[Samba] Integrating samba with existing AD
Thibaut POUZET
thibaut.pouzet at lyra-network.com
Thu Jul 21 01:49:35 MDT 2011
I found an interesting thing this morning, just look at the commands :
# wbinfo -a alfred%Password1234
plaintext password authentication succeeded
challenge/response password authentication succeeded
# smbclient -L localhost -Ualfred%Password1234 -d 2> debug.log
session setup failed: NT_STATUS_LOGON_FAILURE
Gives me this output (I removed the useless beginning of the output).
http://pastebin.com/ScCVGsBK
But, I have this line in smb.conf :
hosts allow = 192.168.206., 127.
So, where is the trick ?
Thibaut POUZET
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Thibaut POUZET
Sent: Wednesday, 20 July 2011 17:13
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD
Well thank you for noticing this error Jonathan, I didn't pay attention to
my samba version. We have quite a lot of CentOS machines on the network and
a poor internet connection combined with a strong security policy.
Therefore, we have an rpm proxy and I did not notice that the samba packages
available were out of date. Anyway, I fixed this issue and ran some more
tests.
I still can observe my problem though : I can connect to the server with
smbclient or windows clients, but cannot parse my folders. I also created a
dummy user named Alfred in my active directory, but he cannot connect in any
way.
But now that I made this change, "# getent groups" does not give me all my
local + AD groups (just some of them).
I managed to connect to one of my folders by having "valid users = thibaut"
in my settings, but I don't really like this solution since I have a lot of
users who will have access to this server.
[2011/07/20 16:59:01.751433, 1] smbd/service.c:1070(make_connection_snum)
192.168.206.145 (192.168.206.145) connect to service commercial initially
as user thibaut (uid=2032, gid=1500) (pid 3039)
[2011/07/20 16:59:02.771747, 1] smbd/sesssetup.c:332(reply_spnego_kerberos)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
And when accessing another folder with "valid users = %S" :
[2011/07/20 16:58:53.584947, 2]
smbd/service.c:598(create_connection_server_info)
user 'thibaut' (from session setup) not permitted to access this share
(dummy)
I use ldap to identify myself to the server, so I think that the uid+gid
numbers for the user thibaut come from my logins to the server and might
have nothing to do with samba.
I think I am a bit confused with all this and that I am mixing up some
different concepts.
Thibaut POUZET.
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Jonathan Buzzard
Sent: Wednesday, 20 July 2011 12:26
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD
On Wed, 2011-07-20 at 10:44 +0200, Thibaut POUZET wrote:
> The software involved :
>
> Server Linux CentOS 5.6
>
> Windows 2003 Server R2 with working AD and another DNS server working just
> fine.
>
> # rpm -qa | grep samba
>
> samba-3.0.33-3.29.el5_6.2
>
> samba-common-3.0.33-3.29.el5_6.2
>
> samba-client-3.0.33-3.29.el5_6.2
>
Stop right there, remove the samba packages and install the samba3x
packages. Then take a look at my previous post made yesterday.
[SNIP]
> So where am I going wrong ? :(
>
You are persisting on using a woefully out of date version of Samba when
your distribution comes with a much more recent prepackaged version. Why
anyone would want to use the plain samba packages in RHEL/CentOS when
trying to integrate to the AD is utterly beyond me.
JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba