LinuxQuestions.org

-   -   Samba with Active Directory authentication (https://www.linuxquestions.org/questions/linux-enterprise-47/samba-with-active-directory-authentication-410189/)

Ziggie 01-31-2006 07:29 PM

Samba with Active Directory authentication
 
Hi!

I have a Windows 2003 Active Directory domain that I am trying to setup a linux file server within (using Red Hat Enterprise AS 3).

First, here's what I'm trying to do: I am trying to set it so that users who have authenticated to the domain can access the samba shares based on their domain authentication alone, without having to put a separate password in to access the share, so it will appear as though it's just another Windows share.

I have the linux file server configured with samba and kerberos and joined to the domain (Active Directory is recognizing the server connected to the domain). I can use kinit and authenticate, net ads join and join the domain. wbinfo -u and -g show me the domain users and groups (in addition to the local users). getent passwd and getent group are showing me domain users as well.

Now, when my windows machine, authenticated to the domain, attempts to access one of the shares I get one of the two following errors in the samba log (and a box asking for username/pw in windows):

* Failed to verify incoming ticket!
* User Domain\user does not exist on this system
--Domain\user does exist on the domain and shows in both wbinfo and getent

I have verified that the kerberos server's time and the samba servers time are within seconds of each other.

I'm not sure what else could be the problem. Any thoughts?

Thanks
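The original poster has the join, kinit and winbind enumeration working, so the remaining question is whether smbd is actually configured to authenticate against AD and to map the winbind users it sees into Unix accounts. The checker below is an added example (not from the thread or from the Samba project) that flags the settings a Samba 3 AD member server needs: security = ads, realm and workgroup set, idmap uid/gid ranges so winbind can allocate ids, and winbind listed for passwd and group in nsswitch.conf. The two smb.conf texts and the nsswitch lines are constructed samples; all domain and path values are assumptions.

```python
"""Hypothetical checker for the smb.conf / nsswitch.conf settings a Samba 3
Active Directory member server needs before winbind-mapped users can open
shares.  Constructed example; not from the thread or the Samba project."""
import configparser
import re

# Constructed smb.conf modelled on a Samba 3 AD member (all values assumed).
GOOD_SMB_CONF = """
[global]
    workgroup = DOMAIN2
    realm = DOMAIN2.EXAMPLE.COM
    security = ads
    encrypt passwords = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/false

[share]
    path = /srv/share
    valid users = @"DOMAIN2\\Domain Users"
"""

# Same server with the settings that leave winbind unable to hand smbd a Unix
# account for a domain user: no realm, NT-style domain auth, no idmap range.
BAD_SMB_CONF = """
[global]
    workgroup = DOMAIN2
    security = domain
    encrypt passwords = yes
"""

GOOD_NSSWITCH = "passwd: files winbind\ngroup: files winbind\n"
BAD_NSSWITCH = "passwd: files\ngroup: files\n"

REQUIRED_PRESENT = ("realm", "workgroup", "idmap uid", "idmap gid")


def parse_smb_conf(text):
    """Parse smb.conf with configparser; keys are lower-cased by default."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_ad_member(smb_conf_text, nsswitch_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    cp = parse_smb_conf(smb_conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    # Kerberos ticket verification against AD requires security = ads.
    if g.get("security", "").strip().lower() != "ads":
        findings.append("security should be 'ads' for an AD member server")
    for key in REQUIRED_PRESENT:
        if not g.get(key, "").strip():
            findings.append(f"{key} is not set")
    # idmap ranges must be "low-high" with low < high.
    for key in ("idmap uid", "idmap gid"):
        val = g.get(key, "").strip()
        m = re.fullmatch(r"(\d+)-(\d+)", val)
        if val and (not m or int(m.group(1)) >= int(m.group(2))):
            findings.append(f"{key} range '{val}' is malformed")
    # getent/smbd only see domain accounts if nsswitch consults winbind.
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch_text, re.M)
        sources = m.group(1).split() if m else []
        if "winbind" not in sources:
            findings.append(f"nsswitch.conf {db} line does not include winbind")
    return findings


if __name__ == "__main__":
    for label, conf, nss in (("good", GOOD_SMB_CONF, GOOD_NSSWITCH),
                             ("bad", BAD_SMB_CONF, BAD_NSSWITCH)):
        print(label, check_ad_member(conf, nss) or "no findings")
```

Run it against the real /etc/samba/smb.conf and /etc/nsswitch.conf contents to get the same list; it complements rather than replaces `testparm`, `net ads testjoin` and `wbinfo -t`, which check syntax and the machine trust rather than the mapping settings.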

musicman_ace 01-31-2006 07:40 PM

what is your current function domain level?

Ziggie 01-31-2006 07:49 PM

Windows Server 2003 (highest level).

musicman_ace 02-01-2006 02:32 PM

The best implementation I've seen only allows Samba to interact at the 2000 functional level (works best at the NT level), and I haven't looked at the architecture of 2003 to know if any more security features were implemented in that functional level. My bet is that your current functional level is what is going to cause errors, but that is only a guess at this point. 2000 didn't allow the functional level to be lowered if I remember correctly, so I don't see why they'd let it happen in 2003.

Ziggie 02-01-2006 02:38 PM

Well, in monkeying around a bit more I've discovered this:

getent group "DOMAIN1\Domain Users"
this returns a valid listing of users from the Domain Users Group on Domain1 (separate from the domain the servers are on).
getent group "DOMAIN2\Domain Users"
this returns nothing. This is the domain that the servers are all on...

Oh, and no, you cannot lower your domain level in 2003.

Ziggie 02-02-2006 07:43 AM

More monkeying, new problems.

Any and all users of DOMAIN2 can now connect with no problems.
Users of any other domain, including DOMAIN1 get an access denied error and the samba log turns up:

[2006/02/02 08:34:28, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [chad] -> [chad] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT

In searching Google, I've only found this error talked about when trying to join a domain, never when trying to access a share...

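The log excerpt in the last post has the usual Samba 3 two-line shape: a header with timestamp, debug level and source location, then the check_ntlm_password result on the next line. When only users from other domains fail, the useful view is "which NT_STATUS code, for which users, how often", since one code (here NT_STATUS_NO_TRUST_SAM_ACCOUNT) hitting only foreign-domain accounts points at the trust/idmap path rather than at credentials. The parser below is an added example, not code from the thread or from Samba; the log lines are constructed to match the quoted format, and the user names and timestamps are invented.

```python
"""Hypothetical parser for Samba 3 auth records of the form quoted in the
thread: "[date time, level] file:function(line)" followed by the
check_ntlm_password message on the next line.  Constructed sample; not from
the thread or the Samba project."""
import re
from collections import Counter

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
AUTH_RESULT = re.compile(
    r"check_ntlm_password: +Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
    r"(FAILED with error (NT_STATUS_\w+)|succeeded)")

# Constructed log excerpt modelled on the format shown in the thread.
SAMPLE_LOG = """\
[2006/02/02 08:34:28, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [chad] -> [chad] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2006/02/02 08:35:01, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2006/02/02 08:35:40, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/02/02 08:36:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [chad] -> [chad] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2006/02/02 08:36:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [erin] -> [erin] succeeded
"""


def parse_auth_events(log_text):
    """Return [(timestamp, mapped_user, status)] per auth record; status is
    the NT_STATUS code on failure or 'OK' on success."""
    events = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        h = HEADER.match(lines[i])
        if h and i + 1 < len(lines):
            # The message line is indented in real logs; strip() tolerates
            # both that and the unindented form pasted in the thread.
            m = AUTH_RESULT.search(lines[i + 1].strip())
            if m:
                events.append((h.group(1), m.group(2), m.group(4) or "OK"))
                i += 2
                continue
        i += 1
    return events


def summarize(events):
    """Counts per status, plus per (status, user) for failures only."""
    by_status = Counter(s for _, _, s in events)
    by_user = Counter((s, u) for _, u, s in events if s != "OK")
    return by_status, by_user


def failures_for(events, status):
    """Distinct users that hit one NT_STATUS code."""
    return sorted({u for _, u, s in events if s == status})


if __name__ == "__main__":
    ev = parse_auth_events(SAMPLE_LOG)
    by_status, by_user = summarize(ev)
    for status, n in by_status.most_common():
        print(f"{status}: {n}  users={failures_for(ev, status)}")
```

Feed it the smbd log with `log level = 2` or higher and compare the user set behind NT_STATUS_NO_TRUST_SAM_ACCOUNT with the domain each user belongs to; if every affected user is from a trusted domain while DOMAIN2 users succeed, the trust and idmap configuration is the place to look, not the users' passwords.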
