[SOLVED] SAMBA Winbind ADS Windows 2003 Server UBUNTU

umiyz · 11-18-2010, 09:02 AM

Hello,

I have a question. I tried for 2x6 hours (2 days) to fix this problem and searched all over the internet.

I have a WIN2003 Server as a primary domaincontroller: DOMEIN.NET
The IP address is 192.168.1.2
FQDN: win2003.domein.net
Username: Administrator
Password: P@ssword

and I have a UBUNTU machine.
IP address is 192.168.1.3
FQDN: ubuntus2.domein.net
Username: ubuntu
Password: P@ssword
Root username: root
Password: P@ssword

UBUNTUS2 is connected to the domainname DOMEIN.NET with use of LIKEWISE-OPEN.
Now I want to use SAMBA with WINBIND (of course IF this is possible).
I want to use SAMBA for FILE/PRINTER SHARING and to logon UBUNTU with WIN2003 ADS users. This does work with LIKEWISE, but I want to use SAMBA.
I am using webmin to configure different options, this is to make it simple for myself, because my knowledge of UBUNTU is basic, and really need some GUI interfaces.

When I try to bind my UBUNTU machine to the domain with the use of WINBIND i get the following error:

Quote:

Unable to find a suitable server for domain DOMEIN.NET
Unable to find a suitable server for domain DOMEIN.NET

This is my smb.conf file:

Quote:

[global]
idmap gid = 10000-20000
idmap uid = 10000-20000
invalid users = root
password server = win2003.domein.net
wins server = 192.168.1.2
workgroup = domein.net
security = ADS
debuglevel = 2
wins support = no
# Winbind settings
# For testing

# A shared folder for testing purposes
[SharedFolder]
path = /home/onno2/Shared_Folder
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777

I believe there is no use of KERBEROS, but I am not sure..

What am I doing wrong here? Can anyone help me out please? Thank you !

LMW · 11-19-2010, 08:32 PM

Actually, when you want to join Linux machine to Windows domain, it uses Kerberos authentication. Show me your /etc/krb5.conf and I will tell you where the problem is.
P.S. I suppose you have your /etc/hosts and /etc/resolv configured properly?

umiyz · 11-21-2010, 02:10 PM

Quote:

Originally Posted by LMW

Actually, when you want to join Linux machine to Windows domain, it uses Kerberos authentication. Show me your /etc/krb5.conf and I will tell you where the problem is.
P.S. I suppose you have your /etc/hosts and /etc/resolv configured properly?

Hello, thisi is my krb5.conf file.

PHP Code:



[libdefaults] 
    default_realm = DOMEIN.NET 
 
# The following krb5.conf variables are only for MIT Kerberos. 
    krb4_config = /etc/krb.conf 
    krb4_realms = /etc/krb.realms 
    kdc_timesync = 1 
    ccache_type = 4 
    forwardable = true 
    proxiable = true 
 
# The following encryption type specification will be used by MIT Kerberos 
# if uncommented.  In general, the defaults in the MIT Kerberos code are 
# correct and overriding these specifications only serves to disable new 
# encryption types as they are added, creating interoperability problems. 
# 
# Thie only time when you might need to uncomment these lines and change 
# the enctypes is if you have local software that will break on ticket 
# caches containing ticket encryption types it doesn't know about (such as 
# old versions of Sun Java). 
 
#    default_tgs_enctypes = des3-hmac-sha1 
#    default_tkt_enctypes = des3-hmac-sha1 
#    permitted_enctypes = des3-hmac-sha1 
 
# The following libdefaults parameters are only for Heimdal Kerberos. 
    v4_instance_resolve = false 
    v4_name_convert = { 
        host = { 
            rcmd = host 
            ftp = ftp 
        } 
        plain = { 
            something = something-else 
        } 
    } 
    fcc-mit-ticketflags = true 
    default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC 
    default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC 
    preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC 
    dns_lookup_kdc = true 
 
