Samba and Active Directory

From: Tim Child at work (timc3_at_timc3.com)
Date: 04/20/05

    Date: Wed, 20 Apr 2005 06:32:35 -0700
    To: debian-user@lists.debian.org
    
    

    Hi,

    I have a problem with getting Samba talking to my Active Directory
    running on Win2K3. Running Debian testing at the moment, I am
    getting the following entries in my log:

    uklinux01:/var/log/samba# tail 10.10.10.250

    [2005/04/20 13:45:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
      Username Domain\timc is invalid on this system
    [2005/04/20 13:45:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
      Username Domain\timc is invalid on this system

    And I have set it up like the following:

    I set up an entry in my Active Directory for the DNS of the machine.
    NTP so that times are the same.

    I installed Samba from aptitude (I am on testing - it installed Version
    3.0.10-Debian) then tested that I had the right features installed:
    smbd -b | grep KRB (Should show the links to Kerberos)
    smbd -b | grep LDAP (Should show the features linked to LDAP)

    I did the following to my smb.conf:

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = Domain
    realm = Domain.local
    server string = Samba 3.0.10-Debian

    security = ads
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = CUPS
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template primary group = "Domain Users"
    template shell = /bin/bash

    #[homes]
    #comment = Home Directories
    #valid users = %S
    #read only = No
    #browseable = No
    #[printers]
    #comment = SMB Print Spool
    #path = /var/spool/samba
    #guest ok = Yes
    #printable = Yes
    #browseable = No
    #[print$]
    #comment = Printer Drivers
    #path = /var/lib/samba/drivers
    #admin users = root, Administrator
    #write list = root

    [fileshare]
    comment = IT fileshare
    path = /srv/fileshare
    valid users = %S
    public = yes
    writable = yes
    browseable = yes
    printable = no
    create mode = 0644
    directory mode = 0755
    create mask = 0755

    Then I edited /etc/nsswitch.conf :

    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files dns wins
    networks: files dns
    protocols: files
    services: files
    ethers: files
    rpc: files
    netmasks: files
    netgroup: files
    publickey: files
    bootparams: files
    automount: files
    aliases: files

    Ran testparm and it came back OK.

    Then I downloaded Kerberos 5.1.4 from MIT
    made and installed it. (make install DESTDIR=/usr)
    cp krb5.conf /etc/krb5.conf
    Edited the realm so it was correct for my Domain

    Then joined by doing:

    net ads join -U Administrator

    and this worked, it joined ok and I could then issue wbinfo -u | less ,
    getent groups | less , getent users | less and that is all working fine.

    At this point I tried to connect using a Windows box and an Active
    Directory login but I don't get anywhere. So I have also tried editing
    /etc/pam.d/login

    #%PAM-1.0
    auth required pam_securetty.so
    auth sufficient pam_winbind.so
    auth sufficient pam_unix.so use_first_pass
    auth required pam_stack.so service=system-auth
    auth required pam_nologin.so
    account sufficient pam_winbind.so
    account required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session required pam_stack.so service=system-auth
    session optional pam_console.so

    But that doesn't help either, and now I am slightly stuck on that error.
    I think that I might have an issue with secrets.tdb as it isn't in its
    default location of /etc/samba - but then again the Debian build might
    default it to /var/lib/samba

    Thanks for any help in advance.

    Tim
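
Added example, not part of the original post: the log entry above says smbd found no Unix account for the authenticated name, so this sketch pulls the rejected names out of a Samba 3 style log and checks which spellings the local NSS stack can resolve. The function names and the choice of spellings tested (the full `Domain\user` form and the bare user name) are assumptions made for illustration; the sample log lines are the ones quoted in the post.

```python
import pwd
import re
from collections import Counter

# Log lines copied from the post above, embedded so the example runs offline.
SAMPLE_LOG = """\
[2005/04/20 13:45:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username Domain\\timc is invalid on this system
[2005/04/20 13:45:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username Domain\\timc is invalid on this system
"""
HEADER = re.compile(r"^\[[^\]]+\]\s+(?P<src>\S+)")
INVALID = re.compile(r"^\s+Username (?P<name>.+) is invalid on this system$")

def rejected_names(log_text):
    """Count names rejected in reply_spnego_kerberos (header + detail line)."""
    counts, src = Counter(), None
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:
            src = head.group("src")          # remember which function logged
            continue
        hit = INVALID.match(line)
        if hit and src and "reply_spnego_kerberos" in src:
            counts[hit.group("name")] += 1
        src = None                           # detail line consumed
    return counts

def nss_resolves(name):
    """True if the local NSS stack (files, winbind, ...) knows this account."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def diagnose(log_text, resolves=nss_resolves):
    """For each rejected name, report which spellings NSS can resolve."""
    report = {}
    for name, hits in rejected_names(log_text).items():
        bare = name.split("\\", 1)[-1]       # Domain\user -> user
        forms = dict.fromkeys([name, bare])  # de-duplicate, keep order
        report[name] = {"hits": hits, "forms": {f: resolves(f) for f in forms}}
    return report

if __name__ == "__main__":
    for name, info in diagnose(SAMPLE_LOG).items():
        print(name, info)
```

Run on the Samba host, a name that resolves in neither form means the passwd lookup path (nsswitch.conf and winbindd) is not returning the account to smbd; a name that resolves only in its bare form points at how the domain prefix is being mapped.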
