD users using either the plain username and the DOMAIN\username form. I
> also tried my root password, without any success.
>
> The logs are saying:
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
> [2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> Failed to verify incoming ticket!
>
> Is there any special configuration I have to do on Active Directory to
> make AD authentication available to Samba?
Almost certainly, you are running version 3.0.1, which as best
I've been able to determine breaks kerberos ticket handling
in the case of a Win2k/XP box trying to access SAMBA.
I've reported the problem to the list, and several others have
as well in recent times, but as yet, I haven't noticed a clear
answer as to what is broken. One fellow said that he was
testing 3.0.1 with the libads code changes reverted to 3.0.0, but
I don't believe he's reported back yet. (I'd be *very* interested
in beta testing that! :)
What works for me is going back to version 3.0.0.
The reason that's not good for me is because I have
a whole bunch of existing unix users that I want to
map properly to existing windows users of the same
names, and 3.0.1 is supposed to do that automatically.
If that's not a concern for you, then you might not
have any reason to care which version you are running.
I'm using the redhat RPMS, and doing this sequence
successfully downgrades me from 3.0.1 -> 3.0.0:
<ensure that you have an admin ticket with
kinit, if you do the net ads leave/join
bits...>
net ads leave
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
/etc/rc.d/init.d/smb stop
/etc/rc.d/init.d/winbind stop
rpm -Uvh --force /usr/src/rpms/samba-3.0.0-2_rh9.i386.rpm
cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
/etc/rc.d/init.d/smb start
/etc/rc.d/init.d/winbind start
net ads join
The above process assumes that you've got the rpm file
downloaded in /usr/src/rpms, that you have the right
rpms for your system (in my case, rh9), and guarantees that
your smb.conf file doesn't get accidentally wiped out.
I don't believe that the "net ads leave/join" part is
strictly necessary. I've just been doing it whenever I
upgrade/downgrade out of pedantry. My understanding
is that it shouldn't be necessary, because the shared
secrets/etc should be stored in the Samba TDB databases
somewhere...
In my case, simply changing to 3.0.0 immediately makes
everything work, and going to 3.0.1 immediately makes
everything break.
If you want further confirmation that you are having
the same problem I am, increase the logging level to
something like 5, and look for "unknown key table type"
errors shortly before the "Failed to verify ticket"
error in your /var/log/samba/log.<workstation> file
(assuming that you put your logs in the default linux
location :)
I hope that helps,
Best Regards,
-Cedric Puddy
> I've already installed PAM and followed all instructions at samba.org,
> but it is not working.
>
> Could someone please help me ?
>
> Thanks in advance,
>
> Lindolfo
>
> P.S.: I've already checked both servers' time, they are synchronized.
>
>
--
-
| CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
| 118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-741-2157
\____________________________________________________________________
Cedric Puddy, IS Director cedric at thinkers.org
PGP Key Available at: http://www.thinkers.org/cedric
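The diagnostic Cedric suggests (raise the log level, then look for "unknown key table type" shortly before each "Failed to verify incoming ticket!") can be automated over a log file. The following is an added example written for this archive page, not code from Cedric, Lindolfo or the Samba project. It parses Samba's two-line log records (a `[date time, level] file:function(line)` header followed by an indented message), pairs each ticket-verification failure with a preceding "unknown key table type" message inside a short time window, and reports whether the log was captured at a level high enough (5 or more) for that cause line to appear at all. The sample log is constructed for the example: only the "Failed to verify incoming ticket!" records mirror the post; the level-5 record's location and line number are placeholders.

```python
import re
from datetime import datetime, timedelta

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, LEVEL] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)\s*$")

# Constructed sample log (assumption: not taken from the poster's server).
# The level-5 record is a placeholder for what a higher log level would show.
SAMPLE_LOG = """\
[2004/01/05 18:42:29, 5] libads/kerberos_verify.c:ads_verify_ticket(0)
  unknown key table type
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2004/01/05 18:42:30, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
"""


def parse_samba_log(text):
    """Return a list of (timestamp, level, location, message) records.

    Samba writes a header line and then the message on the following
    indented line; we join the two and skip headers with no message.
    """
    records = []
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            pending = (ts, int(m.group(2)), m.group(3))
        elif pending is not None and line.strip():
            ts, level, location = pending
            records.append((ts, level, location, line.strip()))
            pending = None
    return records


def find_ticket_failures(records, window=timedelta(seconds=5)):
    """Pair each 'Failed to verify incoming ticket' with a preceding cause.

    Returns a list of (timestamp, cause_message_or_None); the cause is the
    nearest earlier 'unknown key table type' message within `window`.
    """
    results = []
    for i, (ts, _level, _loc, msg) in enumerate(records):
        if not msg.startswith("Failed to verify incoming ticket"):
            continue
        cause = None
        for pts, _plvl, _ploc, pmsg in reversed(records[:i]):
            if ts - pts > window:
                break  # records are in time order; nothing older is relevant
            if "unknown key table type" in pmsg:
                cause = pmsg
                break
        results.append((ts, cause))
    return results


def diagnose(text):
    """Summarise a log: failures found, their causes, and whether the
    capture level was high enough for the cause line to be present."""
    records = parse_samba_log(text)
    max_level = max((r[1] for r in records), default=0)
    failures = find_ticket_failures(records)
    matched = sum(1 for _ts, cause in failures if cause is not None)
    if failures and max_level < 5:
        advice = "raise 'log level' to 5 and reproduce; cause lines are not logged at this level"
    elif failures and matched == len(failures):
        advice = "every failure follows 'unknown key table type'; matches the 3.0.1 symptom"
    elif failures:
        advice = "some failures have no 'unknown key table type' before them; check clock skew and keytab"
    else:
        advice = "no ticket verification failures in this log"
    return {"records": len(records), "max_level": max_level,
            "failures": failures, "matched": matched, "advice": advice}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    for ts, cause in report["failures"]:
        print(ts, "->", cause or "(no cause logged)")
    print(report["advice"])
```

Run it against `/var/log/samba/log.<workstation>` (the default location Cedric mentions) after setting `log level = 5` in smb.conf and reproducing the failed logon; if the log was captured at level 1, the tool says so rather than reporting a false "no cause" result.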