[Samba] Re: Authentication against AD?

Ernest Keller Ernest.Keller at arivia.co.za
Fri Sep 16 05:51:51 GMT 2005


I get exactly the same.
'kinit -U[username]%[password]' works 100%; 'klist' shows my kerberos
ticket(s); I set up my krb5.conf as per the examples in Samba 3 by
Example-HOWTO; I joined the domain 100% with 'net ads join -U
[username]%[password]', but:

 wbinfo -u just gives me "Error looking up domain users."
 wbinfo -g gives me a listing of all the ADS groups  <-- working 100%?

 'getent passwd' gives me a listing of all local users, but no domain /
ADS users
 'getent group' gives me the local groups, but no ADS groups (just hangs
a while after local groups and then probably times out)

I only have a small office file & print server (about 12 users), so I
got around this by using local accounts and manually mapping them to the
corresponding domain users (/etc/samba/smbusers - local username =
[DOMAIN]/[domain username]) and using 'username map =
/etc/samba/smbusers' in smb.conf .

Here is my config:

   realm = COMPANY.COM
   security = ADS
   password server = kdc.company.com
   idmap uid = 10000-1000000
   idmap gid = 10000-1000000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   winbind separator = /

   unix password sync = yes

   workgroup = COMPANY-COM
   interfaces = eth0 lo
   bind interfaces only = yes
   netbios name = SERVER

   name resolve order = wins hosts bcast
   dns proxy = no

   domain logons = no
   preferred master = no
   domain master = no
   local master = yes

   os level = 33

   max log size = 1024
   log level = 2
   log file = /var/log/samba/samba-new.log
   syslog = 1

   guest account = smbguest
   username level = 50
   username map = /etc/samba/smbusers
   encrypt passwords = yes
   password level = 20

   client use spnego = yes

   wins server = x.x.x.x

   preserve case = yes
   short preserve case = yes
   case sensitive = no
   hide dot files = yes
   hide unreadable = yes
   hide special files = yes

   map to guest = never

I also repeatedly get the following in

   [2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
     cli_rpc_open failed on pipe \lsarpc to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer
   [2005/09/16 07:33:32, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767)
     cli_rpc_open failed on pipe \NETLOGON to machine [ADS_DC_NAME]. Error was Write error: Connection reset by peer

Service smb status gives:

   smbd (pid 21371 21233) is running...
   nmbd (pid 14018) is running...

Service winbind status gives:

   winbindd (pid 8991 8370 8367 8366) is running...

I'm running Samba 3.0.20 on Linux Fedora Core 4

Although we can work, any help to get the proper domain authentication
working would be greatly appreciated.



> Dimitri Yioulos wrote:
> >On Thursday 15 September 2005 3:32 pm, you wrote:
> >></snip>
> >>
> >>Ok I think I have found my problem.  I need to find a way to map 
> >>Samba to an active directory common name:
> >>
> >>%> net ads join -U"Administrator" "cn=users,dc=domain,dc=com"  
> >>(example, I know the syntax is incorrect)
> >>
> >>As far as I can tell it is hard coded in the net ads join routine to
> >>tack on the ou=users vs. cn=users, anyone shed some light on this?
> >
> >Uh, I must be missing something here. This is a pretty 
> >straightforward set-up, right?  You want to join this Samba box to a
> >Win2k3 server for file- or print-serving purposes?  I've always felt that
> >you get a basic set-up working first, then start to get fancy.
> >
> >
> >1. kinit Administrator@MYDOMAIN.COM
> >(You'll be prompted for a password.  My systems simply return me to a
> >prompt if I'm successful.)
> >2. net ads join -U Administrator@MYDOMAIN.COM
> >(Again, you'll be prompted for a password.  Info about the machine
> >joining the AD is returned)
> >
> >Beyond this, someone else will have to help out.
> >
> >Best,
> >
> >Dimitri
> Yeah this works, I can get my krb creds:
> jason@odin-newb:~> kinit Admin@DOMAIN.COM
> Password for Admin@DOMAIN.COM:
> jason@odin-newb:~> klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: Admin@DOMAIN.COM
> Valid starting     Expires            Service principal
> 09/15/05 14:12:30  09/16/05 00:11:16  krbtgt/DOMAIN.COM@DOMAIN.COM
>         renew until 09/16/05 14:12:30
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
> And this works as well:
> Admin@DOMAIN.COM's password:
> [2005/09/15 14:13:25, 0] libads/ldap.c:ads_add_machine_acct(1405)
>   ads_add_machine_acct: Host account for odin-newb already exists - modifying old account
> Using short domain name -- DOMAIN.COM
> Joined 'ODIN-NEWB' to realm 'DOMAIN.COM'
> But when testing, using wbinfo -u or getent I am getting only the 
> local passwd accounts.
> jason@odin-newb:~> wbinfo -u
> Error looking up domain users
> And here is where my accounts need to be authenticated from
> LDAP://server.domain.com/CN=Users,DC=server,DC=domain,DC=com
> Note the CN=Users, vs. OU=Users, I will go read the RFC to see if I 
> can get more info on this.

So, you're not authenticating against ADS?  If you are, are you sure the
winbind daemon is running?
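As an added example (not from this thread or from Samba's own tooling), here is a small POSIX shell script that lints the kind of member-server settings posted above for what winbind needs, and, on a real server, runs the checks in dependency order so the first failure points at the layer to fix (winbindd answering, join valid, trust secret good, user enumeration, winbind in nsswitch). The smb.conf fragment is constructed and deliberately flawed; the lint rules are my assumptions about a 3.0.x ADS member, not anything the posters state.

```shell
#!/bin/sh
# Constructed smb.conf fragment modelled on the post's settings, with two deliberate defects
# (DNS-style workgroup, no idmap gid range) so the lint below has something to find.
SAMPLE_CONF='[global]
   realm = COMPANY.COM
   security = ADS
   password server = kdc.company.com
   idmap uid = 10000-1000000
   winbind enum users = yes
   workgroup = COMPANY.COM'

# conf_get FILE KEY: print KEY's value from [global] (last one wins); settings before any section header count as global.
conf_get() {
    awk -F= -v key="$2" '
        BEGIN { insec = 1 }
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        insec && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# lint_conf FILE: one line per finding about the settings winbind needs on an ADS member.
lint_conf() {
    f=$1
    sec=$(conf_get "$f" security | tr 'a-z' 'A-Z')
    [ "$sec" = "ADS" ] || echo "ERR: security = ${sec:-unset}; must be ADS for AD membership"
    [ -n "$(conf_get "$f" realm)" ] || echo "ERR: realm is unset"
    [ -n "$(conf_get "$f" 'idmap uid')" ] || echo "ERR: idmap uid unset; winbind cannot allocate UIDs"
    [ -n "$(conf_get "$f" 'idmap gid')" ] || echo "ERR: idmap gid unset; winbind cannot allocate GIDs"
    case "$(conf_get "$f" workgroup)" in
        *.*) echo "WARN: workgroup looks like a DNS name; use the NetBIOS (short) domain name" ;;
    esac
}

# lint_sample: run the lint over the constructed fragment, written to a temp file.
lint_sample() { f=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$f"; lint_conf "$f"; rm -f "$f"; }

# live_checks: on a real member server, run the winbind checks in dependency order (daemon, join, trust secret, idmap, NSS).
live_checks() {
    for t in wbinfo net; do
        command -v "$t" >/dev/null 2>&1 || { echo "SKIP: $t not installed"; return 2; }
    done
    wbinfo -p >/dev/null 2>&1 || { echo "FAIL: winbindd not answering (wbinfo -p)"; return 1; }
    net ads testjoin >/dev/null 2>&1 || { echo "FAIL: join invalid (net ads testjoin)"; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: trust secret check failed (wbinfo -t)"; return 1; }
    wbinfo -u >/dev/null 2>&1 || { echo "FAIL: wbinfo -u failed; check idmap ranges and winbind logs"; return 1; }
    grep -Eq '^passwd:.*winbind' /etc/nsswitch.conf ||
        echo "WARN: winbind not in passwd: of /etc/nsswitch.conf; getent will skip domain users"
    echo "OK: winbind reaches the domain and enumerates users"
}
```

Run `lint_sample` to see the two findings on the constructed fragment, or point `lint_conf` at a real smb.conf and then call `live_checks` on the member server.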
