[Samba] Integrating samba with existing AD

Thibaut POUZET thibaut.pouzet at lyra-network.com
Thu Jul 21 01:49:35 MDT 2011


I found an interesting thing this morning; just look at the commands:

# wbinfo -a alfred%Password1234
plaintext password authentication succeeded
challenge/response password authentication succeeded
# smbclient -L localhost -Ualfred%Password1234 -d 2> debug.log
session setup failed: NT_STATUS_LOGON_FAILURE

Gives me this output (I removed the useless beginning of the output).
http://pastebin.com/ScCVGsBK

But I have this line in smb.conf:
hosts allow = 192.168.206., 127.

So, where is the trick?

Thibaut POUZET

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Thibaut POUZET
Sent: Wednesday, July 20, 2011 17:13
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD

Well, thank you for noticing this error, Jonathan; I didn't pay attention to
my samba version. We have quite a lot of CentOS machines on the network and
a poor internet connection combined with a strong security policy.
Therefore, we have an rpm proxy and I did not notice that the samba packages
available were out of date. Anyway, I fixed this issue and ran some more
tests.

I can still observe my problem though: I can connect to the server with
smbclient or Windows clients, but cannot parse my folders. I also created a
dummy user named Alfred in my Active Directory, but he cannot connect in any
way.

But now that I made this change, "# getent groups" does not give me all my
local + AD groups (just some of them).
I managed to connect to one of my folders by having "valid users = thibaut"
in my settings, but I don't really like this solution since I have a lot of
users who will have access to this server.

[2011/07/20 16:59:01.751433,  1] smbd/service.c:1070(make_connection_snum)
  192.168.206.145 (192.168.206.145) connect to service commercial initially as user thibaut (uid=2032, gid=1500) (pid 3039)
[2011/07/20 16:59:02.771747,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

And when accessing another folder with "valid users = %S":
[2011/07/20 16:58:53.584947,  2] smbd/service.c:598(create_connection_server_info)
  user 'thibaut' (from session setup) not permitted to access this share (dummy)

I use LDAP to identify myself to the server, so I think that the uid+gid
numbers for the user thibaut come from my logins to the server and might
have nothing to do with samba.

I think I am a bit confused with all this and that I am mixing up some different
concepts.

Thibaut POUZET.


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Jonathan Buzzard
Sent: Wednesday, July 20, 2011 12:26
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD


On Wed, 2011-07-20 at 10:44 +0200, Thibaut POUZET wrote:

> The software involved : 
> 
> Server Linux CentOS 5.6
> 
> Windows 2003 Server R2 with working AD and another DNS server working just
> fine.
> 
> # rpm -qa | grep samba
> 
> samba-3.0.33-3.29.el5_6.2
> 
> samba-common-3.0.33-3.29.el5_6.2
> 
> samba-client-3.0.33-3.29.el5_6.2
> 

Stop right there: remove the samba packages and install the samba3x
packages. Then take a look at my previous post made yesterday.

[SNIP]

> So where am I going wrong? :(
> 

You are persisting in using a woefully out of date version of Samba when
your distribution comes with a much more recent prepackaged version. Why
anyone would want to use the plain samba packages in RHEL/CentOS when
trying to integrate with the AD is utterly beyond me.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
