
samba domain authentication

aueddonline Member Posts: 611
I've been tasked with setting up a Samba server that will hold home directories for users within the building, and there will also be shared folders that some people will have access to and others won't.

The one catch is our building connects to a very large domain with domain controllers which I can't administer.

So I need a way to configure this Samba server to authenticate user accounts with the domain controller but also be able to create groups on the Samba server so that I can manage permissions for the shares.

Any ideas if this is possible? Where do I start?

I'm not a Linux guy really, but willing to suffer.
What's another word for Thesaurus?

Comments

  • tiersten Member Posts: 4,505
    Will they allow you to join your Samba server to the domain?
  • aueddonline Member Posts: 611
    tiersten wrote: »
    Will they allow you to join your Samba server to the domain?

    Yeah, of course.
  • undomiel Member Posts: 2,818
    This is possible but a bit tricky. It also seems to be different for every system so you may need to tweak the settings that I am giving you. First off make sure you have the krb5 client installed along with samba and winbind. Edit your /etc/krb5.conf as follows and remember the capitalization is important.
    [libdefaults]
    default_realm = YOUR.DOMAIN
    [realms]
    YOUR.DOMAIN = {
            kdc = dc.your.domain
            default_domain = YOUR.DOMAIN
    }
    

    Now for your /etc/samba/smb.conf
    [global]
           security = ads
           netbios name = ServerName
           realm = YOUR.DOMAIN
           password server = dc.your.domain
           workgroup = YOURDOMAIN
           idmap uid = 1000-29999
           idmap gid = 1000-29999
           winbind enum users = yes
           winbind enum groups = yes
           winbind use default domain = yes
           client use spnego = yes
           domain master = no
    

    Edit your /etc/nsswitch.conf and add "winbind" to passwd and group. Now let's join it to the domain.

    kinit administrator@YOUR.DOMAIN

    Running a klist should show your krb ticket. If it does not then some tweaking may need to be done.

    net ads join -U YOURDOMAIN\\administrator

    Your server should now be joined to the domain. To verify run wbinfo -u and wbinfo -g and you should see users and groups listed respectively. Make sure your samba and winbind services are running if you see any failures. Check here for more info: Chapter 6. Domain Membership

    Don't be too surprised if it doesn't work on the first try. It took me a while to tweak things to work back when I first set things up at that job.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • aueddonline Member Posts: 611
    that's mega helpful undomiel, thank you :)

    I'll post some progress tomorrow
  • aueddonline Member Posts: 611
    Ok, followed your instructions and had success until trying wbinfo -u, -g.

    At first it gave the error 'Error looking up domain users' and then, after starting the winbind service, it hangs for a while and then gives the error.

    With the /etc/nsswitch.conf, should the section you mention look like this?

    passwd: files nis winbind
    shadow: files nis winbind
    group: files nis winbind
  • aueddonline Member Posts: 611
    Is it a good idea to either edit the config in the GUI or from the CLI, I've been doing a mixture of both.
  • undomiel Member Posts: 2,818
    Yes, that's how nsswitch.conf is supposed to look. No idea on the editing from the GUI. I've always written my configs from the CLI.

    The first thing to try is restarting your services. Shut down your winbind service and your samba service. Then specifically bring up winbind and then samba. I found it to be very touchy about these things so that is always worth a shot first. If that fails then run wbinfo -D domain. Once that finishes then check and see if wbinfo -g and -u work. Still no go? Then try explicitly putting in the name of your DC in your /etc/hosts file by both host name and fqdn. Restart and then test things again. As I mentioned, joining a Samba machine to the domain is a touchy beast. :)
  • aueddonline Member Posts: 611
    undomiel wrote: »
    Yes, that's how nsswitch.conf is supposed to look. No idea on the editing from the GUI. I've always written my configs from the CLI.

    The first thing to try is restarting your services. Shut down your winbind service and your samba service. Then specifically bring up winbind and then samba. I found it to be very touchy about these things so that is always worth a shot first. If that fails then run wbinfo -D domain. Once that finishes then check and see if wbinfo -g and -u work. Still no go? Then try explicitly putting in the name of your DC in your /etc/hosts file by both host name and fqdn. Restart and then test things again. As I mentioned, joining a Samba machine to the domain is a touchy beast. :)

    Went through those steps, still no cigar. I think I might start again with a clean install tomorrow. That domain membership chapter is really good, spent all day reading that between other things.

    After changing the hosts file it wasn't giving me anything with wbinfo -D (domain), but after the reboot it was working again. Could any config on the PDC be stopping me getting a response for wbinfo -u? Might try sniffing that link tomorrow to see what's happening down under. Anyway, off home now, might catch Simpsons on C4+1 :)
  • undomiel Member Posts: 2,818
    Something else you could try is lowering the firewall on your Linux server to be certain that isn't interfering. Nothing should need changing, though I do recall with older Samba versions that it had problems with SMB signing, but that just interferes with authentication on accessing a share, not with integrating the machine into AD. Let me know how the rebuild goes and if still no dice then I'll see what else we can try. I can't find my documentation from when I did this before.
  • aueddonline Member Posts: 611
    I appreciate the help. I will probably post again Monday as, after thinking about it, it doesn't make sense killing my install today before the weekend. Gonna have another look through smb.conf today :)
  • aueddonline Member Posts: 611
    I have some progress!

    I am now getting a response to the wbinfo -u command, but here's the funny thing: we have like 20 domains and the wbinfo -u output is giving me all the users for 2 of those domains, and neither of the 2 is my domain :(

    I have also tried wbinfo -u (domain) but I get the same result.

    And also now the net ads join and kinit commands that were working now are not. This is freakin weird.
  • aueddonline Member Posts: 611
    I have pretty much exactly the config you gave above, getting this message when using net join, after using kinit successfully.

    [root@MACHINE ~]# net ads join -U *****
    [2009/03/06 15:00:47, 0] param/loadparm.c:map_parameter(2772)
    Unknown parameter encountered: "winbind enum user"
    [2009/03/06 15:00:47, 0] param/loadparm.c:lp_do_parameter(3512)
    Ignoring unknown parameter "winbind enum user"
    [2009/03/06 15:00:47, 0] param/loadparm.c:map_parameter(2772)
    Unknown parameter encountered: "winbind enum group"
    [2009/03/06 15:00:47, 0] param/loadparm.c:lp_do_parameter(3512)
    Ignoring unknown parameter "winbind enum group"
    *****'s password:
    Using short domain name -- *****
    Joined '*****-****' to realm 'DOMAIN.UK'
    [root@MACHINE ~]#

    I put user and group instead of users and groups :)
  • aueddonline Member Posts: 611
    A few funny things going on with the server.
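    Both of the configuration mistakes that surface in this thread (winbind missing from the passwd/group lines of nsswitch.conf, and the singular "winbind enum user"/"group" spelling that loadparm reports as an unknown parameter and ignores) can be caught from the files before net ads join is ever run. The script below is an added example, not code from the thread or from Samba; it takes the file paths as arguments, assumes wbinfo is the Samba tool available on the box for the post-join checks, and Samba's own testparm also reports unknown parameters.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join sanity checks for a Samba AD
# member server. File paths are passed in so the checks can run against copies.

# nsswitch.conf must list winbind on both passwd and group, otherwise domain
# users and groups never become visible to getent, ls, chown or share ACLs.
nss_has_winbind() {                       # $1 = path to nsswitch.conf
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Prints one problem per line (nothing when the file is clean). Catches the
# exact mistake from the thread: "winbind enum user"/"group" without the
# plural is an unknown parameter that loadparm silently ignores.
smbconf_problems() {                      # $1 = path to smb.conf
    f="$1"
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$f" ||
        echo "security is not ads (logons will not be validated against AD)"
    grep -Ei '^[[:space:]]*winbind enum (user|group)[[:space:]]*=' "$f" |
        sed 's/^[[:space:]]*/typo, needs plural: /'
    # Kerberos realm names are case sensitive; AD realms are written upper case.
    realm=$(sed -n 's/^[[:space:]]*[Rr]ealm[[:space:]]*=[[:space:]]*//p' "$f" |
            head -n 1 | sed 's/[[:space:]]*$//')
    if [ -z "$realm" ]; then
        echo "realm is missing"
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm is not upper case: $realm"
    fi
}

# After net ads join: the checks the thread runs by hand. Only attempted when
# the Samba tools are installed, so the file checks above still run anywhere.
# wbinfo -t verifies the machine trust account secret; -u/-g list users/groups.
live_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 1; }
    wbinfo -t &&
    wbinfo -u | head -n 3 &&
    wbinfo -g | head -n 3
}

# usage: sh check.sh /etc/nsswitch.conf /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    nss_has_winbind "$1" || echo "nsswitch.conf: winbind missing from passwd/group"
    smbconf_problems "$2"
fi
```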

    1) after a reboot the server doesn't get an IP address until I log in via the GUI.

    2) The wbinfo commands work for 5 minutes after a reboot and then stop working.

    Also a later query is that I'm using the option 'winbind separator = \' in smb.conf hoping to be able to change ownership of folders to domain users. This doesn't seem to be working, but that could have something to do with issue (2). But I was wondering, when sharing a folder via samba, how do you control access:

    - do you still need samba users?
    - can you use local groups and add domain users to those groups (does that allow access to samba shares)
  • rwwest7 Member Posts: 300
    Have you tried just using LDAP?
  • aueddonline Member Posts: 611
    rwwest7 wrote: »
    Have you tried just using LDAP?

    No, I was under the impression that for what I wanted to do I'd need the magic of winbind.
  • undomiel Member Posts: 2,818
    Is your winbind service still running after those 5 minutes? You might also want to check the start up order for the services. The winbind separator default is \ so you shouldn't need that line for your config. I haven't tried it but I see no reason why you wouldn't be able to add domain users to local groups since they are all mapped to an id.
  • aueddonline Member Posts: 611
    undomiel wrote: »
    Is your winbind service still running after those 5 minutes? You might also want to check the start up order for the services. The winbind separator default is \ so you shouldn't need that line for your config. I haven't tried it but I see no reason why you wouldn't be able to add domain users to local groups since they are all mapped to an id.

    Yeah, winbind is still running after 5 minutes. I sniffed the link and this NetBIOS message is sent by the server just before the wbinfo -u command stops working. I replaced the domain with MYDOMAIN; one of these NetBIOS messages then gets sent for every domain that exists in my network:

    NetBIOS Name Service
    Transaction ID: 0x6f84
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Name query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... ...1 .... = Broadcast: Broadcast packet
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Queries
    MYDOMAIN<1d>: type NB, class IN
    Type: NB
    Class: IN

    What startup script do you mean? The paper I have says I might need to edit /etc/init.d/smb. I altered that script today with the help of http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html .
    It says you should have smbd running before nmbd and winbindd, but wasn't sure if that was right?
  • undomiel Member Posts: 2,818
    In my experience you needed winbind running before samba. You could try it both ways though and see which one is more effective for you. I'll see if I can find some time today and run through a simulation in my lab with CentOS and see if I'm missing anything in my directions.
  • aueddonline Member Posts: 611
    undomiel wrote: »
    In my experience you needed winbind running before samba. You could try it both ways though and see which one is more effective for you. I'll see if I can find some time today and run through a simulation in my lab with CentOS and see if I'm missing anything in my directions.

    Yeah, I think your way is working better. I just changed the order of the services to winbind, smb then nmb, and that is getting the best result, as when I reboot I can see the admins on the login screen.

    I'm still getting the wbinfo -u command stopping working at 5 minutes though. winbind is still running; I just looked at the log file and I'm getting a winbind async_request_timeout_handler:

    [root@MACHINE-NAME ~]# tail /var/log/messages -v
    ==> /var/log/messages <==
    Mar 11 07:58:54 MACHINE-NAME avahi-daemon[2033]: New relevant interface eth0.IPv4 for mDNS.
    Mar 11 07:58:54 MACHINE-NAME avahi-daemon[2033]: Registering new address record for (IP) on eth0.IPv4.
    Mar 11 07:58:55 MACHINE-NAME NetworkManager: <info> Activation (eth0) successful, device activated.
    Mar 11 07:58:55 MACHINE-NAME NetworkManager: <info> Activation (eth0) Stage 5 of 5 (IP Configure Commit) complete.
    Mar 11 07:58:57 MACHINE-NAME avahi-daemon[2033]: Registering new address record for (IPv6) on eth0.*.
    Mar 11 08:01:35 MACHINE-NAME winbindd[2034]: [2009/03/11 08:01:35, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(181)
    Mar 11 08:01:35 MACHINE-NAME winbindd[2026]: [2009/03/11 08:01:35, 0] nsswitch/winbindd_dual.c:async_request_timeout_handler(181)
    Mar 11 08:01:35 MACHINE-NAME winbindd[2034]: async_request_timeout_handler: child pid 1886 is not responding. Closing connection to it.
    Mar 11 08:01:35 MACHINE-NAME winbindd[2026]: async_request_timeout_handler: child pid 1886 is not responding. Closing connection to it.
    Mar 11 08:07:50 MACHINE-NAME kernel: nscd[2607]: segfault at cfd6ceec eip 00307275 esp afd6cebc error 7
    [root@MACHINE-NAME ~]#
  • aueddonline Member Posts: 611
    Nothing is working now. I only changed the range of the uid, gid in the smb.conf, and before that it was giving me different outcomes after rebooting a good few times with no changes made.
  • undomiel Member Posts: 2,818
    Yup, sounding a lot like my first experiences of getting this working. :) Looking around about that error, it looks like it is related to a bug. Have you made sure samba is up to date?
  • aueddonline Member Posts: 611
    I've been reading a little today on this but none of it is making much sense.

    What is the relationship between winbind and LDAP? Can they co-exist? Should I be looking into the LDAP configuration too? :) Do I sound confused!