Old 07-20-2004, 07:52 AM   #1
Samba 3.0.2, Kerberos, Linux (RHAS3.0), Win2kAD - linux smb server with a w2k client

Thanks for any assistance in advance.

My ultimate goal is to create a single sign on environment on our networks. Right now, we have a Win2K A/D environment (native mode) running with hundreds of Windows 2000 clients and a handful of Linux servers running Red Hat Enterprise Advanced Server 3.0. For most of our unix servers, we have an LDAP server running Solaris 9 to centralize all unix logins. But, for this situation, I will not have this new RHAS3.0 server configured for LDAP. I have configured samba 2.x in the past, but this is the first time I am working on 3.0.x. I am running samba 3.0.2 on the RHAS3.0 server which also has krb5-libs-1.2.7.

To simplify, there is one linux samba server that I need to access from a Windows client and I want to authenticate with the Win2K A/D. Right now, if the user account exists on the linux server using the same username as in A/D, I can access the samba share on the linux server from a windows client. Once I remove the unix user, I can no longer access the share.

I am new to Kerberos and Pam configuration, so please bear with me.

Here are the key configuration files:
smb.conf:

[global]
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = LINUXSERVERNAME
password server = WIN2kDC
security = ADS
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
winbind separator = +

path = /data
read only = no
public = no
only guest = no
writable = yes

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_etypes = arcfour-hmac-md5
default_etypes_des = arcfour-hmac-md5

[realms]
DOMAIN.COM = {
 kdc = Win2kDC.DOMAIN.COM:88
 admin_server = Win2kDC.DOMAIN.COM:749
 default_domain =
}

[domain_realm]
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

[appdefaults]
pam = {
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
}

PAM configuration:

auth required
auth required service=system-auth
account required service=system-auth
session required service=system-auth
password required service=system-auth
# SAMBA WINBIND authentication
auth required /lib/security/
account required /lib/security/
auth required /lib/security/ nullok shadow
account required /lib/security/

auth required
auth required service=system-auth
auth required
# Added the following three lines for SAMBA and WINBIND
auth sufficient /lib/security/
auth sufficient /lib/security/ use_first_pass
account sufficient /lib/security/
account required service=system-auth
password required service=system-auth
session required service=system-auth
session optional

Last edited by irishb3; 07-20-2004 at 07:54 AM.
Old 07-20-2004, 08:01 AM   #2 (Original Poster)
As I was copying my config files into this post, I realized that I had group and passwd in /etc/nsswitch.conf set to "files". I changed that to "passwd: files winbind" and "group: files winbind", and now I can access the shares from a Windows client controlling access via the "valid users" field in smb.conf.

Now, what needs to be done to be able to have logins to all unix systems be authenticated via Win2K A/D? I know it's a huge question, but any guidance and experience would be greatly appreciated.

Old 07-20-2004, 08:05 AM   #3 (Original Poster)
I restored the krb5.conf to the default that came with the install and I am a still able to access my shares. Was kerberos only needed when I joined the Linux Samba Server to the domain via "net ads join"?

It seems as though Kerberos is no longer needed once the system is joined to the domain.
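For anyone reproducing this setup, the following is an added example (editor's code, not from the thread and not part of Samba) that runs offline sanity checks over the three files that had to agree in the posts above: smb.conf, nsswitch.conf and krb5.conf. It uses constructed sample files modelled on the first post, a nsswitch.conf both as it was before the fix in post #2 (files only) and after it (files winbind), and a distribution-default krb5.conf like the one restored in post #3. The function names, the check logic and every sample file are the example's own assumptions. The krb5.conf check answers the question in post #3: with security = ADS, Kerberos is needed for net ads join, for kinit and for Windows clients that present a Kerberos ticket, while NTLM logons are validated by winbind over its secure channel to the DC, so a stock krb5.conf (default_realm = EXAMPLE.COM) does not necessarily stop share access but will fail the next join or kinit.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: offline sanity checks
# for a Samba 3.x ADS domain member. It reads the three files that had to agree
# above (smb.conf, nsswitch.conf, krb5.conf) and reports the usual mismatches.
# All sample files below are constructed for the example.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], exit 1 if absent.
# Handles smb.conf and the flat keys of krb5.conf; keys compare case-insensitively.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^\[/ { insec = (line == sec); next }
        insec && line !~ /^[#;]/ {
            eq = index(line, "=")
            if (eq > 0) {
                k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
                sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
                if (tolower(k) == tolower(key)) { print v; found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_smb_conf FILE: 0 if [global] describes a usable ADS member, 1 otherwise.
check_smb_conf() {
    rc=0
    security=$(ini_get "$1" global security)
    case $(printf '%s' "$security" | tr 'a-z' 'A-Z') in
        ADS) ;;
        *) echo "smb.conf: security = '$security', ADS is required for an AD member" >&2; rc=1 ;;
    esac
    # The realm is a Kerberos realm name: case-sensitive, and upper-case in AD.
    realm=$(ini_get "$1" global realm) || { echo "smb.conf: realm missing" >&2; rc=1; }
    if [ -n "$realm" ] && [ "$realm" != "$(printf '%s' "$realm" | tr 'a-z' 'A-Z')" ]; then
        echo "smb.conf: realm '$realm' should be upper-case" >&2; rc=1
    fi
    ini_get "$1" global workgroup >/dev/null || { echo "smb.conf: workgroup missing" >&2; rc=1; }
    # Without an id range winbind cannot map SIDs to uids/gids and getent returns nothing.
    for k in uid gid; do
        ini_get "$1" global "winbind $k" >/dev/null || ini_get "$1" global "idmap $k" >/dev/null \
            || { echo "smb.conf: no 'winbind $k' (or 'idmap $k') range" >&2; rc=1; }
    done
    return $rc
}

# check_nsswitch FILE: 0 if both passwd and group consult winbind (the fix from post #2).
check_nsswitch() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*(^|[[:space:]])winbind([[:space:]]|$)" "$1" \
            || { echo "nsswitch.conf: '$db:' does not list winbind" >&2; rc=1; }
    done
    return $rc
}

# check_krb5_realm SMB_CONF KRB5_CONF: 0 if krb5.conf's default_realm is the realm
# smb.conf names. NTLM logons through winbind survive a mismatch; kinit and the
# next 'net ads join' do not.
check_krb5_realm() {
    want=$(ini_get "$1" global realm | tr 'a-z' 'A-Z')
    have=$(ini_get "$2" libdefaults default_realm)
    [ "$want" = "$have" ] && return 0
    echo "krb5.conf: default_realm = '$have' but smb.conf realm = '$want'" >&2
    return 1
}

# write_samples DIR: constructed sample files (assumptions, not the poster's real files).
write_samples() {
    cat >"$1/smb.conf" <<'EOF'
[global]
   realm = DOMAIN.COM
   workgroup = DOMAIN
   netbios name = LINUXSERVERNAME
   password server = WIN2kDC
   security = ADS
   encrypt passwords = yes
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind separator = +
   template shell = /bin/bash
EOF
    printf 'passwd:     files\ngroup:      files\n' >"$1/nsswitch.before"
    printf 'passwd:     files winbind\ngroup:      files winbind\n' >"$1/nsswitch.after"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n dns_lookup_kdc = false\n' >"$1/krb5.default"
    printf '[libdefaults]\n default_realm = DOMAIN.COM\n\n[realms]\n DOMAIN.COM = {\n  kdc = Win2kDC.DOMAIN.COM:88\n }\n' >"$1/krb5.conf"
}

# Run the checks against the constructed samples.
dir=$(mktemp -d) && write_samples "$dir"
check_smb_conf "$dir/smb.conf"                        && echo "smb.conf: ok"
check_nsswitch "$dir/nsswitch.before"                 || echo "nsswitch (before post #2): FAIL"
check_nsswitch "$dir/nsswitch.after"                  && echo "nsswitch (after post #2): ok"
check_krb5_realm "$dir/smb.conf" "$dir/krb5.conf"     && echo "krb5.conf (edited): ok"
check_krb5_realm "$dir/smb.conf" "$dir/krb5.default"  || echo "krb5.conf (distro default): FAIL"
rm -rf "$dir"
```

Point the three check functions at the real /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/krb5.conf to use it on a live server; on a box that is already joined, follow it with net ads testjoin and wbinfo -t, which exercise the machine account and the secure channel that the offline checks cannot.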
