[TriLUG] Samba and Active Directory
Brian Blater (BBList)
bblist at ridetta.org
Fri Sep 1 09:45:19 EDT 2006
I have set up an OpenSUSE 10.1 box running Samba that I would like our
windows users to attach to various shares. These users have no account
on the SUSE box, just an AD account and I don't want them to actually
login to the box. I would like to have samba use the AD credentials of
the logged in windows user and authenticate them to access the shares.
I have followed several how-tos and several things I've found with
Google, but it just isn't working. The user is still asked for username
and password.
Here is what I have so far:
I've installed Samba, winbind and KRB5. I've added the server to AD and
it shows in the AD computer container.
I configured /etc/krb5.conf as follows:
[libdefaults]
default_realm = TTA.RIDETTA.ORG
[realms]
TTA.RIDETTA.ORG = {
kdc = tta-tw-w02.tta.ridetta.org
kdc = tta-6p-w01.tta.ridetta.org
kdc = tta-bus-w02.tta.ridetta.org
admin_server = tta-tw-w02.tta.ridetta.org
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
I can then authenticate a user against AD:
susetest:~ # kinit ituser
Password for ituser@TTA.RIDETTA.ORG:
susetest:~ #
I have modified /etc/samba/smb.conf as follows:
[global]
unix charset = LOCALE
workgroup = TTA
realm = TTA.RIDETTA.ORG
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printing = cups
printcap name = cups
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
winbind separator = +
domain logons = No
domain master = No
password server = tta-tw-w02.tta.ridetta.org
auth methods = winbind
...
[testing]
comment =
;;inherit acls = Yes
path = /home/testing/
writeable = yes
force create = 0775
create mask = 0775
directory mask = 0775
browseable = yes
guest ok = no
printable = no
read only = No
valid users = @"TTA+sambausers"
Winbind is started and running and I can run the following:
susetest:~ # wbinfo -u | grep ituser
TTA+ituser
susetest:~ #
susetest:~ # wbinfo -g | grep sambausers
TTA+sambausers
susetest:~ #
I've modified /etc/pam.d/samba as follows:
susetest:~ # more /etc/pam.d/samba
#%PAM-1.0
auth include /lib/security/pam_winbind.so
account include /lib/security/pam_winbind.so
and I've modified /etc/nsswitch.conf as follows:
susetest:~ # more /etc/nsswitch.conf
...
passwd: files winbind
shadow: files
group: files winbind
...
I am then able to list the accounts and groups as follows:
susetest:~ # getent passwd | grep ituser
TTA+ituser:*:10100:10000:IT User:/home/TTA/ituser:/bin/bash
susetest:~ #
susetest:~ # getent group | grep sambausers
TTA+sambausers:x:10026:TTA+ituser
susetest:~ #
Now for a test using the Samba server as a Linux client, this is what I
get:
susetest:~ # kinit ituser
Password for ituser@TTA.RIDETTA.ORG:
susetest:~ # smbclient //susetest/testing -k -d 3 -l
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=10.5.2.7 bcast=10.5.255.255 nmask=255.255.0.0
Client started (version 3.0.22-13.18-SUSE-CODE10).
Connecting to 127.0.0.2 at port 445
Doing spnego session setup (blob length=121)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/susetest.tta.ridetta.org@TTA.RIDETTA.ORG
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0]
expiration Fri, 01 Sep 2006 19:27:17 EDT
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
susetest:~ #
If the user logs into a Windows workstation and tries to connect to
the share it just prompts for a username and password and even then
won't grant access.
I've googled the "session setup failed: NT_STATUS_LOGON_FAILURE" error
and the only thing I get is it is an incorrect username or password.
I've checked the various log files in /var/log/samba and this is what I
see there:
[2006/09/01 04:32:07, 1] libsmb/clikrb5.c:ads_krb5_mk_req(488)
ads_krb5_mk_req: krb5_get_credentials failed for
tta-bus-w02$@TTA.RIDETTA.ORG (Requested effective lifetime is
negative or too short)
[2006/09/01 09:05:30, 0]
nsswitch/winbindd_dual.c:child_read_request(49)
Got invalid request length: 0
[2006/09/01 09:28:47, 0] auth/auth_util.c:make_server_info_info3(1297)
make_server_info_info3: pdb_init_sam failed!
[2006/09/01 09:19:14, 0] smbd/server.c:main(805)
smbd version 3.0.22-13.18-SUSE-CODE10 started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
[2006/09/01 09:19:14, 0] param/loadparm.c:map_parameter(2691)
Unknown parameter encountered: "force create"
[2006/09/01 09:19:14, 0] param/loadparm.c:lp_do_parameter(3436)
Ignoring unknown parameter "force create"
[2006/09/01 09:22:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(303)
Username TTA+TTA160C$ is invalid on this system
[2006/09/01 09:22:19, 0] lib/util_sock.c:write_data(557)
write_data: write failure in writing to client 10.5.2.4. Error
Connection reset by peer
[2006/09/01 09:22:19, 0] lib/util_sock.c:send_smb(765)
Error writing 4 bytes to client. -1. (Connection reset by peer)
[2006/09/01 09:22:29, 0] lib/util_sock.c:write_data(557)
write_data: write failure in writing to client 0.0.0.0. Error
Connection reset by peer
[2006/09/01 09:22:29, 0] lib/util_sock.c:send_smb(765)
Error writing 4 bytes to client. -1. (Connection reset by peer)
So, there it is. I am totally at a loss as to what the problem is. Can
anybody see anything wrong here and point me in the right direction?
Sorry this is so long, I just wanted to make sure I had all the
information here for troubleshooting.
Thank you for any help you can give me.
Brian
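Editor's note: an added example, not part of Brian's post and not Samba code. The script below parses the smbd/winbindd log format shown in the post (a `[date, level] file.c:function(line)` header followed by a message that the mail client may have wrapped over several lines, or a header with the source location pushed onto its own line) and runs each message against a small table of known failure signatures. The sample log is constructed from the lines in the post; the signature table and its advice are the editor's reading of those messages, not Samba documentation. In the excerpt, the `krb5_get_credentials` failure with "Requested effective lifetime is negative or too short" is the KDC refusing a ticket that would be invalid on arrival, which almost always means clock skew against the DC, and the `Unknown parameter encountered: "force create"` line is a misspelling of `force create mode` that smbd silently ignores.

```python
"""Triage helper for Samba 3 smbd/winbindd log entries (editor's example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# "[YYYY/MM/DD HH:MM:SS, level]" optionally followed by "path/file.c:func(line)".
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]"
    r"(?:\s+(?P<src>[\w/]+\.c:\w+\(\d+\)))?$"
)
# Source location that a mail client wrapped onto the line after the header.
LOC_RE = re.compile(r"^[\w/]+\.c:\w+\(\d+\)$")


@dataclass
class Entry:
    when: datetime
    level: int
    source: str
    message: str


@dataclass
class Finding:
    tag: str
    subject: str
    when: datetime
    advice: str


# (tag, pattern, advice). Advice is the editor's assumption about the usual cause.
SIGNATURES = [
    ("clock-skew",
     re.compile(r"Requested effective lifetime is negative or too short"),
     "The KDC refused a ticket that would not be valid on arrival; the usual "
     "cause is clock skew between the member server and the DC. Compare `date` "
     "with `net time -S <dc>` and sync the server to the DC with NTP."),
    ("machine-account-principal",
     re.compile(r"Username (?P<who>\S+\$) is invalid on this system"),
     "The Kerberos client principal was a machine account (trailing '$'), not a "
     "user, and smbd found no Unix identity for it. The workstation presented its "
     "own credentials; check that the user's session actually holds a TGT (klist "
     "on the workstation) and that `getent passwd` resolves the name."),
    ("smbconf-unknown-parameter",
     re.compile(r'Unknown parameter encountered: "(?P<who>[^"]+)"'),
     "smb.conf contains a parameter smbd does not recognise and ignores; run "
     "`testparm` and correct the name ('force create' should be 'force create mode')."),
    ("passdb-mapping",
     re.compile(r"pdb_init_sam failed"),
     "smbd could not build the local account record for a domain user, which "
     "usually means the user or group did not map through winbind and NSS; check "
     "`getent passwd 'DOMAIN+user'` and the idmap ranges."),
    ("client-disconnect",
     re.compile(r"Connection reset by peer"),
     "Consequence, not cause: the client dropped the connection after the "
     "failed session setup."),
]


def parse_log(text: str) -> List[Entry]:
    """Group a header line and its continuation lines into one Entry."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                entries.append(cur)
            cur = Entry(datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                        int(m["level"]), m["src"] or "", "")
        elif cur is None:
            continue                      # text before the first header
        elif not cur.source and LOC_RE.match(line):
            cur.source = line             # wrapped "file.c:func(line)"
        else:
            cur.message = f"{cur.message} {line}".strip()   # re-join wrapped text
    if cur is not None:
        entries.append(cur)
    return entries


def triage(text: str) -> List[Finding]:
    """Return the first matching signature for every entry that matches one."""
    findings: List[Finding] = []
    for e in parse_log(text):
        for tag, rx, advice in SIGNATURES:
            m = rx.search(e.message)
            if m:
                subject = m.groupdict().get("who") or e.source
                findings.append(Finding(tag, subject, e.when, advice))
                break
    return findings


# Constructed from the log lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
[2006/09/01 04:32:07, 1] libsmb/clikrb5.c:ads_krb5_mk_req(488)
ads_krb5_mk_req: krb5_get_credentials failed for
tta-bus-w02$@TTA.RIDETTA.ORG (Requested effective lifetime is
negative or too short)
[2006/09/01 09:05:30, 0]
nsswitch/winbindd_dual.c:child_read_request(49)
Got invalid request length: 0
[2006/09/01 09:28:47, 0] auth/auth_util.c:make_server_info_info3(1297)
make_server_info_info3: pdb_init_sam failed!
[2006/09/01 09:19:14, 0] param/loadparm.c:map_parameter(2691)
Unknown parameter encountered: "force create"
[2006/09/01 09:22:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(303)
Username TTA+TTA160C$ is invalid on this system
[2006/09/01 09:22:19, 0] lib/util_sock.c:write_data(557)
write_data: write failure in writing to client 10.5.2.4. Error
Connection reset by peer
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when:%H:%M:%S} {f.tag:26} {f.subject}\n    {f.advice}")
```

Run it against `/var/log/samba/*` on the member server (`python3 triage.py < /var/log/samba/smbd.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`); the `clock-skew` and `smbconf-unknown-parameter` findings are the two things worth fixing first, since a Kerberos member server cannot get service tickets at all while its clock is out of tolerance with the KDC.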