[realms] 
    ATHENA.MIT.EDU = { 
        kdc = kerberos.mit.edu:88 
        kdc = kerberos-1.mit.edu:88 
        kdc = kerberos-2.mit.edu:88 
        admin_server = kerberos.mit.edu 
        default_domain = mit.edu 
    } 
    MEDIA-LAB.MIT.EDU = { 
        kdc = kerberos.media.mit.edu 
        admin_server = kerberos.media.mit.edu 
    } 
    ZONE.MIT.EDU = { 
        kdc = casio.mit.edu 
        kdc = seiko.mit.edu 
        admin_server = casio.mit.edu 
    } 
    MOOF.MIT.EDU = { 
        kdc = three-headed-dogcow.mit.edu:88 
        kdc = three-headed-dogcow-1.mit.edu:88 
        admin_server = three-headed-dogcow.mit.edu 
    } 
    CSAIL.MIT.EDU = { 
        kdc = kerberos-1.csail.mit.edu 
        kdc = kerberos-2.csail.mit.edu 
        admin_server = kerberos.csail.mit.edu 
        default_domain = csail.mit.edu 
        krb524_server = krb524.csail.mit.edu 
    } 
    IHTFP.ORG = { 
        kdc = kerberos.ihtfp.org 
        admin_server = kerberos.ihtfp.org 
    } 
    GNU.ORG = { 
        kdc = kerberos.gnu.org 
        kdc = kerberos-2.gnu.org 
        kdc = kerberos-3.gnu.org 
        admin_server = kerberos.gnu.org 
    } 
    1TS.ORG = { 
        kdc = kerberos.1ts.org 
        admin_server = kerberos.1ts.org 
    } 
    GRATUITOUS.ORG = { 
        kdc = kerberos.gratuitous.org 
        admin_server = kerberos.gratuitous.org 
    } 
    DOOMCOM.ORG = { 
        kdc = kerberos.doomcom.org 
        admin_server = kerberos.doomcom.org 
    } 
    ANDREW.CMU.EDU = { 
        kdc = vice28.fs.andrew.cmu.edu 
        kdc = vice2.fs.andrew.cmu.edu 
        kdc = vice11.fs.andrew.cmu.edu 
        kdc = vice12.fs.andrew.cmu.edu 
        admin_server = vice28.fs.andrew.cmu.edu 
        default_domain = andrew.cmu.edu 
    } 
    CS.CMU.EDU = { 
        kdc = kerberos.cs.cmu.edu 
        kdc = kerberos-2.srv.cs.cmu.edu 
        admin_server = kerberos.cs.cmu.edu 
    } 
    DEMENTIA.ORG = { 
        kdc = kerberos.dementia.org 
        kdc = kerberos2.dementia.org 
        admin_server = kerberos.dementia.org 
    } 
    stanford.edu = { 
        kdc = krb5auth1.stanford.edu 
        kdc = krb5auth2.stanford.edu 
        kdc = krb5auth3.stanford.edu 
        master_kdc = krb5auth1.stanford.edu 
        admin_server = krb5-admin.stanford.edu 
        default_domain = stanford.edu 
    } 
    DOMEIN.NET = { 
        auth_to_local = RULE:[1:$0\$1](^DOMEIN\.NET\\.*)s/^DOMEIN\.NET/DOMEIN/ 
        auth_to_local = RULE:[1:$0\$1](^DOMEIN\.NET\\.*)s/^DOMEIN\.NET/DOMEIN/ 
        auth_to_local = DEFAULT 
    } 
 
[domain_realm] 
    .mit.edu = ATHENA.MIT.EDU 
    mit.edu = ATHENA.MIT.EDU 
    .media.mit.edu = MEDIA-LAB.MIT.EDU 
    media.mit.edu = MEDIA-LAB.MIT.EDU 
    .csail.mit.edu = CSAIL.MIT.EDU 
    csail.mit.edu = CSAIL.MIT.EDU 
    .whoi.edu = ATHENA.MIT.EDU 
    whoi.edu = ATHENA.MIT.EDU 
    .stanford.edu = stanford.edu 
    .slac.stanford.edu = SLAC.STANFORD.EDU 
    .domein.net = DOMEIN.NET 
 
[login] 
    krb4_convert = true 
    krb4_get_tickets = false 
[appdefaults] 
    pam = { 
   mappings = DOMEIN\\(.*) $1@DOMEIN.NET 
   forwardable = true 
   validate = true 
    } 
    httpd = { 
   mappings = DOMEIN\\(.*) $1@DOMEIN.NET 
   reverse_mappings = (.*)@DOMEIN\.NET DOMEIN\$1 
    }

