I have a Windows 2003 Active Directory domain that I am trying to set up a Linux file server within (using Red Hat Enterprise AS 3).
First, here's what I'm trying to do: I am trying to set it so that users who have authenticated to the domain can access the samba shares based on their domain authentication alone, without having to put a separate password in to access the share, so it will appear as though it's just another Windows share.
I have the Linux file server configured with Samba and Kerberos and joined to the domain (Active Directory is recognizing the server connected to the domain). I can use kinit and authenticate, net ads join and join the domain. wbinfo -u and -g show me the domain users and groups (in addition to the local users). getent passwd and getent group are showing me domain users as well.
Now, when my Windows machine, authenticated to the domain, attempts to access one of the shares, I get one of the two following errors in the Samba log (and a box asking for username/pw in Windows):
* Failed to verify incoming ticket!
* User Domain\user does not exist on this system
--Domain\user does exist on the domain and shows in both wbinfo and getent
I have verified that the Kerberos server's time and the Samba server's time are within seconds of each other.
I'm not sure what else could be the problem. Any thoughts?
The best implementations I've seen only allow Samba to interact at the 2000 functional level (works best at the NT level), and I haven't looked at the architecture of 2003 to know if any more security features were implemented in that functional level. My bet is that your current functional level is what is going to cause errors, but that is only a guess at this point. 2000 didn't allow the functional level to be lowered if I remember correctly, so I don't see why they'd let it happen in 2003.
Well, in monkeying around a bit more I've discovered this:
getent group "DOMAIN1\Domain Users"
this returns a valid listing of users from the Domain Users Group on Domain1 (separate from the domain the servers are on).
getent group "DOMAIN2\Domain Users"
this returns nothing. This is the domain that the servers are all on...
Oh, and no, you cannot lower your domain level in 2003.
Any and all users of DOMAIN2 can now connect with no problems.
Users of any other domain, including DOMAIN1, get an access denied error and the Samba log turns up:
[2006/02/02 08:34:28, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [chad] -> [chad] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
In searching Google, I've only found this error talked about when trying to join a domain, never when trying to access a share...
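An added example, not part of the thread or of Samba itself: a small Python triage script for log entries of the kind quoted above, which groups failed check_ntlm_password logons by NT status so it is clear whether a failure affects one user or every account from a domain. The function names and all sample entries except the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Header that starts every Samba log entry: [date time, level] file:function(line)
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)")
# Continuation line written by check_ntlm_password when a logon fails
FAILED = re.compile(
    r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (NT_STATUS_\w+)")

def parse_auth_failures(text):
    """Return one dict per failed check_ntlm_password entry in a Samba log."""
    failures, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # A new entry begins: remember its timestamp and originating function
            current = {"time": m.group(1), "function": m.group(4)}
            continue
        f = FAILED.search(line)
        if f and current and current["function"] == "check_ntlm_password":
            failures.append({"time": current["time"], "client_user": f.group(1),
                             "mapped_user": f.group(2), "status": f.group(3)})
    return failures

def users_by_status(failures):
    """Group the mapped user names by NT status code."""
    grouped = defaultdict(set)
    for f in failures:
        grouped[f["status"]].add(f["mapped_user"])
    return {status: sorted(users) for status, users in grouped.items()}

# Constructed sample: the first entry is the one quoted in the thread,
# the remaining entries are made up for illustration.
SAMPLE_LOG = """\
[2006/02/02 08:34:28, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [chad] -> [chad] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2006/02/02 08:35:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2006/02/02 08:36:40, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/02/02 08:37:11, 1] smbd/service.c:make_connection_snum(100)
  constructed non-auth entry that the parser should skip
"""

if __name__ == "__main__":
    for status, users in users_by_status(parse_auth_failures(SAMPLE_LOG)).items():
        print(status, users)
```

Several users sharing one status such as NT_STATUS_NO_TRUST_SAM_ACCOUNT points at the domain or trust configuration rather than at individual credentials.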