LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices



Reply
 
Search this Thread
Old 01-31-2006, 08:29 PM   #1
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Rep: Reputation: 15
Samba with Active Directory authentication


Hi!

I have a Windows 2003 Active Directory domain that I am trying to setup a linux file server within (using Red Hat Enterprise AS 3).

First, here's what I'm trying to do: I am trying to set it so that users who have authenticated to the domain can access the samba shares based on their domain authentication alone, without having to put a separate password in to access the share, so it will appear as though it's just another Windows share.

I have the linux file server configured with samba and kerberos and joined to the domain (Active Directory is recognizing the server connected to the domain). I can use kinit and authenticate, net ads join and join the domain. wbinfo -u and -g show me the domain users
and groups (in addition to the local users). getent passwd and getent group are showing me domain users as well.

Now, when my windows machine, authenticated to the domain, attempts to access one of the shares I get one of the two following errors in the samba log (and a box asking for username/pw in windows):

* Failed to verify incoming ticket!
* User Domain\user does not exist on this system
--Domain\user does exist on the domain and shows in both wbinfo and getent

I have verified that the kerberos server's time and the samba servers time are within seconds of each other.

I'm not sure what else could be the problem. Any thoughts?

Thanks
 
Old 01-31-2006, 08:40 PM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
what is your current function domain level?
 
Old 01-31-2006, 08:49 PM   #3
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Original Poster
Rep: Reputation: 15
Windows Server 2003 (highest level).
 
Old 02-01-2006, 03:32 PM   #4
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
The best implementation I've seen only allow Samba to interact at the 2000 functional level (works best at the NT level), and I haven't looked at the architecture of 2003 to know if any more security features were implemented in that functional level. My bet is that your current functional level is what is going to cause errors, but that is only a guess at this point. 2000 didn't allow the functional level to be lowered if I remember correctly, so I don't see why they'd let it happen in 2003.
 
Old 02-01-2006, 03:38 PM   #5
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Original Poster
Rep: Reputation: 15
Well, in monkeying around a bit more I've discovered this:

getent group "DOMAIN1\Domain Users"
this returns a valid listing of users from the Domain Users Group on Domain1 (separate from the domain the servers are on).
getent group "DOMAIN2\Domain Users"
this returns nothing. This is the domain that the servers are all on...

oh, and no, you can not lower your domain level in 2003.
 
Old 02-02-2006, 08:43 AM   #6
Ziggie
Member
 
Registered: Nov 2005
Distribution: Red Hat AS 3
Posts: 49

Original Poster
Rep: Reputation: 15
More monkeying, new problems.

Any and all users of DOMAIN2 can now connect with no problems.
Users of any other domain, including DOMAIN1 get an access denied error and the samba log turns up:

[2006/02/02 08:34:28, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [chad] -> [chad] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT

In searching google, I've only found this error talked about when trying to join a domain, never when trying to access a share...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Active Directory Authentication zenix Suse/Novell 29 03-22-2007 11:00 AM
Samba Active Directory Authentication zenix Linux - Networking 1 09-17-2005 05:26 AM
Active Directory authentication? cwhitmore Mandriva 3 03-09-2005 12:25 PM
active directory authentication mozilla Linux - Networking 2 02-21-2005 05:55 AM
samba-authentication with Active Directory sanjeevsagoo Linux - Networking 2 05-07-2004 04:09 AM


All times are GMT -5. The time now is 05:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration