[Samba] Re: Authentication against AD?

Ernest Keller Ernest.Keller at arivia.co.za
Fri Sep 16 05:51:51 GMT 2005


Hi,

I get exactly the same.
'kinit -U[username]%[password]' works 100%; 'klist' shows my kerberos
ticket(s); I set up my krb5.conf as per the examples in Samba 3 by
Example-HOWTO; I joined the domain 100% with 'net ads join -U
[username]%[password]', but:

 wbinfo -u just gives me "Error looking up domain users."
 wbinfo -g gives me a listing of all the ADS groups  <-- working 100%?

 'getent passwd' gives me a listing of all local users, but no domain /
ADS users
 'getent group' gives me the local groups, but no ADS groups (just hangs
a while after local groups and then probably times out)

I only have a small office file & print server (about 12 users), so I
got around this by using local accounts and manually mapping them to the
corresponding domain users (/etc/samba/smbusers - local username =
[DOMAIN]/[domain username]) and using 'username map =
/etc/samba/smbusers' in smb.conf .

Here is my config:

[global]
   realm = COMPANY.COM
   security = ADS
   password server = kdc.company.com
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind separator = /

   unix password sync = yes

   workgroup = COMPANY-COM
   interfaces = eth0 lo
   bind interfaces only = yes
   netbios name = SERVER

   name resolve order = wins hosts bcast
   dns proxy = no

   domain logons = no
   preferred master = no
   domain master = no
   local master = yes

   os level = 33

   max log size = 1024
   log level = 2
   log file = /var/log/samba/samba-new.log
   syslog = 1

   guest account = smbguest
   username level = 50
   username map = /etc/samba/smbusers
   encrypt passwords = yes
   password level = 20

   client use spnego = yes

   wins server = x.x.x.x

   preserve case = yes
   short preserve case = yes
   case sensitive = no
   hide dot files = yes
   hide unreadable = yes
   hide special files = yes

   map to guest = never

I also repeatedly get the following in
/var/log/samba/log-wb.COMPANY-COM:

   [2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
     cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME].
     Error was Write error: Connection reset by peer
   [2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
     cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME].
     Error was Write error: Connection reset by peer

Service smb status gives:

   smbd (pid 21371 21233) is running...
   nmbd (pid 14018) is running...

Service winbind status gives:

   winbindd (pid 8991 8370 8367 8366) is running...

I'm running Samba 3.0.20 on Linux Fedora Core 4.

Although we can work, any help to get the proper domain authentication
working would be greatly appreciated.

TIA

Ernest

> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >></snip>
> >>
> >>Ok I think I have found my problem.  I need to find a way to map 
> >>Samba to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"  
> >>(example, I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty
> >straightforward set-up, right? You want to join this Samba box to a
> >Win2k3 server for file- or print-serving purposes? I've always felt
> >that you get a basic set-up working first, then start to get fancy.
> >
> >AFAIK:
> >
> >1. kinit Administrator at MYDOMAIN.COM
> >(You'll be prompted for a password. My systems simply return me to a
> >prompt if I'm successful.)
> >2. net ads join -U Administrator at MYDOMAIN.COM
> >(Again, you'll be prompted for a password. Info about the machine
> >joining the AD is returned.)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
>
> Yeah this works, I can get my krb creds:
>
> jason at odin-newb:~> kinit Admin at DOMAIN.COM
> Password for Admin at DOMAIN.COM:
> jason at odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin at DOMAIN.COM
>
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM at DOMAIN.COM
>         renew until 09/16/05 14:12:30
>
>
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
>
> And this works as well:
>
> Admin at DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists -
>   modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
>
> But when testing, using wbinfo -u or getent I am getting only the 
> local passwd accounts.
>
> jason at odin-newb:~> wbinfo -u
> Error looking up domain users
>
> And here is where my accounts need to be authenticated from:
>
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
>
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I 
> can get more info on this.

So, you're not authenticating against ADS?  If you are, are you sure the
winbind daemon is running?

Dimitri
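Both posters see a successful kinit and join but empty 'wbinfo -u' / 'getent passwd' output. As an added example (not code from the thread or from the Samba project), here is a small checker that parses the [global] section of an smb.conf like the one above, plus a constructed nsswitch.conf, and reports the prerequisites winbind enumeration depends on: security = ADS, valid idmap ranges, the enum settings, and winbind being listed for passwd and group in nsswitch.conf (a missing nsswitch entry is assumed here as the cause of local-only getent output). The sample configs are constructed; the "1000" lower bound is a heuristic, not a Samba rule.

```python
import re

# Constructed sample: the relevant part of the [global] section from the post.
SMB_CONF = """
[global]
   realm = COMPANY.COM
   security = ADS
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind separator = /
"""

# Constructed sample nsswitch.conf: 'passwd' lacks winbind, so
# 'getent passwd' would list only local accounts even if winbind is healthy.
NSSWITCH = """
passwd: files
group:  files winbind
"""


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lowercased)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            section = m.group(1).lower()
        elif section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[' '.join(key.split()).lower()] = value.strip()
    return params


def parse_range(spec):
    """'10000-1000000' -> (10000, 1000000); raises ValueError on bad input."""
    lo, hi = spec.split('-')
    return int(lo), int(hi)


def check_winbind(smb_conf, nsswitch):
    """Return findings that explain empty wbinfo/getent results (empty list = no findings)."""
    p, findings = parse_global(smb_conf), []
    if p.get('security', '').lower() != 'ads':
        findings.append('security is not ADS')
    for key in ('idmap uid', 'idmap gid'):
        if key not in p:
            findings.append(f'{key} missing: winbind cannot allocate Unix IDs')
        else:
            lo, hi = parse_range(p[key])
            if lo >= hi or lo < 1000:  # heuristic: keep clear of local accounts
                findings.append(f'{key} range {p[key]} is invalid or overlaps local IDs')
    for key in ('winbind enum users', 'winbind enum groups'):
        if p.get(key, 'no').lower() != 'yes':  # treated as required to be set explicitly
            findings.append(f'{key} is not yes: enumeration will return nothing')
    for db in ('passwd', 'group'):
        m = re.search(rf'^{db}:\s*(.*)$', nsswitch, re.M)
        if not m or 'winbind' not in m.group(1).split():
            findings.append(f'nsswitch.conf {db} line lacks winbind: getent {db} shows local entries only')
    return findings
```

Run against the constructed inputs it reports only the missing winbind entry on the passwd line; the config itself passes every check.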