samba - Jul 2004 - security = ADS

Hi all,

I've been fighting with joining my samba server (debian) to my active
directory domain for 4 days now.  The problem here is that users in my active
directory domain on windows machines are not able to browse my samba shares
without being prompted for authentication.

I can:
- Join the domain from samba server using net ads
- View list of tickets when brownsing window shares with klist
- list window shares without being prompted with "smbclient -k -L
<windows_servername>

I can NOT:
- use "net use * \\<smb_servername>\share" from window based
machine.
(this resultes in "The password or user name is invalid for
\\delshare\public" (delshare being my samba server name)

I have no clue what to do from here. I've looked over my smb.conf file 20
times likewise my krb5.conf file

Any suggestions would be greatly appreciated. I've arn out of tests.

R.

Yes I've seen this behavior a LOT.  I've replied to it.  For some 
reason, the Samba when joined to ads needs to contacted for shares by IP 
addy.  The XP shares then authenticate properly.

Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an 
on the samba server.  You'll see the XP box connected to port 445.  I 
suspect that in an ads environment, the XP boxes default to connecting 
to shares on 445.  I suspect smbd, or nmbd are mishandling this when 
netbios names are used.

Rashaad S. Hyndman wrote:
>Hi all,
>
>I've been fighting with joining my samba server (debian) to my active
directory domain for 4 days now.  The problem here is that users in my active
directory domain on windows machines are not able to browse my samba shares
without being prompted for authentication.
>
>I can:
>- Join the domain from samba server using net ads
>- View list of tickets when brownsing window shares with klist
>- list window shares without being prompted with "smbclient -k -L
<windows_servername>
>
>I can NOT:
>- use "net use * \\<smb_servername>\share" from window based
machine.
>(this resultes in "The password or user name is invalid for
\\delshare\public" (delshare being my samba server name)
>
>I have no clue what to do from here. I've looked over my smb.conf file
20 times likewise my krb5.conf file
>
>Any suggestions would be greatly appreciated. I've arn out of tests.
>
>R.
>  
>

HErE arE my ConF file 

                
----------------------------------------SMB.conf----------------------
#======================= Global Settings ====================== 
[global]
 
netbios name = smbserver_name
realm = MYREALM.NET

 
   workgroup = mydomain
 

   server string = %h server (Samba %v)
 

password server = addc01.MYREALM.NET 
security = ADS
 
 

   wins support = yes
 

   include = /etc/samba/dhcp.conf

   dns proxy = no
 

    name resolve order = lmhosts host wins bcast
 
#### Debugging/Accounting ####

   log file = /var/log/samba/log.%m
 
# Put a capping on the size of the log files (in Kb).
   max log size = 1000
 
   syslog = 0
    panic action = /usr/share/samba/panic-action %d
 
 
####### Authentication #######

   encrypt passwords = yes

   passdb backend = tdbsam guest
 
   obey pam restrictions = yes
 
   guest account = guest
   invalid users = root

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
 
 
#======================= Share Definitions ====================== 
[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   preserver case = yes
   short preserve case = yes
 
[public]
  comment = Software and tool downloads
  browseable = yes
  path = /usr/share/public
  writable = no 
  public = yes
 

   writable = no
 
   create mask = 0700

   directory mask = 0700
  
[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700
 
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

==============================
------------------------------krb5.conf--------------------------

=========================================


 [logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log
 
[libdefaults]
 default_realm = MYREALM.NET
 
[relams]
 MYREALM.NET= {
  kdc = addc01.MYREALM.NET 
}
 
[domain_realms]
 .addc01.myrealm.net  = MYREALM.NET

=========================================


These are the only files that i have editted to get to this point.  I really
appreciate your help.





  ----- Original Message ----- 
  From: Tom Skeren 
  To: Rashaad S. Hyndman 
  Sent: Thursday, July 22, 2004 7:25 PM
  Subject: Re: [Samba] security = ADS


  Rashaad S. Hyndman wrote:

That seems to be an interesting concept but does work in this case for some
reason.  Here is what i did:


C:\Documents and Settings\rshyndman>net use * \\10.55.222.82\public\
System error 67 has occurred.

The network name cannot be found.Try right clicking on My Computer and use
map-network-drive function.



C:\Documents and Settings\rshyndman>ping 10.55.222.82

Pinging 10.55.222.82 with 32 bytes of data:

Reply from 10.55.222.82: bytes=32 time<10ms TTL=64
Reply from 10.55.222.82: bytes=32 time<10ms TTL=64

Interesting thing here is that is says name not found but i can ping both by
name and ip. You think mapping name to ip in the hosts file will help?  Hmmm
:-(

----- Original Message ----- 
From: "Tom Skeren" <tms3@fskklaw.com>
To: "Rashaad S. Hyndman" <IslandBwoy@ToughGuy.net>
Cc: <samba@lists.samba.org>
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Samba] security = ADS


  Yes I've seen this behavior a LOT.  I've replied to it.  For some
reason, the Samba when joined to ads needs to contacted for shares by IP
addy.  The XP shares then authenticate properly.

Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an
on the samba server.  You'll see the XP box connected to port 445.  I
suspect that in an ads environment, the XP boxes default to connecting
to shares on 445.  I suspect smbd, or nmbd are mishandling this when
netbios names are used.

Rashaad S. Hyndman wrote:

    Hi all,

I've been fighting with joining my samba server (debian) to my active
      directory domain for 4 days now.  The problem here is that users in my
active directory domain on windows machines are not able to browse my samba
shares without being prompted for authentication.
  I can:
- Join the domain from samba server using net ads
- View list of tickets when brownsing window shares with klist
- list window shares without being prompted with "smbclient -k -L
      <windows_servername>
  I can NOT:
- use "net use * \\<smb_servername>\share" from window based
machine.
(this resultes in "The password or user name is invalid for
      \\delshare\public" (delshare being my samba server name)
  I have no clue what to do from here. I've looked over my smb.conf file 20
      times likewise my krb5.conf file
  Any suggestions would be greatly appreciated. I've arn out of tests.

R.

sorry about that last email that did not contain the resource i used. I
think it was because i copied the contents of a website which could have
been considered advertisement because of some of images.  In either case
enjoy:

http://www.wlug.org.nz/HowtoSamba3AndActiveDirectory


----- Original Message ----- 
From: "Rashaad S. Hyndman" <IslandBwoy@ToughGuy.net>
To: "Rashaad S. Hyndman" <IslandBwoy@ToughGuy.net>; "Tom
Skeren"
<tms3@fskklaw.com>
Cc: <samba@lists.samba.org>
Sent: Friday, July 23, 2004 2:18 PM
Subject: Re: [Samba] security = ADS - IT WORKS!!!!!!!!!