This is my hosts

PHP Code:



127.0.0.1 localhost 
127.0.1.1 ubuntus2.domein.net ubuntus2 
# The following lines are desirable for IPv6 capable hosts 
::1 localhost ip6-localhost ip6-loopback 
fe00::0 ip6-localnet 
ff00::0 ip6-mcastprefix 
ff02::1 ip6-allnodes 
ff02::2 ip6-allrouters 
ff02::3 ip6-allhosts

And this is my resolv

PHP Code:



# Generated by NetworkManager 
nameserver 192.168.1.2

Any idea? thank you !!!!

LMW · 11-21-2010, 07:08 PM

Quote:

Originally Posted by umiyz

Hello, thisi is my krb5.conf file.

PHP Code:



[libdefaults] 
    default_realm = DOMEIN.NET 
 
# The following krb5.conf variables are only for MIT Kerberos. 
    krb4_config = /etc/krb.conf 
    krb4_realms = /etc/krb.realms 
    kdc_timesync = 1 
    ccache_type = 4 
    forwardable = true 
    proxiable = true 
 
# The following encryption type specification will be used by MIT Kerberos 
# if uncommented.  In general, the defaults in the MIT Kerberos code are 
# correct and overriding these specifications only serves to disable new 
# encryption types as they are added, creating interoperability problems. 
# 
# Thie only time when you might need to uncomment these lines and change 
# the enctypes is if you have local software that will break on ticket 
# caches containing ticket encryption types it doesn't know about (such as 
# old versions of Sun Java). 
 
#    default_tgs_enctypes = des3-hmac-sha1 
#    default_tkt_enctypes = des3-hmac-sha1 
#    permitted_enctypes = des3-hmac-sha1 
 
# The following libdefaults parameters are only for Heimdal Kerberos. 
    v4_instance_resolve = false 
    v4_name_convert = { 
        host = { 
            rcmd = host 
            ftp = ftp 
        } 
        plain = { 
            something = something-else 
        } 
    } 
    fcc-mit-ticketflags = true 
    default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC 
    default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC 
    preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC 
    dns_lookup_kdc = true 
 
[realms] 
    ATHENA.MIT.EDU = { 
        kdc = kerberos.mit.edu:88 
        kdc = kerberos-1.mit.edu:88 
        kdc = kerberos-2.mit.edu:88 
        admin_server = kerberos.mit.edu 
        default_domain = mit.edu 
    } 
    MEDIA-LAB.MIT.EDU = { 
        kdc = kerberos.media.mit.edu 
        admin_server = kerberos.media.mit.edu 
    } 
    ZONE.MIT.EDU = { 
        kdc = casio.mit.edu 
        kdc = seiko.mit.edu 
        admin_server = casio.mit.edu 
    } 
    MOOF.MIT.EDU = { 
        kdc = three-headed-dogcow.mit.edu:88 
        kdc = three-headed-dogcow-1.mit.edu:88 
        admin_server = three-headed-dogcow.mit.edu 
    } 
    CSAIL.MIT.EDU = { 
        kdc = kerberos-1.csail.mit.edu 
        kdc = kerberos-2.csail.mit.edu 
        admin_server = kerberos.csail.mit.edu 
        default_domain = csail.mit.edu 
        krb524_server = krb524.csail.mit.edu 
    } 
    IHTFP.ORG = { 
        kdc = kerberos.ihtfp.org 
        admin_server = kerberos.ihtfp.org 
    } 
    GNU.ORG = { 
        kdc = kerberos.gnu.org 
        kdc = kerberos-2.gnu.org 
        kdc = kerberos-3.gnu.org 
        admin_server = kerberos.gnu.org 
    } 
    1TS.ORG = { 
        kdc = kerberos.1ts.org 
        admin_server = kerberos.1ts.org 
    } 
    GRATUITOUS.ORG = { 
        kdc = kerberos.gratuitous.org 
        admin_server = kerberos.gratuitous.org 
    } 
    DOOMCOM.ORG = { 
        kdc = kerberos.doomcom.org 
        admin_server = kerberos.doomcom.org 
    } 
    ANDREW.CMU.EDU = { 
        kdc = vice28.fs.andrew.cmu.edu 
        kdc = vice2.fs.andrew.cmu.edu 
        kdc = vice11.fs.andrew.cmu.edu 
        kdc = vice12.fs.andrew.cmu.edu 
        admin_server = vice28.fs.andrew.cmu.edu 
        default_domain = andrew.cmu.edu 
    } 
    CS.CMU.EDU = { 
        kdc = kerberos.cs.cmu.edu 
        kdc = kerberos-2.srv.cs.cmu.edu 
        admin_server = kerberos.cs.cmu.edu 
    } 
    DEMENTIA.ORG = { 
        kdc = kerberos.dementia.org 
        kdc = kerberos2.dementia.org 
        admin_server = kerberos.dementia.org 
    } 
    stanford.edu = { 
        kdc = krb5auth1.stanford.edu 
        kdc = krb5auth2.stanford.edu 
        kdc = krb5auth3.stanford.edu 
        master_kdc = krb5auth1.stanford.edu 
        admin_server = krb5-admin.stanford.edu 
        default_domain = stanford.edu 
    } 
    DOMEIN.NET = { 
        auth_to_local = RULE:[1:$0\$1](^DOMEIN\.NET\\.*)s/^DOMEIN\.NET/DOMEIN/ 
        auth_to_local = RULE:[1:$0\$1](^DOMEIN\.NET\\.*)s/^DOMEIN\.NET/DOMEIN/ 
        auth_to_local = DEFAULT 
    } 
 
