LinuxQuestions.org
View Poll Results: How difficult do you find Samba to configure?
One of the most complicated servers to configure 17 29.31%
Somewhat complex to configure 20 34.48%
About average 13 22.41%
Not difficult at all 4 6.90%
I have no clue, never configured Samba 4 6.90%
Voters: 58.

Old 03-23-2004, 04:41 PM   #1
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Rep: Reputation: 15
Authenticating to Samba share using "Active Directory Server"


DISCLOSURE: This is not a noob question. The answer to this question is not on google. The answer won't be found by reading the Samba docs. Unless you've gotten this to work yourself, you probably shouldn't read any further. You do not have the answer, and you are very unlikely to find it.

I'm definitely a casual Samba admin. I'm no expert, but I've always been able to get it to do the basics after no more than a few hours of painful configuration.

However, my latest goal seems beyond me. The goal is this:

Allow users of a Microsoft "domain" to access a Samba share using that
"domain"'s Active Directory usernames and passwords.

I've spent 4 days reading the following documents and trying out their versions of how this should work:

http://www.wlug.org.nz/HowtoSamba3An...tory?version=6
http://acd.ucar.edu/~fredrick/linux/samba3/
http://www.pcquest.com/content/linux/104010509.asp
http://www.enterpriseitplanet.com/ne...1315_2246911_2
http://asia.cnet.com/itmanager/netad...9081966,00.htm
http://www.nyetwork.org/fvlug/Fvlug_Samba3.ppt
http://us3.samba.org/samba/docs/man/

At this point, I believe I'm able to authenticate to the ADServer from my Samba host, but I'm not able to access shares from a Windows box.

I'm using Redhat's krb5-libs-1.2.7-8, krb5-workstation-1.2.7-8, krb5-devel-1.2.7-8, along with Samba 3.0.2a.

I've successfully added the Samba host to the ADS "domain", and it now appears in this domain under the MS neighborhood browsing widget. I won't go into all the details of my configuration and all that. I believe it's all sound as I can run the various commands listed in the links above. But none of these documents address accessing a Samba share from a Windows box using ADS. And I'd think that would be the primary goal for this new ADS compatibility. Or is the ADS compatibility there ONLY to allow Unix users to access Windows shares using ADS??

Thanks

Harry
 
Old 03-23-2004, 06:35 PM   #2
ALP
LQ Newbie
 
Registered: Mar 2004
Posts: 5

Rep: Reputation: 0
You're lucky it's only been 4 days, I've been at it for 3 weeks. I was beginning to think I was the only one that couldn't get this to work. If you happen to come across a solution, please post it.

You can check my post below, it sounds like the same issue.

http://linuxquestions.org/questions/...hreadid=161421
 
Old 03-23-2004, 08:04 PM   #3
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
I just heard of another poor fellow who's been working at this same thing for nearly 6 months.

From everything I've read, I'm fairly confident it can't be done. At least not with Samba 3.0.2Beta.

I think all the ADS hoopla is about the fact that unix users can now mount windows shares using ADS authentication. Who cares? When was the last time you found anything worthwhile on an NTFS drive? I don't understand why the Samba developers don't emphasize features that help Samba do what it does best: serve as a cheap file server for Windows users. Most Unix users that work in a Windows environment have a 2nd Windows box anyway.

But by far the most frustrating part about using Samba is the horrible support. Samba usenet groups are overflowing with noob questions and few answers. The Samba team won't respond if you write them with a legit question such as ours. I've worked a little with Samba over the last 6 years, and it is the most complicated thing to configure I've run across. Apache can be difficult too, but at least it works as described for the most part; tweaking one value doesn't usually mess up 4 other values as always seems the case with Samba.

It looks at this point that we're going to have to install Winblows on our Samba box if we want to run a file server. And given that Samba is 10 years old, I think that fact is pretty sad.
 
Old 03-23-2004, 09:52 PM   #4
jsokko
Member
 
Registered: Mar 2004
Location: Phila, PA
Distribution: SuSE 9.0 / RH 9 / Slackware 9.1
Posts: 110

Rep: Reputation: 15
Doh. This is a toughie. I've not tried it since ADS is a resource bear.... but I take it you're using Kerberos?

Doesn't ADS also support LDAP?

curious if there is a workaround to this...


J
 
Old 03-23-2004, 10:04 PM   #5
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
Yes, the ADS communication requires kerberos. If you set up Samba as described in many of the links I originally posted, you can access Winblows shares using ADS and kerberos. I think it works pretty well, though I didn't really dig deep into the unix -> ADS/winblows functionality. I'm interested only in the winblows -> samba share/ADS functionality.
 
Old 03-29-2004, 12:46 PM   #6
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
OK, we got it to work.

Thanks goes to John Terpstra of the Samba team who helped us get it working.

Without going into complete detail, what was required for *us* to get it working was primarily MIT Kerberos 1.3.1. To install this without hacking our Redhat 9 install, we upgraded to Fedora 1, which comes with 1.3.1.

Once we had this, these are the rough steps we took:

- shut down smb
- remove /var/cache/samba/* - get rid of prior misconfigured files
- remove /etc/samba/secrets.tdb
- remove host from the ADS domain (done from the windows side)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with kerberos 1.3.1)
- configure /etc/samba/smb.conf - below is the global section of our conf:

# Global parameters
[global]
unix charset = LOCALE
workgroup = OURADSGROUP
realm = OURADSDOMAIN.COM
security = ADS
log level = 5
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
domain master = No
wins server = (wins server IP)
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
winbind separator = +
winbind use default domain = Yes

- added 'sambausers' group to samba host
- added 'SambaUsers' group to ADS
- edit /etc/samba/smbusers to include line 'root = administrator'
- join ADS domain: net ads join -U administrator
- verify it worked: wbinfo -u ; wbinfo -g
- map some NT/Unix groups:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- verify changes: net groupmap list
- restart winbind (may not be necessary)

Done

This is how *we* got it to work, not necessarily how you will get it to work.

But there currently is no single source of documentation on how to set this up. This should change soon with the release of John Terpstra's new book Samba 3 by Example: Practical Exercises to Successful Deployment.

I can follow up on this thread if anyone has questions. I'll help as much as I can

Harry

Last edited by hlslaughter; 03-29-2004 at 12:47 PM.
 
Old 03-29-2004, 12:59 PM   #7
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Well done on getting this to work. I'm sure it will help many people. Perhaps you would consider writing a Linux Answer on the subject:
http://www.linuxquestions.org/questions/answers.php
 
Old 03-29-2004, 01:06 PM   #8
jsokko
Member
 
Registered: Mar 2004
Location: Phila, PA
Distribution: SuSE 9.0 / RH 9 / Slackware 9.1
Posts: 110

Rep: Reputation: 15
Now how about LDAP across samba / windows?

and good work on finding the solution. this should come in handy for most admins dealing with mixed environs.
 
Old 03-29-2004, 01:26 PM   #9
69_rs_ss
Member
 
Registered: Jan 2004
Location: NY, USA
Distribution: Arch, openSUSE 11.1
Posts: 170

Rep: Reputation: 31
Check out this post http://www.linuxquestions.org/questions/history/153836. It is based off a Suse 9 install but most of the configs are interchangeable. Also, Suse 9.1 is supposed to have Active Directory built-in through Samba 3.
 
Old 03-29-2004, 03:26 PM   #10
ALP
LQ Newbie
 
Registered: Mar 2004
Posts: 5

Rep: Reputation: 0
Glad you got it working. You lucked out finding someone who really knows their stuff. I'm still struggling with it, a little closer perhaps but still not 100% (not even close actually). If you could post some more details on the install it would be great.

TIA
 
Old 03-29-2004, 05:04 PM   #11
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
ALP, have you done all the things i listed above, most importantly updating the krb5-* packages?
 
Old 03-29-2004, 05:10 PM   #12
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
I forgot a step.

you should run 'smbpasswd root' and change that password to match the ADS domain Administrator's password, since Administrator should map to root. I'm not certain this step is necessary though, but it's part of what we did.

i'm not going to write this up as a formal answer, as it does not cover anything but our particular situation.

as i said, if you want the authoritative answer for your specific situation, you should buy a copy of Terpstra's book when it's released (this month?).
 
Old 03-29-2004, 06:36 PM   #13
ALP
LQ Newbie
 
Registered: Mar 2004
Posts: 5

Rep: Reputation: 0
For the most part the settings are the same. I gave in and spent the last couple of hours downloading and installing Fedora. I will give it a try with the new krb5.

I noticed you didn't mention the nsswitch.conf, didn't you have to modify it? What configure options did you use with Samba or did you use the version that comes with Fedora?

TIA
 
Old 03-29-2004, 10:17 PM   #14
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
damnit, i left the nsswitch.conf stuff out. you are correct, that was necessary too.

i will post that conf tomorrow from work.

sorry i'm not more precise but we had trouble keeping up with all the help we were getting and neglected to take careful notes
 
Old 03-30-2004, 12:13 PM   #15
hlslaughter
Member
 
Registered: May 2003
Location: San Jose, CA
Distribution: Ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
sorry i forgot to post this step. here are the entries in my /etc/nsswitch.conf file

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
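As an added example (not code from this thread or from the Samba project), here is a small Python preflight check for the two pieces of configuration posted above: the [global] section from post #6 and the nsswitch.conf entries from post #15. It parses both, confirms the settings the domain join depends on (security = ADS, realm, workgroup, idmap uid/gid ranges, winbind listed for passwd and group), and flags two settings worth revisiting once the share works: 'log level = 5' is debugging verbosity, and 'winbind use default domain = Yes' makes a domain account and a local account with the same name ambiguous. The sample configuration text, the 192.0.2.10 address and the 1000 local-id ceiling are constructed for this example.

```python
"""Preflight check for a Samba ADS member server (added example, not the thread's code).

Parses the smb.conf [global] section and /etc/nsswitch.conf and reports what is
missing or risky before 'net ads join' is attempted. All sample text is constructed.
"""
import re

# Constructed sample modelled on the [global] section posted in this thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
workgroup = OURADSGROUP
realm = OURADSDOMAIN.COM
security = ADS
log level = 5
wins server = 192.0.2.10
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind use default domain = Yes

[share]
path = /srv/share
"""

# Constructed sample modelled on the nsswitch.conf lines posted in this thread.
SAMPLE_NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
"""

LOCAL_ID_CEILING = 1000  # assumption: local accounts on this host stay below 1000


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # smb.conf comments start the line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Return {database: [source, ...]}, dropping [STATUS=action] tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def parse_range(value):
    """'15000-20000' -> (15000, 20000); raises ValueError on a malformed range."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo >= hi:
        raise ValueError("range low must be below high")
    return lo, hi


def check_ads_member(smb_conf_text, nsswitch_text):
    """Return (errors, warnings) for an ADS member-server configuration."""
    errors, warnings = [], []
    g = parse_smb_conf(smb_conf_text).get("global", {})

    for key in ("workgroup", "realm", "security", "idmap uid", "idmap gid"):
        if key not in g:
            errors.append(f"[global] is missing '{key}'")
    if g.get("security", "").lower() != "ads":
        errors.append("security must be 'ADS' for Kerberos-based domain membership")
    realm = g.get("realm", "")
    if realm and realm != realm.upper():
        warnings.append("realm should be upper-case; Kerberos realm names are case-sensitive")

    for key in ("idmap uid", "idmap gid"):      # domain ids must not collide with local ones
        if key in g:
            try:
                if parse_range(g[key])[0] < LOCAL_ID_CEILING:
                    errors.append(f"{key} range overlaps local ids below {LOCAL_ID_CEILING}")
            except ValueError as exc:
                errors.append(f"{key}: {exc}")

    if int(g.get("log level", "0").split()[0]) >= 3:
        warnings.append("log level >= 3 is debugging verbosity; lower it once the join works")
    if g.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        warnings.append("winbind use default domain = yes: a domain user and a local user "
                        "with the same name become ambiguous; keep local account names distinct")

    nss = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            errors.append(f"nsswitch.conf: '{db}' does not list winbind; domain accounts will not resolve")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_ads_member(SAMPLE_SMB_CONF, SAMPLE_NSSWITCH)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
```

Run it against the real files with `check_ads_member(open("/etc/samba/smb.conf").read(), open("/etc/nsswitch.conf").read())` before joining; the sample configuration above produces no errors and the two warnings, which is what a working but still-verbose setup from this thread looks like.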
 
All times are GMT -5.