LinuxQuestions.org
Old 02-22-2012, 08:19 AM   #1
Mush'
LQ Newbie
 
Registered: Feb 2012
Posts: 2

Rep: Reputation: Disabled
Unable to connect Samba with Windows 2008r2


Hi all,

I've got big trouble with Samba... I've been working on it for 2 days, many tests and no solution, so I need some help.

2 OSes:
  • RedHat Linux 3
  • Windows 2008r2 (with a 2003 forest)

With:
  • Samba 3-3.5.12-44
  • Winbind 3-3.5.12-44
  • Kerberos 1.2.7-72

Let me post some conf files:
smb.conf
Code:
[global]
    workgroup = <DOMAIN>
    netbios name = <HOSTNAME>
    security = ads
    realm = <DOMAIN.COM>
    password server = <domain.com>

    wins server = <x.x.x.x>
    enable privileges = yes
    allow trusted domains = no
    dns proxy = no
    name resolve order = host wins bcast
    encrypt passwords = yes

    log level = 2
    log file = /var/log/samba/%m.log
    max log size = 50

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    client use spnego = yes
    client ntlmv2 auth = yes
krb5.conf
Code:
[libdefaults]
 default_realm = DOMAIN.COM
 default_tgs_enctypes = hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 2400

[realms]
 DOMAIN.COM = {
  kdc = dcserver1.domain.com
  kdc = dcserver2.domain.com
  default_domain = DOMAIN.COM
 }

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 1d
   renew_lifetime = 1d
   forwardable = true
   krb4_convert = false
 }
nsswitch.conf
Code:
passwd:    compat winbind
shadow:    compat 
group:     compat winbind 

hosts:      files dns wins

Now, what works / what doesn't.
I'm working with this tutorial: http://itscblog.tamu.edu/joining-sam...008-r2-domain/
Really nice, but when I run the test commands, I get some errors:

wbinfo commands
  • wbinfo -t : checking the trust secret for domain <DOMAIN> via RPC calls succeeded => OK
  • wbinfo -m : BUILTIN / <HOSTNAME> / <DOMAIN> => OK
  • wbinfo -u : ... nothing returned
  • wbinfo -g : ... nothing returned

Kerberos commands
  • kinit -V administrateur : Password for administrateur@DOMAIN.COM Authenticated to Kerberos v5 => OK
  • klist : I've got a ticket => OK

And now, the ERRORS!!!

net ads testjoin
Code:
[2012/02/22 15:06:22.001366,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: No credentials found with supported encryption types
[2012/02/22 15:06:22.014129,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: No credentials found with supported encryption types
Join to domain is not valid: Undetermined error
net rpc testjoin
Code:
 Join to 'DOMAIN' is OK
net ads info
Code:
LDAP server: x.x.x.x
LDAP server name: SERVER.domain.com
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: mer, 22 fév 2012 15:08:38 CET
KDC server: x.x.x.x
Server time offset: -40
And the strange part:
when I try to join the Samba server to my DC, the server appears under Computers in my domain (on the DC server), but I get an error...
the command: net ads join -d3 -U administrateur
the error:
Code:
 libnet_Join:
      libnet_JoinCtx: struct libnet_JoinCtx
          out: struct libnet_JoinCtx
              account_name             : NULL
              netbios_domain_name      : 'DOMAIN'
              dns_domain_name          : 'domain.com'
              forest_name              : 'domain.com'
              dn                       : 'CN=server,CN=Computers,DC=domain,DC=com'
              domain_sid               : *
                  domain_sid               : S-1-5-21-2640920947-3474158869-4038139365
              modified_config          : 0x00 (0)
              error_string             : NULL
              domain_is_ad             : 0x01 (1)
              result                   : WERR_OK
Using short domain name -- DOMAIN
Joined 'server' to realm 'domain.com'
[2012/02/22 14:54:41.730260,  2] lib/interface.c:340(add_interface)
  added interface eth1 ip=172.32.1.12 bcast=172.32.1.255 netmask=255.255.255.0
[2012/02/22 14:54:41.730299,  2] lib/interface.c:340(add_interface)
  added interface eth0 ip=192.168.1.12 bcast=192.168.1.255 netmask=255.255.255.0
DNS update failed!
The net ads leave command works too.

I tried a lot of configurations on Samba, Kerberos, Windows 2008 R2 GPOs... and I failed...
Does someone have an idea??

Thanks in advance,

Mush'

Last edited by Mush'; 02-22-2012 at 08:21 AM.
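One thing worth checking against the "No credentials found with supported encryption types" error above is whether every name in the krb5.conf enctype lists is one MIT Kerberos actually recognises. The POSIX sh snippet below is an added example, not from this thread or from Samba; the list of accepted enctype names and the sample config are constructed here, the sample mirroring the [libdefaults] lines posted above.

```shell
#!/bin/sh
# Added diagnostic (not from this thread): list the enctype names in a
# krb5.conf that MIT Kerberos does not recognise. MIT silently drops unknown
# names, so a misspelt RC4 entry can leave only DES/3DES in the request, and
# a 2008 R2 DC has DES disabled by default. The RC4 enctype is spelled
# arcfour-hmac-md5 (alias rc4-hmac), not hmac-md5.

# Enctype names and aliases accepted by MIT krb5 (constructed list, not
# exhaustive; add any further aliases your release accepts).
DES_NAMES="des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des3-cbc-raw des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd"
RC4_NAMES="arcfour-hmac arcfour-hmac-md5 rc4-hmac arcfour-hmac-exp arcfour-hmac-md5-exp rc4-hmac-exp"
AES_NAMES="aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts"
KNOWN_ENCTYPES="$DES_NAMES $RC4_NAMES $AES_NAMES"

# Usage: scan_enctypes unknown|known  < krb5.conf
# Prints "key: name" for each name in the default_tgs_enctypes,
# default_tkt_enctypes and permitted_enctypes lines that MIT does not
# recognise (mode "unknown") or that it will actually use (mode "known").
scan_enctypes() {
  awk -v known=" $KNOWN_ENCTYPES " -v mode="$1" '
    /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)[ \t]*=/ {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
      n = split(substr($0, eq + 1), names, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (names[i] == "") continue
        found = (index(known, " " names[i] " ") > 0)
        if ((mode == "known") == found) printf "%s: %s\n", key, names[i]
      }
    }'
}

# Constructed sample mirroring the [libdefaults] enctype lines posted above.
SAMPLE_KRB5_CONF='[libdefaults]
 default_realm = DOMAIN.COM
 default_tgs_enctypes = hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
 default_tkt_enctypes = hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1'

# Names MIT will drop from the sample, and what remains once it does.
sample_unknown() { printf '%s\n' "$SAMPLE_KRB5_CONF" | scan_enctypes unknown; }
sample_known()   { printf '%s\n' "$SAMPLE_KRB5_CONF" | scan_enctypes known; }

echo "Unrecognised enctype names:"; sample_unknown
echo "Names MIT will actually request:"; sample_known
```

Run it against the real file with `scan_enctypes unknown < /etc/krb5.conf`; an empty result means every listed name is one MIT will keep.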
 
Old 02-22-2012, 04:43 PM   #2
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
I would recommend using a newer version of CentOS 6 at least, RHEL3 is several years old and there are many more packages available in the newer distro.
 
Old 02-23-2012, 01:57 AM   #3
cbtshare
Member
 
Registered: Jul 2009
Posts: 645

Rep: Reputation: 42
When you joined the domain, do you see the Linux server in AD? And to be safe, even though you get a ticket, make sure the ADS server is in the /etc/hosts file with IP address and FQDN. Your config is a bit confusing, so it's kind of hard to decipher where you're using <domain name> as the actual domain and where it's just a copy from a config file. Because in smb.conf you have password server = <domain.com>, and this should actually be either the IP address or the name of the Windows box.

Last edited by cbtshare; 02-23-2012 at 02:05 AM.
 
Old 02-23-2012, 06:59 AM   #4
Mush'
LQ Newbie
 
Registered: Feb 2012
Posts: 2

Original Poster
Rep: Reputation: Disabled
@rhbegin : actually, we can't, but I agree with you, this would be the better solution...

@cbtshare : when I join the domain, the Linux server appears in the AD. I just added the ADS server to the hosts file, but nothing changed.
About the password server variable, I changed it to the AD server IP, but same thing.


I'll try to clean the config and restart from the beginning ^^
 
Old 03-05-2012, 12:15 PM   #5
Beandip408
LQ Newbie
 
Registered: Aug 2011
Posts: 20

Rep: Reputation: Disabled
this is my script:
Code:
#!/bin/bash
# Join this host to AD with winbind, allow logins only from one AD group and
# give that group a fixed list of sudo commands.

if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

echo "Enter the Domain Admin name: "
read DADMIN

echo "Enter the Domain Group name: "
read DGROUP

STATE_OK=0
STATE_ERROR=1

# NetBIOS names are limited to 15 characters; our hostnames end in ".1on1.com"
# (9 characters), so anything longer than 24 in total cannot join AD.
HOSTLEN=$(hostname | awk '{print length}')
if [ "${HOSTLEN}" -gt 24 ]; then
    echo "The Hostname is too long! rename and rerun the script. Current length is: ${HOSTLEN}"
    exit ${STATE_ERROR}
else
    echo "Hostname is proper length! process continuing..."
fi

yum erase samba-* -y
yum install pam_krb5 sudo authconfig -y
yum install samba3x-winbind.i386 samba3x-winbind.x86_64 samba3x-winbind-devel.i386 samba3x-winbind-devel.x86_64 -y

chkconfig winbind on

# Parent directory for the domain users' home directories (change DOMAIN to fit yours).
# pam_mkhomedir runs as root, so the 777 mode is not actually required for it.
mkdir -p /home/DOMAIN
chmod 777 /home/DOMAIN

# Write smb.conf, krb5.conf, nsswitch.conf and the PAM stack in one go (change DOMAIN to fit yours).
authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=DOMAIN --smbrealm=DOMAIN.LOCAL --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/DOMAIN/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=DOMAIN.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

# Only members of $DGROUP may log in, and new home directories are created mode 0700.
sed -i "/auth        sufficient    pam_unix.so nullok try_first_pass/a auth        requisite     pam_succeed_if.so user ingroup $DGROUP debug" /etc/pam.d/system-auth
sed -i '/session     optional      pam_mkhomedir.so/c session     optional      pam_mkhomedir.so umask=0077' /etc/pam.d/system-auth

# Let the group run the DEPLOY command alias (defined below) through sudo.
sed -i "/Allows people in group wheel to run all commands/a %$DGROUP  ALL = DEPLOY" /etc/sudoers

service winbind restart
net ads join -U "$DADMIN"

# Commands the group may run as root. chown, chmod, mv, rm and sudo itself are
# each sufficient to reach unrestricted root, so treat this as granting the
# group full root rather than a limited set of commands.
cat >> /etc/sudoers << EOF
Cmnd_Alias DEPLOY = /bin/touch *, /usr/bin/readlink, /bin/chown, /bin/echo, /usr/bin/mysql, /usr/bin/mysqldump, /bin/ln, /sbin/service, /bin/ls, /bin/rm, /bin/mkdir, /bin/chmod, /bin/mv, /bin/sudo, /usr/bin/tail, /bin/chgrp, /bin/cat, /bin/more
EOF

# sudoers was edited without visudo, so check the result parses before relying on it.
visudo -c || echo "WARNING: /etc/sudoers has a syntax error" 1>&2

service winbind restart
Make sure you enable UNIX attributes on your Windows server, and the domain group should be a group that the user belongs to in AD.
The reason that the length of the hostname matters is that if it is over 15, then it won't bind to AD. Ours end with .1on1.com (which is 9 chars), so 15 chars max plus our 9 = 24.

Last edited by Beandip408; 03-05-2012 at 12:17 PM. Reason: explaination for hostname length
 
Old 03-05-2012, 12:22 PM   #6
Beandip408
LQ Newbie
 
Registered: Aug 2011
Posts: 20

Rep: Reputation: Disabled
Also make sure SELinux and iptables are off. Those bastards will prevent a lot of access.
 
Old 09-20-2012, 10:34 AM   #7
cdmontoya
LQ Newbie
 
Registered: Sep 2012
Posts: 3

Rep: Reputation: Disabled
Did you resolve the problem? Can you give me your config files??
I'm trying to do it with CentOS 5.8
 
Old 09-20-2012, 10:41 AM   #8
Beandip408
LQ Newbie
 
Registered: Aug 2011
Posts: 20

Rep: Reputation: Disabled
here is my script for older versions of CentOS:
Code:
#!/bin/bash
# Join this host to AD with winbind, allow logins only from one AD group and
# give that group a fixed list of sudo commands (older CentOS variant, with an
# SELinux check up front).

if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi


echo "Enter the Domain Admin name: "
read DADMIN

echo "Enter the Domain Group name: "
read DGROUP

STATE_OK=0
STATE_ERROR=1

# NetBIOS names are limited to 15 characters, so a longer hostname cannot join AD.
HOSTLEN=$(hostname | awk '{print length}')
if [ "${HOSTLEN}" -gt 15 ]; then
    echo "The Hostname is too long! rename and rerun the script. Current length is: ${HOSTLEN}"
    exit ${STATE_ERROR}
else
    echo "Hostname is proper length! process continuing..."
fi

# SELinux in enforcing mode gets in the way of winbind; offer to disable it.
# Only the "Current mode" line is checked, since the config-file line may
# still say enforcing after a setenforce 0.
DISABLE_SELINUX=""
if sestatus | grep -q '^Current mode:.*enforcing'; then
    echo "SELinux is enforcing!"
    echo "do you want to disable SELinux? (yes/no)"
    read DISABLE_SELINUX
fi

if [ "$DISABLE_SELINUX" = "yes" -o "$DISABLE_SELINUX" = "y" ]; then
    setenforce 0
    sed -i '/SELINUX=enforcing/c SELINUX=disabled' /etc/selinux/config
    if sestatus | grep -q '^Current mode:.*enforcing'; then
        echo "SELinux is still enforcing, try a different way to disable it!"
        exit ${STATE_ERROR}
    fi
else
    echo "SELinux left as it is, process continuing..."
fi

yum erase samba-* -y
yum install pam_krb5 sudo authconfig -y
yum install samba3x-winbind.i386 samba3x-winbind.x86_64 samba3x-winbind-devel.i386 samba3x-winbind-devel.x86_64 -y

chkconfig winbind on

# Parent directory for the domain users' home directories.
# pam_mkhomedir runs as root, so the 777 mode is not actually required for it.
mkdir -p /home/PUTYOURDOMAINNAMEHERE
chmod 777 /home/PUTYOURDOMAINNAMEHERE

# Write smb.conf, krb5.conf, nsswitch.conf and the PAM stack in one go.
authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=PUTYOURDOMAINNAMEHERE --smbrealm=PUTYOURDOMAINNAMEHERE.LOCAL --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/PUTYOURDOMAINNAMEHERE/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=PUTYOURDOMAINNAMEHERE.LOCAL --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

# Only members of $DGROUP may log in, and new home directories are created mode 0700.
sed -i "/auth        sufficient    pam_unix.so nullok try_first_pass/a auth        requisite     pam_succeed_if.so user ingroup $DGROUP debug" /etc/pam.d/system-auth
sed -i '/session     optional      pam_mkhomedir.so/c session     optional      pam_mkhomedir.so umask=0077' /etc/pam.d/system-auth

# Let the group run the DEPLOY command alias (defined below) through sudo.
sed -i "/Allows people in group wheel to run all commands/a %$DGROUP  ALL = DEPLOY" /etc/sudoers

service winbind restart
net ads join -U "$DADMIN"

# Commands the group may run as root. chown, chmod, mv, rm and sudo itself are
# each sufficient to reach unrestricted root, so treat this as granting the
# group full root rather than a limited set of commands.
cat >> /etc/sudoers << EOF
Cmnd_Alias DEPLOY = /bin/touch *, /usr/bin/readlink, /bin/chown, /bin/echo, /usr/bin/mysql, /usr/bin/mysqldump, /bin/ln, /sbin/service, /bin/ls, /bin/rm, /bin/mkdir, /bin/chmod, /bin/mv, /bin/sudo, /usr/bin/tail, /bin/chgrp, /bin/cat, /bin/more
EOF

# sudoers was edited without visudo, so check the result parses before relying on it.
visudo -c || echo "WARNING: /etc/sudoers has a syntax error" 1>&2

service winbind restart
 
Old 09-20-2012, 10:47 AM   #9
cdmontoya
LQ Newbie
 
Registered: Sep 2012
Posts: 3

Rep: Reputation: Disabled
Thanks Beandip408, does it work?
 
Old 09-20-2012, 10:52 AM   #10
Beandip408
LQ Newbie
 
Registered: Aug 2011
Posts: 20

Rep: Reputation: Disabled
Yep. Just make sure that you create a group called something like "linuxgroup" in your AD and then add the users to that group. Make sure to change "PUTYOURDOMAINNAMEHERE" to your domain name, in caps.
 
  

