Rich Cardwell
2004-Dec-16 11:46 UTC
[Samba] Samba 3.0.x in ADS mode in a Windows Krb AD forest domain, does it work?
Hi, With some luck someone on this list can tell me if what I'm trying to do is possible with Samba 3, and if I'm really lucky how to get it working. As I'm pretty stuck at the moment and have hit the limits of my knowledge. At present in my environment we are running numerous Samba 2 servers in server and domain level security (I know server level security is a bad idea), and everything works fine. However as time moves on we are looking to migrate our servers off Samba 2 and onto Samba 3 and switch all servers over to ads mode. However during testing (on Debian and HP-UX machines) we appear to have hit a problem that I can't resolve, namely I can't connect to any shares, as the servers don't appear to recognize the login domain. For this to make any sense I will attempt to explain our environment. At present we have an old legacy domain which is all based around NT trusts, and a new domain which uses Kerberos AD forest trusts. Now in our new domain we have central domain, with other sub domains hanging off it for users (one per geography) and organisational units (again one per OU unit). Now the way the domain has been configured is that user accounts live in the the user domains, and machine accounts live in the organisational units domains, all pretty simple. However when connecting to a Samba 3 host configured in ads mode that has successfully joined the OU domain we hit a problem that the server doesn't seem to recognise the login domain, and remaps the domain to the local OU and hence the login fails, as this logfile extract shows. [2004/12/16 11:02:27, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [LOGINDOMAIN]\[ricc]@[CARDWELL-R-3] with the new password interface [2004/12/16 11:02:27, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [OUDOMAIN.HPL.HP.COM]\[ricc]@[CARDWELL-R-3] [2004/12/16 11:02:27, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2004/12/16 11:02:27, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2004/12/16 11:02:27, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2004/12/16 11:02:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/12/16 11:02:28, 2] auth/auth.c:check_ntlm_password(312) check_ntlm_password: Authentication for user [ricc] -> [ricc] FAILED with err or NT_STATUS_ACCESS_DENIED However if I try and connect to an admin account that lives in the OUDOMAIN, everything works as Samba appears to recognize the domain as valid. As an additional test, I have tried to connect to the share using an old account in the Legacy domain which uses the old NTLM NT trust mechanisms, and this appears to work as the Samba server recognizes the domain, and hence leaves the domain prefix alone, as this logfile extract shows. [2004/12/16 11:26:47, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [LEGACYDOMAIN]\[ricc]@[CA RDWELL-R-3] with the new password interface [2004/12/16 11:26:47, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [LEGACYDOMAIN]\[ricc]@[CARDWELL-R-3] [2004/12/16 11:26:47, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2004/12/16 11:26:47, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 So I guess my question is: Has anyone else managed to get samba to work in this kind of domain? or alternatively does anyone know if Samba 3 supports this kind of domain structure using Forest AD trusts yet? Thanks in advance, for any help you can provide, as this has been driving me (not so) slowly nuts. Rich Cardwell -- smb.conf for testhosts is as follows: #======================= Global Settings ====================== [global] ## Browsing/Identification ### # Change this to the workgroup/NT-domain name your Samba server will part of workgroup = OUDOMAIN.HPL.HP.COM debug level = 4 # server string is the equivalent of the NT Description field server string = %L server (Samba %v) # Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server wins support = no # WINS Server - Tells the NMBD components of Samba to be a WINS Client # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both wins server = XX.XX.XX.net # This will prevent nmbd to search for NetBIOS names through DNS. dns proxy = no # What naming service and in what order should we use to resolve host names # to IP addresses ; name resolve order = lmhosts host wins bcast #### Debugging/Accounting #### # This tells Samba to use a separate log file for each machine # that connects log file = /var/log/samba/log.