[domain_realm] 
    .mit.edu = ATHENA.MIT.EDU 
    mit.edu = ATHENA.MIT.EDU 
    .media.mit.edu = MEDIA-LAB.MIT.EDU 
    media.mit.edu = MEDIA-LAB.MIT.EDU 
    .csail.mit.edu = CSAIL.MIT.EDU 
    csail.mit.edu = CSAIL.MIT.EDU 
    .whoi.edu = ATHENA.MIT.EDU 
    whoi.edu = ATHENA.MIT.EDU 
    .stanford.edu = stanford.edu 
    .slac.stanford.edu = SLAC.STANFORD.EDU 
    .domein.net = DOMEIN.NET 
 
[login] 
    krb4_convert = true 
    krb4_get_tickets = false 
[appdefaults] 
    pam = { 
   mappings = DOMEIN\\(.*) $1@DOMEIN.NET 
   forwardable = true 
   validate = true 
    } 
    httpd = { 
   mappings = DOMEIN\\(.*) $1@DOMEIN.NET 
   reverse_mappings = (.*)@DOMEIN\.NET DOMEIN\$1 
    }

This is my hosts

PHP Code:



127.0.0.1 localhost 
127.0.1.1 ubuntus2.domein.net ubuntus2 
# The following lines are desirable for IPv6 capable hosts 
::1 localhost ip6-localhost ip6-loopback 
fe00::0 ip6-localnet 
ff00::0 ip6-mcastprefix 
ff02::1 ip6-allnodes 
ff02::2 ip6-allrouters 
ff02::3 ip6-allhosts

And this is my resolv

PHP Code:



# Generated by NetworkManager 
nameserver 192.168.1.2

Any idea? thank you !!!!

Here's your krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMEIN.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMEIN.NET = {
kdc = win2003.domein.net:88
admin_server = win2003.domein.net:749
default_domain = DOMEIN.NET
}

[domain_realm]
.domein.net = DOMEIN.NET
domein.net = DOMEIN.NET
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
try_first_pass = true
}

And your hosts file should look like that:

127.0.0.1 localhost
127.0.1.1 ubuntus2.domein.net ubuntus2
192.168.1.2 win2003.domein.net win2003
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

This should help. Report the result, please.

umiyz · 11-21-2010, 07:46 PM

Hello, I made the necessary changes, but I still have the same result:

Quote:

Binding to domain with command /usr/bin/net join -U Administrator ..

Unable to find a suitable server for domain DOMEIN.NET
Unable to find a suitable server for domain DOMEIN.NET

Do I need to make several changes to Windows 2003 Server aswell?

UPDATE **

I tried this now and get the following:
net rpc getsid -S DOMEIN.NET -I 192.168.1.2 -U Administrator%P@ssword

Quote:

Could not connect to server DOMEIN.NET
Connection failed: NT_STATUS_ACCESS_DENIED

Still an error, but I can see that no access is granted..
Only problem is, I don't know to where..

