Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I have a Windows 2003 Active Directory domain that I am trying to set up a Linux file server within (using Red Hat Enterprise AS 3).
First, here's what I'm trying to do: I am trying to set it so that users who have authenticated to the domain can access the Samba shares based on their domain authentication alone, without having to put a separate password in to access the share, so it will appear as though it's just another Windows share.
I have the Linux file server configured with Samba and Kerberos and joined to the domain (Active Directory is recognizing the server connected to the domain). I can use kinit and authenticate, and net ads join and join the domain. wbinfo -u and -g show me the domain users and groups (in addition to the local users). getent passwd and getent group are showing me domain users as well.
Now, when my Windows machine, authenticated to the domain, attempts to access one of the shares, I get one of the two following errors in the Samba log (and a box asking for username/password in Windows):
* Failed to verify incoming ticket!
* User Domain\user does not exist on this system
(Domain\user does exist on the domain and shows in both wbinfo and getent.)
I have verified that the Kerberos server's time and the Samba server's time are within seconds of each other.
I'm not sure what else could be the problem. Any thoughts?
The best implementation I've seen only allows Samba to interact at the 2000 functional level (it works best at the NT level), and I haven't looked at the architecture of 2003 to know if any more security features were implemented in that functional level. My bet is that your current functional level is what is going to cause errors, but that is only a guess at this point. 2000 didn't allow the functional level to be lowered if I remember correctly, so I don't see why they'd let it happen in 2003.
Well, in monkeying around a bit more, I've discovered this:
getent group "DOMAIN1\Domain Users"
This returns a valid listing of users from the Domain Users group on DOMAIN1 (separate from the domain the servers are on).
getent group "DOMAIN2\Domain Users"
This returns nothing. This is the domain that the servers are all on...
Oh, and no, you cannot lower your domain level in 2003.
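As an added triage helper (not code from the thread or from Samba), the script below classifies the two smbd log signatures quoted in the first post, parses getent group output so that an empty result like the one for DOMAIN2 is flagged, and checks clock skew against the Kerberos default tolerance; the sample log lines and getent line are constructed, and the area labels are this example's own.

```python
import re

# Kerberos' default tolerated clock skew between client, KDC and server (seconds).
MAX_SKEW_SECONDS = 300

# The two smbd log signatures quoted in the thread, mapped to the area to examine first.
# (Area names are this example's own labels, not Samba terminology.)
SIGNATURES = (
    (re.compile(r"Failed to verify incoming ticket"), "kerberos"),       # keytab/SPN/clock on the member
    (re.compile(r"User \S+ does not exist on this system"), "winbind"),  # nsswitch/idmap/winbind lookup
)

def classify(line):
    """Return 'kerberos', 'winbind' or 'other' for one smbd log line."""
    for pattern, area in SIGNATURES:
        if pattern.search(line):
            return area
    return "other"

def triage_log(text):
    """Count non-empty log lines per problem area over a log excerpt."""
    counts = {"kerberos": 0, "winbind": 0, "other": 0}
    for line in text.splitlines():
        if line.strip():
            counts[classify(line)] += 1
    return counts

def group_members(getent_output):
    """Parse one `getent group` line (name:passwd:gid:member,member).
    Empty output, as the poster saw for DOMAIN2, means the group did not
    resolve through nsswitch/winbind and yields []."""
    line = getent_output.strip()
    if not line:
        return []
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError("unexpected getent group format: %r" % line)
    return [m for m in fields[3].split(",") if m]

def skew_ok(kdc_epoch, samba_epoch):
    """True if the KDC and Samba server clocks are within Kerberos' skew limit."""
    return abs(kdc_epoch - samba_epoch) <= MAX_SKEW_SECONDS

# Constructed sample data in the formats the thread quotes (not real log output).
SAMPLE_LOG = """[2003/06/01 10:00:01, 1] Failed to verify incoming ticket!
[2003/06/01 10:00:05, 1] User DOMAIN2\\jdoe does not exist on this system
[2003/06/01 10:00:07, 3] Transaction 12 of length 88"""
SAMPLE_GETENT = "DOMAIN1\\domain users:x:10001:DOMAIN1\\jdoe,DOMAIN1\\asmith"

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG))        # {'kerberos': 1, 'winbind': 1, 'other': 1}
    print(group_members(SAMPLE_GETENT))  # ['DOMAIN1\\jdoe', 'DOMAIN1\\asmith']
```

Run it against a real excerpt of log.smbd and the real getent output for the member server's own domain; a "winbind" hit together with an empty group_members result points at name resolution rather than at Kerberos.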