%m # Put a capping on the size of the log files (in Kb). max log size = 1000 # If you want Samba to only log through syslog then set the following # parameter to 'yes'. ; syslog only = no # We want Samba to log a minimum amount of information to syslog. Everything # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log # through syslog you should set the following parameter to something higher. syslog = 0 # Do something sensible when Samba crashes: mail the admin a backtrace panic action = /usr/share/samba/panic-action %d ####### Authentication ####### # "security = user" is always a good idea. This will require a Unix account # in this server for every user accessing the server. See # /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc # package for details. security = ads realm = OUDOMAIN.HPL.HP.COM password server = support-br1.XX.XX.XX.XX username map = /etc/samba/smbusers client use spnego = yes ldap ssl = start tls # You may wish to use password encryption. See the section on # 'encrypt passwords' in the smb.conf(5) manpage before enabling. encrypt passwords = true # If you are using encrypted passwords, Samba will need to know what # password database type you are using. passdb backend = tdbsam guest obey pam restrictions = yes ; guest account = nobody invalid users = root # This boolean parameter controls whether Samba attempts to sync the Unix # password with the SMB password when the encrypted SMB password in the # passdb is changed. ; unix password sync = no # For Unix password sync to work on a Debian GNU/Linux system, the following # parameters must be set (thanks to Augustin Luton <aluton@hybrigenics.fr> for # sending the correct chat script for the passwd program in Debian Potato). passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword :* %n\n . ########## Printing ########## # If you want to automatically load your printer list rather # than setting them up individually then you'll need this ; load printers = yes # lpr(ng) printing. You may wish to override the location of the # printcap file ; printing = bsd ; printcap name = /etc/printcap # CUPS printing. See also the cupsaddsmb(8) manpage in the # cupsys-client package. ; printing = cups ; printcap name = cups # When using [print$], root is implicitly a 'printer admin', but you can # also give this right to other users to add drivers and set printer # properties ; printer admin = @ntadmin ######## File sharing ######## # Name mangling options ; preserve case = yes ; short preserve case = yes ############ Misc ############ # Using the following line enables you to customise your configuration # on a per machine basis. The %m gets replaced with the netbios name # of the machine that is connecting ; include = /home/samba/etc/smb.conf.%m # Most people will find that this option gives better performance. # See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html # for details # You may want to add the following on a Linux system: # SO_RCVBUF=8192 SO_SNDBUF=8192 socket options = TCP_NODELAY # machine will be configured as a BDC (a secondary logon server), you # must set this to 'no'; otherwise, the default behavior is recommended. ; domain master = auto # Some defaults for winbind (make sure you're not using the ranges # for something else.) ; idmap uid = 10000-20000 ; idmap gid = 10000-20000 ; template shell = /bin/bash winbind separator = + idmap uid = 10000-200000 idmap gid = 10000-200000 winbind enum users = yes winbind enum groups = yes template homedir = /home/%D/%U template shell = /bin/bash winbind use default domain = no #======================= Share Definitions ====================== [homes] comment = Home Directories browseable = yes # By default, the home directories are exported read-only. Change next # parameter to 'yes' if you want to be able to write to them. writable = no # File creation mask is set to 0700 for security reasons. If you want to # create files with group=rw permissions, set next parameter to 0775. create mask = 0700 valid users = %S -- Richard Cardwell
Charles Weber
2004-Dec-20 23:14 UTC
[Samba] Samba 3.0.x in ADS mode in a Windows Krb AD forest domain, does it work?
I have just put in service our first AD member samba server and am replacing, like many of us, samba 2 servers. Our setup is HHS AD tree, with NIH users in ou's under NIH domain and servers in attached division domain (NIA in our case). Our NIH users have no problems so far other than the usual of sites this size. This sounds somewhat similar to what you are asking. I have not tried to connect from another connected AD domain so that I would traverse 2 trusts. That seems to be your situation as I understand it. Chuck
Maybe Matching Threads
- User longer than 20 characters can't join domain (windows 7 pro)
- No subject
- Samba 3.4.7 on Debian Squeeze does not allow Vista machines to connect to shares XP users can connect though
- Authentication in trusded domain
- Vista error 67 The network name cannot be found