LMW · 11-21-2010, 08:07 PM

Quote:

Originally Posted by umiyz

Hello, I made the necessary changes, but I still have the same result:

Do I need to make several changes to Windows 2003 Server aswell?

Make smb.conf look like that, then restart winbind and samba services.

[global]
idmap gid = 10000-20000
idmap uid = 10000-20000
password server = 192.168.1.2
workgroup = DOMEIN
realm = DOMEIN.NET
encrypt passwords = yes
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
security = ADS
debuglevel = 2
wins support = no
# Winbind settings
# For testing

# A shared folder for testing purposes
[SharedFolder]
path = /home/onno2/Shared_Folder
available = yes
public = yes
writable = yes
force create mode = 0666
force directory mode = 0777

Then try "net ads join -U Administrator" (without quotes, of course =) )

umiyz · 11-21-2010, 08:29 PM

I think you fixed it now !

Quote:

root@ubuntus2:~# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- DOMEIN
Joined 'UBUNTUS2' to realm 'domein.net'

Thank you very much.. !!!!!!!!!!

Well I am joined now, do I still require likewise-open ?
Because without it, I cannot logon Ubuntu with a ADS username..

LMW · 11-21-2010, 08:46 PM

Quote:

Originally Posted by umiyz

I think you fixed it now !

Thank you very much.. !!!!!!!!!!

Well I am joined now, do I still require likewise-open ?
Because without it, I cannot logon Ubuntu with a ADS username..

No, you don't need likewise-open. Moreover, you didn't need it earlier. Samba did it all.
Here's a good Samba + AD HOWTO
Enjoy!

umiyz · 11-28-2010, 03:16 PM

Hello, I have another question..
How can I install my Ubuntu as a secondary domaincontroller?
Do I need LDAP for this? And how can I do this?

Thankyou !

LMW · 11-28-2010, 11:24 PM

Googling can save you a lot of time

http://www.samba.org/samba/docs/man/...samba-bdc.html
Enjoy

linuxlover.chaitanya · 11-29-2010, 12:41 AM

According to the above link given:

Quote:

Active Directory Domain Control

As of the release of MS Windows 2000 and Active Directory, this information is now stored in a directory that can be replicated and for which partial or full administrative control can be delegated. Samba-3 is not able to be a domain controller within an Active Directory tree, and it cannot be an Active Directory server. This means that Samba-3 also cannot act as a BDC to an Active Directory domain controller.

umiyz · 11-29-2010, 01:58 AM

Quote:

Originally Posted by LMW

Googling can save you a lot of time

http://www.samba.org/samba/docs/man/...samba-bdc.html
Enjoy

Yes, I did google for a quite time (since my last post).

However it seems it does not fix my problem.
Samba is more diffferent then LDAP I guess?

Thanks anyways... I am still looking for an answer.. It is frustating

linuxlover.chaitanya · 11-29-2010, 03:09 AM

Quote:

Originally Posted by umiyz

Yes, I did google for a quite time (since my last post).

However it seems it does not fix my problem.
Samba is more diffferent then LDAP I guess?

Thanks anyways... I am still looking for an answer.. It is frustating

I do not understand what you mean to say Samba is more different than LDAP?
Yes it is. Samba is typically used to share files and folders with windows. Or for windows networking.
Please go through this link to know what is LDAP.

umiyz · 12-13-2010, 01:03 PM

Quote:

Originally Posted by linuxlover.chaitanya

I do not understand what you mean to say Samba is more different than LDAP?
Yes it is. Samba is typically used to share files and folders with windows. Or for windows networking.
Please go through this link to know what is LDAP.

Well I want to following:

I want my Active Directory users able to logon Ubuntu server.
Also I want to share folders with my ubuntu machine to the desired Active Directory users.

It seems I need LDAP for this.

Before I can use LDAP, I needed to make my ubuntu machine a memberserver first, which is now.

I tried to google for this, also a reason why my post took such a long time. But I couldn't find any usefull information. There is information, but it is all outdated...

I hope any one you can help me with this problem.
I really need LDAP fixing.

Thank you !