LinuxQuestions.org

Thread: Authenticating to Samba share using "Active Directory Server" (https://www.linuxquestions.org/questions/linux-software-2/authenticating-to-samba-share-using-active-directory-server-161506/)

hlslaughter 03-23-2004 04:41 PM

Authenticating to Samba share using "Active Directory Server"
 
DISCLOSURE: This is not a noob question. The answer to this question is not on google. The answer won't be found by reading the Samba docs. Unless you've gotten this to work yourself, you probably shouldn't read any further. You do not have the answer, and you are very unlikely to find it.

I'm definitely a casual Samba admin. I'm no expert, but I've always been able to get it to do the basics after no more than a few hours of painful configuration.

However, my latest goal seems beyond me. The goal is this:

Allow users of a Microsoft "domain" to access a Samba share using that "domain"'s Active Directory usernames and passwords.

I've spent 4 days reading the following documents and trying out their versions of how this should work:

http://www.wlug.org.nz/HowtoSamba3An...tory?version=6
http://acd.ucar.edu/~fredrick/linux/samba3/
http://www.pcquest.com/content/linux/104010509.asp
http://www.enterpriseitplanet.com/ne...1315_2246911_2
http://asia.cnet.com/itmanager/netad...9081966,00.htm
http://www.nyetwork.org/fvlug/Fvlug_Samba3.ppt
http://us3.samba.org/samba/docs/man/

At this point, I believe I'm able to authenticate to the ADServer from my Samba host, but I'm not able to access shares from a Windows box.

I'm using Redhat's krb5-libs-1.2.7-8, krb5-workstation-1.2.7-8, krb5-devel-1.2.7-8, along with Samba 3.0.2a.

I've successfully added the Samba host to the ADS "domain", and it now appears in this domain under the MS neighborhood browsing widget. I won't go into all the details of my configuration and all that. I believe it's all sound, as I can run the various commands listed in the links above. But none of these documents address accessing a Samba share from a Windows box using ADS. And I'd think that would be the primary goal for this new ADS compatibility. Or is the ADS compatibility there ONLY to allow Unix users to access Windows shares using ADS??

Thanks

Harry

ALP 03-23-2004 06:35 PM

You're lucky it's only been 4 days, I've been at it for 3 weeks. I was beginning to think I was the only one that couldn't get this to work. If you happen to come across a solution, please post it.

You can check my post below, it sounds like the same issue.

http://linuxquestions.org/questions/...hreadid=161421

hlslaughter 03-23-2004 08:04 PM

I just heard of another poor fellow who's been working at this same thing for nearly 6 months. :cry:

From everything I've read, I'm fairly confident it can't be done. At least not with Samba 3.0.2Beta.

I think all the ADS hoopla is about the fact that unix users can now mount windows shares using ADS authentication. Who cares? When was the last time you found anything worthwhile on an NTFS drive? I don't understand why the Samba developers don't emphasize features that help Samba do what it does best: serve as a cheap file server for Windows users. Most Unix users that work in a Windows environment have a 2nd Windows box anyway.

But by far the most frustrating part about using Samba is the horrible support. Samba usenet groups are overflowing with noob questions and few answers. The Samba team won't respond if you write them with a legit question such as ours. I've worked a little with Samba over the last 6 years, and it is the most complicated thing to configure I've run across. Apache can be difficult too, but at least it works as described for the most part; tweaking one value doesn't usually mess up 4 other values, as always seems the case with Samba.

It looks at this point that we're going to have to install Winblows on our Samba box if we want to run a file server. And given that Samba is 10 years old, I think that fact is pretty sad.

jsokko 03-23-2004 09:52 PM

Doh. This is a toughie. I've not tried it since ADS is a resource bear.... but I take it you're using Kerberos?

Doesn't ADS also support LDAP?

Curious if there is a workaround to this...


J

hlslaughter 03-23-2004 10:04 PM

Yes, the ADS communication requires kerberos. If you set up Samba as described in many of the links I originally posted, you can access Winblows shares using ADS and kerberos. I think it works pretty well, though I didn't really dig deep into the unix -> ADS/winblows functionality. I'm interested only in the winblows -> samba share/ADS functionality.

hlslaughter 03-29-2004 12:46 PM

OK, we got it to work.

Thanks goes to John Terpstra of the Samba team who helped us get it working.

Without going into complete detail, what was required for *us* to get it working was primarily MIT Kerberos 1.3.1. To install this without hacking our Redhat 9 install, we upgraded to Fedora 1, which comes with 1.3.1.

Once we had this, these are the rough steps we took:

- shut down smb
- remove /var/cache/samba/* - get rid of prior misconfigured files
- remove /etc/samba/secrets.tdb
- remove host from the ADS domain (done from the windows side)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with kerberos 1.3.1)
- configure /etc/samba/smb.conf - below is the global section of our conf:

# Global parameters
[global]
unix charset = LOCALE
workgroup = OURADSGROUP
realm = OURADSDOMAIN.COM
security = ADS
log level = 5
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
domain master = No
wins server = (wins server IP)
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
winbind separator = +
winbind use default domain = Yes

- added 'sambausers' group to samba host
- added 'SambaUsers' group to ADS
- edit /etc/samba/smbusers to include line 'root = administrator'
- join ADS domain: net ads join -U administrator
- verify it worked: wbinfo -u ; wbinfo -g
- map some NT/Unix groups:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- verify changes: net groupmap list
- restart winbind (may not be necessary)

Done

This is how *we* got it to work, not necessarily how you will get it to work.

But there currently is no single source of documentation on how to set this up. This should change soon with the release of John Terpstra's new book Samba 3 by Example: Practical Exercises to Successful Deployment.

I can follow up on this thread if anyone has questions. I'll help as much as I can :)

Harry
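The checklist above is easy to get subtly wrong (a lower-case realm, a DNS name in `workgroup`, winbind missing from nsswitch.conf, an idmap range that overlaps local accounts), and `net ads join` only tells you about the first thing that breaks. The script below is an added example written for this page, not code from the thread or from the Samba project. It reads smb.conf, krb5.conf, nsswitch.conf, passwd and group offline and reports every mismatch it can find before the join is attempted; the realm EXAMPLE.COM, the file names and the sample configurations it writes into a temporary directory are constructed for the demo and are not what the posters used.

```shell
#!/bin/sh
# Added example, not from the thread: offline preflight for a Samba 3 ADS member
# server, run before `net ads join`. It only reads configuration files, so it works
# on a host that is not joined yet. The realm EXAMPLE.COM, the file names and the
# sample files at the bottom are constructed for the demo.

# ini_value FILE SECTION KEY: value of KEY inside [SECTION] of an smb.conf or
# krb5.conf style file. Names compare case-insensitively; the last assignment wins.
ini_value() {
    awk -v sec="$2" -v want="$3" '
        BEGIN { sec = tolower(sec); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      insec = (tolower(s) == sec); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) found = val }
        END { print found }' "$1"
}

# nss_has_winbind FILE DB: succeed if the "DB:" line of nsswitch.conf lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); n = split($0, f, /[ \t:]+/)
          if (f[1] == db) for (i = 2; i <= n; i++) if (f[i] == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# id_collisions FILE LOW HIGH: names in a passwd/group style file whose numeric id
# (field 3) lies inside LOW-HIGH. Such local ids would collide with winbind's idmap.
id_collisions() {
    awk -F: -v lo="$2" -v hi="$3" '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }' "$1"
}

pf_ok()   { echo "ok:   $*"; }
pf_fail() { echo "FAIL: $*"; PF_RC=1; }

# preflight SMB_CONF KRB5_CONF NSSWITCH PASSWD GROUP: one line per check; returns 0
# only if every check passed.
preflight() {
    smb=$1 krb=$2 nss=$3 pw=$4 grp=$5 PF_RC=0
    sec=$(ini_value "$smb" global security)
    [ "$(printf %s "$sec" | tr a-z A-Z)" = ADS ] && pf_ok "security = ADS" \
        || pf_fail "security is '$sec'; ADS is required for Kerberos against AD"
    realm=$(ini_value "$smb" global realm)
    [ -n "$realm" ] && [ "$realm" = "$(printf %s "$realm" | tr a-z A-Z)" ] \
        && pf_ok "realm = $realm" || pf_fail "realm '$realm' must be the Kerberos realm in UPPER CASE"
    krealm=$(ini_value "$krb" libdefaults default_realm)
    [ -n "$realm" ] && [ "$krealm" = "$realm" ] && pf_ok "krb5.conf default_realm matches" \
        || pf_fail "krb5.conf default_realm '$krealm' != smb.conf realm '$realm'"
    wg=$(ini_value "$smb" global workgroup)
    case $wg in
        ''|*.*) pf_fail "workgroup '$wg' must be the short NetBIOS domain name, not a DNS name" ;;
        *) [ ${#wg} -le 15 ] && pf_ok "workgroup = $wg" || pf_fail "workgroup '$wg' exceeds 15 chars" ;;
    esac
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" && pf_ok "nsswitch.conf $db: lists winbind" \
            || pf_fail "nsswitch.conf '$db:' line does not list winbind (AD users will not resolve)"
    done
    for kind in uid gid; do
        [ "$kind" = uid ] && idfile=$pw || idfile=$grp
        range=$(ini_value "$smb" global "idmap $kind")
        case $range in
            *[!0-9-]*|*-*-*|-*|*-|'') lo=; hi= ;;
            *) lo=${range%-*}; hi=${range#*-} ;;
        esac
        if [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -lt "$hi" ]; then
            clash=$(id_collisions "$idfile" "$lo" "$hi" | tr '\n' ' ')
            [ -z "$clash" ] && pf_ok "idmap $kind = $range is clear of local ids" \
                || pf_fail "idmap $kind = $range overlaps local entries: $clash"
        else
            pf_fail "idmap $kind '$range' must be LOW-HIGH with LOW < HIGH"
        fi
    done
    return $PF_RC
}

# Constructed sample files: one configuration that should pass, one with the
# mistakes seen in this thread (DNS name as workgroup, lower-case realm, no winbind
# in nsswitch.conf, idmap range overlapping a local account).
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' '[global]' 'workgroup = EXAMPLE' 'realm = EXAMPLE.COM' 'security = ADS' \
    'idmap uid = 15000-20000' 'idmap gid = 15000-20000' 'template primary group = sambausers' \
    'winbind separator = +' 'winbind use default domain = Yes' >"$DEMO/smb-good.conf"
printf '%s\n' '[global]' 'workgroup = example.com' 'realm = example.com' 'security = domain' \
    'idmap uid = 500-20000' 'idmap gid = 15000-20000' >"$DEMO/smb-bad.conf"
printf '%s\n' '[libdefaults]' 'default_realm = EXAMPLE.COM' 'dns_lookup_kdc = true' \
    '[realms]' 'EXAMPLE.COM = {' '  kdc = dc1.example.com:88' '}' >"$DEMO/krb5.conf"
printf '%s\n' 'passwd: files winbind' 'shadow: files' 'group:  files winbind' 'hosts: files dns' >"$DEMO/nss-good.conf"
printf '%s\n' 'passwd: files' 'group:  files' >"$DEMO/nss-bad.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'localadm:x:500:500::/home/localadm:/bin/sh' >"$DEMO/passwd"
printf '%s\n' 'root:x:0:' 'localadm:x:500:' 'sambausers:x:1001:' >"$DEMO/group"

echo "== constructed configuration that should pass =="
preflight "$DEMO/smb-good.conf" "$DEMO/krb5.conf" "$DEMO/nss-good.conf" "$DEMO/passwd" "$DEMO/group" \
    && echo "preflight passed; next step would be: net ads join -U Administrator"
echo "== constructed configuration with the usual mistakes =="
preflight "$DEMO/smb-bad.conf" "$DEMO/krb5.conf" "$DEMO/nss-bad.conf" "$DEMO/passwd" "$DEMO/group" \
    || echo "fix the FAIL lines before joining"
```

On a real host, source the script and call `preflight /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf /etc/passwd /etc/group`. It deliberately makes no network calls, so a clean run is a necessary rather than a sufficient condition: DNS resolution of the domain controllers, clock skew against the KDC and the rights of the account used for the join are still only exercised by `net ads join` itself.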

david_ross 03-29-2004 12:59 PM

Well done on getting this to work. I'm sure it will help many people. Perhaps you would consider writing a Linux Answer on the subject:
http://www.linuxquestions.org/questions/answers.php

jsokko 03-29-2004 01:06 PM

Now how about LDAP across samba / windows? ;)

And good work on finding the solution. This should come in handy for most admins dealing with mixed environs.

69_rs_ss 03-29-2004 01:26 PM

Check out this post http://www.linuxquestions.org/questions/history/153836. It is based on a Suse 9 install but most of the configs are interchangeable. Also, Suse 9.1 is supposed to have Active Directory built-in through Samba 3.

ALP 03-29-2004 03:26 PM

Glad you got it working. You lucked out finding someone who really knows their stuff. I'm still struggling with it, a little closer perhaps but still not 100% (not even close actually). If you could post some more details on the install it would be great.

TIA

hlslaughter 03-29-2004 05:04 PM

ALP, have you done all the things I listed above, most importantly updating the krb5-* packages?

hlslaughter 03-29-2004 05:10 PM

I forgot a step.

You should run 'smbpasswd root' and change that password to match the ADS domain Administrator's password, since Administrator should map to root. I'm not certain this step is necessary though, but it's part of what we did.

I'm not going to write this up as a formal answer, as it does not cover anything but our particular situation.

As I said, if you want the authoritative answer for your specific situation, you should buy a copy of Terpstra's book when it's released (this month?).

ALP 03-29-2004 06:36 PM

For the most part the settings are the same. I gave in and spent the last couple of hours downloading and installing Fedora. I will give it a try with the new krb5.

I noticed you didn't mention the nsswitch.conf, didn't you have to modify it? What configure options did you use with Samba or did you use the version that comes with Fedora?

TIA

hlslaughter 03-29-2004 10:17 PM

Damn it, I left the nsswitch.conf stuff out. You are correct, that was necessary too.

I will post that conf tomorrow from work.

Sorry I'm not more precise, but we had trouble keeping up with all the help we were getting and neglected to take careful notes :)

hlslaughter 03-30-2004 12:13 PM

Sorry I forgot to post this step. Here are the entries in my /etc/nsswitch.conf file:

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

Half_Elf 03-31-2004 08:18 AM

From what I know, ADS is a new kind of M$-made security: security by complexity. Meaning this damn thing is so dark, creepy and badly documented that any evil hacker will get discouraged by it and so won't try to hack it (that's what M$ staff think, at least).
So if you spend ONLY 4 days to make it work using Samba (call Micro$oft, they will prolly try to convince you that ADS will never work with Samba and that you need a Windoze 2003 server), you are a very good sysadmin lol.
So I voted "somewhat complex".

saylestock 04-06-2004 03:43 PM

If you were here I would give you a big kiss....not really, but I express my sincere gratitude for this post. I have lost hair and what was left turned gray over this topic. Through this post and some black magic I finally had success.

To those still having some problems, I had to do one more thing that I found in a book titled "The Official SAMBA-3 HOWTO and Reference Guide" on page 168. From a Windows 200x or XP Pro machine, connect to the share using netbiosname\root (example: fedora\root) and the root password. Find the Samba server through the Computer Management console. Go to the Shared Folders and then double click on the share. Click the Share Permissions tab and then add the desired user or group as access control entries. After that I was successful with an ADS account.

hlslaughter 04-07-2004 12:47 AM

Yes, I think the answer is in this thread, up to the reader to make heads or tails :)

saylestock 04-07-2004 02:14 PM

I thought I had everything working correctly. ADS authentication seems to work somewhat, but I am having some issues that I was hoping someone can point me in the right direction on.

"wbinfo -u and -g" and "net group" both show the correct information. For example, I have a directory called test. If I assign the group root or Domain Admins, I do not have access to the directory using an account that is a member of Domain Admins. The only way I can get it to work is to assign the group Domain Users to the directory. But needless to say everybody then has permission. It seems to assume that all users are only a member of Domain Users and nothing else.

Any help given would be greatly appreciated.

hlslaughter 04-07-2004 09:13 PM

did you edit your /etc/nsswitch.conf and /etc/samba/smbusers files and restart smb?

saylestock 04-07-2004 09:44 PM

Yes. I am hoping this is not a limitation of Linux, I really want to replace some Windows fileservers. Samba seems to only recognize one group for each user. It bases the group on the user's primary group in AD. Example: if I have a directory called test with the group permission set to Domain Admins and attach with a user who is in the group Domain Admins, he will not have access. If I change the user's primary group to Domain Admins and restart Samba he can then access the directory. However, he will not be able to access directories that have the group Domain Users, because that is no longer his primary group. If I open SWAT and look at the Status I see that it tags one group to the user that is accessing the share.

Is this just the way it is or is there a work-around? This is a huge stepback for me if it is. Am I also wrong in assuming that I can only add one group per directory?

HackThor 04-13-2004 06:12 PM

Well, it's with SAMBA just like with WINDOWS - you better wait for the next version :) Samba 3.0.2a has a (bad) bug with secondary groups: they are ignored if the option "winbind use default domain" is set to "yes" (and this way switching off the own domain is enforced). The latest pre-release has this bug fixed, among others, but is not (yet) recommended for production systems....
For the stable version it helps to disable the default domain, and after a restart of the winbind daemon (and maybe SAMBA too) it honors all groups the user is a member of. Just tested successfully with a W2K server and a Mandrake 9.2 with SAMBA 3.0.2a as client - it works like a charm: locked out the user's primary group (Domain Users) completely by ACL and enabled full access to the 3rd group the user is a member of (a global group). Result: I'm able to create new folders and documents within the changed folder, granted by the additional group.

Another hint for all (future...) SAMBA+Winbind+ADS users: when using the Linux/UNIX "id" to look up group membership (in addition to "net user info <name>"), write the name exactly the same way it is listed in the AD; just one letter spelled wrong (upper-/lowercase) returns only the primary group....

ciao

Michael

ALP 04-13-2004 06:54 PM

Looking at the steps you folks have followed to make this work it seems I'm missing the info in the smbusers file. Exactly what needs to be done with this file?

Thanks

hlslaughter 04-13-2004 08:56 PM

Do yourself a huge favor and just buy the book I mentioned in my earlier post. Everything you need is in there. I just got my copy, and it's a great book to have, and it explains this ADServer/Samba hell in great detail in Chapter 9.

As far as your question's answer, it's in this thread, you just have to read it.

saylestock 04-14-2004 09:09 AM

Thank you HackThor for the information. I will give that a try as the workaround. I work for a medium sized company and really need the different groups to work. I also have a need for many different people to have different access to the same areas. This is where it has been a little challenging since Linux only has one user/group/others for permissions. But this will get me going again.

Thanks again Harry...I will go buy the book today. I bought what I thought was the book you were mentioning, but I clicked on the link and the cover is different. Mine is "The Official Samba 3", written by the same people, but I guess this one is more up to date and with more information on the areas I need.

Sam

sandiegocal 04-15-2004 05:25 PM

Buy it if you like, but you can download it for free at samba.org. It is 748 pages in PDF format. http://us1.samba.org/samba/docs/Samb...Collection.pdf

Trust me, it is plenty confusing; although it is a good technical reference, it is definitely not my idea of a "howto".

However, I did just place an order at Amazon for Samba 3: By Example ... by John Terpstra. The same guy wrote both books, but this one is supposed to be the cookbook.

We will see.

Linux_Newbie_se 05-02-2004 12:49 PM

How are permissions handled in your installations?
 
I've been looking into converting a couple of file servers from Windows -> Linux.

From what I've heard you can use ACL to control permissions on the files and directories on the SAMBA server, against users in the windows AD.

The only problem is that this is disabled in the default build and RPMs.
Trying to build Samba with ACL, winbind, LDAP and Kerberos support seems not to work at all.

Is this wrong?
Is there a way to configure user and group permissions without the ACL support in SAMBA 3.0.2a (or 3.0.3, which has just been released), or are you just linking Windows groups against a Linux group?

// Henrik, Sweden.

saylestock 05-04-2004 12:40 PM

From what I have experienced you only use ACLs to set the share access. Once in the share you use Linux, Kerberos, or LDAP. I am using Kerberos and I don't need to map groups to Windows groups. I can actually see all the AD groups from my Linux box and add the AD groups and users directly. I was having a problem getting Samba to see all the AD groups that a user was a member of. It only wanted to use the user's primary AD group. This was a bug and was fixed in the beta version 3.0.3pre2.

Sam

frogman 05-04-2004 01:46 PM

Cheers for the thread, I'm about to do the same thing (win > nix fileserver), you've saved me a lot of aggro.

fatcake 05-10-2004 07:33 AM

I tried to do this with SuSE 9.0 for 3 months and failed; now, since SuSE 9.1 comes with Samba 3.0.2a, I've been trying again for some days, and I think I am quite close.
I can join the domain.
I can run wbinfo -u and it works correctly.
I can run kinit and it works.
At the logon screen I see all my domain users, but as soon as I try to log in as a domain member I get an error saying X-session login is disabled,
but from any MS machine I can use this profile. I am afraid this has to do with PAM but I do not know much about it; maybe somebody can help,
because I'm starting to dream of smb.conf.

dacul-n-ny 05-29-2004 10:47 PM

Looks like I'm stuck with a Win2K domain using ADS & the higher-ups want Linux file/web/mail servers. Looked through ALL the books by Terpstra & they are informative, but I still cannot map drives from Windows 2K clients to the Linux server. It keeps coming back with a dialog box saying "incorrect password or username". Need some guidance here if you can.

Conf files:

smb.conf :

[global]
unix charset = LOCALE
workgroup = HOME
realm = CULLUM.COM
security = ADS
netbios name = WEBMAIL
encrypt passwords = yes
printcap name = /etc/printcap
load printers = no
domain master = No
log level = 5
log file = /var/log/samba/%m.log
max log size = 50
interfaces = 172.19.220.3/24
local master = no
dns proxy = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
template shell = /bin/false
winbind separator = +
winbind use default domain = yes
password server = *
guest ok = yes
ldap ssl = no


[homes]
comment = Home Directories
preserve case = yes
browseable = yes
writeable = yes
short preserve case = yes
****************************************************************************
krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = CULLUM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true

[realms]
CULLUM.COM = {
kdc = pdc-a.cullum.com:88
kdc = pdc-b.cullum.com:88
admin_server = pdc-b.cullum.com:644
default_domain = cullum.com
}

[domain_realm]
.cullum.com = CULLUM.COM
cullum.com = CULLUM.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
****************************************************************************
nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
****************************************************************************
Tests:

[root@webmail samba]# wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
Domain Computers
Domain Users
Domain Guests
Group Policy Creator Owners
Cert Publishers
Domain Controllers
Enterprise Admins
Domain Admins
Schema Admins
DnsUpdateProxy
linux
****************************************************************************
[root@webmail samba]# wbinfo -u
bcullum
IWAM_PDC-B
IUSR_PDC-B
root
webmail/webmail
Guest
TsInternetUser
Administrator
krbtgt
dbcullum
dhcpuser
dacul
BILL-P4$
NS2$
HOST/webmail
WKSTN2K$
NS1$
PDC-B$
PDC-A$
****************************************************************************
group mappings:

[root@webmail samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> nobody
Domain Users (S-1-5-21-3378732851-2348953953-3721217398-513) -> users
Power Users (S-1-5-32-547) -> root
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-3378732851-2348953953-3721217398-512) -> root
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-3378732851-2348953953-3721217398-514) -> nobody
SambaUsers (S-1-5-21-3378732851-2348953953-3721217398-2001) -> sambausers
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
****************************************************************************

The only problems I encountered when I set this up was I had to use the -a switch in the smbpasswd command to match the win2k administrator password & when I ran testparm on the smb.conf file it came back with "'winbind separator = +' might cause problems with group membership"

On the PDCs the group "SambaUsers" has all the domain users & computers as members. I've been working on this for a month now with RedHat 9 w/ the latest versions of Kerberos & Samba and now w/ Fedora Core 2 using the default versions. The current versions:

samba-client-3.0.3-5
system-config-samba-1.2.9-2
samba-3.0.3-5
samba-swat-3.0.3-5
samba-common-3.0.3-5

pam_krb5-2.0.10-1
krb5-libs-1.3.3-1
krb5-workstation-1.3.3-1
krb5-devel-1.3.3-1
krb5-server-1.3.3-1

By the way the pam config file has not been touched (messed up on RedHat 9 & could not log back in. Not even locally as root!)

Any help you or anybody can give me would be appreciated.

Goma_2 05-31-2004 06:43 AM

hi.

I want to add something about the smbusers file when using Samba 3 with security = ADS.

I use SuSE 9.1 with Samba 3 and have managed to use security = ADS to validate user access to shares against a Win2003 server Active Directory domain.
With Samba 3 and security = Domain everything works well.
However, with security = ADS, I now seem to have a problem with mapping the Windows administrator user to my user (jgm) on the Samba box.
Details:
--- jgm exists on both the Linux and Windows 2003 boxes.
--- on the Samba box, I have "jgm = administrator" in /etc/samba/smbusers.
--- smbusers is included in smb.conf as "username map = /etc/samba/smbusers"

All this worked with security = Domain, but now, with ADS, when I log on to WinXP as administrator and access a Samba share, I'm prompted for username & password. If I enter "jgm" and password I'm granted access to the share as jgm (I see my jgm home folder, so trust me here).

This is a minor inconvenience, I know, but it troubles me because it's as if Samba 3 with ADS has forgotten to use the "username map = /etc/samba/smbusers" parameter of smb.conf, and although it authenticates "administrator" against Active Directory, it doesn't know what to do next with this user called "administrator" who isn't a Linux user.

The rest of the users, which have the same names on Linux and Windows, don't have this problem; they log onto all Samba shares transparently.

Does anyone use smbusers successfully with Samba 3 and security = ADS?
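Goma_2's question, and ALP's earlier one about what belongs in smbusers, both come down to how Samba evaluates the `username map` file. The script below is an added example written for this page, not code from the thread or from Samba. It replays the matching rules smb.conf(5) documents for that file (one `unixname = winname ...` line per mapping, `@group` and `*` on the right-hand side, processing that continues with the mapped name unless the matching line starts with `!`) against two constructed smbusers files and a constructed /etc/group. Two simplifications are assumptions of the demo: names are compared case-insensitively, and group membership is read only from the member list of the group file. It shows why `root = administrator` followed by a `guest = *` catch-all silently turns administrator into guest unless the first line is written `!root = administrator`. It does not model at which point of an ADS logon Samba applies the map, which is the part of Goma_2's report that cannot be reproduced offline.

```shell
#!/bin/sh
# Added example, not from the thread: replays the matching rules Samba documents
# for the "username map" file (smbusers) so a mapping such as 'root = administrator'
# can be checked offline. Rules per smb.conf(5): each line is "unixname = n1 n2 ...",
# lines starting with '#' or ';' are ignored, '@group' on the right matches members
# of that Unix group, '*' matches any name, and a matching line that starts with '!'
# stops further processing; otherwise the mapped name is carried into later lines.
# Demo assumptions: names compare case-insensitively, and group membership comes
# only from the member list of an /etc/group style file.

# username_map MAPFILE GROUPFILE NAME: print the Unix name NAME ends up as.
username_map() {
    awk -v grp="$2" -v name="$3" '
        FILENAME == grp {                 # /etc/group style: name:x:gid:member,member
            n = split($0, g, ":"); m = split(g[4], mem, ",")
            for (i = 1; i <= m; i++) if (mem[i] != "") ingrp[tolower(g[1]), tolower(mem[i])] = 1
            next
        }
        /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            stop = sub(/^[ \t]*!/, "")    # 1 if the line began with "!"
            lhs = substr($0, 1, index($0, "=") - 1); rhs = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", lhs)
            k = split(rhs, list, /[ \t]+/); hit = 0
            for (i = 1; i <= k && !hit; i++) {
                t = list[i]
                if (t == "") continue
                if (t == "*") hit = 1
                else if (substr(t, 1, 1) == "@") hit = ((tolower(substr(t, 2)), tolower(name)) in ingrp)
                else hit = (tolower(t) == tolower(name))
            }
            if (hit) { name = lhs; if (stop) exit }
        }
        END { print name }' "$2" "$1"
}

# Constructed sample data: a group file and two smbusers files that differ only
# in whether the specific mappings are terminated with '!' before the wildcard.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' 'wheel:x:10:root,mary' 'sambausers:x:1001:fred,jgm' >"$DEMO/group"
printf '%s\n' '# constructed: specific mappings stop processing before the catch-all' \
    '!root = administrator admin' '!nobody = guest pcguest smbguest' \
    '!jgm = @sambausers' 'guest = *' >"$DEMO/smbusers-good"
printf '%s\n' '# constructed: same mappings without "!", so the wildcard re-maps everyone' \
    'root = administrator admin' 'nobody = guest pcguest smbguest' 'guest = *' >"$DEMO/smbusers-broken"

for who in Administrator fred mary root; do
    printf '%-14s -> %-6s (good map)   %s (broken map)\n' "$who" \
        "$(username_map "$DEMO/smbusers-good" "$DEMO/group" "$who")" \
        "$(username_map "$DEMO/smbusers-broken" "$DEMO/group" "$who")"
done
```

With the good map, Administrator becomes root and stops there, fred becomes jgm through the `@sambausers` membership, and mary falls through to the guest catch-all. With the broken map every name, Administrator included, ends up as guest, because the `guest = *` line is evaluated against the already-mapped name. A catch-all at the end of smbusers is therefore only safe if every line above it starts with `!`.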

tias 06-18-2004 05:08 AM

Ok,

I've used the configurations found in this thread, and I'm able to join the domain, which is great, and I can also use Windows machines logged on to the AD to access shares on the Samba machine without having to type passwords or anything.
Great!
But!
I would like to manage the computer from the AD-server using Computer Management.
Does anyone know if this is possible?
I can see the computer in the AD server and I can click Manage, but when I try to change anything or view the shares, etc., I get a message that says: "Access is denied".
I can't stop shares or add groups or users for access to the shares.
I would also prefer to be able to add shares, but I understand if that isn't possible.

Anyone else who had a problem with this?
Or has someone even looked in to it?

/Mattias

Pdoe 06-22-2004 09:42 AM

First off,

Cheers to everyone contributing to this post. I spent the better part of 3-4 days working on setting up a fileserver and this thread has kept me sane. I pretty much followed this to a T:

Quote:

- shut down smb
- remove /var/cache/samba/* - get rid of prior misconfigured files
- remove /etc/samba/secrets.tdb
- remove host from the ADS domain (done from the windows side)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with kerberos 1.3.1)
- configure /etc/samba/smb.conf - below is the global section of our conf:

# Global parameters
[global]
unix charset = LOCALE
workgroup = OURADSGROUP
realm = OURADSDOMAIN.COM
security = ADS
log level = 5
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
domain master = No
wins server = (wins server IP)
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
winbind separator = +
winbind use default domain = Yes

- added 'sambausers' group to samba host
- added 'SambaUsers' group to ADS
- edit /etc/samba/smbusers to include line 'root = administrator'
- join ADS domain: net ads join -U administrator
- verify it worked: wbinfo -u ; wbinfo -g
- map some NT/Unix groups:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- verify changes: net groupmap list
- restart winbind (may not be necessary).
I was able to join the domain, I can query users and groups (wbinfo -u or -g), wbinfo -t is successful, I can chown dirs to users and groups created on the Win AD server, I can even log in locally on the Linux machine using an AD account created on the Win machine.....BUT I'm still having a little issue. I can't seem to modify permissions on shares from a Win machine. For example:

Right clicking on a share on a Win machine and going to the Security tab, I try to remove "Everyone" from the list. As soon as I hit Apply, "Everyone" comes right back. If I try to add a user or group I get "Unable to change permission changes on ***** Access Denied."

The share is owned by the user and I've chmod'ed 755 that dir. Can anyone point me in the direction of where I may have gone wrong?

Heres my samba config
Quote:

[global]
unix charset = LOCALE
workgroup = DOMAIN
realm = rochester.domain.com
netbios name = PSCFILE01
security = ADS
client signing = yes
client use spnego = yes
server string = PSCFILE01
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = no
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
local master = no
domain master = no
template primary group = sambausers
winbind separator = +
winbind use default domain = no
ldap ssl = no


;security and logging settings
password server = PSCMAIL01.ROCHESTER.DOMAIN.COM
encrypt passwords = yes
domain logons = no
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
interfaces = 10.0.0.3

[new]
path = /home/newfolder
fstype = NTFS
read only = no
browseable = yes
writable = yes
security mask = 0750
acl support = yes
directory mask = 0750
force security mode = 0750
force directory security mode = 0750
directory security mask = 0750


I modified nsswitch.conf as follows:

Quote:

passwd: files winbind
shadow: files winbind
group: files winbind

and krb5.conf as follows:
Quote:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = ROCHESTER.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
ROCHESTER.DOMAIN.COM = {
kdc = PSCMAIL01.ROCHESTER.DOMAIN.COM:88
admin_server = PSCMAIL01.ROCHESTER.DOMAIN.COM:749
default_domain = ROCHESTER.DOMAIN.COM
}

[domain_realm]
.rochester.domain.com = ROCHESTER.DOMAIN.COM
rochester.domain.com = ROCHESTER.DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

One last thing... is an LDAP server necessary for this to work properly?

Any help is greatly appreciated ..... thanx again !

jsun9 07-22-2004 02:11 PM

For those of you with Fedora Core 2, did winbind install? It's not showing up under my services like it did on Enterprise 3.

Also, has anyone been able to create a fileserver joined to a NT4 domain and setup shares using NT4 domain users? I have a mixed network and I can list all the users from every domain (ADS based), but that's about it.

Also wbinfo -u / -g will not work in ADS mode...only in Domain.

Any ideas as to what is up would be greatly appreciated.

jsun9 07-22-2004 07:14 PM

Do you use Samba to configure shares? If so, if you click on the "Properties" button and then click "Access".. are you supposed to see a list of all the domain users in there? The only place I see a list domain users is under "Samba Users" under the "Unix Username" drop down. But I don't know what to do with it. Any insight would be helpful!

jsun9 07-23-2004 10:59 AM

FYI: The book hlslaughter was talking about, "Samba-3 by Example" by John H. Terpstra, is available for download from the Samba.org website here. Also (as posted earlier in this topic), the book "The Official Samba-3 HOWTO and Reference Guide" is also available for download.

