David Nickel
2004-Oct-19 13:31 UTC
[Samba] Making Red Hat 3 Authenticate against AD Domain
I have a Red Hat 3 AS server I am trying to set Samba 3 up on. I want to use the homes function of Samba and I want users to authenticate against my AD domain. I am having a problem making the server a member server of my domain.

I tried using the smbpasswd command and got the error about trying net join for this action. Also, is there anything else I have to do to get my users to authenticate against the AD domain?

Any help and suggestions would be much appreciated.

Thanks,

David
Kevin Riggins
2004-Oct-19 13:58 UTC
[Samba] Making Red Hat 3 Authenticate against AD Domain
David,

I found this webpage to be very useful for setting up samba with active directory authentication - http://www.rongage.org/manual_samba_howto.html. I started with a very base install of WBEL without samba. The version of Kerberos that comes with WBEL is not new enough to work with a Win2K AD domain or at least I could never get it to work. I used the latest versions of Samba and Kerberos. OpenLDAP was not needed since it was already installed on the box.

My homes share definition looks like this:

    [global]
    template homedir = /home/%D/%U

    [homes]
    comment = Home Directories
    create mask = 0600
    directory mask = 0700
    read only = no
    browseable = no
    valid users = @"Domain Admins",@"Domain Users"
    veto oplock files = /*.xls/

The "veto oplock files = /*.xls/" line is to take care of a problem with Excel thinking that a file has been changed since opened when it actually hasn't been.

I created the /home/<DOMAIN>/ directory with the group set to "Domain Admins" and group rights of u+rwx,g+rwsx,o-rwsx so that I could use "Active Directory Users and Computers" to set the home directory. The domain name had to be all caps for it to work right. Right now I am manually creating the home directory and setting ownership and permissions. Haven't been able to get the home directory creation through "Active Directory Users and Computers" working yet.

Kevin Riggins, CISSP
Quester Linguistics, Inc.
Kevin Riggins
2004-Oct-19 15:37 UTC
[Samba] Making Red Hat 3 Authenticate against AD Domain
Are you using uppercase for the username@domain.com value when you execute the kinit command? I have had problems with lower case.

ex. kinit ADMINISTRATOR@DOMAIN.COM

-----Original Message-----
From: David Nickel [mailto:dnickel@gmail.com]
Sent: Tuesday, October 19, 2004 10:15 AM
To: Kevin Riggins
Cc: samba@lists.samba.org
Subject: Re: [Samba] Making Red Hat 3 Authenticate against AD Domain

Thanks for the link and info. I have tried it, but when I get to the testing kerberos I get an error.

command: kinit ADMINISTRATOR@domain.com
error: kinit(v5): KDC has no support for encryption type while getting initial credentials

FYI: All I want to do is allow my users, once they log on to their domain computers, map to their directory on the web server through domain authentication instead of the local /etc/passwd file.
Kevin Riggins
2004-Oct-19 15:45 UTC
[Samba] Making Red Hat 3 Authenticate against AD Domain
One other thing. My /etc/krb5.conf file is a bit different than the one given on the page I sent you to.

The pertinent portion being below:

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = COMDEV.COM
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    forwardable = true
    proxiable = true
    dns_lookup_realm = false
    dns_lookup_kdc = false
Kevin Riggins
2004-Oct-19 16:20 UTC
[Samba] Making Red Hat 3 Authenticate against AD Domain
I also thought of something else, make sure you are using the binaries that were installed by the new Kerberos package. I accomplished this by putting /usr/local/bin and /usr/local/sbin at the beginning of my path statement. This needs to be done prior to compiling Samba, because Samba uses the krb5-config command to configure itself for Kerberos.

If `which kinit` returns anything other than /usr/local/bin, this is contributing to the problem.

My bad, sorry.

No services are necessary for the Kerberos portion of the setup.

Kevin

-----Original Message-----
From: David Nickel [mailto:dnickel@gmail.com]
Sent: Tuesday, October 19, 2004 10:59 AM
To: Kevin Riggins
Cc: samba@lists.samba.org
Subject: Re: [Samba] Making Red Hat 3 Authenticate against AD Domain

I have tried the uppercase, lowercase and any combinations. I have made the following changes to my krb5.conf file and still get the same error. What services need to be started? Thanks a lot for your input.
Kevin Riggins
2004-Oct-19 18:18 UTC
[Samba] Making Red Hat 3 Authenticate against AD Domain
The default version of kerberos that ships with RHEL AS is 1.2 something and the default samba rpm is built against this version. In order for a samba box to become a member of an active directory domain, Kerberos 1.3+ is required. This is why it is necessary to download the latest binary of kerberos from the following location and download and compile Samba.

Kerberos: http://web.mit.edu/kerberos/dist/krb5/1.3/krb5-1.3.5-i686-pc-linux-gnu.tar
Samba: http://us3.samba.org/samba/ftp/samba-latest.tar.gz

-----Original Message-----
From: David Nickel [mailto:dnickel@gmail.com]
Sent: Tuesday, October 19, 2004 11:46 AM
To: Kevin Riggins
Cc: samba@lists.samba.org
Subject: Re: [Samba] Making Red Hat 3 Authenticate against AD Domain

I am using the kinit that is default rpm with RHEL AS

which kinit is returning: /usr/kerberos/bin/kinit
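Added example, not part of the original thread: a shell preflight for the three causes raised in the replies above (which kinit is first on PATH, the case of the realm passed to kinit, and the enctypes set in [libdefaults]). The function names and the sample krb5.conf are constructed for illustration, and the "rc4-hmac only" finding reflects RFC 8429, which deprecated RC4 in Kerberos long after this thread was written.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# sample krb5.conf at the bottom is constructed from the values quoted above.

# Print the value of KEY from the [libdefaults] section of a krb5.conf file.
libdefault() {  # usage: libdefault FILE KEY
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                               # comment line
        /^[ \t]*\[/   { insec = ($0 ~ /\[libdefaults\]/); next }
        insec {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed only if the realm (text after the last "@") is entirely upper case.
# Kerberos realm names are case sensitive; AD realms are written in upper case.
realm_is_upper() {  # usage: realm_is_upper user@REALM
    case $1 in *@?*) ;; *) return 1 ;; esac
    realm=${1##*@}
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Succeed only if the first kinit found on PATH is installed under PREFIX.
kinit_under() {  # usage: kinit_under PREFIX
    p=$(command -v kinit 2>/dev/null) || return 1
    case $p in "$1"/*) return 0 ;; *) return 1 ;; esac
}

# Print one finding per line; no output means every check passed.
# Enctype aliases (e.g. arcfour-hmac) are not recognised by these checks.
preflight() {  # usage: preflight KRB5_CONF PRINCIPAL PREFIX
    for key in default_tkt_enctypes default_tgs_enctypes; do
        val=$(libdefault "$1" "$key" | tr ',' ' ')
        case " $val " in
            "  ")           echo "$key: not set, library defaults apply" ;;
            *" rc4-hmac "*) [ "$val" = rc4-hmac ] &&
                            echo "$key: rc4-hmac only (legacy; RFC 8429 deprecates RC4)" ;;
            *)              echo "$key: no rc4-hmac in '$val' (the type used in the thread)" ;;
        esac
    done
    realm_is_upper "$2" || echo "principal: realm in '$2' is not upper case"
    kinit_under "$3"    || echo "kinit: first kinit on PATH is not under $3"
    return 0
}

# Constructed sample run with the principal and enctype lines from the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
 default_realm = COMDEV.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
EOF
preflight "$demo_conf" ADMINISTRATOR@domain.com /usr/local/bin
rm -f "$demo_conf"
```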