LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 12-10-2008, 04:45 PM   #1
micksul
LQ Newbie
 
Registered: May 2007
Posts: 9

Rep: Reputation: 0
Samba\Active Directory with multiple domains.


Hi,
I am trying to get multiple AD domains to authenticate to a Linux server using Samba and a Kerberos file.
I had it working for some time, but now I find that only users from 1 domain can connect (I'll call it DomainA).
All other users defined in the Samba file from other domains (DomainB) get prompted for a Windows username and password when trying to access the share.
I can see the following in the logs; it appears the NTP server is not running on the AD server.
Would this cause authentication issues for users of other domains?
Logs:
Dec 10 01:44:01 cua sevhd[4365]: [7628] [10-Dec-2008 1:44:01.682] [sev 2] [49] Arg 0 = [NTP] No NTP server found on x.x.x.x on last attempt
Dec 10 01:44:02 cua sevhd[4365]: [7629] [10-Dec-2008 1:44:01.706] [sev 2] [49] Arg 0 = [NTP] System time not adjusted
(Where x.x.x.x is the IP of the DC.)


The logs on the linux server for domain_B show the following:
server:/var/log/samba # tail log.wb-DomainB
[2008/12/10 12:45:47, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password CUA$@NUH.LOCAL failed: Clock skew too great
[2008/12/10 13:46:46, 0] libads/kerberos.c:ads_kinit_password(228)
kerberos_kinit_password CUA$@NUH.LOCAL failed: Clock skew too great

When I issue /usr/bin/wbinfo u and /usr/bin/wbinfo g, it only comes back with users and groups from DomainA.


However, I have manually synced the time from the AD server using net ads time, and the offset between the DC and the Linux server is zero.

Does anyone know whether fixing the NTP server on the DC will resolve this authentication issue?

Trust groups list both domains:
server:/var/log/samba # /usr/bin/wbinfo -m
DomainA
DomainB

Thanks in advance gurus!
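The two symptoms in this post, kinit failing with "Clock skew too great" for one realm while the measured offset reads zero, are easier to reason about once the winbind entries are parsed per realm and the offset is compared against the KDC's tolerance. The following Python is an added example, not code from this thread or from Samba: it parses entries in the log.wb-<DOMAIN> format quoted above, counts clock-skew failures per realm, and checks a measured offset against the MIT krb5 default clockskew of 300 seconds (an assumption; the KDC may be configured differently). The sample log is constructed from the two posted lines plus one invented DOMAINA.LOCAL entry.

```python
"""Parse winbind Kerberos failures per realm and check a clock offset.

Added example (not code from this thread). It handles log lines in the
format winbind writes to log.wb-<DOMAIN>, as quoted in the post above,
and compares a measured offset with the MIT krb5 default clockskew.
"""
import re
from collections import defaultdict

# Header line: [2008/12/10 12:45:47, 0] libads/kerberos.c:ads_kinit_password(228)
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)")
# Detail line: kerberos_kinit_password CUA$@NUH.LOCAL failed: Clock skew too great
KINIT_RE = re.compile(r"kerberos_kinit_password ([^@\s]+)@(\S+) failed: (.+)$")

KRB5_CLOCKSKEW_SECONDS = 300  # MIT krb5 default 'clockskew'; assumed unchanged on the KDC


def parse_winbind_log(text):
    """Return one dict per kerberos_kinit_password failure found in text."""
    failures = []
    timestamp = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            timestamp = header.group(1)  # applies to the detail line(s) that follow
            continue
        detail = KINIT_RE.search(line)
        if detail:
            failures.append({
                "time": timestamp,
                "principal": detail.group(1),
                "realm": detail.group(2),
                "reason": detail.group(3).strip(),
            })
    return failures


def realms_with_clock_skew(failures):
    """Map realm -> number of kinit failures caused by clock skew."""
    counts = defaultdict(int)
    for f in failures:
        if "clock skew" in f["reason"].lower():
            counts[f["realm"]] += 1
    return dict(counts)


def skew_within_tolerance(offset_seconds, tolerance=KRB5_CLOCKSKEW_SECONDS):
    """True when |offset| is inside the window the KDC will accept."""
    return abs(offset_seconds) <= tolerance


# Constructed sample: the two entries posted for DomainB, plus one invented
# DOMAINA.LOCAL entry with a different failure reason.
SAMPLE_LOG = """\
[2008/12/10 12:45:47, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password CUA$@NUH.LOCAL failed: Clock skew too great
[2008/12/10 13:46:46, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password CUA$@NUH.LOCAL failed: Clock skew too great
[2008/12/10 13:50:02, 0] libads/kerberos.c:ads_kinit_password(228)
  kerberos_kinit_password CUA$@DOMAINA.LOCAL failed: Preauthentication failed
"""

if __name__ == "__main__":
    found = parse_winbind_log(SAMPLE_LOG)
    for realm, n in sorted(realms_with_clock_skew(found).items()):
        print(f"{realm}: {n} kinit failure(s) due to clock skew")
    for offset in (0, 600):
        print(f"offset {offset} s within tolerance: {skew_within_tolerance(offset)}")
```

One design point worth keeping in mind when reading the output: Kerberos skew is measured between the client and the KDC it is actually talking to. An offset of zero reported against the DC of the joined domain says nothing about DomainB's KDC, which is the one rejecting the CUA$@NUH.LOCAL request here, so the per-realm grouping is what tells you which DC to measure against.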
 
Old 12-10-2008, 05:54 PM   #2
kolodz1
LQ Newbie
 
Registered: Apr 2008
Distribution: fedora, debian
Posts: 8

Rep: Reputation: 1
AD uses time as part of the validation process, so if your offset was too large, any sessions that refreshed/logged in wouldn't work. (See http://support.microsoft.com/kb/884776 for a bit on that.) I'm not too sure what that would do to the domain trusts, so you'd have to check those to make sure they're still valid.

AFAIK the machine trusts should still exist, so you might just have to rejoin one of the servers to the domain.
 
Old 12-10-2008, 06:01 PM   #3
micksul
LQ Newbie
 
Registered: May 2007
Posts: 9

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by kolodz1
AD uses time as part of the validation process, so if your offset was too large, any sessions that refreshed/logged in wouldn't work. (See http://support.microsoft.com/kb/884776 for a bit on that.) I'm not too sure what that would do to the domain trusts, so you'd have to check those to make sure they're still valid.

AFAIK the machine trusts should still exist, so you might just have to rejoin one of the servers to the domain.


Thanks!

The strange thing is that the offset is now 0, as I issued
sudo /user/bin/net time set -S "kerberos_server"
Now /usr/bin/net ads info shows an offset of 0.

Then again the logs are complaining about not being able to reach the NTP server.

I'll see if the AD admins will take a look at the NTP server on the DC.

By the way, how do I check the domain trusts?
Is that wbinfo -m? If so, it shows all my trusted domains OK.
server:/var/log/samba # /usr/bin/wbinfo -m
DomainA
DomainB
 
Old 12-11-2008, 10:58 AM   #4
kolodz1
LQ Newbie
 
Registered: Apr 2008
Distribution: fedora, debian
Posts: 8

Rep: Reputation: 1
Code:
wbinfo -t
This should return info on the machine trust as well. If both the -t and -m switches return OK, then the issue is somewhere in the authentication service.
I have to admit that this is a pretty new problem to me, and I'm a bit more familiar with AD than with Samba/LDAP setups, but I think you're close.

One of the things I've noticed before is that you can access AD info with wbinfo pretty easily once you have a machine trust. So wbinfo can return good info, but samba will still be broken.

A few things to try, if you haven't already:

Code:
kinit user@DOMAIN.TLD
Check Kerberos auth. This is case sensitive, and the domain must be in caps AFAIK.

Code:
net ads info
Check to see if the AD server can be reached. If this doesn't work, you may want to try a net ads join to see if the problem is just that the server isn't logged into the AD.


I hope this helps.
RK
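The checks in this reply form an ordered triage: confirm winbind lists the trusted domains (wbinfo -m), confirm the machine trust (wbinfo -t), confirm a user can obtain a ticket (kinit), then confirm the AD server is reachable (net ads info). The Python below is an added example, not the poster's code or Samba's: it runs that sequence and stops at the first failing step with a verdict. Commands go through a runner callable so the decision logic can be exercised offline with canned output; default_runner executes them for real via subprocess (kinit prompts for the password on the terminal). The "Server time offset:" line is what net ads info prints; the 300-second tolerance, the realm names, the IP and all canned outputs are constructed for the example.

```python
"""Ordered Samba/AD triage: wbinfo -m, wbinfo -t, kinit, net ads info.

Added example (not the poster's code). The runner abstraction lets the
verdict logic run with canned output; default_runner runs the real tools.
"""
import re
import subprocess

KRB5_CLOCKSKEW_SECONDS = 300  # assumed KDC tolerance (MIT krb5 default)
OFFSET_RE = re.compile(r"Server time offset:\s*(-?\d+)")  # line printed by 'net ads info'


def default_runner(argv):
    """Run argv and return (exit_code, stdout+stderr). kinit prompts on the tty."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


def triage(user, realm, expected_domains, runner=default_runner):
    """Walk the checks in order; return (verdict, explanation) at the first failure."""
    # 1. Does winbind list every trusted domain we expect?
    rc, out = runner(["wbinfo", "-m"])
    seen = {ln.strip() for ln in out.splitlines() if ln.strip()}
    missing = sorted(set(expected_domains) - seen)
    if rc != 0 or missing:
        return "trust-list", f"winbind does not list: {missing}"

    # 2. Is the machine account trust still valid?
    rc, out = runner(["wbinfo", "-t"])
    if rc != 0:
        return "machine-trust", "wbinfo -t failed; the host may need 'net ads join'"

    # 3. Can a user obtain a TGT? The realm must be upper case.
    rc, out = runner(["kinit", f"{user}@{realm.upper()}"])
    if rc != 0:
        if "clock skew" in out.lower():
            return "clock-skew", "KDC rejected the request for clock skew; fix NTP on both ends"
        return "kerberos", out.strip() or "kinit failed"

    # 4. Can the AD server be reached, and is its reported offset acceptable?
    rc, out = runner(["net", "ads", "info"])
    if rc != 0:
        return "ads-unreachable", "net ads info failed; check DNS/LDAP reachability"
    m = OFFSET_RE.search(out)
    if m and abs(int(m.group(1))) > KRB5_CLOCKSKEW_SECONDS:
        return "clock-skew", f"server time offset {m.group(1)} s exceeds tolerance"

    return "ok", "trusts, Kerberos and AD reachability check out; look at smb.conf/auth next"


def canned_runner(responses):
    """Build a runner answering each command from a dict keyed by argv[:2]."""
    def run(argv):
        return responses[tuple(argv[:2])]
    return run


# Constructed canned outputs standing in for hosts like the one in the thread.
HEALTHY = canned_runner({
    ("wbinfo", "-m"): (0, "DomainA\nDomainB\n"),
    ("wbinfo", "-t"): (0, "checking the trust secret for domain DOMAINA via RPC calls succeeded\n"),
    ("kinit", "user@DOMAINA.LOCAL"): (0, ""),
    ("net", "ads"): (0, "LDAP server: 10.0.0.1\nServer time offset: 0\n"),
})

SKEWED = canned_runner({
    ("wbinfo", "-m"): (0, "DomainA\nDomainB\n"),
    ("wbinfo", "-t"): (0, "checking the trust secret for domain DOMAINA via RPC calls succeeded\n"),
    ("kinit", "user@DOMAINA.LOCAL"): (1, "kinit: Clock skew too great while getting initial credentials\n"),
})

if __name__ == "__main__":
    print(triage("user", "domaina.local", ["DomainA", "DomainB"], HEALTHY))
    print(triage("user", "domaina.local", ["DomainA", "DomainB"], SKEWED))
```

Stopping at the first failing step matters because the later checks only mean something once the earlier ones pass: a good wbinfo -m with a failing wbinfo -t points at the machine account, while a good wbinfo -t with a failing kinit points at the KDC (time, DNS or the principal), which is the distinction this reply draws between "wbinfo returns good info" and "samba is still broken".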
 
  

