Re: [Samba] Unable to get Samba-3.6.12 to authenticate using ADS

2013-05-25 Thread Rowland Penny
Hi, you probably haven't set up NSS etc. so that your fileserver knows about
your AD users.

Have a read here:
https://wiki.samba.org/index.php/Samba_%26_Active_Directory

Then once you have understood what needs to be done, go here:
http://linuxcostablanca.blogspot.co.uk/2013/04/sssd-in-samba-40.html

The above is about using sssd instead of winbind; sssd is a lot easier to
use than winbind.

There is also a page (on the sssd website) about using sssd against windows
2008 server (AD):
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

Rowland


On 24 May 2013 22:12, Lee Allen l...@leecallen.com wrote:

 I have a Samba-4 system running as an Active Directory server.  It's
 working great: computers are joined to it, users are logged in, etc.  Good
 job Samba developers, and thank you!

 But of course I am not satisfied.  Now I want to configure another server
 (well, a VM) as a file server using Samba-3.6.12.  I want it to refer to
 the Samba4 server for all user authentication.  My understanding of the
 documentation is that I set server = ads and join the samba3 system to my
 domain.  I do not need to create any users/accounts on the Samba3
 (fileserver) system.

 Am I right so far?

 But, it's not working -- it is not authenticating requests using the AD
 server.  There are error messages coming out of Samba that I don't
 understand (no surprise there).

 I have read the relevant documentation, including the Domain Membership
 section, and I have followed the instructions here:

 http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

 Here are the details.

 AD is Samba-4 running on samba-ad.allenlan.net (192.168.0.13).
 Fileserver is Samba-3.6.12 on smb-test-zone.allenlan.net (192.168.0.17).
 A Win7 PC named t110-win7-base.allenlan.net (192.168.0.93) is joined to
 the
 domain, user allenlan\lallen is logged in to it, and I attempt to map a
 share on the Samba-3.6.12 system using:
 # net use L: \\192.168.0.17\Lee
 this prompts for username (it should not), I enter allenlan\lallen (or 
 allenlan.net\lallen), it prompts for password, and I enter that.  The
 authentication fails - the log file is below.

 # cat /opt/local/etc/samba/smb.conf
 [global]
    workgroup = ALLENLAN
    server string = Samba %v (%h)
    realm = allenlan.net
    security = ads
    password server = 192.168.0.13
    load printers = no
    guest account = guest

    (omitting the shares)

 # kinit administra...@allenlan.net
 # klist
 Credentials cache: FILE:/tmp/krb5cc_0
 Principal: administra...@allenlan.net

   Issued                Expires               Principal
 May 24 19:44:08 2013  May 25 05:44:08 2013  krbtgt/allenlan@allenlan.net

 # net ads join -U Administrator%password

 # net ads testjoin
 Join is OK

 # net ads info
 LDAP server: 192.168.0.13
 LDAP server name: samba-ad.allenlan.net
 Realm: ALLENLAN.NET
 Bind Path: dc=ALLENLAN,dc=NET
 LDAP port: 389
 Server time: Fri, 24 May 2013 19:44:36 UTC
 KDC server: 192.168.0.13
 Server time offset: 0

 # /opt/local/sbin/smbd -i -d3 -s /opt/local/etc/samba/smb.conf
 Maximum core file size limits now -3(soft) -3(hard)
 smbd version 3.6.12 started.
 Copyright Andrew Tridgell and the Samba Team 1992-2011
 uid=0 gid=0 euid=0 egid=0
 lp_load_ex: refreshing parameters
 Initialising global parameters
 params.c:pm_process() - Processing configuration file
 /opt/local/etc/samba/smb.conf
 Processing section [global]
 Registered MSG_REQ_POOL_USAGE
 Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
 lp_load_ex: refreshing parameters
 Initialising global parameters
 params.c:pm_process() - Processing configuration file
 /opt/local/etc/samba/smb.conf
 Processing section [global]
 Processing section [Lee]
 adding IPC service
 added interface net0 ip=192.168.0.17 bcast=192.168.0.255
 netmask=255.255.255.0
 loaded services
 Initialise the svcctl registry keys if needed.
 Closed policy
 Closed policy
 Closed policy
 Closed policy
 Closed policy
 Closed policy
 Closed policy
 Closed policy
 Closed policy
 Initialise the eventlog registry keys if needed.
 Closed policy
 get_dc_list: preferred server list: samba-ad.allenlan.net, 192.168.0.13
 Successfully contacted LDAP server 192.168.0.13
 get_dc_list: preferred server list: samba-ad.allenlan.net, 192.168.0.13
 get_dc_list: preferred server list: samba-ad.allenlan.net, 192.168.0.13
 Successfully contacted LDAP server 192.168.0.13
 Connected to LDAP server samba-ad.allenlan.net
 ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
 ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
 ads_sasl_spnego_bind: got server principal name =
 not_defined_in_RFC4178@please_ignore
 ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
 ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration
 Sat, 25 May 2013 05:46:13 UTC
 reloading printcap cache
 No Printers 
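As an added illustration of the gap the reply above points at (the member server has no winbind/idmap configuration and NSS has not been told about winbind), here is a small Python audit of an smb.conf and nsswitch.conf pair for a security = ads domain member. This is example code written for this page, not code from the thread, from Rowland, or from the Samba project. The posted [global] section is embedded verbatim; the corrected configuration, the nsswitch.conf lines, the idmap ranges and every function name are assumptions made for the illustration.

```python
"""Audit the smb.conf / nsswitch.conf pair of a `security = ads` Samba
domain member for the settings it needs before AD users can authenticate.

Added example, not code from this thread or from the Samba project.  The
POSTED_* texts reproduce the [global] section from the thread plus a
constructed stock nsswitch.conf; the FIXED_* texts, the idmap ranges and
every function name here are assumptions made for the illustration.
"""
import re

# [global] section exactly as posted in the thread (shares omitted there too).
POSTED_SMB_CONF = """
[global]
   workgroup = ALLENLAN
   server string = Samba %v (%h)
   realm = allenlan.net
   security = ads
   password server = 192.168.0.13
   load printers = no
   guest account = guest
"""

# Constructed: a stock nsswitch.conf that has never been told about winbind.
POSTED_NSSWITCH = """
passwd: files
group:  files
hosts:  files dns
"""

# Constructed corrected [global]: winbind gets an idmap range for the default
# domain and a RID-based, reproducible mapping for the joined domain.
FIXED_SMB_CONF = """
[global]
   workgroup = ALLENLAN
   realm = ALLENLAN.NET
   security = ads
   # no 'password server': let DNS SRV records locate the DC
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config ALLENLAN : backend = rid
   idmap config ALLENLAN : range = 20000-99999
   winbind use default domain = yes
   template shell = /bin/sh
   template homedir = /home/%U
"""

FIXED_NSSWITCH = """
passwd: files winbind
group:  files winbind
hosts:  files dns
"""


def _norm(key: str) -> str:
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
    return sections


def nss_uses_winbind(nsswitch_text: str) -> dict:
    """For passwd and group, does the NSS source list include winbind?"""
    found = {"passwd": False, "group": False}
    for raw in nsswitch_text.splitlines():
        db, sep, sources = raw.split("#", 1)[0].partition(":")
        if sep and db.strip() in found:
            found[db.strip()] = "winbind" in sources.split()
    return found


def audit_ads_member(smb_conf_text: str, nsswitch_text: str) -> list:
    """Return [(severity, message)] for everything that would stop AD users
    from being resolved to Unix identities on this member server."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    if g.get("security", "").lower() != "ads":
        return [("error", "security is not 'ads'; these checks do not apply")]
    findings = []
    for required in ("realm", "workgroup"):
        if not g.get(required):
            findings.append(("error", f"'{required}' is required with security = ads"))
    # Without a default idmap range winbind cannot allocate UIDs/GIDs at all.
    if not g.get(_norm("idmap config * : range")):
        findings.append(("error", "no 'idmap config * : range'; winbind cannot allocate IDs"))
    dom = g.get("workgroup", "")
    if dom:
        backend = g.get(_norm(f"idmap config {dom} : backend"))
        if not backend:
            findings.append(("warn", f"no 'idmap config {dom} : backend'; IDs are "
                             "allocated on first sight and differ between member servers"))
        elif not g.get(_norm(f"idmap config {dom} : range")):
            findings.append(("error", f"'idmap config {dom} : backend = {backend}' needs a range"))
    # A hard-coded DC address bypasses the DNS SRV discovery an ADS member relies on.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", g.get("passwordserver", "")):
        findings.append(("warn", "'password server' is a bare IP; ADS members normally "
                         "leave it unset and rely on DNS SRV records"))
    for db, ok in nss_uses_winbind(nsswitch_text).items():
        if not ok:
            findings.append(("error", f"nsswitch.conf '{db}' does not list winbind; "
                             "smbd cannot map AD users to Unix accounts"))
    return findings


if __name__ == "__main__":
    for label, smb, nss in (("posted", POSTED_SMB_CONF, POSTED_NSSWITCH),
                            ("fixed", FIXED_SMB_CONF, FIXED_NSSWITCH)):
        print(f"== {label} ==")
        for sev, msg in audit_ads_member(smb, nss) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it with python3 and it prints the findings for the posted configuration (no idmap range, no domain idmap backend, hard-coded password server, winbind absent from passwd and group) and none for the corrected pair. The audit only reads files; on the real host winbindd must also be running, and the live checks are wbinfo -t (machine trust), wbinfo -u (user enumeration over winbind) and getent passwd for a domain user, which is what has to succeed before smbd can turn an AD logon into a Unix identity.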

[Samba] Unable to get Samba-3.6.12 to authenticate using ADS

2013-05-24 Thread Lee Allen
I have a Samba-4 system running as an Active Directory server.  It's
working great: computers are joined to it, users are logged in, etc.  Good
job Samba developers, and thank you!

But of course I am not satisfied.  Now I want to configure another server
(well, a VM) as a file server using Samba-3.6.12.  I want it to refer to
the Samba4 server for all user authentication.  My understanding of the
documentation is that I set server = ads and join the samba3 system to my
domain.  I do not need to create any users/accounts on the Samba3
(fileserver) system.

Am I right so far?

But, it's not working -- it is not authenticating requests using the AD
server.  There are error messages coming out of Samba that I don't
understand (no surprise there).

I have read the relevant documentation, including the Domain Membership
section, and I have followed the instructions here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Here are the details.

AD is Samba-4 running on samba-ad.allenlan.net (192.168.0.13).
Fileserver is Samba-3.6.12 on smb-test-zone.allenlan.net (192.168.0.17).
A Win7 PC named t110-win7-base.allenlan.net (192.168.0.93) is joined to the
domain, user allenlan\lallen is logged in to it, and I attempt to map a
share on the Samba-3.6.12 system using:
# net use L: \\192.168.0.17\Lee
this prompts for username (it should not), I enter allenlan\lallen (or 
allenlan.net\lallen), it prompts for password, and I enter that.  The
authentication fails - the log file is below.

# cat /opt/local/etc/samba/smb.conf
[global]
   workgroup = ALLENLAN
   server string = Samba %v (%h)
   realm = allenlan.net
   security = ads
   password server = 192.168.0.13
   load printers = no
   guest account = guest

   (omitting the shares)

# kinit administra...@allenlan.net
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administra...@allenlan.net

  Issued                Expires               Principal
May 24 19:44:08 2013  May 25 05:44:08 2013  krbtgt/allenlan@allenlan.net

# net ads join -U Administrator%password

# net ads testjoin
Join is OK

# net ads info
LDAP server: 192.168.0.13
LDAP server name: samba-ad.allenlan.net
Realm: ALLENLAN.NET
Bind Path: dc=ALLENLAN,dc=NET
LDAP port: 389
Server time: Fri, 24 May 2013 19:44:36 UTC
KDC server: 192.168.0.13
Server time offset: 0

# /opt/local/sbin/smbd -i -d3 -s /opt/local/etc/samba/smb.conf
Maximum core file size limits now -3(soft) -3(hard)
smbd version 3.6.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
/opt/local/etc/samba/smb.conf
Processing section [global]
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
/opt/local/etc/samba/smb.conf
Processing section [global]
Processing section [Lee]
adding IPC service
added interface net0 ip=192.168.0.17 bcast=192.168.0.255
netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: samba-ad.allenlan.net, 192.168.0.13
Successfully contacted LDAP server 192.168.0.13
get_dc_list: preferred server list: samba-ad.allenlan.net, 192.168.0.13
get_dc_list: preferred server list: samba-ad.allenlan.net, 192.168.0.13
Successfully contacted LDAP server 192.168.0.13
Connected to LDAP server samba-ad.allenlan.net
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration
Sat, 25 May 2013 05:46:13 UTC
reloading printcap cache
No Printers found!!!
reload status: error
waiting for connections
Allowed connection from 192.168.0.93 (192.168.0.93)
init_oplocks: initializing messages.
Transaction 0 of length 159 (0 toread)
switch message SMBnegprot (pid 85924) conn 0x0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [SMB 2.002]
Requested protocol [SMB 2.???]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1622 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
Doing spnego session setup
NativeOS=[]