[Samba] Happy to Pay for Ubuntu/Active Directory Help

Andy Liebman andyliebman at aol.com
Sun Oct 27 09:23:20 MDT 2013


My company, EditShare (based in Boston, MA, USA) is looking for an 
expert in configuring Ubuntu Server 12.04 LTS to work with Active 
Directory/Windows Server 2008 R2.  We need somebody who has done this 
many times before and who does not need time for research.

We already hired a reasonably experienced freelance system 
administrator to get us going, and we seem to be most of the way 
towards getting what we need.  However, we are stuck on the last part 
and rather than just asking people here on this list to volunteer their 
time to help us, I want to say we would be happy to pay somebody to 
help us finish what the first system administrator started.

As I said above, we already have working most of what we need:

-- Required winbind, pam and kerberos packages installed on Ubuntu
-- Can create Organization Unit in Active Directory and add user 
accounts to it, including a privileged user who can add computers to 
the domain
-- Can join Ubuntu to the Active Directory domain OU
-- Can see AD users’ UIDs and GIDs in Ubuntu with “getent” command
-- “kinit” and “klist” commands working
-- AD domain users can log into Windows (and Mac OS X) with their 
domain credentials
-- AD domain users can browse and mount Ubuntu Samba shares from 
Windows or OS X without having to supply any additional username and 
password credentials (and users can only see the shares they are 
supposed to see, as defined in each smb{ActiveDirectoryUserName}.conf 
file -- we use an “include” line in the smb.conf file to have a 
separate smb.{ActiveDirectoryUserName}.conf file for each user)

BUT the one thing we are not able to do yet is to mount Ubuntu shares 
on the Windows or Mac workstations when the Active Directory server is 
disconnected or down.  Jeremy Allison from Samba.org kindly answered my 
recent emails to this list (see thread “Mounting Linux Samba Shares on 
Windows when Active Directory Server is down”) and confirmed that 
mounting Ubuntu shares when the Active Directory server is unreachable 
should work in cases where the user has cached tickets.  However, 
looking at the logs from the Ubuntu Samba server, we can see that when 
Windows users browse and mount Ubuntu shares, NTLM is being used 
instead of Kerberos, meaning Ubuntu has to be able to contact the 
Active Directory server to get a “yes” or “no”.  It seems our Ubuntu 
Samba is not using the Kerberos tickets.  The question is, where is the 
problem, and what do we need to do to fix it?

We are very short on time to find a solution, and all of our developers 
are very busy with other projects.  For this reason, we would be very 
happy to hire somebody else to help us get to the finish line as 
quickly as possible.   Hopefully, we are just missing some small detail 
and it’s a quick fix.

If you are interested, please contact me at “work // at // 

We also have a related bonus project.  We are looking for somebody who 
can help us figure out how to get two standalone Windows and Mac 
“client applications” (one written in C++, the other in Python) to take 
advantage of the Single Sign On system to authenticate to our Ubuntu 
server applications. We have an okay workaround for this so it’s not 
mission critical, but it would be better to do this the right way if 
there is a reasonable solution.

Hopefully, I have not committed some terrible offense by advertising a 
job like this on the Samba list.  If somebody wants to help us gratis, 
that’s fine too.  But I realize that people are busy and most people 
can only help out for free as time permits, and we are running out of 
time to solve this problem.

Thanks for your attention.  I’m looking forward to hearing back from 
somebody who is interested.


Andy Liebman
CEO, EditShare
