[Samba] Debian AD member server setup with winbind idmap_rid - users prompted for password - solved

Geoffrey Scott geoffs at guestshire.com
Fri Jan 6 00:37:07 GMT 2006

Geoffrey Scott wrote:
> Geoffrey Scott wrote:
>> Question:
>> How can I stop users from being prompted for a password?

This was when they accessed their own homes share.  I found that when the
user accessed other shares everything was fine.  So this morning I finally
realized that it had to be my home shares stanza.  It *seems* that valid
users = %S is not enough, that it has to be valid users = DOMAIN\%S.  I
doubt that anyone reads my posts to correct me, so you'll have to try this
yourself to see if I am right (that's if you happen to be someone searching
the archives down the track, and you have a similar problem).

> The logs repeatedly show this:
> [2005/12/30 15:00:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
>   Failed to verify incoming ticket!

OK.  Despite SBE chapter 7.3 not pointing you to chapter 12 and stating that
you need to have a correctly configured /etc/krb.conf file for an ADS domain
member server, it certainly seems that you have to have one. It won't hurt
to do it anyway.  See the debian howto at the bottom.

>> These things work:
>> root# net ads testjoin
>> Join is OK
>> wbinfo -t or -u or -g  all show what they are supposed to show.

My working smb.conf for a debian sarge ADS domain member server using
winbind idmap_rid:

# Section headers restored: the archive dropped the [section] lines.
# [global], [homes], [printers] and [print$] are Samba's standard names;
# the two profile share names are assumed from their paths.
[global]
# This was an NT4 domain that was upgraded to ADS

        workgroup = DYNOHIRE

# So the shortname can be different to the realm name
# by that I mean that the FQDN can be server.DYNAMITEHIRE.COM.AU
# not server.dynohire.DYNAMITEHIRE.COM.AU

        realm = DYNAMITEHIRE.COM.AU
        server string = Dyno_NSW File & Print server
        security = ADS
        allow trusted domains = No
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        printcap name = CUPS
        panic action = /usr/share/samba/panic-action %d
        idmap backend = idmap_rid:DYNOHIRE=5000-1000000
        idmap uid = 5000-1000000
        idmap gid = 5000-1000000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind nested groups = Yes
        printer admin = "@DYNOHIRE\Domain Admins"
        printing = cups
        print command =
        lpq command = %p
        lprm command =

[homes]
        comment = Home Directories
        path = /home/%U
        valid users = DYNOHIRE\%S
        admin users = "@DYNOHIRE\Domain Admins"
        read only = No
        browseable = No

# share name assumed from the path
[profiles]
        comment = Profile Share
        path = /home/samba/profiles
        read only = No
        profile acls = Yes

# share name assumed from the path
[profdata]
        comment = Profile Data Share
        path = /home/samba/profdata
        read only = No
        profile acls = Yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        guest ok = Yes
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

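Worked arithmetic of the idmap_rid mapping configured above, as an added example that is not part of the original post: it reproduces the idmap_rid rule ID = RID - base_rid + low_id for the DYNOHIRE range 5000-1000000, so you can predict which uid a domain SID gets and see which SIDs end up unmapped. The domain SID is constructed and the base_rid value is an assumption.

```python
import re

# Constructed: DYNOHIRE's real domain SID is not on the page.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOW_ID, HIGH_ID = 5000, 1000000   # idmap backend = idmap_rid:DYNOHIRE=5000-1000000
BASE_RID = 0                      # assumption: the default; set to your build's base_rid

# A domain SID is S-1-5-21-<three sub-authorities>; the trailing number is the RID.
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid); raise ValueError for anything that is not a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def sid_to_id(sid):
    """Map a SID to a uid/gid the way idmap_rid does. None means 'not mapped':
    a foreign domain (allow trusted domains = No) or a RID whose result falls
    outside the configured range; such a user gets no uid and cannot connect."""
    domain, rid = split_sid(sid)
    if domain != DOMAIN_SID:
        return None
    unix_id = rid - BASE_RID + LOW_ID
    if not LOW_ID <= unix_id <= HIGH_ID:
        return None
    return unix_id


def id_to_sid(unix_id):
    """Reverse mapping. idmap_rid is a pure function of the RID, so the same
    user gets the same uid on every member server that uses this range."""
    if not LOW_ID <= unix_id <= HIGH_ID:
        return None
    return f"{DOMAIN_SID}-{unix_id - LOW_ID + BASE_RID}"


if __name__ == "__main__":
    for s in (f"{DOMAIN_SID}-1103", f"{DOMAIN_SID}-995001", "S-1-5-21-9-9-9-500"):
        print(s, "->", sid_to_id(s))
```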
Debian specific howto from here:

Included Below:

Using Samba on Debian Linux to authenticate against Active Directory
From WikiRoland

This document will show you how to install Samba 3.X on Debian Linux 3.1
(Sarge) and make it authenticate against a Windows server using Active
Directory. It is not intended to replace the actual official Samba 3
manual, which is quite a good read anyway.

Core software

Make sure apt's package index files are synchronized:

apt-get update
apt-get upgrade 

This section will show you two ways of installing Samba, using apt or
directly from source. To install from apt run:

apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

If you for some reason want to compile Samba yourself, then you need to have
the latest versions of MIT Kerberos and OpenLDAP installed:

apt-get install libkrb53 libcupsys2-gnutls10 libldap2 libldap2-dev
libkrb5-dev krb5-doc krb5-user krb5-config

Then grab the latest version of the Samba source (for this manual we will
use samba-3.0.9.tar.gz), and do:

tar zxvf samba-3.0.9.tar.gz -C /tmp/
cd /tmp/samba-3.0.9/source
./configure \
--prefix=/usr \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--with-fhs \
--with-quotas \
--with-smbmount \
--with-pam \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=/usr/share/swat/using_samba \
--with-swatdir=/usr/share/swat \
--with-shared-modules=idmap_rid \
--with-libsmbclient \
--with-automount \
--with-msdfs \
--with-ads \
--with-winbind \
--with-winbind-auth-challenge \
--with-manpages-langs=en \
--with-idmap \
--with-acl-support
make
make install

That is it, you will now have a running Samba installation.
Windows server setup

Install a Windows server and make it act as a domain controller, running
Active Directory in mixed mode (this document explains that process). For the
rest of this document I will assume you have a server set up as described:

    * Domain administrator account on Windows server: administrator
    * Domain name: testdomain
    * Fully qualified domain name: testdomain.local
    * Hostname of Windows domain controller: win2003test
    * IP address of Windows domain controller: 

You should familiarize yourself with what these correspond to in your local
domain before continuing with this guide.
Network setup

First we need to make sure that DNS is working properly on the server
running Samba; this is done by making the Windows domain controller the
default DNS server. To do this, replace the DNS configuration in
/etc/resolv.conf with the following:

search testdomain.local

If you have more than one DNS server in your domain, then also add them
here. Test DNS using:

nslookup win2003test
Name:   win2003test.testdomain.local

Test reverse lookup using:

host domain name pointer win2003test.testdomain.local.

If for some reason either of the two tests fails, then go through your
network setup and this section again. Your DNS has to be working in order to
successfully run Samba using Active Directory.
Kerberos setup

Given that we are trying to connect with a Windows domain running Active
Directory, we will have to configure Kerberos to our needs (you could avoid
this by setting the password server in /etc/samba/smb.conf to the server
holding the PDC emulator, but then you would be talking old school NTLM (RPC)
with the domain controller). To get real AD working add the following lines
to /etc/krb5.conf (the [realms] block and braces are restored here; the
archive kept only the two inner lines):

[realms]
       TESTDOMAIN.LOCAL = {
               kdc = win2003test.testdomain.local
               admin_server = win2003test.testdomain.local
       }

Then do:

kinit administrator@TESTDOMAIN.LOCAL

The syntax is kinit user@REALM, where REALM is your Active Directory domain
name and must be all uppercase. If you do not use all uppercase for the
realm, you'll receive this error: kinit(v5): Cannot find KDC for requested
realm while getting initial credentials or this error: kinit(v5): KDC reply
did not match expectations while getting initial credentials. You can test
your kerberos setup by issuing


If it reports that you have no keys in the cache then something is wrong. In
the event that you receive: kinit(v5): Clock skew too great while getting
initial credentials then make sure that the clock synchronisation between
your Windows server and your Linux server is within five minutes. If the
time is off by more than five minutes, the two servers will be able to
communicate, but no ticket information will work.
Optional: Using an NTP server

One way to solve the clock synchronisation problem above is to use a time
server (you might even want to use your active directory server(s); this
makes the synchronization a no brainer). Using an NTP server is optional and
not strictly required in order to run Samba in an AD, but anyway here is
how it is done. First you need to install the required ntp packages:

apt-get install ntpdate

Then add your favorite time server(s) to /etc/ntp.conf, and execute:

/etc/init.d/ntpdate restart

Samba setup

First we will create the /etc/samba/smb.conf file, to connect up to our

[global]
security = ads
password server = win2003test
encrypt passwords = yes
workgroup = testdomain
netbios name = temporay
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
In workgroup insert the domain name, in realm set the fully qualified domain
name as uppercase. In password server insert the name of a Windows server to
authenticate against. Then start smbd and nmbd:


Join the domain in the default organisation unit:

net ads join -W testdomain -S win2003test -U administrator

or use another unit like this:

net ads join Denmark\/Copenhagen\/Computers -W testdomain -S win2003test -U

Now check if everything works by issuing the following commands:

    * Test domain computer account: net ads testjoin.
    * Test winbindd: wbinfo -u to list AD users and wbinfo -g for groups.
    * Test kerberized Samba: net ads user and net ads group should show you
your AD users and groups (i.e. same as above).
    * Test kerberized connection to a remote Windows server: smbclient -L
//WINSERVER -k from the Samba server. While you're at it, connect locally to
the Samba server the same way.
    * Finally, test connectivity from a Windows box: Start -> Run ->
    * Run wbinfo -t; it should return: checking the trust secret via RPC
calls succeeded, otherwise you have done something wrong (use the command
testparm -v to check your samba configuration).