> Halleluiah!!!!!!!!! It works. With all the documentation I've read
including
> the official samba-3 howto for setting up ADS none of them mentioned what
> happened to be the most critical piece of information, winbind!  Now
I've
> seen a couple post that mentioned this daemon but it was not included in
the
> official howto's so I skipped over it.  In Either case I've
included the
> article that I used to get my samba ADS implementation working.  If you
have
> followed other howto's you have probably got 99% of the work done.  If
you
> happen to have more questions please feel free to email me and I'll
dictate
> exactly what I have in my environment.
>
> Thanks for your input,
> R.
>
>
>
>
>
>
> Howto Samba 3 And Active Directory
> G o o g l e users: We have detected that you were searching for howto
samba
> ads.
>
> The Waikato Linux Users Group hope that this page answers your questions,
> but, if it doesn't, we politely request that if/when you find the
answer
to
> your question you contibute your information back into this Wiki (via the
> Edit button at the bottom of the page) so that others can also find this
> information easier.
>
> We also suggest that if this page doesn't answer your question, try
> Searching the wiki, or, to find pages similar to this one, try or .
>
>       What's this? It's a near-copy of ActiveDirectorySamba, but
not
linked
> from anywhere and with a lot of stuff deleted? Please don't
> DisagreeByDeleting. Can someone who has Samba3 experience shed light on
the
> changes between this page and the other? --AristotlePagaltzis
>
>       ActiveDirectorySamba is a correct howto for setting up Samba 3 with
> ActiveDirectory. So it's basically a copy paste from there to here and
> delete the other. -- GerwinVanDeSteeg
>
>
> --------------------------------------------------------------------------
>
>       This simple guide is a mostly accurate way to set up a Samba machine
> as a DomainMember in a Windows 2000 or Windows 2003 ActiveDirectory
Domain.
>
>       The following setup is used:
>
>         192.168.0.1   test1.thinclient.test.org  (the AD server, hereafter
> known as the server)
>
>         192.168.0.209 mail.thinclient.test.org   (samba3 machine)
>
>       The Samba system is based upon a stock standard RedHat 9 system with
> the samba software upgraded to Samba3 (using RPM)
>
>       The following steps are needed to get the system functioning:
>
>         1.. configure name resolution using either dns or a hosts file
>         2.. configure samba and winbindd
>         3.. configure kerberos
>         4.. testing the kerberos configuration
>         5.. good luck
>       Configure name resolution
>       ActiveDirectory relies HEAVILY on DNS to resolve not only host names
> but services they provide as well. To set up DNS on the linux box, see the
> DNSHowTo, otherwise consult necessary Windows documentation on setting up
> forward AND reverse DNS zones.
>
>       As a temporarily solution, you can use hosts based authentication,
> this is ugly and hacky, and should be avoided at all costs. -- 
JamesSpooner
>
>       The first step is to configure name resolution for our systems. The
> kerberos authentication system, which we will configure later on, requires
> us to be able to do a reverse lookup on an IP address to get a fully
> qualified domain name (FQDN). There are two ways to do this, the cheap and
> nasty method is to use a hosts file on both systems, which will have
entries
> similar to the following.
>
>       Samba machine
>       /etc/hosts
>
>         127.0.0.1       mail    mail.thinclient.test.org
> localhost.localdomain   localhost
>
>         192.168.0.1     test1   test1.thinclient.test.org
>
>         192.168.0.209   mail    mail.thinclient.test.org
>
>       Surely it would be better to put the FQDN first, and not alias
> localhost to a name other than localhost? -- PerryLorier
>
>       Windows Active Directory server
>       %Systemroot%\System32\drivers\etc\hosts[1]
>
>         127.0.0.1       test1   test1.thinclient.test.org
> localhost.localdomain   localhost
>
>         192.168.0.1     test1   test1.thinclient.test.org
>
>         192.168.0.209   mail    mail.thinclient.test.org
>
>       The correct method is to setup DNS on the server which can be done
> through the DNS console in the AdministrativeTools section of Windows
> 2000/2003 Server. We won't go into the details of setting this up here,
but
> we will specify the linux side of that here.
>
>       /etc/resolv.conf
>
>         search      thinclient.test.org
>
>         domain      thinclient.test.org
>
>         nameserver  192.168.0.1
>
>       Configure Samba3 and Winbindd
>       This part is the easy one, we just create ourselves a default Samba
> configuration with at least the following entries (Note this is a
completely
> empty and default configuration file, and you may wish to add more. A file
> share would be handy to add).
>
>       /etc/samba/smb.conf
>
>         [global]
>
>           # general options
>
>           workgroup = THINCLIENT
>
>           netbios name = MAIL
>
>           # winbindd configuration
>
>           winbind separator = +
>
>           idmap uid = 10000-20000
>
>           idmap gid = 10000-20000
>
>           winbind enum users = yes
>
>           winbind enum groups = yes
>
>           template homedir = /home/%D/%U
>
>           template shell = /bin/bash
>
>           # Active directory joining
>
>           # "ads server" is only necessary if your kdc can't
be located
> using /etc/krb5.conf -- JamesSpooner
>
>           # ads server = test1.thinclient.test.org
>
>           security = ads
>
>           encrypt passwords = yes
>
>           realm = thinclient.test.org
>
>       NB: The important things to pay attention to here are the name of
our
> samba machine (netbios name), the workgroup, and the ActiveDirectory
stuff.
>
>       Configure Kerberos5
>       See ActiveDirectoryKerberos on setting up Kerberos to talk to
> ActiveDirectory.
>
>       We need to generate a key for our samba machine on the Windows
server,
> and securely import this into our samba machine. To create the keyfile we
> run the following on the Windows server:
>
>         ktpass - princ host/mail.thinclient.test.org@THINCLIENT.TEST.ORG \
>
>                    -mapuser MAIL -pass MAIL1234PASSWORD -out mail.keytab
>
>       We then transfer the mail.keytab securely to our samba machine by
> using something similar to SSH or another secure means. And then on the
> samba machine we will import the keyfile we just generated by using the
> ktutil program, which is part of the kerberos distribution. The unix
> commands for ktutil are as follows:
>
>         % ktutil
>
>         ktutil: rkt mail.keytab
>
>         ktutil: list
>
>         ktutil: wkt /etc/krb5.keytab
>
>         ktutil: q
>
>       Alternatively ... as root:
>
>         net join -U Administrator%password
>
>       This will join the Samba machine to the ActiveDirectory Domain.
>
>       References
>         a.. Using Kerberos Clients section of the Microsoft : Step-by-Step
> Guide to Kerberos 5 (krb5 1.0) Interoperability
>         b.. Authentication to ADS
>         c.. The winbindd and Active Directory Domain Member sections of
the
> Samba v3 Documentation
>         d.. Realy huge manual for samba 3, in this document you can find
> almost everything
>
> --------------------------------------------------------------------------
>
>       Footnotes
>
>       [1] %Systemroot% is a variable set by Windows NT and onward to mean
> "the location where Windows is installed", ie c:\winnt,
c:\windows, etc.
>      This news side bar needs a browser with "iframe" support.
>
>       No pages link to HowtoSamba3AndActiveDirectory.
>
>       Please visit the WlugSponsors.
>
>
>
> --------------------------------------------------------------------------
--
> ----
>
> Last edited on Tuesday, June 1, 2004 10:04:05 pm by AlastairPorter.
>
> Please note that any user can change the contents of pages on this site,
and
> therefore the Waikato Linux Users Group can offer no assurances that the
> information is correct, and the information on this site is not
necessarily
> the opinion of the Waikato Linux Users Group, or any of its members.
> Copyright is retained by the individual authors of a page. If you have any
c
> omplaints about the contents of this page, please do not hesitate to
contact
> the Waikato Linux Users Group, or, click the Edit button below!
>
>
> --------------------------------------------------------------------------
--
> ----
>
>
>      Sign In
>
>
>
>