[Samba] AD Integrated authentication

Michael Cleghorn michaelc at rmt.com.au
Wed Jun 6 00:13:38 GMT 2007

Hi all,

Thanks for your responses.  It's now over a week later and I've re-installed to make sure it's not a RedHat magical if-you-don't-install-it-at-install-time-you-don't-get-the-right-config-files-setup issue.  It's still not working, but I've found a new wall to bang my head against, and its name is Kerberos.

I may be back  :)


-----Original Message-----
From: mikee [mailto:mikee at mikee.ath.cx]
Sent: Wednesday, 6 June 2007 4:13 AM
To: Michael Cleghorn
Subject: Re: [Samba] AD Integrated authentication

On Mon, 28 May 2007, Michael Cleghorn might have said:

> Hello list,
> i'm going to try very hard not to rant here, but i've been trying to get Samba working for 3 days, and it's just not happening.  Let me start from the beginning.  i'm just a lowly Windows admin but i've been doing this for 10 years, so i'm pretty sure i know what i'm doing (present situation excepted, clearly).  i've got RedHat AS4 and a primarily Windows 2000 domain.  i want to be able to transparently browse to the shares on the RH server from a Windows client without having to authenticate again, which is exactly what the AD integrated authentication is for, right?
> If i do "wbinfo -u" i get a list of AD objects, but without the AD domain name prepended which is my first clue that something isn't right.  If i do "wbinfo -a username%password" both plaintext and challenge response authentication work.  If i do "getent passwd" i get only local usernames.  Same for "getent group" except i get local groups, obviously.  From everything i've read in the man pages and god only know how many online troubleshooting and/or help docs, this just doesn't happen.  Everything that mentions using wbinfo and getent for testing just says "and you can try this and oh, look it works".  i'm paraphrasing slightly.
> i have joined the RH server to the domain.  i can get a Kerberos ticket issued if i want one.  i have been through smb.conf, nsswitch.conf and /etc/pam.d so often, i no longer remember what my originals looked like.  i'm happy to post excerpts from any or all of these of they will help (i'm not going to do it now in case 1 - it's an easy fix, in which case i'm not sure if i'll laugh or cry and 2 - to keep things relatively short).  The logs have been less than ideally helpful since i already know that authentication isn't working... somewhere.
> Can someone help?  Please?

I authenticate my users with OpenLDAP on my Fedora Core box.
The FC box uses Samba, and Samba does authenticate the remote
share access. Below is a snippet of my current configuration.


    security = USER
    # Client-side settings: they let Samba's own client tools (smbclient etc.)
    # fall back to plaintext or LanMan authentication against servers that
    # need it; they do not change what this server accepts from clients.
    client plaintext auth = Yes
    client lanman auth = Yes
    encrypt passwords = Yes
    # Server side: refuse LanMan hashes, still accept NTLM.
    lanman auth = No
    ntlm auth = Yes
    password level = 0
    guest account = nobody
    admin users =
    hosts allow = .pointwise.com, 10.1.2., 10.1.3., 192.168.100.
    cups options = raw
    wins support = yes
    name resolve order = wins lmhosts host bcast
    dns proxy = no
    usershare allow guests = yes
    time server = yes

    workgroup = XXXX
    netbios aliases = loghost, mailhost, backuphost, ldaphost
    server string = Samba Server (%h)
    logon drive = L:
    logon home = \\%N\%U
    logon path = \\%N\%U\profile
    logon script = /etc/samba/login.bat
    ldap delete dn = Yes
    ldap suffix = dc=pointwise,dc=com
    ldap admin dn = cn=manager,dc=pointwise,dc=com
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines
    # No TLS on the LDAP connection; with the ldap:// backend URL below, the
    # ldap admin dn bind (and any password sync) crosses the wire in the clear.
    ldap ssl = off
    ldapsam:trusted = Yes
    ldap timeout = 15
    utmp directory = /var/run
    wtmp directory = /var/log
    utmp = Yes

    password server = ldaphost.pointwise.com
    passdb backend = ldapsam:ldap://ldaphost.pointwise.com
    ldap passwd sync = Yes
    #unix password sync = Yes
    #passwd program = /usr/sbin/smbldap-passwd %u
    #passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n"
    #passwd chat debug = Yes

    os level = 66
    preferred master = Yes
    local master = Yes
    domain master = Yes
    domain logons = Yes
    allow trusted domains = Yes
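The original post lists the wbinfo and getent checks but not the configuration those commands depend on. The contrast between the two symptoms is itself informative: "wbinfo -a" succeeding means winbindd can reach the domain controllers, while "getent passwd" goes through libnss_winbind and therefore needs winbind listed in /etc/nsswitch.conf plus "winbind enum users/groups = yes" and an idmap range in smb.conf before winbindd will hand out passwd/group entries; and "winbind use default domain = yes" is exactly what makes "wbinfo -u" print names without the domain prepended. The diagnostic below is an added example written for this page, not anything Michael or mikee posted: it reads an nsswitch.conf and an smb.conf and reports which of those pieces is missing. It assumes the Samba 3.0-era parameter names that RHEL AS4 shipped (idmap uid / idmap gid; later releases spell the range as "idmap config * : range") and runs over constructed sample files, not anyone's real configuration.

```shell
#!/bin/sh
# Added example (not the poster's code): explain the symptoms in the original
# post by checking the two places each lookup path consults.
#   - getent consults the sources on the passwd:/group: lines of nsswitch.conf,
#     so winbind must be listed there, and smb.conf needs
#     "winbind enum users/groups = yes" plus an idmap range.
#   - "winbind use default domain = yes" strips the DOMAIN prefix from names,
#     so a prefix-less "wbinfo -u" listing is a setting, not a fault.
# Parameter names are the Samba 3.0-era ones (idmap uid/gid); later releases
# use "idmap config * : range".

# smb_param FILE KEY -> prints the lowercased value of KEY from [global]
# (KEY in lowercase with single spaces, e.g. "winbind enum users"); empty if unset.
smb_param() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && index($0, "=") && $0 !~ /^[[:space:]]*[#;]/ {
            i = index($0, "=")
            k = tolower(substr($0, 1, i - 1))
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/[[:space:]]+/, " ", k)
            v = tolower(substr($0, i + 1))
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_nsswitch FILE -> 0 if both the passwd: and group: lines list winbind
check_nsswitch() {
    rc=0
    for db in passwd group; do
        if ! awk -v db="$db" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
                               END { exit found ? 0 : 1 }' "$1"; then
            printf 'nsswitch.conf: "%s:" does not list winbind, so getent %s returns local entries only\n' "$db" "$db"
            rc=1
        fi
    done
    return $rc
}

# check_smbconf FILE -> 0 if [global] has what winbind needs to enumerate domain entries
check_smbconf() {
    rc=0
    sec=$(smb_param "$1" security)
    if [ "$sec" != "ads" ]; then
        printf 'smb.conf: security = %s (an AD member wants security = ads)\n' "${sec:-<unset>}"; rc=1
    fi
    if [ -z "$(smb_param "$1" realm)" ]; then
        printf 'smb.conf: realm is unset (the Kerberos realm of the AD domain)\n'; rc=1
    fi
    for p in "winbind enum users" "winbind enum groups"; do
        case "$(smb_param "$1" "$p")" in
            yes|true|1) ;;
            *) printf 'smb.conf: %s is not yes, so getent will not enumerate domain entries\n' "$p"; rc=1 ;;
        esac
    done
    for p in "idmap uid" "idmap gid"; do
        case "$(smb_param "$1" "$p")" in
            *-*) ;;
            *) printf 'smb.conf: %s has no low-high range, so winbind cannot map SIDs to ids\n' "$p"; rc=1 ;;
        esac
    done
    case "$(smb_param "$1" "winbind use default domain")" in
        yes|true|1) printf 'note: winbind use default domain = yes, so wbinfo -u omits the DOMAIN prefix (expected)\n' ;;
    esac
    return $rc
}

# Constructed sample files (not the poster's real configuration).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'passwd:     files\ngroup:      files\n' > "$TMP/nsswitch.bad"
printf 'passwd:     files winbind\ngroup:      files winbind\n' > "$TMP/nsswitch.good"
cat > "$TMP/smb.bad" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = domain
   winbind use default domain = yes
EOF
cat > "$TMP/smb.good" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
[homes]
   browseable = no
EOF

echo "== configuration showing the symptoms =="
check_nsswitch "$TMP/nsswitch.bad" || true
check_smbconf "$TMP/smb.bad" || true
echo "== corrected configuration =="
if check_nsswitch "$TMP/nsswitch.good" && check_smbconf "$TMP/smb.good"; then
    echo "winbind lookup path looks complete; re-test with: getent passwd; wbinfo -u; net ads testjoin"
fi
```

Point the two functions at the real /etc/nsswitch.conf and /etc/samba/smb.conf to use it on a box; the parser only reads [global] and ignores commented lines, so share sections such as [homes] do not confuse it.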
