-   Linux - Enterprise (
-   -   ...of Samba ADS security, Kerberos, and AD on Windows 2003 (

zerovice 10-17-2006 08:37 PM

...of Samba ADS security, Kerberos, and AD on Windows 2003
RHEL4.4 and Win2003SP1 DC

1st question:
After many attempts I have one question; Is kerberos enough to authenticate with Active Directory or do you have to use it in combination with ldap or winbind in order to access a samba share?

What I am trying to accomplish is to have my RHEL4 box serve out a few shares and for my windows users to access them without having to input any credentials. (I was assuming it would use the kerberos info from the initial windows logon)

I apologize for the post as there are many out there, but if anyone can answer my question above I would at least have some hope that it can be done.

Additionally, I have the necessary samba and kerberos packages installed and I am able to access samba shares logging onto windows with an acct. that is in linux.

I am also able to do a kinit and klist shows the ticket although when I try an smbclient -k -L /servername I receive "session setup failed: NT_STATUS_LOGON_FAILURE" (the server has been added to AD that wasn't a problem)

If any of this has caught your eye or anyone has any ideas please let me know!

zerovice 10-19-2006 06:53 AM

I am currently working on this and will be monitoring the thread for any response it is now 7:50am 10/19 Thursday. Any suggestions would be greatly appreciated.

jgeiger 10-19-2006 07:46 AM

I'm not an expert, but I have never seen a way for samba to authenticate against AD that didn't use winbind. The set up is fairly straight forward, and quite reliable. I haven't met the post requirement to post URL's, but if you do a Google search for "Red Hat samba active directory" the first doc is Red Hat's guide to integrating samba w/ AD.

zerovice 10-19-2006 08:21 AM

Thanks for that, but have already run through this. Additionally, it mentions at the bottom to stop winbind before joining to the domain. Although it doesn't explicitly say to do anything with winbind it would seem it's being used.... Appreciate the effort, anything else offered I am willing to chase up so keep 'em coming!

jgeiger 10-19-2006 08:51 AM

Here's the method we have used on our 4 samba servers:

Configure /etc/krb5.conf:


default = FILE:/var/adm/krb5libs.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log

        default_realm = DOMAIN
        kdc_req_checksum_type = 2
        dns_lookup_realm = true
        dns_lookup_kdc = true

        DOMAIN= {
                kdc = DC.DOMAIN
                admin_server = DC.DOMAIN
                default_domain = DOMAIN

        .domain = DOMAIN

        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false

Configure /etc/nsswitch.conf:

passwd:      files winbind
group:        files winbind
hosts:        files dns
services:    files winbind
networks:    files
protocols:    files winbind
rpc:          files
publickey:    files winbind
netgroup:    files
automount:    files winbind
aliases:      files

Configure /etc/samba/smb.conf: (truncated for the sake of brevity)

  workgroup = DOMAIN
  netbios name = SAMBASERVER
  security = ads
  winbind separator = +
  winbind cache time = 10
  template shell = /bin/bash
  template homedir = /home/%U
  idmap uid = 1000000-3000000
  idmap gid = 1000000-3000000
  idmap backend = idmap_rid:DOMAIN=1000000-3000000
  allow trusted domains = no
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = no
  realm = DOMAIN

Restart winbind and samba.

Get a kerberos ticket:

kinit user@DOMAIN

Join the domain:

net ads join

Configure /etc/pam.d/system-auth:

auth        required      /lib/security/$ISA/
auth        sufficient    /lib/security/$ISA/ likeauth nullok
auth        sufficient    /lib/security/$ISA/ use_first_pass
auth        sufficient    /lib/security/$ISA/ use_first_pass
auth        required      /lib/security/$ISA/

account    required      /lib/security/$ISA/
account    sufficient    /lib/security/$ISA/ uid < 100 quiet
account    [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/
account    [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/
account    required      /lib/security/$ISA/

password    requisite    /lib/security/$ISA/ retry=3
password    sufficient    /lib/security/$ISA/ nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/ use_authtok
password    sufficient    /lib/security/$ISA/ use_authtok
password    required      /lib/security/$ISA/

session    required      /lib/security/$ISA/
session    required      /lib/security/$ISA/
session    optional      /lib/security/$ISA/

Reboot for good measure.

When it comes back up, you can use wbinfo to get info from the domain and verify you are joined correctly.

wbinfo -t (checks shared secret)
wbinfo -n DOMAIN+someuser (should get a sid back from AD)

That's the process to the best of my recollection.

zerovice 10-19-2006 10:50 AM

Thanks for that! Getting closer.... I have winbind setup and am returning info using wbinfo -u so that's good! Although getent doesn't seem to be returning anything which may be a problem as trying smbclient -L localhost -U username is giving session setup failed: NT_STATUS_LOGON_FAILURE, for either a local or AD user....just wanted to let you know that you had helped thus far...appreciate it.

zerovice 10-19-2006 12:07 PM

Thanks jgeiger! I am all set, now to write up the how-to. In the end the above examples did everything it was supposed to. getent wasn't working because I had winbind uid and gid set additionally so the mapping wasn't happening. Thanks!

All times are GMT -5. The time now is 10:54 PM.