Authenticating to Samba share using "Active Directory Server"
DISCLOSURE: This is not a noob question. The answer to this question is not on google. The answer won't be found by reading the Samba docs. Unless you've gotten this to work yourself, you probably shouldn't read any further. You do not have the answer, and you are very unlikely to find it.
I'm definitely a casual Samba admin. I'm no expert, but I've always been able to get it to do the basics after no more than a few hours of painful configuration. However, my latest goal seems beyond me. The goal is this: allow users of a Microsoft "domain" to access a Samba share using that "domain"'s Active Directory usernames and passwords.

I've spent 4 days reading the following documents and trying out their versions of how this should work:

http://www.wlug.org.nz/HowtoSamba3An...tory?version=6
http://acd.ucar.edu/~fredrick/linux/samba3/
http://www.pcquest.com/content/linux/104010509.asp
http://www.enterpriseitplanet.com/ne...1315_2246911_2
http://asia.cnet.com/itmanager/netad...9081966,00.htm
http://www.nyetwork.org/fvlug/Fvlug_Samba3.ppt
http://us3.samba.org/samba/docs/man/

At this point, I believe I'm able to authenticate to the ADServer from my Samba host, but I'm not able to access shares from a Windows box. I'm using Redhat's krb5-libs-1.2.7-8, krb5-workstation-1.2.7-8, krb5-devel-1.2.7-8, along with Samba 3.0.2a. I've successfully added the Samba host to the ADS "domain", and it now appears in this domain under the MS neighborhood browsing widget.

I won't go into all the details of my configuration and all that. I believe it's all sound, as I can run the various commands listed in the links above. But none of these documents address accessing a Samba share from a Windows box using ADS. And I'd think that would be the primary goal for this new ADS compatibility. Or is the ADS compatibility there ONLY to allow Unix users to access Windows shares using ADS??

Thanks, Harry |
You're lucky it's only been 4 days; I've been at it for 3 weeks. I was beginning to think I was the only one that couldn't get this to work. If you happen to come across a solution, please post it.
You can check my post below, it sounds like the same issue. http://linuxquestions.org/questions/...hreadid=161421 |
I just heard of another poor fellow who's been working at this same thing for nearly 6 months. :cry:
From everything I've read, I'm fairly confident it can't be done. At least not with Samba 3.0.2Beta. I think all the ADS hoopla is about the fact that Unix users can now mount Windows shares using ADS authentication. Who cares? When was the last time you found anything worthwhile on an NTFS drive? I don't understand why the Samba developers don't emphasize features that help Samba do what it does best: serve as a cheap file server for Windows users. Most Unix users that work in a Windows environment have a 2nd Windows box anyway.

But by far the most frustrating part about using Samba is the horrible support. Samba usenet groups are overflowing with noob questions and few answers. The Samba team won't respond if you write them with a legit question such as ours. I've worked a little with Samba over the last 6 years, and it is the most complicated thing to configure I've run across. Apache can be difficult too, but at least it works as described for the most part; tweaking one value doesn't usually mess up 4 other values, as always seems to be the case with Samba. It looks at this point that we're going to have to install Winblows on our Samba box if we want to run a file server. And given that Samba is 10 years old, I think that fact is pretty sad. |
Doh. This is a toughie. I've not tried it since ADS is a resource bear.... but I take it you're using Kerberos?
Doesn't ADS also support LDAP? curious if there is a workaround to this... J |
Yes, the ADS communication requires kerberos. If you set up Samba as described in many of the links I originally posted, you can access Winblows shares using ADS and kerberos. I think it works pretty well, though I didn't really dig deep into the unix -> ADS/winblows functionality. I'm interested only in the winblows -> samba share/ADS functionality.
|
OK, we got it to work.
Thanks go to John Terpstra of the Samba team, who helped us get it working. Without going into complete detail, what was required for *us* to get it working was primarily MIT Kerberos 1.3.1. To install this without hacking our Redhat 9 install, we upgraded to Fedora 1, which comes with 1.3.1. Once we had this, these are the rough steps we took:

- shut down smb
- remove /var/cache/samba/* (get rid of prior misconfigured files)
- remove /etc/samba/secrets.tdb
- remove host from the ADS domain (done from the Windows side)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with Kerberos 1.3.1)
- configure /etc/samba/smb.conf; below is the global section of our conf:

  # Global parameters
  [global]
          unix charset = LOCALE
          workgroup = OURADSGROUP
          realm = OURADSDOMAIN.COM
          security = ADS
          log level = 5
          log file = /var/log/samba/log.%m
          max log size = 50
          load printers = No
          domain master = No
          wins server = (wins server IP)
          ldap ssl = no
          idmap uid = 15000-20000
          idmap gid = 15000-20000
          template primary group = sambausers
          winbind separator = +
          winbind use default domain = Yes

- added 'sambausers' group to the Samba host
- added 'SambaUsers' group to ADS
- edit /etc/samba/smbusers to include the line 'root = administrator'
- join ADS domain: net ads join -U administrator
- verify it worked: wbinfo -u ; wbinfo -g
- map some NT/Unix groups:
  net groupmap modify ntgroup="Domain Users" unixgroup=users
  net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
  net groupmap modify ntgroup="Domain Admins" unixgroup=root
  net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- verify changes: net groupmap list
- restart winbind (may not be necessary)

Done. This is how *we* got it to work, not necessarily how you will get it to work. But there currently is no single source of documentation on how to set this up. This should change soon with the release of John Terpstra's new book, Samba 3 by Example: Practical Exercises to Successful Deployment.
I can follow up on this thread if anyone has questions. I'll help as much as I can :) Harry |
Well done on getting this to work. I'm sure it will help many people. Perhaps you would consider writing a Linux Answer on the subject:
http://www.linuxquestions.org/questions/answers.php |
Now how about LDAP across samba / windows? ;)
and good work on finding the solution. this should come in handy for most admins dealing with mixed environs. |
Check out this post: http://www.linuxquestions.org/questions/history/153836. It is based off a Suse 9 install but most of the configs are interchangeable. Also, Suse 9.1 is supposed to have Active Directory built in through Samba 3.
|
Glad you got it working. You lucked out finding someone who really knows their stuff. I'm still struggling with it, a little closer perhaps but still not 100% (not even close actually). If you could post some more details on the install it would be great.
TIA |
ALP, have you done all the things I listed above, most importantly updating the krb5-* packages?
|
I forgot a step.
You should run 'smbpasswd root' and change that password to match the ADS domain Administrator's password, since Administrator should map to root. I'm not certain this step is necessary, though, but it's part of what we did. I'm not going to write this up as a formal answer, as it does not cover anything but our particular situation. As I said, if you want the authoritative answer for your specific situation, you should buy a copy of Terpstra's book when it's released (this month?). |
For the most part the settings are the same. I gave in and spent the last couple of hours downloading and installing Fedora. I will give it a try with the new krb5.
I noticed you didn't mention the nsswitch.conf, didn't you have to modify it? What configure options did you use with Samba or did you use the version that comes with Fedora? TIA |
Damnit, I left the nsswitch.conf stuff out. You are correct, that was necessary too.
I will post that conf tomorrow from work. Sorry I'm not more precise, but we had trouble keeping up with all the help we were getting and neglected to take careful notes :) |
Sorry I forgot to post this step. Here are the entries in my /etc/nsswitch.conf file:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus |
For what I know, ADS is a new kind of M$-made security: security by complexity. Meaning this damn thing is so dark, creepy and badly documented that any evil hacker will get discouraged by it and so won't try to hack it (that's what M$ staff think, at least).
So if you spend ONLY 4 days to make it work using Samba (call Micro$oft, they will prolly try to convince you that ADS will never work with Samba and that you need a Windoze 2003 server), you are a very good sysadmin lol. So I voted "somewhat complex" |
If you were here I would give you a big kiss....not really, but I express my sincere gratitude for this post. I have lost hair and what was left turned gray over this topic. Through this post and some black magic I finally had success.
To those still having some problems, I had to do one more thing that I found in a book titled "The Official SAMBA-3 HOWTO and Reference Guide" on page 168. From a Windows 200x or XP Pro box, connect to the share using netbiosname\root (example: fedora\root) and the root password. Find the Samba server through the Computer Management console. Go to the Shared Folders and then double click on the share. Click the Share Permissions tab and then add the desired user or group for access control entities. After that I was successful with an ADS account. |
yes, i think the answer is in this thread, up to the reader to make heads or tails :)
|
I thought I had everything working correctly. ADS authentication seems to work somewhat, but I am having some issues that I was hoping someone can point me in the right direction on.
"wbinfo -u", "wbinfo -g" and "net group" all show the correct information. For example: I have a directory called test. If I assign the group root or Domain Admins, I do not have access to the directory using an account that is a member of Domain Admins. The only way I can get it to work is to assign the group Domain Users to the directory. But needless to say, everybody then has permission. It seems to assume that all users are only a member of Domain Users and nothing else. Any help given would be greatly appreciated. |
Did you edit your /etc/nsswitch.conf and /etc/samba/smbusers files and restart smb?
|
Yes. I am hoping this is not a limitation of Linux; I really want to replace some Windows fileservers. Samba seems to only recognize one group for each user. It bases the group on the user's primary group in AD. Example: if I have a directory called test with the group permission set to Domain Admins and attach with a user who is in the group Domain Admins, he will not have access. If I change the user's primary group to Domain Admins and restart Samba he can then access the directory. However, he will not be able to access directories that have the group Domain Users, because that is no longer his primary group. If I open SWAT and look at the Status I see that it tags one group to the user that is accessing the share.
Is this just the way it is or is there a work-around? This is a huge stepback for me if it is. Am I also wrong in assuming that I can only add one group per directory? |
Well, it's with SAMBA just like with WINDOWS: you'd better wait for the next version :) The 3.0.2a has a (bad) bug with secondary groups: they are ignored if the option "winbind use default domain" is set to "yes" (and this way switching off the own domain is enforced). The latest Pre has this bug fixed among others, but is not (yet) recommended for production systems....
For the stable version it helps to disable the default domain, and after a restart of the winbind daemon (and maybe SAMBA too) it honours all groups the user is a member of. Just tested successfully with a W2K server and a Mandrake 9.2 with SAMBA 3.0.2a as client; it works like a charm: locked out the user's primary group (Domain Users) completely by ACL and enabled full access to the 3rd group the user is a member of (a global group). Result: I'm able to create new folders and documents within the changed folder, granted by the additional group.

Another hint for all (future...) SAMBA+Winbind+ADS users: when using the Linux/UNIX "id" to look up group membership (in addition to "net user info <name>"), write the name exactly the same way it is listed in the AD; just one letter spelled wrong (upper/lowercase) returns only the primary group....

ciao Michael |
Looking at the steps you folks have followed to make this work it seems I'm missing the info in the smbusers file. Exactly what needs to be done with this file?
Thanks |
Do yourself a huge favor and just buy the book I mentioned in my earlier post. Everything you need is in there. I just got my copy, and it's a great book to have. And it explains this ADServer/Samba hell in great detail in Chapter 9.
As far as your question's answer, it's in this thread; you just have to read it. |
Thank you HackThor for the information. I will give that a try as the workaround. I work for a medium sized company and really need the different groups to work. I also have a need for many different people to have different access to the same areas. This is where it has been a little challenging, since Linux only has one user/group/others for permissions. But this will get me going again.
Thanks again Harry... I will go buy the book today. I bought what I thought was the book you were mentioning, but I click on the link and the cover is different. Mine is "The Official Samba 3", written by the same people, but I guess this one is more up to date and with more information on the areas I need. Sam |
Buy it if you like, but you can download it for free at samba.org. It is 748 pages in PDF format. http://us1.samba.org/samba/docs/Samb...Collection.pdf
Trust me, it is plenty confusing; although it is a good technical reference, it is definitely not my idea of a "howto". However, I did just place an order at Amazon for Samba 3: By Example ... by John Terpstra. Same guy wrote both books, but this one is supposed to be the cookbook. We will see. |
How is permissions handled in your installations?
I've been looking into converting a couple of file servers from Windows -> Linux.
From what I've heard you can use ACLs to control permissions on the files and directories on the SAMBA server, against users in the Windows AD. The only problem is that this is disabled in the default build and RPMs. Trying to build Samba with acl, winbind, ldap and kerberos seems not to work at all. Is this wrong? Is there a way to configure user and group permissions without the ACL support in SAMBA 3.0.2a (or 3.0.3, which has just been released), or are you just linking Windows groups against a Linux group? // Henrik, Sweden. |
From what I have experienced you only use ACLs to set the share access. Once in the share you use Linux, Kerberos, or LDAP. I am using Kerberos and I don't need to map groups to Windows groups. I can actually see all the AD groups from my Linux box and add the AD groups and users directly. I was having a problem getting Samba to see all the AD groups that a user was a member of. It only wanted to use the user's primary AD group. This was a bug and was fixed in the beta version 3.0.3pre2.
Sam |
Cheers for the thread, I'm about to do the same thing (win > nix fileserver), you've saved me a lot of aggro.
|
I tried to do this with Suse 9.0 for 3 months and failed; now, since Suse 9.1 comes with Samba 3.0.2a, I've been trying again for some days, and I think I am quite close.
I can join the domain. I can run wbinfo -u and it works correctly. I can run kinit and it works. At the logon screen I see all my domain users, but as soon as I try to log in as a domain member I get an error saying X-session login is disabled. But from any MS machine I can use this profile. I am afraid this has to do with PAM, but I do not know much about it. Maybe somebody can help, because I've started dreaming of smb.conf. |
Looks like I'm stuck w/ a Win2K domain using ADS & the higher ups want Linux file/web/mail servers. Looked through ALL the books by Terpstra; informative, but I still cannot map drives from Windows 2K clients to the Linux server. Keeps coming back with a dialogue box saying "incorrect password or username". Need some guidance here if you can.
Conf files:

smb.conf:

[global]
        unix charset = LOCALE
        workgroup = HOME
        realm = CULLUM.COM
        security = ADS
        netbios name = WEBMAIL
        encrypt passwords = yes
        printcap name = /etc/printcap
        load printers = no
        domain master = No
        log level = 5
        log file = /var/log/samba/%m.log
        max log size = 50
        interfaces = 172.19.220.3/24
        local master = no
        dns proxy = no
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template primary group = sambausers
        template shell = /bin/false
        winbind separator = +
        winbind use default domain = yes
        password server = *
        guest ok = yes
        ldap ssl = no

[homes]
        comment = Home Directories
        preserve case = yes
        browseable = yes
        writeable = yes
        short preserve case = yes

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = CULLUM.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 forwardable = true
 proxiable = true

[realms]
 CULLUM.COM = {
  kdc = pdc-a.cullum.com:88
  kdc = pdc-b.cullum.com:88
  admin_server = pdc-b.cullum.com:644
  default_domain = cullum.com
 }

[domain_realm]
 .cullum.com = CULLUM.COM
 cullum.com = CULLUM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

nsswitch.conf:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus

Tests:

[root@webmail samba]# wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
Domain Computers
Domain Users
Domain Guests
Group Policy Creator Owners
Cert Publishers
Domain Controllers
Enterprise Admins
Domain Admins
Schema Admins
DnsUpdateProxy
linux

[root@webmail samba]# wbinfo -u
bcullum
IWAM_PDC-B
IUSR_PDC-B
root
webmail/webmail
Guest
TsInternetUser
Administrator
krbtgt
dbcullum
dhcpuser
dacul
BILL-P4$
NS2$
HOST/webmail
WKSTN2K$
NS1$
PDC-B$
PDC-A$

Group mappings:

[root@webmail samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> nobody
Domain Users (S-1-5-21-3378732851-2348953953-3721217398-513) -> users
Power Users (S-1-5-32-547) -> root
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-3378732851-2348953953-3721217398-512) -> root
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-3378732851-2348953953-3721217398-514) -> nobody
SambaUsers (S-1-5-21-3378732851-2348953953-3721217398-2001) -> sambausers
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users

The only problems I encountered when I set this up were that I had to use the -a switch in the smbpasswd command to match the Win2K administrator password, and when I ran testparm on the smb.conf file it came back with "'winbind separator = +' might cause problems with group membership". On the PDCs the group "SambaUsers" has all the domain users & computers as members.
I've been working on this for a month now with Red Hat 9 w/ latest versions of Kerberos & Samba and now w/ Fedora Core 2 using the default versions. The current versions:

samba-client-3.0.3-5
system-config-samba-1.2.9-2
samba-3.0.3-5
samba-swat-3.0.3-5
samba-common-3.0.3-5
pam_krb5-2.0.10-1
krb5-libs-1.3.3-1
krb5-workstation-1.3.3-1
krb5-devel-1.3.3-1
krb5-server-1.3.3-1

By the way, the PAM config file has not been touched (messed up on Red Hat 9 & could not log back in, not even locally as root!). Any help you or anybody can give me would be appreciated. |
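As an added check (an example script written for this thread, not code posted by anyone above and not part of the Samba project), the POSIX sh script below turns the checklist that has accumulated here into something you can run before starting the daemons: the [global] settings the solution post needed (security = ADS, a realm, idmap uid/gid ranges), the nsswitch.conf entries for passwd and group, HackThor's caveat that 3.0.2a with "winbind use default domain = yes" ignores a user's secondary groups, and the net groupmap list output just above, which still has several BUILTIN groups at -1 and maps both Domain Admins and Power Users onto root. The script name check_ads_member.sh and the three file paths it takes are assumptions; the Samba commands it tells you to run afterwards (net ads testjoin, wbinfo -t, wbinfo -u) are the real ones.

```shell
#!/bin/sh
# check_ads_member.sh (hypothetical name): static checks for a Samba 3
# "security = ADS" member server, run before touching smbd/winbindd.
# Added example for this thread; not Samba project code. It reads only
# the files named on the command line and never contacts the DC.

# smbconf_get FILE KEY: print KEY's value from smb.conf (first match,
# case-insensitive, spaces around '=' ignored); prints nothing if unset.
smbconf_get() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" -F= '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        NF >= 2 {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)   # keep any "=" in the value
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_smbconf FILE: 0 when the [global] settings an ADS member needs are
# present, 1 otherwise; one finding per line on stdout.
check_smbconf() {
    smb_rc=0
    sec=$(smbconf_get "$1" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] || { echo "security is '$sec', expected ADS"; smb_rc=1; }
    [ -n "$(smbconf_get "$1" realm)" ] || { echo "realm is not set"; smb_rc=1; }
    for k in "idmap uid" "idmap gid"; do
        [ -n "$(smbconf_get "$1" "$k")" ] || { echo "$k range is not set"; smb_rc=1; }
    done
    # Caveat from the thread: 3.0.2a drops a user's secondary groups when
    # this is yes, so ACLs granting anything but the primary group never apply.
    defdom=$(smbconf_get "$1" "winbind use default domain" | tr 'A-Z' 'a-z')
    case "$defdom" in
        yes|true|1) echo "winbind use default domain = yes: 3.0.2a ignores secondary groups" ;;
    esac
    return $smb_rc
}

# check_nsswitch FILE: 0 when passwd and group both consult winbind, which
# getent/id need in order to resolve domain users and groups at all.
check_nsswitch() {
    nss_rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || { echo "nsswitch: $db does not list winbind"; nss_rc=1; }
    done
    return $nss_rc
}

# check_groupmap FILE: FILE holds saved output of 'net groupmap list'
# ("NT name (SID) -> unixgroup"). Flags NT groups with no unix group (-1)
# and any group mapped onto root, whose members then act as uid 0 here.
check_groupmap() {
    awk '
        /\) -> / {
            unix = $NF
            nt = $0; sub(/ \(S-1-.*$/, "", nt)      # strip "(SID) -> group"
            if (unix == "-1")        { print "unmapped: " nt; n++ }
            else if (unix == "root") { print "mapped to root: " nt; n++ }
        }
        END { exit (n > 0) }' "$1"
}

# main SMBCONF NSSWITCH GROUPMAP_OUTPUT: run all three, 0 only if all pass.
main() {
    main_rc=0
    check_smbconf "$1"  || main_rc=1
    check_nsswitch "$2" || main_rc=1
    check_groupmap "$3" || main_rc=1
    [ $main_rc -eq 0 ] && echo "static checks passed; now run: net ads testjoin; wbinfo -t; wbinfo -u"
    return $main_rc
}

# Only run when executed as the script itself, not when sourced for its functions.
case "$(basename "$0")" in
    check_ads_member.sh) main "$@" ;;
esac
```

Save the groupmap output first (net groupmap list > /tmp/groupmap.txt) and then run: sh check_ads_member.sh /etc/samba/smb.conf /etc/nsswitch.conf /tmp/groupmap.txt. A clean result only means the static configuration matches what this thread found necessary; the domain-side checks (testjoin, the machine trust secret, user enumeration) still have to pass, and a "mapped to root" finding is not an error in itself, only a prompt to confirm that every member of that domain group is meant to be uid 0 on the file server.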
hi.
I want to add something about the smbusers file when using Samba 3 with security = ADS. I use SuSE 9.1 with Samba 3 and have managed to use security = ADS to validate user access to shares against a Win2003 server Active Directory domain. With Samba 3 and security = Domain everything works well. However, with security = ADS, I now seem to have a problem with mapping the Windows administrator user to my user (jgm) on the Samba box.

Details:
--- jgm exists on both the Linux and Windows 2003 boxes.
--- on the Samba box, I have "jgm = administrator" in /etc/samba/smbusers.
--- smbusers is included in smb.conf as "username map = /etc/samba/smbusers"

All this worked with security = Domain, but now, with ADS, when I log on to WinXP as administrator and access a Samba share, I'm prompted for username & password. If I enter "jgm" and password I'm granted access to the share as jgm (I see my jgm home folder, so trust me here). This is a minor inconvenience, I know, but it troubles me because it's as if Samba 3 with ADS has forgotten to use the "username map = /etc/samba/smbusers" parameter of smb.conf, and although it authenticates "administrator" against Active Directory, it doesn't know what to do next with this user called "administrator" who isn't a Linux user. The rest of the users, which have the same names on Linux and Windows, don't have this problem; they log onto all Samba shares transparently.

Does anyone use smbusers successfully with Samba 3 and security = ADS? |
Ok,
I've used the configurations found in this thread, and I'm able to join the domain, which is great, and I can also use Windows machines logged on to the AD to access shares on the Samba machine without having to type passwords or anything. Great!

But! I would like to manage the computer from the AD server using Computer Management. Does anyone know if this is possible? I can see the computer in the AD server and I can click Manage, but when I try to change anything or view the shares, etc., I get a message that says "Access is denied". I can't stop shares or add groups or users for access to the shares. I would also prefer to be able to add shares, but I understand if that ain't possible.

Anyone else who had a problem with this? Or has someone even looked into it?

/Mattias |
First off,
Cheers to everyone contributing to this post. I spent the better part of 3-4 days working on setting up a fileserver and this thread has kept me sane. I pretty much followed this to the T: Quote:
Right-clicking on a share on a Windows machine and going to the Security tab, I try to remove "Everyone" from the list. As soon as I hit Apply, "Everyone" comes right back. If I try to add a user or group I get "Unable to change permission changes on ***** Access Denied." The share is owned by the user and I've chmod'ed that dir 755. Can anyone point me in the direction of where I may have gone wrong? Here's my Samba config: Quote:
I modified nsswitch.conf as follows: Quote:
and krb5.conf as follows: Quote:
One last thing... is an LDAP server necessary for this to work properly? Any help is greatly appreciated..... thanx again! |
For those of you with Fedora Core 2, did winbind install? It's not showing up under my services like it did on Enterprise 3.
Also, has anyone been able to create a fileserver joined to a NT4 domain and setup shares using NT4 domain users? I have a mixed network and I can list all the users from every domain (ADS based), but that's about it. Also wbinfo -u / -g will not work in ADS mode...only in Domain. Any ideas as to what is up would be greatly appreciated. |
Do you use Samba to configure shares? If so, if you click on the "Properties" button and then click "Access", are you supposed to see a list of all the domain users in there? The only place I see a list of domain users is under "Samba Users" under the "Unix Username" drop down. But I don't know what to do with it. Any insight would be helpful!
|
FYI: The book hlslaughter was talking about, "Samba-3 by Example" by John H. Terpstra, is available for download from the Samba.org website here. Also (as posted earlier in this topic), the book "The Official Samba-3 HOWTO and Reference Guide" is also available for download.
|