...of Samba ADS security, Kerberos, and AD on Windows 2003
Systems: RHEL4.4 and Win2003SP1 DC
1st question: After many attempts I have one question: Is Kerberos enough to authenticate with Active Directory, or do you have to use it in combination with LDAP or winbind in order to access a Samba share? What I am trying to accomplish is to have my RHEL4 box serve out a few shares and for my Windows users to access them without having to input any credentials. (I was assuming it would use the Kerberos info from the initial Windows logon.) I apologize for the post as there are many out there, but if anyone can answer my question above I would at least have some hope that it can be done. Additionally, I have the necessary Samba and Kerberos packages installed and I am able to access Samba shares logging onto Windows with an acct. that is in Linux. I am also able to do a kinit, and klist shows the ticket, although when I try an smbclient -k -L /servername I receive "session setup failed: NT_STATUS_LOGON_FAILURE" (the server has been added to AD; that wasn't a problem). If any of this has caught your eye or anyone has any ideas please let me know!
I am currently working on this and will be monitoring the thread for any response; it is now 7:50am 10/19 Thursday. Any suggestions would be greatly appreciated.
|
I'm not an expert, but I have never seen a way for Samba to authenticate against AD that didn't use winbind. The setup is fairly straightforward, and quite reliable. I haven't met the post requirement to post URLs, but if you do a Google search for "Red Hat samba active directory" the first doc is Red Hat's guide to integrating Samba w/ AD.
|
Thanks for that, but I have already run through this. Additionally, it mentions at the bottom to stop winbind before joining the domain. Although it doesn't explicitly say to do anything with winbind, it would seem it's being used.... Appreciate the effort; anything else offered I am willing to chase up, so keep 'em coming!
|
Here's the method we have used on our 4 Samba servers:

Configure /etc/krb5.conf:
Code:
    [logging]

Configure /etc/nsswitch.conf:
Code:
    passwd: files winbind

Configure /etc/samba/smb.conf:
Code:
    workgroup = DOMAIN

Get a Kerberos ticket:
Code:
    kinit user@DOMAIN

Join the domain:
Code:
    net ads join

Configure /etc/pam.d/system-auth:
Code:
    auth required /lib/security/$ISA/pam_env.so

When it comes back up, you can use wbinfo to get info from the domain and verify you are joined correctly:
Code:
    wbinfo -t                   (checks shared secret)
    wbinfo -n DOMAIN+someuser   (should get a SID back from AD)

That's the process to the best of my recollection. |
Thanks for that! Getting closer.... I have winbind set up and am returning info using wbinfo -u, so that's good! Although getent doesn't seem to be returning anything, which may be a problem, as trying smbclient -L localhost -U username is giving "session setup failed: NT_STATUS_LOGON_FAILURE" for either a local or AD user.... Just wanted to let you know that you had helped thus far... appreciate it.
|
Thanks jgeiger! I am all set; now to write up the how-to. In the end the above examples did everything they were supposed to. getent wasn't working because I had winbind uid and gid set additionally, so the mapping wasn't happening. Thanks!
|
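The post-join checks from jgeiger's post (wbinfo -t, wbinfo -n) and the getent/idmap failure from the final reply, as an added shell example that is not part of the thread. DOMAIN, someuser, the '+' winbind separator and the 10000-20000 idmap range are assumptions; adjust them to the values in your smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks for a Samba member server
# after "net ads join". Assumed values: DOMAIN, '+' separator, idmap range.
DOMAIN="${DOMAIN:-DOMAIN}"
SEP="${WINBIND_SEP:-+}"
IDMAP_LOW=10000
IDMAP_HIGH=20000

# Does a 'wbinfo -n' reply start with a domain SID (S-1-5-21-...)? 0 = yes.
has_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3,}'
}

# Given one 'getent passwd' line, check that it is a winbind-mapped entry
# (DOMAIN+user) whose uid and gid fall inside the idmap range. An empty
# line is the symptom from the thread: wbinfo -u lists the user, but
# nsswitch/idmap never maps it, so smbclient fails with NT_STATUS_LOGON_FAILURE.
getent_line_ok() {
    line="$1"
    [ -n "$line" ] || return 1
    name=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    gid=$(printf '%s' "$line" | cut -d: -f4)
    case "$name" in
        "$DOMAIN$SEP"*) ;;          # must be a domain user, not a local one
        *) return 1 ;;
    esac
    [ "$uid" -ge "$IDMAP_LOW" ] 2>/dev/null && [ "$uid" -le "$IDMAP_HIGH" ] || return 1
    [ "$gid" -ge "$IDMAP_LOW" ] 2>/dev/null && [ "$gid" -le "$IDMAP_HIGH" ] || return 1
    return 0
}

# Live run: only meaningful on a joined server with winbind running.
run_checks() {
    user="${1:-someuser}"
    wbinfo -t >/dev/null 2>&1 && echo "trust secret: ok" || echo "trust secret: FAILED"
    sid=$(wbinfo -n "$DOMAIN$SEP$user" 2>/dev/null)
    has_sid "$sid" && echo "SID lookup: ok ($sid)" || echo "SID lookup: FAILED"
    entry=$(getent passwd "$DOMAIN$SEP$user" 2>/dev/null)
    getent_line_ok "$entry" && echo "getent/idmap: ok ($entry)" \
        || echo "getent/idmap: FAILED (check idmap uid/gid ranges in smb.conf)"
}

# Usage: sh check_join.sh --run someuser
case "${1:-}" in
    --run) run_checks "${2:-someuser}" ;;
esac
```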