[Samba] Problems with Samba and Windows 2003 Active Domain Server

Mark A. Holm markh at infoarch.com
Wed Jun 8 08:04:39 GMT 2005


Can somebody with experience making a RedHat Fedora Core 3 server with Samba installed work in a Windows 2003 Active Domain please
give me some pointers? I have a small installation with one Windows 2003 Server running as a domain controller for about 10 Windows
XP machines. This is working just fine. I decided that I wanted to add a RedHat Fedora Core 3 server as a Mail server, running Cyrus
IMAP and Open Group Ware. The first thing that I wanted to do was get the Fedora machine working as a member of the domain and
authenticating users from the domain for local login for mail and SSH access. I found several different tutorials on the web,
including the one in the documentation on the samba.org site, about doing this and followed as close as I could to their
instructions. For the file samples included below, I have started with the files as supply by RedHat and for the most part stripped
out the comments for brevity here. Also changed some names to protect the innocent.

My smb.conf file looks like the following:

smb.conf:
[global]
        log file = /var/log/samba/%m.log
        load printers = yes
        idmap gid = 16777216-33554431
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        winbind trusted domains only = yes
        realm = PORTLAND-INT.CLIENT.COM
        winbind use default domain = yes
        template primary group = "Staff"
        template homedir = /home/%U
        template shell = /bin/bash
        dns proxy = no
        netbios name = mail
        cups options = raw
        server string = Mail Linux Samba Server
        winbind enum users = yes
        winbind enum groups = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        password server = server.portland-int.client.com
        workgroup = SKYLINE
        os level = 20
        printcap name = /etc/printcap
        security = ads
        preferred master = no
        max log size = 50

[homes]
        comment = Home Directories
        browseable = no
        writeable = yes

; [netlogon]
;   comment = Network Logon Service
;   path = /home/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no


;[Profiles]
;    path = /home/profiles
;    browseable = no
;    guest ok = yes


[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        printable = yes

;[tmp]
;   comment = Temporary file space
;   path = /tmp
;   read only = no
;   public = yes

[public]
   comment = Public Stuff
   path = /home/samba
   public = yes
   read only = no
;   write list = @staff

EOF

The krb5.conf file contains:

krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PORTLAND-INT.CLIENT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 PORTLAND-INT.CLIENT.COM = {
  kdc = server.portland-int.client.com:88
  admin_server = server.portland-int.client.com:749
  default_domain = portland-int.client.com
 }

[domain_realm]
 .portland-int.client.com = PORTLAND-INT.CLIENT.COM
 portland-int.client.com = PORTLAND-INT.CLIENT.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

EOF

After doing "/etc/init.d/smb restart; /etc/init.d/winbind restart", I was able to issue a "net ads -U administrator join CLIENT"
command and received the Welcome to the CLIENT domain message. At this point I can do either of:

	wbinfo -a "CLIENT\\markh%MYPASSWD"
	wbinfo -a "markh%MYPASSWD"

And receive the response:

	plaintext password authentication succeeded
	challenge/response password authentication succeeded

The next steps I tried were to do a wbinfo -u and a wbinfo -g. These looked close to the examples given, but lacked the domain
specifier for the users that the other examples showed. Example output is given below:

wbinfo -u:

taaron
pfraser
DEBRA-DESKTOP$
markh
SALES-MGR$
ROGER-PC$
WAREHOUSE2$
kaycee
WAREHOUSE$
seanj
seane
amy
mail$

wbinfo -g:

BUILTIN#System Operators
BUILTIN#Replicators
BUILTIN#Guests
BUILTIN#Power Users
BUILTIN#Print Operators
BUILTIN#Administrators
BUILTIN#Account Operators
BUILTIN#Backup Operators
BUILTIN#Users
Domain Admins
Domain Users
Domain Guests
Sales
QuickBooks Users
Act Users
QuoteWerks Users
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners

The next step it said to do was to issue a "getent passwd" and a "getent group". The passwd version only shows what is on the local
Linux server, while the group version shows the local groups and the BUILTIN groups from the Active Directory. None of the Active
Directory users or local groups are shown. Example output below:

getent passwd:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
marktest:x:500:500:Mark Test Login:/home/marktest:/bin/bash
clamav:x:501:501:CLAM AV User:/home/clamav:/bin/bash
dspam:x:502:502:DSPAM User:/home/dspam:/bin/bash

getent group:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root
lp:x:7:daemon,lp
mem:x:8:
kmem:x:9:
wheel:x:10:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:
games:x:20:
gopher:x:30:
dip:x:40:
ftp:x:50:
lock:x:54:
nobody:x:99:
users:x:100:
dbus:x:81:
floppy:x:19:
vcsa:x:69:
nscd:x:28:
rpm:x:37:
haldaemon:x:68:
utmp:x:22:
netdump:x:34:
slocate:x:21:
sshd:x:74:
rpc:x:32:
rpcuser:x:29:
nfsnobody:x:65534:
mailnull:x:47:
smmsp:x:51:
pcap:x:77:
apache:x:48:
squid:x:23:
webalizer:x:67:
xfs:x:43:
ntp:x:38:
gdm:x:42:
named:x:25:
mailman:x:41:
mysql:x:27:
marktest:x:500:
clamav:x:501:
dspam:x:502:
BUILTIN#System Operators:x:16777216:
BUILTIN#Replicators:x:16777217:
BUILTIN#Guests:x:16777218:
BUILTIN#Power Users:x:16777219:
BUILTIN#Print Operators:x:16777220:
BUILTIN#Administrators:x:16777221:
BUILTIN#Account Operators:x:16777222:
BUILTIN#Backup Operators:x:16777223:
BUILTIN#Users:x:16777224:

Until I can get past that last step and see more than the BUILTIN groups and actually see users from the domain, I know that I
cannot get authorization to work. Can somebody point out what I missed or help walk me through what is needed to make this work? 

The one thing I have noted is that the profile file defined for the kdc in krb5.conf doesn't exist. Should it and if so what should
it contain?

Any and all help greatly appreciated. It shouldn't be this hard to make Windows and Linux work together. sigh!

	markh

====================================================
Mark A. Holm                                President
InfoArch, Inc.
7456 SW Baseline, PMB#123.        Phone:    (503) 750-9741
Hillsboro, OR 97123                       Fax:        (503) 591-8584
http://www.infoarch.com  <mailto:markh at infoarch.com>
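Editor's added example, not part of the post above nor of Samba itself: a small linter for the kind of smb.conf [global] section shown in the message. It flags parameters that appear more than once with different values (Samba keeps the later definition), and it flags `winbind trusted domains only = yes`, which the Samba manual documents as mapping users of the host's own domain onto existing /etc/passwd accounts instead of allocating them uids from the idmap range. The sample text is constructed from the posted configuration; the realm check is an extra sanity check not raised by that sample.

```python
"""Lint the [global] section of an smb.conf for idmap/winbind pitfalls."""
import re

# Constructed sample: the relevant [global] lines from the smb.conf in the post.
SAMPLE = """
[global]
        idmap gid = 16777216-33554431
        winbind trusted domains only = yes
        realm = PORTLAND-INT.CLIENT.COM
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        security = ads
        os level = 20
       os level = 20
[homes]
        browseable = no
"""

def parse_global(text):
    """Return (key, value) pairs from [global] in file order, keys normalised."""
    pairs, in_global = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                     # section header
            in_global = m.group(1).lower() == "global"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            # Samba compares parameter names case-insensitively, ignoring spacing.
            pairs.append((" ".join(key.lower().split()), value.strip()))
    return pairs

def lint(text):
    """Return human-readable findings for the [global] section."""
    findings, seen = [], {}
    for key, value in parse_global(text):
        if key in seen and seen[key] != value:
            findings.append(f"'{key}' set twice ({seen[key]!r} then {value!r}); "
                            "the later value wins and the first is silently dropped")
        seen[key] = value
    if seen.get("winbind trusted domains only", "no").lower() in ("yes", "true", "1"):
        findings.append("'winbind trusted domains only = yes': users of the primary "
                        "domain are expected in /etc/passwd, not allocated from idmap uid")
    if seen.get("security", "").lower() == "ads" and "realm" not in seen:
        findings.append("'security = ads' without a 'realm' parameter")
    return findings
```

Running `lint(SAMPLE)` on the constructed sample yields two findings: the conflicting `idmap gid` ranges and the `winbind trusted domains only` setting; the duplicated `os level = 20` is not reported because both copies agree.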