
Samba3 won't validate through w2k server


philote

MIS
Oct 2, 2003
861
US
I have to enter a username/password every time a Windows XP client tries to connect to a Samba (on RH9) share. I had tried to set up Samba to check username/passwords through our w2k server using Kerberos but obviously that's not working.

In the smb.conf file I have security set to ADS, the realm set to the realm I have in the Kerberos config, and it's set to encrypt passwords. Can someone tell me what else I need to check or point me to a thorough tutorial on how to set it up?

 
what version of samba are you using?

when the user enters his username & password, does it authenticate successfully?



"If you always do what you've always done, you will always be where you've always been."
 
I'm using Samba 3.0.
The users have to be users on the Linux machine in order to get access. Win2k/AD username/passwords don't get granted access.

I've tried all sorts of things and now my smb.conf file probably has a bunch of extra lines it doesn't need. That's why I'd like to find a good walkthrough or tutorial on setting up Samba to authenticate users via Active Directory. I have found a few guides that attempt to tell you how to get Samba to work with Active Directory but they weren't all that good, and it seems they were mainly for connecting the Samba machine to a Windows share.

 
You will need to install and configure LDAP to authenticate AD users to Linux
 
Can you give more specifics? I have ldap installed.

 
Have you tried the winbind option in Samba 3?
I've had far less grey hairs since using it :)


"If you always do what you've always done, you will always be where you've always been."
 
Well, I've tried. But again, I don't know if I did it right. Can you point me to a good walkthrough or give me some tips on setting up winbind?

 
For the winbind daemon to start, you need to have the following in your [global] section of your /etc/samba/smb.conf file

```
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
hostname lookups = Yes
```

Then start the winbind service: `service winbind start`
After it starts, and if everything goes well, you can type `wbinfo -u` to view usernames on the domain,
`wbinfo -g` to view all groups, and
`wbinfo --help` for more info on the options available.

If that works, users on the domain can connect to your Samba server.
You can then set permissions on folders etc.
eg. `chown -R "NTDOM+administrator":"Domain Admins" /admin`


"If you always do what you've always done, you will always be where you've always been."
 
Note that the above will show you users and groups from trusted domains as well.

"If you always do what you've always done, you will always be where you've always been."
 
Now that's the kind of info I was looking for. Have a star.

That allowed me to view the list of users and groups, but I got an 'invalid user' from chown as used in your example. I used the domain and username as it's listed from wbinfo -u. Am I missing something else?

 
Oops, I missed a step.

Type `getent passwd` & `getent group`

Your chown should now work

Also, I believe you can drastically speed up Samba/Winbind by doing the following: (I'm trying it now as well)

(Make backup)
vi /etc/init.d/winbind

Line 30 should read
daemon winbindd

Add a `-B` to the end to read
daemon winbindd -B

This allows the daemon to run in dual daemon mode, which improves performance.




"If you always do what you've always done, you will always be where you've always been."
 
PS. Note that the above allows users to SSH into your box with their NT usernames and passwords as well! Added security will be required to prevent that.

"If you always do what you've always done, you will always be where you've always been."
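
Added example, not part of the thread: a read-only check for the two issues raised in the posts above. `chown` with a domain name fails with 'invalid user' when `/etc/nsswitch.conf` does not list `winbind` for `passwd` and `group`, and `template shell = /bin/bash` gives domain accounts a login shell (Samba's default is `/bin/false`) unless `sshd_config` limits logins with `AllowUsers` or `AllowGroups`. The function names are this example's own, and the three file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments; nothing is modified.

# nss_uses_winbind FILE DB: true if DB (passwd or group) lists winbind as a source.
nss_uses_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }    # strip comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# smb_param FILE NAME: print the last value set for a smb.conf parameter.
# Samba ignores case and spaces in names; sections are not tracked here.
smb_param() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ || !index($0, "=") { next }
        {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) out = val
        }
        END { print out }' "$1"
}

# sshd_restricts_logins FILE: true if AllowUsers or AllowGroups is set.
sshd_restricts_logins() {
    grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]' "$1"
}

# audit SMB_CONF NSSWITCH SSHD_CONFIG: print one finding per line, nothing if clean.
audit() {
    for db in passwd group; do
        nss_uses_winbind "$2" "$db" ||
            echo "NSS: $db does not list winbind, so domain names will not resolve"
    done
    shell=$(smb_param "$1" "template shell")
    case "$shell" in
        ""|/bin/false|*/nologin) ;;   # domain accounts get no login shell
        *) sshd_restricts_logins "$3" ||
               echo "SSH: template shell is $shell and sshd has no AllowUsers/AllowGroups" ;;
    esac
}

# Stand-alone use: sh audit.sh /etc/samba/smb.conf /etc/nsswitch.conf /etc/ssh/sshd_config
if [ "$#" -eq 3 ]; then audit "$@"; fi
```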
 
getent didn't help, it just prints a list of users or groups. Also, is this method allowing me to authenticate using Kerberos?

 
Oh, and I just may start over fresh and try setting up everything again. I came across someone's web site who was saying they configured Samba 3 on RH9 to authenticate with Kerberos to their Win2k AD server. He didn't go into any detail on how he got this to work but gave a link to a Samba HOW TO that I've looked at before. I think maybe if I just start fresh and follow that HOW TO then I may have better luck.

 
Using LDAP and Kerberos, a domain member running winbind can enumerate users and groups in exactly the same way as a Win2k client would, and in so doing provide a much more efficient and effective winbind implementation.

The [global] portion should have the following:

```
realm = my.kerberos.REALM
security = ADS
# the next line may / may not be required
ads server = my.kerberos.server
```

Unfortunately, (for me) it cannot be an Active Directory Server or an Active Directory Domain Controller :)





"If you always do what you've always done, you will always be where you've always been."
 