[Samba] Two problems with Samba in AD realm
Guillaume Rousse
Guillaume.Rousse at inria.fr
Wed Nov 12 18:23:52 GMT 2008
Hello list.
I recently moved to an AD environment. I'm still keeping a samba server
to make my cups-managed printers available to windows users, rather than
duplicating configuration with a Windows print service. But I'm facing
two problems, probably due to the way we manage AD.
First, all my hosts belong to a Unix-managed DNS domain
(msr-inria.inria.fr), not to the windows-managed one corresponding to
the AD realm (msr-inria.idf). It means resolving their IP address results
in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
secondary server for the foo.msr-inria.idf, meaning SRV record lookup
still works. But all CIFS kerberos authentication attempts for the host,
unqualified or realm-qualified, fail: I can't use \\foo, nor
\\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr
I know this is probably due to kerberos DNS-based hostname
canonicalisation, and not samba-specific (it also occurs with netapp
filers), but I initially understood it with my samba server. Is there
anything I could do there to make users' lives easier?
Second, when kerberos authentication fails, my samba server (and I guess,
any CIFS server) falls back to password-based authentication. But there
is an issue with the way we manage user accounts. We sync our unix ldap
accounts into AD, meaning each 'bar' user exists in LDAP as
'MSR-INRIA.IDF\bar', but with a random password, and we authenticate
them through their Unix-managed kerberos account
'MSR-INRIA.INRIA.FR\bar'. It means trying to authenticate them as
'MSR-INRIA.IDF\bar' won't work, and I get these error messages:
[2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
domain_client_validate: unable to validate password for user rousse
in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error
was NT_STATUS_WRONG_PASSWORD.
[2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
domain_client_validate: unable to validate password for user rousse
in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error
was NT_STATUS_WRONG_PASSWORD.
[2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
domain_client_validate: unable to validate password for user rousse
in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error
was NT_STATUS_WRONG_PASSWORD.
(I guess the windows client cached my credentials when I initially
logged in).
There is a user mapping option in samba, but it is primarily meant for
mapping Windows users to Unix users, whereas I'd need there to map
Windows unqualified users to kerberos-realm users, instead of ad-realm
users. Is this possible somehow?
--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
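As an added illustration of the first problem (this is not code from the
original post, nor from Samba), the following Python model shows which
service principal a CIFS client asks the KDC for when a user types
\\NAME, and whether that principal exists on the file server. Every DNS
record, the SPN set "after join", the 192.0.2.5 address and the two client
behaviours ("typed": principal built from the name as typed; "rdns":
forward then reverse DNS canonicalisation, as MIT Kerberos libraries do by
default) are assumptions constructed to mirror the situation described in
the message, not observed data; on a real server the registered names
must be read from the keytab or the machine account.

```python
# Added example: model of Kerberos target-name selection for CIFS.
# Not code from the original post or from Samba. All DNS records, SPNs and
# client behaviours below are constructed assumptions mirroring the message
# (host in msr-inria.inria.fr, AD realm MSR-INRIA.IDF).

REALM = "MSR-INRIA.IDF"

# Constructed DNS: the Unix zone holds the real host; the AD zone is assumed
# to carry an A record for the same address (assumption, documentation range).
DNS_A = {
    "foo.msr-inria.inria.fr": "192.0.2.5",
    "foo.msr-inria.idf": "192.0.2.5",
}
DNS_PTR = {"192.0.2.5": "foo.msr-inria.inria.fr"}

# SPNs assumed present on the machine account / keytab right after a join
# performed from a host whose own FQDN is in the Unix zone (assumption).
SPNS_AFTER_JOIN = {"cifs/foo.msr-inria.inria.fr", "host/foo.msr-inria.inria.fr"}


def resolve(name, search_suffix):
    """Forward-resolve NAME, qualifying an unqualified name with SEARCH_SUFFIX.
    Returns (fqdn, address), or (None, None) when the name does not exist."""
    fqdn = (name if "." in name else f"{name}.{search_suffix}").lower()
    addr = DNS_A.get(fqdn)
    return (fqdn, addr) if addr else (None, None)


def target_host(typed_name, client, search_suffix):
    """Host part of the service principal the client will request.
    client == "typed": use the name exactly as the user typed it.
    client == "rdns":  forward-resolve, then reverse-resolve the address and
                       use the PTR name (dns_canonicalize_hostname + rdns
                       behaviour of MIT Kerberos, assumed here)."""
    if client == "typed":
        return typed_name.lower()
    if client == "rdns":
        fqdn, addr = resolve(typed_name, search_suffix)
        if fqdn is None:
            return None
        return DNS_PTR.get(addr, fqdn)
    raise ValueError(f"unknown client model {client!r}")


def service_principal(typed_name, client, search_suffix="msr-inria.idf"):
    """Full principal cifs/<host>@REALM, or None if the host cannot be resolved."""
    host = target_host(typed_name, client, search_suffix)
    return None if host is None else f"cifs/{host}@{REALM}"


def kerberos_would_succeed(typed_name, client, spns, search_suffix="msr-inria.idf"):
    """True when the KDC can issue a ticket: the requested service/host
    part is registered on the server (SPN comparison is case-insensitive)."""
    principal = service_principal(typed_name, client, search_suffix)
    if principal is None:
        return False
    spn = principal.split("@", 1)[0]
    return spn in {s.lower() for s in spns}


def with_extra_spns(spns, *names):
    """SPN set after registering cifs/<name> for every extra NAME users type."""
    return set(spns) | {f"cifs/{n.lower()}" for n in names}


if __name__ == "__main__":
    names = ["foo", "foo.msr-inria.idf", "foo.msr-inria.inria.fr"]
    fixed = with_extra_spns(SPNS_AFTER_JOIN, "foo", "foo.msr-inria.idf")
    for client in ("typed", "rdns"):
        for n in names:
            print(f"{client:5} \\\\{n:24} -> {str(service_principal(n, client)):42}"
                  f" after join: {kerberos_would_succeed(n, client, SPNS_AFTER_JOIN)!s:5}"
                  f" with extra SPNs: {kerberos_would_succeed(n, client, fixed)}")
```

Under these assumptions a "typed" client only succeeds for
\\foo.msr-inria.inria.fr, which is exactly the symptom in the message,
while an "rdns" client succeeds for all three names because every one of
them reverse-resolves to the Unix FQDN. The remedy the model points at is
registering the names users actually type (cifs/foo and
cifs/foo.msr-inria.idf) as additional SPNs on the machine account, e.g.
with setspn on a DC; the real SPN list and the exact tool for your Samba
version should be checked rather than taken from this model.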