[Samba] Authenticating to AD - SMB



Thread: [Samba] Authenticating to AD

  1. [Samba] Authenticating to AD

    Sorry if this has been asked before. I've tried to research this but I'm
    getting overwhelmed..

    I have Mandrake 9.1 running in a Windows shop where the users are stored
    in Active Directory. Now I had things sort of set up with Samba 2.2 but
    decided to switch to Samba 3.0. Got the binaries and installed them.
    Oddity #1 - seems everything has a 3 appended to it! So /etc/init.d/smb
    is /etc/init.d/smb3, /etc/init.d/winbind is /etc/init.d/winbind3, wbinfo
    is wbinfo3, etc. No real biggie except I believe that I had to adjust
    pam.d files to use pam_winbind3.so. Anyways.

    What I have set up so far allows file sharing but user authentication is
    not correct. I can, for example, wbinfo3 -u and see all the users
    (except they lack the + portion) as well as groups. But if I
    getent passwd I do not see anything from AD.

    If I ssh from the Linux box to the same Linux box using a username that
    should be in the AD (my username of adefaria) I see the following in
    /var/log/messages:

    Nov 19 17:33:35 sonslinux sshd[30073]: Illegal user adefaria from
    192.168.1.47

    Needless to say there is no way to ssh in and winbindd apparently isn't
    finding adefaria.

    If I wbinfo3 -a adefaria% I see:

    plaintext password authentication succeeded
    challenge/response password authentication failed
    error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    error messsage was: winbind client not authorized to use
    winbindd_pam_auth_crap
    Could not authenticate user adefaria with challenge/response

    However if I su to root on the Linux box and do the wbinfo3 for adefaria
    it works.

    My ultimate goal is to have all AD users available to the Linux box and
    I would like to have them homed into their home directories that are
    also windows based (smbfs). As such I'm concerned that the UID mappings
    are correct so that there aren't any permissions problems.

    As an aside, although we are a Windows shop, usage of Cygwin is
    prevalent. Cygwin uses part of the SID as a UID. So I want to make sure
    that my UID on Linux matches my UID that I have in Cygwin. As I see it
    winbindd seems to assign UID to people in the range of 10000-20000 (as
    configured in smb.conf) but in Cygwin UIDs are typically the last 4
    digits of the SID. So my Cygwin UID under Windows is 1370. I would like
    it so that when I ssh into the Linux box I am assigned a matching UID of
    1370. Is this doable?

    Please let me know what information you may need to help me from my
    config files.

    Thanks.


    --
    Shin: A device for finding furniture in the dark.


  2. Re: [Samba] Authenticating to AD

    Andrew DeFaria wrote:

    > Sorry if this has been asked before. I've tried to research this but
    > I'm getting overwhelmed..
    >
    > I have Mandrake 9.1 running in a Windows shop where the users are
    > stored in Active Directory. Now I had things sort of set up with Samba
    > 2.2 but decided to switch to Samba 3.0. Got the binaries and installed
    > them. Oddity #1 - seems everything has a 3 appended to it! So
    > /etc/init.d/smb is /etc/init.d/smb3, /etc/init.d/winbind is
    > /etc/init.d/winbind3, wbinfo is wbinfo3, etc. No real biggie except I
    > believe that I had to adjust pam.d files to use pam_winbind3.so. Anyways.
    >
    > What I have set up so far allows file sharing but user authentication
    > is not correct. I can, for example, wbinfo3 -u and see all the users
    > (except they lack the + portion) as well as groups. But if I
    > getent passwd I do not see anything from AD.
    >
    > If I ssh from the Linux box to the same Linux box using a username
    > that should be in the AD (my username of adefaria) I see the following
    > in /var/log/messages:
    >
    > Nov 19 17:33:35 sonslinux sshd[30073]: Illegal user adefaria from
    > 192.168.1.47
    >
    > Needless to say there is no way to ssh in and winbindd apparently
    > isn't finding adefaria.
    >
    > If I wbinfo3 -a adefaria% I see:
    >
    > plaintext password authentication succeeded
    > challenge/response password authentication failed
    > error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    > error messsage was: winbind client not authorized to use
    > winbindd_pam_auth_crap
    > Could not authenticate user adefaria with challenge/response
    >
    > However if I su to root on the Linux box and do the wbinfo3 for
    > adefaria it works.
    >
    > My ultimate goal is to have all AD users available to the Linux box
    > and I would like to have them homed into their home directories that
    > are also windows based (smbfs). As such I'm concerned that the UID
    > mappings are correct so that there aren't any permissions problems.
    >
    > As an aside, although we are a Windows shop, usage of Cygwin is
    > prevalent. Cygwin uses part of the SID as a UID. So I want to make
    > sure that my UID on Linux matches my UID that I have in Cygwin. As I
    > see it winbindd seems to assign UID to people in the range of
    > 10000-20000 (as configured in smb.conf) but in Cygwin UIDs are
    > typically the last 4 digits of the SID. So my Cygwin UID under Windows
    > is 1370. I would like it so that when I ssh into the Linux box I am
    > assigned a matching UID of 1370. Is this doable?
    >
    > Please let me know what information you may need to help me from my
    > config files.
    >
    > Thanks.


    Anybody? I'm totally lost here as to why this is not working. I would
    appreciate any feedback anybody has to offer.

    (Another aside, I tried posting to linux.samba where every post appears
    to have [Samba] in the front of it but I keep getting denied with a
    message of: "Couldn't mail your post to the moderator, please try
    again". What's up with that?)
    --
    Ever notice how fast Windows runs? Neither did I.


  3. Re: [Samba] Authenticating to AD

    I'm surprised that nobody has commented yet. Does nobody else see such
    problems or can offer any help? Is anybody seeing my posts at all? Could
    somebody please respond, if only to say "Yeah we see your posts but have
    no solution".

    Thanks.

    Andrew DeFaria wrote:

    > Andrew DeFaria wrote:
    >
    >> Sorry if this has been asked before. I've tried to research this but
    >> I'm getting overwhelmed..
    >>
    >> I have Mandrake 9.1 running in a Windows shop where the users are
    >> stored in Active Directory. Now I had things sort of set up with
    >> Samba 2.2 but decided to switch to Samba 3.0. Got the binaries and
    >> installed them. Oddity #1 - seems everything has a 3 appended to it!
    >> So /etc/init.d/smb is /etc/init.d/smb3, /etc/init.d/winbind is
    >> /etc/init.d/winbind3, wbinfo is wbinfo3, etc. No real biggie except I
    >> believe that I had to adjust pam.d files to use pam_winbind3.so.
    >> Anyways.
    >>
    >> What I have set up so far allows file sharing but user authentication
    >> is not correct. I can, for example, wbinfo3 -u and see all the users
    >> (except they lack the + portion) as well as groups. But if I
    >> getent passwd I do not see anything from AD.
    >>
    >> If I ssh from the Linux box to the same Linux box using a username
    >> that should be in the AD (my username of adefaria) I see the
    >> following in /var/log/messages:
    >>
    >> Nov 19 17:33:35 sonslinux sshd[30073]: Illegal user adefaria from
    >> 192.168.1.47
    >>
    >> Needless to say there is no way to ssh in and winbindd apparently
    >> isn't finding adefaria.
    >>
    >> If I wbinfo3 -a adefaria% I see:
    >>
    >> plaintext password authentication succeeded
    >> challenge/response password authentication failed
    >> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    >> error messsage was: winbind client not authorized to use
    >> winbindd_pam_auth_crap
    >> Could not authenticate user adefaria with challenge/response
    >>
    >> However if I su to root on the Linux box and do the wbinfo3 for
    >> adefaria it works.
    >>
    >> My ultimate goal is to have all AD users available to the Linux box
    >> and I would like to have them homed into their home directories that
    >> are also windows based (smbfs). As such I'm concerned that the UID
    >> mappings are correct so that there aren't any permissions problems.
    >>
    >> As an aside, although we are a Windows shop, usage of Cygwin is
    >> prevalent. Cygwin uses part of the SID as a UID. So I want to make
    >> sure that my UID on Linux matches my UID that I have in Cygwin. As I
    >> see it winbindd seems to assign UID to people in the range of
    >> 10000-20000 (as configured in smb.conf) but in Cygwin UIDs are
    >> typically the last 4 digits of the SID. So my Cygwin UID under
    >> Windows is 1370. I would like it so that when I ssh into the Linux
    >> box I am assigned a matching UID of 1370. Is this doable?
    >>
    >> Please let me know what information you may need to help me from my
    >> config files.
    >>
    >> Thanks.

    >
    >
    > Anybody? I'm totally lost here as to why this is not working. I would
    > appreciate any feedback anybody has to offer.
    >
    > (Another aside, I tried posting to linux.samba where every post
    > appears to have [Samba] in the front of it but I keep getting denied
    > with a message of: "Couldn't mail your post to the moderator, please
    > try again". What's up with that?)



    --
    You know how it is when you're walking up the stairs, and you get to the
    top, and you think there's one more step? I'm like that all the time.


  4. Re: [Samba] Authenticating to AD

    In article ,
    Andrew DeFaria wrote:
    > problems or can offer any help? Is anybody seeing my posts at all? Could
    > somebody please response if only to say "Yeah we see your posts but have


    Don't feel bad, everyone ignores me too. Next time you wonder about
    something like that, look up your post on Google. If it's there, it
    probably got out.
    --
    /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
    or put "not-spam" or "/dev/rob0" in Subject header to reply

  5. Re: [Samba] Authenticating to AD

    /dev/rob0 wrote:

    > In article <d9a16$3fcba0c8$ceb8cc02$25844@msgid.meganewsservers.com>,
    > Andrew DeFaria wrote:
    >> problems or can offer any help? Is anybody seeing my posts at all? Could
    >> somebody please response if only to say "Yeah we see your posts but have
    >
    > Don't feel bad, everyone ignores me too. Next time you wonder about
    > something like that, look up your post on Google. If it's there, it
    > probably got out.

    OK so it's out. Anybody have any ideas of what I can do to get this to work?

    I've been playing more with this but still not getting past the basic problem.

    I have a new problem. A user comes up to me and asks why he cannot browse into his home directory on the Linux box. I have a [homes] section in smb.conf (slight aside... I also have an smb-winbind.conf file which appears to be very much like smb.conf. Is it needed? Do settings in smb.conf that also appear in smb-winbind.conf need to be the same? This is very confusing. I hope that this smb-winbind.conf file is just a sample conf file and it can be deleted):

    [homes]
      comment       = "Home directories"
      path          = /home/%u
      public        = yes
      writable      = yes

    Browsing with Windows Explorer to the Linux box shows me a directory which represents my home directory based on my username (adefaria). Double clicking it results in a long delay then a dialog box stating:
    \\sonslinux\adefaria is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.

    No network provider accepted the given network path.
    The Samba log file for this machine shows several:

    [2003/12/01 14:02:50, 0] smbd/service.c:make_connection(599)
      adefaria (192.168.1.26) Can't change directory to /home/salira+adefaria (No such file or directory)
    [2003/12/01 15:21:56, 0] smbd/service.c:make_connection(599)
      adefaria (192.168.1.26) Can't change directory to /home/salira+adefaria (No such file or directory)
    [2003/12/01 15:22:05, 0] smbd/service.c:make_connection(599)
      adefaria (192.168.1.26) Can't change directory to /home/salira+adefaria (No such file or directory)

    Notice how it's prepending the domain name followed by the "+" for %u! (Attempts to turn off winbind use default domain do not work). If I create a symlink from /home/salira+adefaria -> /home/adefaria (a directory that does exist and the one I'm attempting to browse to) then I am able to browse in OK. But it doesn't seem right that I should have to symlink things. How can I get winbind (or smb) to translate %u to just the username without the domainname+ at the front?
    --
    Help Wanted: Telepath. You know where to apply.
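    As an added diagnostic (not code from this thread or from the Samba project) covering the first post and the one above: it reads constructed copies of the sshd "Illegal user" line and the smbd "Can't change directory" lines, checks whether winbind is listed on the passwd line of nsswitch.conf (sshd reports "Illegal user" when the name cannot be resolved through NSS, the same lookup an empty getent passwd reflects), and shows how %u in the [homes] path expands with and without winbind use default domain. The sample log text and nsswitch.conf content are constructed; the "salira" domain and "+" separator are taken from the log lines above.

```python
import re

# Constructed sample input, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Nov 19 17:33:35 sonslinux sshd[30073]: Illegal user adefaria from 192.168.1.47
[2003/12/01 14:02:50, 0] smbd/service.c:make_connection(599)
  adefaria (192.168.1.26) Can't change directory to /home/salira+adefaria (No such file or directory)
[2003/12/01 15:21:56, 0] smbd/service.c:make_connection(599)
  adefaria (192.168.1.26) Can't change directory to /home/salira+adefaria (No such file or directory)
"""

# Constructed nsswitch.conf with winbind missing from the passwd line, which
# is what an empty 'getent passwd' and sshd's "Illegal user" look like.
SAMPLE_NSSWITCH = """\
passwd:  files
shadow:  files
group:   files winbind
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from (\S+)")
SMBD_RE = re.compile(r"Can't change directory to (\S+) \(No such file or directory\)")

def nss_has_winbind(nsswitch_text, database="passwd"):
    """True if the given nsswitch.conf database lists winbind as a source."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, sources = line.partition(":")
        if db.strip() == database:
            return "winbind" in sources.split()
    return False

def split_winbind_name(name, separator="+"):
    """Split 'DOMAIN<sep>user' into (domain, user); a bare name gives (None, name)."""
    domain, sep, user = name.partition(separator)
    return (domain, user) if sep else (None, name)

def expand_home(name, template="/home/%u", separator="+", use_default_domain=False):
    """Expand %u in a [homes] path; 'winbind use default domain = yes' drops the prefix."""
    _, user = split_winbind_name(name, separator)
    return template.replace("%u", user if use_default_domain else name)

def diagnose(log_text, nsswitch_text, separator="+"):
    """Return (kind, subject, explanation) findings for the two failure modes."""
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            cause = ("winbind is not listed on the passwd line of nsswitch.conf"
                     if not nss_has_winbind(nsswitch_text, "passwd")
                     else "NSS lists winbind but did not return the user; check winbindd")
            finding = ("sshd_unknown_user", m.group(1), cause)
        else:
            m = SMBD_RE.search(line)
            if not m:
                continue
            leaf = m.group(1).rsplit("/", 1)[-1]
            domain, user = split_winbind_name(leaf, separator)
            if domain is None:
                continue
            finding = ("homes_path_has_domain_prefix", leaf,
                       f"%u expanded to '{leaf}'; with winbind use default domain it would be '{user}'")
        if finding not in findings:  # the smbd line repeats once per connection attempt
            findings.append(finding)
    return findings
```

    Call diagnose(SAMPLE_LOG, SAMPLE_NSSWITCH) to get one finding per distinct failure; swap in real /var/log/messages, smbd log and nsswitch.conf text to run it against a live box.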


  6. Re: [Samba] Authenticating to AD


    "/dev/rob0" wrote in message
    news:slrnbsnh1e.bub.rob0@linuxbox.linux.box...
    > In article ,
    > Andrew DeFaria wrote:
    > > problems or can offer any help? Is anybody seeing my posts at all? Could
    > > somebody please response if only to say "Yeah we see your posts but have

    >
    > Don't feel bad, everyone ignores me too. Next time you wonder about
    > something like that, look up your post on Google. If it's there, it
    > probably got out.


    ... pretty redundant to answer every post with " yeah we've seen it but we've
    gotten no answer" isn't it ? :-)



  7. Re: [Samba] Authenticating to AD

    In article , imbsysop wrote:
    >> Don't feel bad, everyone ignores me too. Next time you wonder about
    >> something like that, look up your post on Google. If it's there, it
    >> probably got out.

    >
    > .. pretty redundant to answer every post with " yeah we've seen it but we've
    > gotten no answer" isn't it ? :-)


    Yes, which is why I included the Google suggestion. I wanted to put
    forth at least a tiny amount of content. This one, OTOH, has none.
    --
    /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
    or put "not-spam" or "/dev/rob0" in Subject header to reply

  8. Re: [Samba] Authenticating to AD

    imbsysop wrote:

    > "/dev/rob0" <rob0@gmx.co.uk> wrote in message
    > news:slrnbsnh1e.bub.rob0@linuxbox.linux.box...
    >> In article <d9a16$3fcba0c8$ceb8cc02$25844@msgid.meganewsservers.com>,
    >> Andrew DeFaria wrote:
    >>> problems or can offer any help? Is anybody seeing my posts at all? Could
    >>> somebody please response if only to say "Yeah we see your posts but have
    >>
    >> Don't feel bad, everyone ignores me too. Next time you wonder about
    >> something like that, look up your post on Google. If it's there, it
    >> probably got out.
    >
    > .. pretty redundant to answer every post with " yeah we've seen it but we've
    > gotten no answer" isn't it ? :-)

    Not at all! It does several things:

    Acknowledges that your question made it out there.
    Confirms that this indeed is a problem.
    Gives the information that the problem is known and there is no known
    solution yet.

    However I doubt that this is a problem that is known with no known solution. For one this used to work, albeit not perfectly before, even on my system. Then I foolishly decided to upgrade to Samba 3 and that worked worse, so now I've downgraded back to 2.2.8.

    Additionally I find it hard to believe that people are just settling with such problems as not being able to browse their home directories on Linux and not being able to log into Linux with their Windows usernames using Winbind. Effectively winbind is useless AFAICT and I don't think people are idly standing for that.

    I suspect it's much more that people aren't using Mandrake 9.1 in such a fashion.
    --
    C:\> Bad command or file name! Go stand in the corner.

  9. Re: [Samba] Authenticating to AD


    "Andrew DeFaria" wrote in message
    news:a19a7$3fccfae8$ceb8cc02$18454@msgid.meganewsservers.com...
    > imbsysop wrote:
    >
    >> ... pretty redundant to answer every post with " yeah we've seen it but we've
    >> gotten no answer" isn't it ? :-)
    >
    > Not at all! It does several things:
    >
    > Acknowledges that your question made it out there.
    > Confirms that this indeed is a problem.
    > Gives the information that the problem is known and there is no known
    > solution yet.


    You must be kidding ..(while you are posting in html for that matter) !!

    why waste a 100% bandwidth in saying nothing if one does not have an answer?
    you'll be flamed to hell in many groups :-)



  10. Re: [Samba] Authenticating to AD

    imbsysop wrote:

    > .. pretty redundant to answer every post with " yeah we've seen it but
    > we've
    > gotten no answer" isn't it ? :-)
    > Not at all! It does several things:
    >
    > Acknowledges that your question made it out there.
    > Confirms that this indeed is a problem.
    > Gives the information that the problem is known and there is no known
    > solution yet.
    >
    > You must be kidding ..(while you are posting in html for that matter) !!


    What makes you think I'm kidding? It does do all of the above does it not?

    > why waste a 100% bandwidth in saying nothing if one does not have an
    > answer?


    Bandwidth is cheap. Advice is precious, even if it says that this is
    indeed a problem with no solution right now. Also, just because you
    don't have the answer doesn't mean there isn't an answer.

    I remain unconvinced that there is no solution to this simple problem.
    If there is no solution then Samba has a very severe limitation. What
    good is winbind if you cannot use it to authenticate a Windows user for
    the purposes of logging in?!? And besides, as I said before, it used to
    work for me until I tried Samba 3.0.

    > you'll be flamed to hell in many groups :-)


    So what? I'll just ignore the irrelevance of the remarks.


  11. Re: [Samba] Authenticating to AD

    In article <6e76d$3fcfbde7$ceb8cc02$30004@msgid.meganewsservers.com>,
    Andrew DeFaria wrote:
    >>> .. pretty redundant to answer every post with " yeah we've seen it but
    >>> we've gotten no answer" isn't it ? :-)

    >> Not at all! It does several things:
    >>
    >> Acknowledges that your question made it out there.


    My reply did only this (and attempted to help you augment your skillset
    for use in dealing with future issues.) Please do not assume nor imply
    that I said anything more.

    >> Confirms that this indeed is a problem.
    >> Gives the information that the problem is known and there is no known
    >> solution yet.


    It did neither of those. I do not use AD at all. In fact I find the
    thought of authenticating Unix users against a Windows server (if that
    is what it does, I do not know) to be rather unpleasant, even
    frightening. For all I know (and no, I am not inclined to go research
    it) your problem is answered in big letters at the top of a README file.

    Thank you for not posting HTML, and good luck.
    --
    /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
    or put "not-spam" or "/dev/rob0" in Subject header to reply

  12. Re: [Samba] Authenticating to AD

    /dev/rob0 wrote:

    > It did neither of those. I do not use AD at all. In fact I find the
    > thought of authenticating Unix users against a Windows server (if that
    > is what it does, I do not know) to be rather unpleasant, even
    > frightening.


    Sometimes people are forced into dealing with unpleasant situations. In
    my case my shop is primarily Windows based (though we use a lot of
    Cygwin). I've been asked to help get our product running on Linux and
    Solaris. We have some Linux boxes and a Solaris box. So I set up Samba.
    Now I'd like to be able to allow the engineers to log into the Linux box
    and do their work. The thought of having to create user accounts,
    duplicating them from their Windows account equivalents does not sound
    pleasant either.

    In the Windows world Cygwin addresses the problem of Unix functionality
    in a Windows world nicely. Engineers can fire up a bash shell and be
    homed to their Windows home directory and everything is fine.

    What I'd like to accomplish is to allow engineers to ssh/rsh/telnet to
    the Linux box, see their bash prompt and also see their same old familiar
    "home" directory, that just happens to be mounted from their Windows
    home share.

    All this involves things like winbind, to get the user account
    information from AD (BTW AD is Active Directory and is pretty much just
    like old NT 4.0 domain accounts but AD is really just software on top of
    LDAP), mapping Windows "UIDs" with Unix "UIDs" and Samba mounting of the
    home share.

    This does not strike me as an abnormal situation and I'm sure others
    have managed to do this in the past.

    > For all I know (and no, I am not inclined to go research it) your
    > problem is answered in big letters at the top of a README file.


    Alas it is not - otherwise I would not be here...


  13. Re: [Samba] Authenticating to AD


    Hi guys - you should try sending stuff to the samba mailing list - help is
    usually a little bit more forthcoming.

    I usually look over archives (I can't remember where the archives are published) and if there are a ton of people having the same problem, there usually isn't a fix.

    I haven't had a chance to try samba 3 yet, we're still in 2.2.9 - I think....


    /dev/rob0 wrote:
    > In article ,
    > Andrew DeFaria wrote:
    >> problems or can offer any help? Is anybody seeing my posts at all? Could
    >> somebody please response if only to say "Yeah we see your posts but have


    > Don't feel bad, everyone ignores me too. Next time you wonder about
    > something like that, look up your post on Google. If it's there, it
    > probably got out.
    > --
    > /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
    > or put "not-spam" or "/dev/rob0" in Subject header to reply

