Tim Holmes
2005-Jul-20 00:58 UTC
[Samba] Samba Server not using domain users as samba users
Good evening everyone:

I am struggling with a problem here. I have a brand new FC3 server set up. My Windows domain is a Windows 2003 Active Directory domain. I have samba configured as below:

[global]
    netbios name = SRVWEB-01
    server string = MCA Production Web Server
    printing = cups
    idmap gid = 15000-20000
    password server = srvdc01
    idmap uid = 15000-20000
    workgroup = MCASCHOOL
    os level = 20
    winbind trusted domains only = yes
    winbind use default domain = Yes
    security = domain
    realm = srvdc01

[webroot]
    comment = Websites Home Directory
    writeable = yes
    path = /var/www/html

[ftp]
    comment = FTP Home Directory
    path = /var/ftp/pub/
    read only = No

I followed the set up as specified in the how to section at:
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html#id2536544

I followed the procedures as specified in that document to make a domain member server. Everything appeared to work correctly.

When I try to browse to the server from my Windows XP Pro station, the server shows up in the server list, when I click on it -- it asks for authentication, but then won't accept any -- I give it my domain admin, my personal user, etc.

As I understand it, I should not have to create a linux user for each of my domain users, that should be handled by samba, as it looks at the domain users list and provides authentication.

Previously when I have had this problem, I have had to create a user in samba (system-config-samba) and manually set their samba password to the same as their Windows password. This just does not seem right, and it makes a huge security hole.

When I look at the samba users list, there are none -- but I think that all of my Active Directory (domain) users should be listed.

Can someone please set me straight? I am not looking for someone to provide a turnkey solution, but rather someone who can work with me to help me troubleshoot this problem so that I can get this working.

This is a test deployment preparatory to doing the full up one on the file server.

If you need any further information, please feel free to e-mail.

Thanks very much

TIM HOLMES
IT Manager / Webmaster / Science Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14
M Maki
2005-Jul-20 03:51 UTC
[Samba] Re: Samba Server not using domain users as samba users
> When I try to browse to the server from my Windows XP Pro station, the
> server shows up in the server list, when I click on it -- it asks for
> authentication, but then won't accept any -- I give it my domain admin,
> my personal user, etc.

> When I look at the samba users list, there are none -- but I think that
> all of my Active Directory (domain) users should be listed

Tim,

See if winbindd is working. What does wbinfo -u or wbinfo -g return?

I could very well be wrong but I don't know if you can use Domain security in Active Directory. I believe you need to use ADS.

I posted my working samba member server config in an Active Directory environment in a previous message here:
http://lists.samba.org/archive/samba/2005-June/106701.html

Good Luck,

Mike
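Added example, not part of the thread and not the configuration Mike links to: a shell/awk check over the [global] settings from the first message, flagging a `realm` set without `security = ads`, a `realm` value that does not look like a DNS-style Kerberos realm, and `winbind trusted domains only = yes`, which makes winbindd expect existing Unix accounts for users of its own domain instead of allocating IDs from the idmap range. The function name and finding codes are made up for this example, and the dot test on `realm` is a heuristic.

```shell
#!/bin/sh
# Added example (not from the thread): lint the [global] section of an
# smb.conf for settings worth checking on an AD member server with winbind.

# Constructed sample: [global] settings as posted in the first message.
SAMPLE_CONF='[global]
netbios name = SRVWEB-01
idmap gid = 15000-20000
password server = srvdc01
idmap uid = 15000-20000
workgroup = MCASCHOOL
winbind trusted domains only = yes
winbind use default domain = Yes
security = domain
realm = srvdc01
[webroot]
path = /var/www/html'

# lint_smb_conf TEXT: print one finding code per line; no output = no findings.
# Finding codes are hypothetical names made up for this example.
lint_smb_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }                     # skip comment lines
        /^[ \t]*\[/ {                              # section header
            sect = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", sect); sub(/[ \t]*\].*$/, "", sect)
            next
        }
        sect == "global" && index($0, "=") {       # "key = value" in [global]
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            opt[key] = val
        }
        END {
            sec = tolower(opt["security"])
            tdo = tolower(opt["winbind trusted domains only"])
            # realm is the Kerberos realm, paired with security = ads
            if (("realm" in opt) && sec != "ads") print "REALM_WITHOUT_ADS"
            if (sec == "ads" && !("realm" in opt)) print "ADS_WITHOUT_REALM"
            # heuristic: an AD realm is normally the DNS domain name
            if (("realm" in opt) && opt["realm"] !~ /\./) print "REALM_NOT_DNS_STYLE"
            # winbindd then expects local Unix accounts for its own domain
            if (tdo == "yes" || tdo == "true" || tdo == "1") print "LOCAL_ACCOUNTS_EXPECTED"
            # winbindd allocates Unix IDs from these ranges
            if (!("idmap uid" in opt) || !("idmap gid" in opt)) print "IDMAP_RANGE_MISSING"
        }'
}

lint_smb_conf "$SAMPLE_CONF"
```

To check a live file, pass its contents as the argument, for example `lint_smb_conf "$(cat /path/to/smb.conf)"`; `testparm -s` remains Samba's own syntax check.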
Tim Holmes
2005-Jul-20 14:08 UTC
[Samba] Re: Samba Server not using domain users as samba users
> Tim,
>
> See if winbindd is working. What does wbinfo -u or wbinfo -g return?
>
> I could very well be wrong but I don't know if you can use Domain
> security in Active Directory. I believe you need to use ADS.
>
> I posted my working samba member server config in an Active Directory
> environment in a previous message here:
> http://lists.samba.org/archive/samba/2005-June/106701.html
>
> Good Luck,
>
> Mike

[Tim Holmes]

Mike:

wbinfo -u returns a list of the users from the domain

wbinfo -g returns a list of the groups from the domain

I was wondering about the possibility of needing to go to ADS security

I will dig into it and see what happens

Thanks

TIM
Tim Holmes
2005-Jul-20 15:08 UTC
[Samba] Re: Samba Server not using domain users as samba users
> [Tim Holmes]
> Mike:
>
> wbinfo -u returns a list of the users from the domain
>
> wbinfo -g returns a list of the groups from the domain
>
> I was wondering about the possibility of needing to go to ADS security
>
> I will dig into it and see what happens
>
> Thanks
>
> TIM

[Tim Holmes]

Ok -- I have updated my config files as specified in the previous post.

When I run the net ads join -U command, I get the following error:

[root@srvweb-01 ~]# net ads join -U administrator
administrator's password:
[2005/07/20 10:57:26, 0] libads/ldap.c:ads_join_realm(1640)
  ads_add_machine_acct (srvweb-01): Type or value exists
ads_join_realm: Type or value exists

This immediately says to me that the machine is already joined to the domain, but when I check the domain machines list, it is not there that I can find.

Any Suggestions?
Tim Holmes
2005-Jul-20 15:28 UTC
[Samba] Re: Samba Server not using domain users as samba users
> [Tim Holmes]
>
> Ok -- I have updated my config files as specified in the previous post.
>
> When I run the net ads join -U command, I get the following error:
>
> [root@srvweb-01 ~]# net ads join -U administrator
> administrator's password:
> [2005/07/20 10:57:26, 0] libads/ldap.c:ads_join_realm(1640)
>   ads_add_machine_acct (srvweb-01): Type or value exists
> ads_join_realm: Type or value exists
>
> This immediately says to me that the machine is already joined to the
> domain, but when I check the domain machines list, it is not there that
> I can find.
>
> Any Suggestions?

[Tim Holmes]

Doing some searching on the error message brought the suggestion to try:

[root@srvweb-01 ~]# smbclient -k //srvdc01/C$
krb5_cc_get_principal failed (No credentials cache found)
spnego_gen_negTokenTarg failed: No credentials cache found
session setup failed: NT_STATUS_OK

I must confess that I am more than a little confused here. Any suggestions about where I am messed up?

TIM
Tim Holmes
2005-Jul-20 20:37 UTC
[Samba] Re: Samba Server not using domain users as samba users
> -----Original Message-----
> From: M Maki [mailto:mmaki@adelphia.net]
> Sent: Wednesday, July 20, 2005 11:42 AM
> To: Tim Holmes
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Re: Samba Server not using domain users as samba users
>
> > When I run the net ads join -U command, I get the following error
> >
> > [root@srvweb-01 ~]# net ads join -U administrator
> > administrator's password:
> > [2005/07/20 10:57:26, 0] libads/ldap.c:ads_join_realm(1640)
> >   ads_add_machine_acct (srvweb-01): Type or value exists
> > ads_join_realm: Type or value exists
> >
> > This immediately says to me that the machine is already joined to the
> > domain, but when I check the domain machines list, it is not there
> > that I can find.
>
> I always add my computer accounts to AD before I join them. You might
> want to give that a try though it sounds like that is not your problem.
>
> Mike

[Tim Holmes]

Ok -- one other slight problem -- it seems that I have some sort of a rogue record in my ADS Tree or something. For whatever reason, I cannot join my server as srvweb-01, so as a simple solution, I changed the host name on the server to srvweb-02.

I changed it in the system-config-network applet, in the hosts file, and checked the krb5.conf and smb.conf files to make sure it was not referenced in there anywhere. Then I restarted the machine, so all the new settings were applied, also changed the DNS and reloaded the zone. This machine has a static address, so DHCP should be a non issue.

But when I try to join the domain, it still fails -- the routine worked perfectly on my test server, it joined perfectly on the first try.

I suspect that the old host name (srvweb-01) is registered someplace that I don't know about, but I cannot seem to find it -- any suggestions where I should be looking?

Thanks

Timothy A. Holmes
IT Manager / Webmaster / Science Teacher
Medina Christian Academy
A Higher Standard...
Jeremiah 33:3
Jeremiah 29:11
Esther 4:14