Getting Samba to authenticate against Active Directory
Hi,
I am trying to set up Samba version 3.2.3 on a Red Hat (RHEL5) server to use Active Directory for authentication. I followed the instructions from the article on the following website: http://technet.microsoft.com/en-au/m.../dd228986.aspx (Setup Winbind + Samba + Kerberos) and it seems to work fine. I can see the users in Active Directory through winbind as well as authenticate users using NTLM authentication. The problem is that I am unable to access the Samba share from Windows clients as an AD user. Analyzing the network traffic on the SMBD port gives:

---
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error:STATUS_LOGON_FAILURE
--

I can however access the Samba share as a local user in the Samba server via smbpasswd:

---
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
---

Winbind gives the following error; not sure if this is significant, for I can access the AD via "wbinfo":

[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm

Googling helped me to get this far, but not to completely resolve this issue.

Please find the configuration settings + detailed error log below:

----
i) Software Version
samba-client-3.2.3
samba-common-3.2.3
samba-3.2.3
samba-doc-3.2.3
samba-winbind-32bit-3.2.3
samba-swat-3.2.3
samba-debuginfo-3.2.3
krb5-workstation-1.5-17
krb5-libs-1.5-17
krb5-devel-1.5-17
krb5-auth-dialog-0.7-1
pam_krb5-2.2.11-1
krb5-devel-1.5-17
krb5-libs-1.5-17
pam_krb5-2.2.11-1

ii) Configure Kerberos
cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }

[domain_realm]
 .testdomain = TESTDOMAIN.LOCAL
 testdomain = TESTDOMAIN.LOCAL
 .localdomain = TESTDOMAIN.LOCAL
 localdomain = TESTDOMAIN.LOCAL
 sol.datadirectnet.com = TESTDOMAIN.LOCAL
 testdomain.local = TESTDOMAIN.LOCAL
 .testdomain.local = TESTDOMAIN.LOCAL

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

iii) Authenticate a user against AD via Kerberos
kinit Administrator@TESTDOMAIN.LOCAL
Password for Administrator@TESTDOMAIN.LOCAL:

iv) List Kerberos Tickets
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TESTDOMAIN.LOCAL

Valid starting     Expires            Service principal
11/26/08 14:54:36  11/27/08 00:54:39  krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
        renew until 11/27/08 14:54:36

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

v) Configure Winbind + PAM
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_mkhomedir.so skel=/etc/skel umask=0644
session required pam_unix.so

vi) Winbind started and can see users in AD
/etc/init.d/winbind status
winbindd (pid 14574 14562 14561 14459 14458) is running...

wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -u list
D1950-01+kums
D1950-01+tristan
TESTDOMAIN+administrator
TESTDOMAIN+guest
TESTDOMAIN+krbtgt
TESTDOMAIN+testuser

wbinfo -g
TESTDOMAIN+domain computers
TESTDOMAIN+domain controllers
TESTDOMAIN+schema admins
TESTDOMAIN+enterprise admins
TESTDOMAIN+cert publishers
TESTDOMAIN+domain admins
TESTDOMAIN+domain users

wbinfo -a TESTDOMAIN+testuser%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

vii) Modify /etc/pam.d/samba
/etc/pam.d/samba
auth required pam_stack.so service=system-auth
auth required pam_env.so
auth sufficient pam_krb5 use_first_pass
auth include /lib/security/pam_winbind.so
auth required pam_deny.so
session required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
account include /lib/security/pam_winbind.so
password required pam_stack.so service=system-auth

viii) Configure smb.conf
[global]
 workgroup = TESTDOMAIN
 realm = TESTDOMAIN.LOCAL
 security = ADS
 password server = 172.16.4.10
 client NTLMv2 auth = Yes
 log file = /var/log/samba/log.%m
 max log size = 50
 smb ports = 445
 use mmap = No
 dns proxy = No
 socket address = 192.168.97.5
 idmap backend = ad
 idmap uid = 16777216-33554431
 idmap gid = 16777216-33554431
 template shell = /bin/bash
 winbind separator = +
 winbind enum users = Yes
 winbind enum groups = Yes
 nfs4:acedup = merge
 nfs4:chown = yes
 nfs4:mode = special
 force unknown acl user = Yes

[global-share]
 path = /mnt/global
 read only = No
 inherit permissions = Yes
 inherit acls = Yes

ix) Samba running
/etc/init.d/smb status
smbd (pid 32010 32006) is running...
nmbd (pid 31998) is running...

lsof -i TCP:445
COMMAND  PID   USER FD  TYPE DEVICE  SIZE NODE NAME
winbindd 31799 root 17u IPv4 8034872      TCP  D1950-01.sol.datadirectnet.com:57534->172.16.4.10:microsoft-ds (ESTABLISHED)
winbindd 31800 root 17u IPv4 8034855      TCP  D1950-01.sol.datadirectnet.com:57532->172.16.4.10:microsoft-ds (ESTABLISHED)
smbd     32006 root 19u IPv4 8035491      TCP  node1:microsoft-ds (LISTEN)

x) Join to AD is successful
net ads testjoin
Join is OK

xi) Authentication of AD user seems to work fine
ntlm_auth --request-nt-key --domain=TESTDOMAIN --username=testuser
password:
NT_STATUS_OK: Success (0x0)

xii) /etc/init.d/iptables status
Firewall is stopped.

xiii) Analyze Network Traffic on SMBD port
Login as TESTDOMAIN\testuser (in Windows System)
10.844796 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response
10.844932 192.168.97.2 -> 192.168.97.5 SMB Trans2 Request, GET_DFS_REFERRAL, File: \192.168.97.5\global-share
10.844993 192.168.97.5 -> 192.168.97.2 SMB Trans2 Response, GET_DFS_REFERRAL, Error: STATUS_NOT_FOUND
10.849712 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.849800 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.849969 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: TESTDOMAIN\testuser
10.853302 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, Error: STATUS_LOGON_FAILURE
11.033663 192.168.97.2 -> 192.168.97.5 TCP capmux > microsoft-ds [ACK] Seq=1616 Ack=1172 Win=15213 Len=0
20.944057 192.168.97.2 -> 192.168.97.5 SMB Logoff AndX Request
20.944152 192.168.97.5 -> 192.168.97.2 SMB Logoff AndX Response
20.944231 192.168.97.2 -> 192.168.97.5 SMB Tree Disconnect Request
20.944360 192.168.97.5 -> 192.168.97.2 SMB Tree Disconnect Response

Login as D1950-01\kums (in Windows System)
163.625577 192.168.97.2 -> 192.168.97.5 TCP 4746 > microsoft-ds [ACK] Seq=1024 Ack=855 Win=15530 Len=0
166.059399 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
166.059551 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
166.059746 192.168.97.2 -> 192.168.97.5 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: D1950-01\kums
166.068297 192.168.97.5 -> 192.168.97.2 SMB Session Setup AndX Response
166.068500 192.168.97.2 -> 192.168.97.5 SMB Tree Connect AndX Request, Path: \\192.168.97.5\global-share
166.068787 192.168.97.5 -> 192.168.97.2 SMB Tree Connect AndX Response

xiv) Winbind Error
[2008/11/26 15:22:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
ads_krb5_mk_req: krb5_get_credentials failed for dc$@TESTDOMAIN (Cannot find KDC for requested realm)
[2008/11/26 15:22:58, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot find KDC for requested realm
----

Thanks in advance,
-Kums
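The winbind error at the end of the post names the realm it could not find a KDC for. As an added diagnostic (not from the original post, nor Samba's or MIT Kerberos's own code), this reads the [libdefaults] and [realms] sections of the posted krb5.conf and reports, for a given realm name, where libkrb5 could obtain a KDC under that config: a static kdc line under an exactly matching [realms] entry (realm names are case-sensitive), or a DNS SRV lookup when dns_lookup_kdc is enabled. With the posted settings it finds a source for TESTDOMAIN.LOCAL and none for TESTDOMAIN, the realm spelling in the error line.

```python
# Constructed input: the [libdefaults] and [realms] sections copied from the
# krb5.conf posted above, so the check runs offline.
KRB5_CONF = """
[libdefaults]
 default_realm = TESTDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 TESTDOMAIN.LOCAL = {
  kdc = 172.16.4.10
  default_domain = TESTDOMAIN.LOCAL
 }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf reader -> (libdefaults {k: v}, realms {REALM: {k: [v]}})."""
    libdefaults, realms = {}, {}
    section = realm = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()  # realm name, case preserved
            realms.setdefault(realm, {})
        elif line == "}":
            realm = None
        elif "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def kdc_sources(text, realm):
    """Ways libkrb5 could locate a KDC for `realm` under this config: a
    'static:<kdcs>' entry needs an exactly matching (case-sensitive) [realms]
    block with a kdc line; 'dns-srv' needs dns_lookup_kdc enabled. An empty
    list is what surfaces as 'Cannot find KDC for requested realm'."""
    libdefaults, realms = parse_krb5_conf(text)
    sources = []
    kdcs = realms.get(realm, {}).get("kdc", [])
    if kdcs:
        sources.append("static:" + ",".join(kdcs))
    if libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1"):
        sources.append("dns-srv")
    return sources
```

Running kdc_sources(KRB5_CONF, r) for the two realm spellings that appear in the logs returns ['static:172.16.4.10'] for TESTDOMAIN.LOCAL and [] for TESTDOMAIN; the same check against a live /etc/krb5.conf is a quick first step before touching smb.conf or PAM.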
I just discovered Likewise - after watching the last of my hair fall out after tweaking winbindd for another distro. I have used it successfully on FC, CentOS and Ubuntu.
I want my hair back, winbindd
The OP may not realize that you are telling him that Likewise Open may help him authenticate against AD. You might want to include a link next time. :)
The OP's post was back in November. I sure hope he got it all sorted out before now.