Hello list.

I recently moved to an AD environment. I'm still keeping a samba server to make my cups-managed printers available to windows users, rather than duplicating configuration with a Windows print service. But I'm facing two problems, probably due to the way we manage AD.

First, all my hosts belong to a Unix-managed DNS domain (msr-inria.inria.fr), not to the windows-managed one corresponding to the AD realm (msr-inria.idf). It means resolving their IP address results in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a secondary server for the msr-inria.idf zone, meaning SRV record lookup still works. But all CIFS kerberos authentication attempts for the host unqualified, or realm-qualified, fail: I can't use \\foo, nor \\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr

I know this is probably due to kerberos DNS-based hostname canonicalisation, and not samba-specific (it also occurs with netapp filers), but I initially understood it with my samba server. Is there anything I could do there to make users' lives easier?

Second, when kerberos authentication fails, my samba server (and I guess, any CIFS server) falls back to password-based authentication. But there is an issue with the way we manage user accounts. We sync our unix ldap accounts into AD, meaning each 'bar' user exists in LDAP as 'MSR-INRIA.IDF\bar', but with a random password, and we authenticate them through their Unix-managed kerberos account 'MSR-INRIA.INRIA.FR\bar'. It means trying to authenticate them as 'MSR-INRIA.IDF\bar' won't work, and I get these error messages:

    [2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
      domain_client_validate: unable to validate password for user rousse in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error was NT_STATUS_WRONG_PASSWORD.
    [2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
      domain_client_validate: unable to validate password for user rousse in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error was NT_STATUS_WRONG_PASSWORD.
    [2008/11/12 18:47:32, 0] auth/auth_domain.c:domain_client_validate(260)
      domain_client_validate: unable to validate password for user rousse in domain MSR-INRIA to Domain controller CONCORDE.MSR-INRIA.IDF. Error was NT_STATUS_WRONG_PASSWORD.

(I guess the windows client cached my credentials when I initially logged in.)

There is a user mapping option in samba, but it is primarily meant for mapping Windows users to Unix users, whereas I'd need there to map Windows unqualified users to kerberos-realm users, instead of ad-realm users. Is this possible somehow?
-- 
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Ile de France
Tel: 01 69 35 69 62
On Wednesday 12 November 2008 19:23:52 Guillaume Rousse wrote:
> Hello list.
>
> I recently moved to an AD environment. I'm still keeping a samba server
> to make my cups-managed printers available to windows users, rather than
> duplicating configuration with a Windows print service. But I'm facing
> two problems, probably due to the way we manage AD.
>
> First, all my hosts belong to a Unix-managed DNS domain
> (msr-inria.inria.fr), not to the windows-managed one corresponding to
> the AD realm (msr-inria.idf). It means resolving their IP address results
> in foo.msr-inria.inria.fr, not in foo.msr-inria.idf. The Unix DNS is a
> secondary server for the msr-inria.idf zone, meaning SRV record lookup
> still works. But all CIFS kerberos authentication attempts for the host
> unqualified, or realm-qualified, fail: I can't use \\foo, nor
> \\foo.msr-inria.idf, only \\foo.msr-inria.inria.fr
>
> I know this is probably due to kerberos DNS-based hostname
> canonicalisation, and not samba-specific (it also occurs with netapp
> filers), but I initially understood it with my samba server. Is there
> anything I could do there to make users' lives easier?
>

Seems very complicated to me. Maybe you could use only one DNS system with different DNS zones (something like msr-inria.inria.fr for your general domain and windows.msr-inria.inria.fr for the AD part), all managed with bind? This is what we have here, and this allows a box to know its actual name without any kind of schizophrenia.

If you need foo to be resolved as foo.msr-inria.inria.fr, you could have:

    foo.msr-inria.inria.fr          CNAME  foo.windows.msr-inria.inria.fr
    foo.windows.msr-inria.inria.fr  A      x.x.x.x
    x.x.x.x                         PTR    foo.windows.msr-inria.inria.fr

(...)

> There is a user mapping option in samba, but it is primarily meant for
> mapping Windows users to Unix users, whereas I'd need there to map
> Windows unqualified users to kerberos-realm users, instead of ad-realm
> users.
> Is this possible somehow?

I'm not sure I understand your problem exactly, but I think that samba can't use a non-AD kerberos realm. If there is a way, I'm very interested, though.
-- 
Pascal Levy
Network & IT Resources Engineer
Bibliothèque InterUniversitaire Sainte Geneviève
tel. : (33) 1 44 41 97 53
Bibliothèque InterUniversitaire de Langues Orientales
tel. : (33) 1 44 77 95 00
pascal.levy@univ-paris3.fr
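Editor's added example (not code from the thread, from Samba or from either poster): the first question and the CNAME proposal in the reply both come down to which service principal (SPN) a CIFS client asks the KDC for, and whether the Samba host holds a key for it. The model below uses constructed DNS records mirroring the two layouts (the original split between msr-inria.idf and msr-inria.inria.fr, and the reply's windows.msr-inria.inria.fr sub-zone with a CNAME) and two client behaviours: a "typed" client that builds the SPN from the name as the user typed it (how Windows SMB clients behave), and an "rdns" client that resolves the name and uses the PTR record (MIT krb5 with its default rdns = true). The address 192.0.2.10 and the `registered` sets are assumptions standing in for the server's keytab and AD computer object.

```python
"""Which Kerberos SPN does a CIFS client ask for, and will the server have it?

Constructed model for the samba-list thread above; not Samba code.
"""
from typing import Dict, Iterable, Set, Tuple

Zone = Dict[Tuple[str, str], str]   # (owner name, rrtype) -> rdata

# Constructed records for the poster's layout: both names, one address,
# PTR pointing at the Unix-managed name (assumed address 192.0.2.10).
ORIGINAL_LAYOUT: Zone = {
    ("foo.msr-inria.idf", "A"): "192.0.2.10",
    ("foo.msr-inria.inria.fr", "A"): "192.0.2.10",
    ("192.0.2.10", "PTR"): "foo.msr-inria.inria.fr",
}

# Constructed records for the reply's layout: AD hosts in a sub-zone,
# the old name kept as a CNAME, PTR pointing at the canonical name.
CNAME_LAYOUT: Zone = {
    ("foo.msr-inria.inria.fr", "CNAME"): "foo.windows.msr-inria.inria.fr",
    ("foo.windows.msr-inria.inria.fr", "A"): "192.0.2.10",
    ("192.0.2.10", "PTR"): "foo.windows.msr-inria.inria.fr",
}

MAX_CNAME_HOPS = 8


def qualify(name: str, search_domain: str) -> str:
    """Append the client's DNS search domain to an unqualified name."""
    return name if "." in name else f"{name}.{search_domain}"


def forward_lookup(zone: Zone, name: str) -> Tuple[str, str]:
    """Follow CNAMEs to the canonical name and its A record.

    Raises KeyError for a non-existent name (NXDOMAIN) or a chain longer
    than MAX_CNAME_HOPS, which a real resolver would also give up on.
    """
    for _ in range(MAX_CNAME_HOPS):
        if (name, "A") in zone:
            return name, zone[(name, "A")]
        name = zone[(name, "CNAME")]
    raise KeyError(f"CNAME chain too long at {name}")


def spn_for(zone: Zone, typed: str, style: str, search_domain: str) -> str:
    """Return the cifs/... principal the client will request from the KDC."""
    typed = typed.lower()
    if style == "typed":              # Windows SMB client: name as typed
        return f"cifs/{typed}"
    if style == "rdns":               # MIT krb5 rdns=true: PTR of the address
        _canonical, addr = forward_lookup(zone, qualify(typed, search_domain))
        return f"cifs/{zone[(addr, 'PTR')]}"
    raise ValueError(f"unknown client style {style!r}")


def kerberos_would_succeed(zone: Zone, typed: str, style: str,
                           search_domain: str, registered: Set[str]) -> bool:
    """True when the requested SPN is one the server holds a key for.

    `registered` stands for the SPNs present in the server's keytab and on
    its AD computer object; any other SPN gets an unknown-principal error
    from the KDC, after which the client falls back to NTLM.
    """
    try:
        return spn_for(zone, typed, style, search_domain) in registered
    except KeyError:
        return False                  # unresolvable: no Kerberos attempt


def required_spns(zone: Zone, typed_names: Iterable[str],
                  styles: Iterable[str], search_domain: str) -> Set[str]:
    """Every SPN the server must register so that all name/client pairs work."""
    needed: Set[str] = set()
    for name in typed_names:
        for style in styles:
            try:
                needed.add(spn_for(zone, name, style, search_domain))
            except KeyError:
                pass
    return needed


if __name__ == "__main__":
    names = ["foo", "foo.msr-inria.idf", "foo.msr-inria.inria.fr"]
    have = {"cifs/foo.msr-inria.inria.fr"}   # assumed: only the Unix FQDN registered
    for name in names:
        for style in ("typed", "rdns"):
            ok = kerberos_would_succeed(ORIGINAL_LAYOUT, name, style, "msr-inria.idf", have)
            print(f"{style:5} {name:24} -> {'kerberos' if ok else 'NTLM fallback'}")
    print(sorted(required_spns(ORIGINAL_LAYOUT, names, ["typed", "rdns"], "msr-inria.idf")))
```

Running the model on the original layout reproduces the symptom: a typed-name client opening \\foo.msr-inria.idf asks for cifs/foo.msr-inria.idf, which nothing has a key for, while an rdns client collapses all three spellings to cifs/foo.msr-inria.inria.fr via the PTR record. It also shows the caveat on the CNAME proposal: the CNAME changes what an rdns client requests but not what a typed-name client requests, so the Samba host still needs the alias name registered as an SPN (Samba's `net ads keytab add` is the usual way to add one) in addition to the canonical one.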