Samba file server on AD Kerberos Domain - SMB



Thread: Samba file server on AD Kerberos Domain

  1. Samba file server on AD Kerberos Domain

    Hello,

    I'm new to samba. I would like to share files with our existing Windows
    AD Kerberos domain. I would like to have the AD domain take care of all
    authentication and I don't want to have to add accounts to /etc/passwd.

    I have configured smb.conf (below). I then created a computer account
    in the Active Directory. Finally I joined the domain with "net join"
    and was told "Joined SAMBASERVER to realm MYAD.DOMAIN".

    It seemed that all was well, but now when I browse to the file share
    from a Windows client it pops up with a dialog box asking for a username
    and password. The username field is greyed out and it seems to want to
    be "Guest".

    Can someone point me in the right direction?

    Thanks.
    -Matt

    #smb.conf
    [global]
    workgroup = MYAD
    netbios name = SAMBASERVER
    realm = MYAD.DOMAIN
    security = ADS
    encrypt passwords = yes

    idmap uid = 15000-20000
    idmap gid = 15000-20000

    [myshare]
    path = /myshare
    read only = No
    browseable = Yes
    comment = File Share


  2. Re: Samba file server on AD Kerberos Domain


    "Matt Crema" wrote in message
    news:cla4dc$6hr$1@news3.bu.edu...
    > Hello,
    >
    > I'm new to samba. I would like to share files with our existing Windows
    > AD Kerberos domain. I would like to have the AD domain take care of all
    > authentication and I don't want to have to add accounts to /etc/passwd.
    >
    > I have configured smb.conf (below). I then created a computer account in
    > the Active Directory. Finally I joined the domain with "net join" and was
    > told "Joined SAMBASERVER to realm MYAD.DOMAIN".
    >
    > It seemed that all was well, but now when I browse to the file share from
    > a Windows client it pops up with a dialog box asking for a username and
    > password. The username field is greyed out and it seems to want to be
    > "Guest".
    >
    > Can someone point me in the right direction?
    >
    > Thanks.
    > -Matt
    >
    > #smb.conf
    > [global]
    > workgroup = MYAD
    > netbios name = SAMBASERVER
    > realm = MYAD.DOMAIN
    > security = ADS
    > encrypt passwords = yes
    >
    > idmap uid = 15000-20000
    > idmap gid = 15000-20000
    >
    > [myshare]
    > path = /myshare
    > read only = No
    > browseable = Yes
    > comment = File Share
    >


    It could be a couple of things. The browser function needs to operate under
    a user account so it uses the nobody account. Check to see that you have a
    nobody account on the Linux box. It also could be the /etc/samba/smbusers
    file. The smbusers file maps the Windows accounts to the Linux accounts. It
    should have a line: nobody = guest pcguest smbguest.

    You also have to have a matching Linux account for every Windows account -
    or be running winbind.



  3. Re: Samba file server on AD Kerberos Domain

    Hi m,

    Thanks for your response.

    I do have a nobody account.

    The file /etc/samba/smbusers has the line you mentioned (and only this line)

    I do not want to have a matching Linux account for each Windows account,
    so I am running winbind.

    I have made some progress since my initial post:

    I am no longer being forced to be a "Guest". I think it is because I
    changed the idmap uid and idmap gid fields in smb.conf.

    wbinfo -t succeeds
    wbinfo -u succeeds (and returns many users including my samba server's
    account and my user account)
    wbinfo -g succeeds

    I found that I could try logging in with smbclient instead of Windows.
    However this fails. The following appears in /var/log/messages:

    nsswitch/winbindd_group.c:winbindd_getgrnam(307) name 'crema' is not a
    local or domain group: 1

    That's true. My AD user account is 'crema' but its primary group is
    'Domain Users'. There is no AD group called crema.

    Any advice?

    Thanks.
    -Matt







    m.marien wrote:
    > "Matt Crema" wrote in message
    > news:cla4dc$6hr$1@news3.bu.edu...
    >
    >>Hello,
    >>
    >>I'm new to samba. I would like to share files with our existing Windows
    >>AD Kerberos domain. I would like to have the AD domain take care of all
    >>authentication and I don't want to have to add accounts to /etc/passwd.
    >>
    >>I have configured smb.conf (below). I then created a computer account in
    >>the Active Directory. Finally I joined the domain with "net join" and was
    >>told "Joined SAMBASERVER to realm MYAD.DOMAIN".
    >>
    >>It seemed that all was well, but now when I browse to the file share from
    >>a Windows client it pops up with a dialog box asking for a username and
    >>password. The username field is greyed out and it seems to want to be
    >>"Guest".
    >>
    >>Can someone point me in the right direction?
    >>
    >>Thanks.
    >>-Matt
    >>
    >>#smb.conf
    >>[global]
    >>workgroup = MYAD
    >>netbios name = SAMBASERVER
    >>realm = MYAD.DOMAIN
    >>security = ADS
    >>encrypt passwords = yes
    >>
    >>idmap uid = 15000-20000
    >>idmap gid = 15000-20000
    >>
    >>[myshare]
    >>path = /myshare
    >>read only = No
    >>browseable = Yes
    >>comment = File Share
    >>

    >
    >
    > It could be a couple of things. The browser function needs to operate under
    > a user account so it uses the nobody account. Check to see that you have a
    > nobody account on the Linux box. It also could be the /etc/samba/smbusers
    > file. The smbusers file maps the Windows accounts to the Linux accounts. It
    > should have a line: nobody = guest pcguest smbguest.
    >
    > You also have to have a matching Linux account for every Windows account -
    > or be running winbind.
    >
    >
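
An added example (not from the thread and not Samba project code): a small POSIX shell script that checks the prerequisites a Samba 3 member server needs before winbind can stand in for local accounts, using Matt's smb.conf from this thread as the sample config. The two nsswitch.conf samples are constructed; the checks (security = ads, a realm, idmap uid/gid ranges, and "winbind" on the passwd and group lines of /etc/nsswitch.conf) follow the Samba HOWTO's winbind member-server setup, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for a Samba 3 member
# server that relies on winbind for AD accounts. The smb.conf sample is the one
# posted in the thread; the two nsswitch.conf samples are constructed.

# Print the value of key $2 from the [global] section of smb.conf $1
# (key comparison is case-insensitive, surrounding whitespace is ignored).
smb_global() {
  awk -v key="$2" '
    /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
    insec && !/^[ \t]*[#;]/ && index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v
      }
    }' "$1"
}

# Succeed if database $2 (passwd or group) in nsswitch.conf $1 consults winbind.
nss_has_winbind() {
  awk -v db="$2" '
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
    END { exit !found }' "$1"
}

# Report unless $2 is a "low-high" numeric range with low < high; $1 is the label.
check_range() {
  case "$2" in
    ""|*[!0-9-]*) echo "$1 missing or malformed: '$2'"; return ;;
  esac
  lo=${2%-*}; hi=${2#*-}
  [ "$lo" -lt "$hi" ] 2>/dev/null || echo "$1 range '$2' is not low-high"
}

# One finding per line; empty output means the prerequisites are all present.
check_ad_member() {
  smb=$1; nss=$2
  sec=$(smb_global "$smb" security | tr 'A-Z' 'a-z')
  [ "$sec" = "ads" ] || echo "security is '$sec', expected ads for an AD member"
  [ -n "$(smb_global "$smb" realm)" ] || echo "realm is not set"
  check_range "idmap uid" "$(smb_global "$smb" 'idmap uid')"
  check_range "idmap gid" "$(smb_global "$smb" 'idmap gid')"
  for db in passwd group; do
    nss_has_winbind "$nss" "$db" || echo "nsswitch.conf: '$db' line does not list winbind"
  done
}

# Write the thread's smb.conf and two constructed nsswitch.conf variants into directory $1.
write_samples() {
  cat > "$1/smb.conf" <<'EOF'
[global]
workgroup = MYAD
netbios name = SAMBASERVER
realm = MYAD.DOMAIN
security = ADS
encrypt passwords = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
[myshare]
path = /myshare
read only = No
EOF
  cat > "$1/nsswitch.bad" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
  cat > "$1/nsswitch.good" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
EOF
}

if [ $# -eq 2 ]; then
  check_ad_member "$1" "$2"      # e.g. /etc/samba/smb.conf /etc/nsswitch.conf
else
  tmp=$(mktemp -d); write_samples "$tmp"
  echo "== constructed nsswitch.conf without winbind =="
  check_ad_member "$tmp/smb.conf" "$tmp/nsswitch.bad"
  echo "== constructed nsswitch.conf with winbind =="
  check_ad_member "$tmp/smb.conf" "$tmp/nsswitch.good"
  rm -rf "$tmp"
fi
```

Run it with no arguments to see the two constructed cases, or with the real paths on a member server. The nsswitch lines are the check most worth having: wbinfo talks to winbindd directly, so `wbinfo -u` can succeed while smbd's own getpwnam/getgrnam lookups, which go through NSS, still see no domain users or groups.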


  4. Re: Samba file server on AD Kerberos Domain


    "Matthew Crema" wrote in message
    news:clbu0n$oev$1@news3.bu.edu...
    > Hi m,
    >
    > Thanks for your response.
    >
    > I do have a nobody account.
    >
    > The file /etc/samba/smbusers has the line you mentioned (and only this
    > line)
    >
    > I do not want to have a matching Linux account for each Windows account,
    > so I am running winbind.
    >
    > I have made some progress since my initial post:
    >
    > I am no longer being forced to be a "Guest". I think it is because I
    > changed the idmap uid and idmap gid fields in smb.conf.
    >
    > wbinfo -t succeeds
    > wbinfo -u succeeds (and returns many users including my samba server's
    > account and my user account)
    > wbinfo -g succeeds
    >
    > I found that I could try logging in with smbclient instead of Windows.
    > However this fails. The following appears in /var/log/messages:
    >
    > nsswitch/winbindd_group.c:winbindd_getgrnam(307) name 'crema' is not a
    > local or domain group: 1
    >
    > That's true. My AD user account is 'crema' but its primary group is
    > 'Domain Users'. There is no AD group called crema.
    >


    It could be the group mapping. On the Linux computer type "net groupmap
    list". I'm not sure how that should work with winbind, but there should be
    some mapping of Windows groups to Linux groups. When I used Samba as the
    PDC, I mapped the Windows groups to the Linux groups like this.

    [root@bigbertha mm]# net groupmap list
    System Operators (S-1-5-32-549) -> -1
    Replicators (S-1-5-32-552) -> -1
    Domain Users (S-1-5-21-1594439962-2018634598-1645551827-513) -> users
    Guests (S-1-5-32-546) -> -1
    Power Users (S-1-5-32-547) -> -1
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    Domain Guests (S-1-5-21-1594439962-2018634598-1645551827-514) -> nobody
    Domain Admins (S-1-5-21-1594439962-2018634598-1645551827-512) -> domadmin
    Account Operators (S-1-5-32-548) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> -1

    I have another system joined as a member server to a Windows 2000 AD but not
    using kerberos or winbind. The group mappings are all -1.



  5. Re: Samba file server on AD Kerberos Domain

    m,

    Looks like this could be it.

    bme1:~# net groupmap list
    System Operators (S-1-5-32-549) -> -1
    Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
    Replicators (S-1-5-32-552) -> -1
    Guests (S-1-5-32-546) -> -1
    Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
    Power Users (S-1-5-32-547) -> -1
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
    Account Operators (S-1-5-32-548) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> -1
    Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
    Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
    Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1

    I am a member of the Windows group AD\BME-Administrators and I would
    like this group to have full control of the samba share from Windows.

    I created a local account (on the Linux box) called sambaadmin and tried:
    net groupmap add unixgroup=sambaadmin ntgroup=AD\\BME-Administrators
    net groupmap add unixgroup=sambaadmin ntgroup="AD\\Domain Users"

    net groupmap add unixgroup=sambaadmin ntgroup=BME-Administrators
    net groupmap add unixgroup=nobody ntgroup="Domain Users"

    The response is:
    No rid or sid specified, choosing algorithmic mapping
    Successully added group AD\Domain Users to the mapping db

    Now net groupmap list returns

    System Operators (S-1-5-32-549) -> -1
    Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
    Replicators (S-1-5-32-552) -> -1
    Guests (S-1-5-32-546) -> -1
    Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
    AD\Domain Users (S-1-5-21-954465794-838544005-959611792-1199) -> nobody
    Power Users (S-1-5-32-547) -> -1
    Print Operators (S-1-5-32-550) -> -1
    Administrators (S-1-5-32-544) -> -1
    AD\BME-Administrators (S-1-5-21-954465794-838544005-959611792-2001) -> sambaadmin
    Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
    Account Operators (S-1-5-32-548) -> -1
    Backup Operators (S-1-5-32-551) -> -1
    Users (S-1-5-32-545) -> -1
    Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
    Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
    Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1

    If I browse to the share from a Windows workstation I see the share. I
    look at the permissions and see a group called BME1\BME-Administrators,
    but not AD\BME-Administrators. I also see a group called "Everyone". I
    am still unable to edit permissions.

    Any other ideas?

    Thanks so much for your help.

    -Matt



    m.marien wrote:
    > "Matthew Crema" wrote in message
    > news:clbu0n$oev$1@news3.bu.edu...
    >
    >>Hi m,
    >>
    >>Thanks for your response.
    >>
    >>I do have a nobody account.
    >>
    >>The file /etc/samba/smbusers has the line you mentioned (and only this
    >>line)
    >>
    >>I do not want to have a matching Linux account for each Windows account,
    >>so I am running winbind.
    >>
    >>I have made some progress since my initial post:
    >>
    >>I am no longer being forced to be a "Guest". I think it is because I
    >>changed the idmap uid and idmap gid fields in smb.conf.
    >>
    >>wbinfo -t succeeds
    >>wbinfo -u succeeds (and returns many users including my samba server's
    >>account and my user account)
    >>wbinfo -g succeeds
    >>
    >>I found that I could try logging in with smbclient instead of Windows.
    >>However this fails. The following appears in /var/log/messages:
    >>
    >>nsswitch/winbindd_group.c:winbindd_getgrnam(307) name 'crema' is not a
    >>local or domain group: 1
    >>
    >>That's true. My AD user account is 'crema' but its primary group is
    >>'Domain Users'. There is no AD group called crema.
    >>

    >
    >
    > It could be the group mapping. On the Linux computer type "net groupmap
    > list". I'm not sure how that should work with winbind, but there should be
    > some mapping of Windows groups to Linux groups. When I used Samba as the
    > PDC, I mapped the Windows groups to the Linux groups like this.
    >
    > [root@bigbertha mm]# net groupmap list
    > System Operators (S-1-5-32-549) -> -1
    > Replicators (S-1-5-32-552) -> -1
    > Domain Users (S-1-5-21-1594439962-2018634598-1645551827-513) -> users
    > Guests (S-1-5-32-546) -> -1
    > Power Users (S-1-5-32-547) -> -1
    > Print Operators (S-1-5-32-550) -> -1
    > Administrators (S-1-5-32-544) -> -1
    > Domain Guests (S-1-5-21-1594439962-2018634598-1645551827-514) -> nobody
    > Domain Admins (S-1-5-21-1594439962-2018634598-1645551827-512) -> domadmin
    > Account Operators (S-1-5-32-548) -> -1
    > Backup Operators (S-1-5-32-551) -> -1
    > Users (S-1-5-32-545) -> -1
    >
    > I have another system joined as a member server to a Windows 2000 AD but not
    > using kerberos or winbind. The group mappings are all -1.
    >
    >


  6. Re: Samba file server on AD Kerberos Domain

    Some additional info:

    When I log in with smbclient I can authenticate with my Active Directory
    username. I can create directories in my folder. I can then browse
    through those directories from a Windows workstation (as long as I am
    logged in with my username).

    However, upon examining the permissions I find that the directories are
    owned by the user S-1-5-21-95.... I cannot edit these permissions.
    When I try to make changes and hit apply, these changes simply disappear.

    -Matt




    Matthew Crema wrote:
    > m,
    >
    > Looks like this could be it.
    >
    > bme1:~# net groupmap list
    > System Operators (S-1-5-32-549) -> -1
    > Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
    > Replicators (S-1-5-32-552) -> -1
    > Guests (S-1-5-32-546) -> -1
    > Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
    > Power Users (S-1-5-32-547) -> -1
    > Print Operators (S-1-5-32-550) -> -1
    > Administrators (S-1-5-32-544) -> -1
    > Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
    > Account Operators (S-1-5-32-548) -> -1
    > Backup Operators (S-1-5-32-551) -> -1
    > Users (S-1-5-32-545) -> -1
    > Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
    > Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
    > Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1
    >
    > I am a member of the Windows group AD\BME-Administrators and I would
    > like this group to have full control of the samba share from Windows.
    >
    > I created a local account (on the Linux box) called sambaadmin and tried:
    > net groupmap add unixgroup=sambaadmin ntgroup=AD\\BME-Administrators
    > net groupmap add unixgroup=sambaadmin ntgroup="AD\\Domain Users"
    >
    > net groupmap add unixgroup=sambaadmin ntgroup=BME-Administrators
    > net groupmap add unixgroup=nobody ntgroup="Domain Users"
    >
    > The response is:
    > No rid or sid specified, choosing algorithmic mapping
    > Successully added group AD\Domain Users to the mapping db
    >
    > Now net groupmap list returns
    >
    > System Operators (S-1-5-32-549) -> -1
    > Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
    > Replicators (S-1-5-32-552) -> -1
    > Guests (S-1-5-32-546) -> -1
    > Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
    > AD\Domain Users (S-1-5-21-954465794-838544005-959611792-1199) -> nobody
    > Power Users (S-1-5-32-547) -> -1
    > Print Operators (S-1-5-32-550) -> -1
    > Administrators (S-1-5-32-544) -> -1
    > AD\BME-Administrators (S-1-5-21-954465794-838544005-959611792-2001) -> sambaadmin
    > Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
    > Account Operators (S-1-5-32-548) -> -1
    > Backup Operators (S-1-5-32-551) -> -1
    > Users (S-1-5-32-545) -> -1
    > Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
    > Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
    > Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1
    >
    > If I browse to the share from a Windows workstation I see the share. I
    > look at the permissions and see a group called BME1\BME-Administrators,
    > but not AD\BME-Administrators. I also see a group called "Everyone". I
    > am still unable to edit permissions.
    >
    > Any other ideas?
    >
    > Thanks so much for your help.
    >
    > -Matt
    >
    >
    >
    > m.marien wrote:
    >
    >> "Matthew Crema" wrote in message
    >> news:clbu0n$oev$1@news3.bu.edu...
    >>
    >>> Hi m,
    >>>
    >>> Thanks for your response.
    >>>
    >>> I do have a nobody account.
    >>>
    >>> The file /etc/samba/smbusers has the line you mentioned (and only
    >>> this line)
    >>>
    >>> I do not want to have a matching Linux account for each Windows
    >>> account, so I am running winbind.
    >>>
    >>> I have made some progress since my initial post:
    >>>
    >>> I am no longer being forced to be a "Guest". I think it is because I
    >>> changed the idmap uid and idmap gid fields in smb.conf.
    >>>
    >>> wbinfo -t succeeds
    >>> wbinfo -u succeeds (and returns many users including my samba
    >>> server's account and my user account)
    >>> wbinfo -g succeeds
    >>>
    >>> I found that I could try logging in with smbclient instead of
    >>> Windows. However this fails. The following appears in
    >>> /var/log/messages:
    >>>
    >>> nsswitch/winbindd_group.c:winbindd_getgrnam(307) name 'crema' is not
    >>> a local or domain group: 1
    >>>
    >>> That's true. My AD user account is 'crema' but its primary group is
    >>> 'Domain Users'. There is no AD group called crema.
    >>>

    >>
    >>
    >> It could be the group mapping. On the Linux computer type "net
    >> groupmap list". I'm not sure how that should work with winbind, but
    >> there should be some mapping of Windows groups to Linux groups. When I
    >> used Samba as the PDC, I mapped the Windows groups to the Linux groups
    >> like this.
    >>
    >> [root@bigbertha mm]# net groupmap list
    >> System Operators (S-1-5-32-549) -> -1
    >> Replicators (S-1-5-32-552) -> -1
    >> Domain Users (S-1-5-21-1594439962-2018634598-1645551827-513) -> users
    >> Guests (S-1-5-32-546) -> -1
    >> Power Users (S-1-5-32-547) -> -1
    >> Print Operators (S-1-5-32-550) -> -1
    >> Administrators (S-1-5-32-544) -> -1
    >> Domain Guests (S-1-5-21-1594439962-2018634598-1645551827-514) -> nobody
    >> Domain Admins (S-1-5-21-1594439962-2018634598-1645551827-512) -> domadmin
    >> Account Operators (S-1-5-32-548) -> -1
    >> Backup Operators (S-1-5-32-551) -> -1
    >> Users (S-1-5-32-545) -> -1
    >>
    >> I have another system joined as a member server to a Windows 2000 AD
    >> but not using kerberos or winbind. The group mappings are all -1.
    >>


  7. Re: Samba file server on AD Kerberos Domain


    "Matthew Crema" wrote in message
    news:clj32u$d6u$1@news3.bu.edu...
    > m,
    >
    > Looks like this could be it.
    >
    > bme1:~# net groupmap list
    > System Operators (S-1-5-32-549) -> -1
    > Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
    > Replicators (S-1-5-32-552) -> -1
    > Guests (S-1-5-32-546) -> -1
    > Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
    > Power Users (S-1-5-32-547) -> -1
    > Print Operators (S-1-5-32-550) -> -1
    > Administrators (S-1-5-32-544) -> -1
    > Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
    > Account Operators (S-1-5-32-548) -> -1
    > Backup Operators (S-1-5-32-551) -> -1
    > Users (S-1-5-32-545) -> -1
    > Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
    > Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
    > Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1
    >
    > I am a member of the Windows group AD\BME-Administrators and I would like
    > this group to have full control of the samba share from Windows.
    >
    > I created a local account (on the Linux box) called sambaadmin and tried:
    > net groupmap add unixgroup=sambaadmin ntgroup=AD\\BME-Administrators
    > net groupmap add unixgroup=sambaadmin ntgroup="AD\\Domain Users"
    >
    > net groupmap add unixgroup=sambaadmin ntgroup=BME-Administrators
    > net groupmap add unixgroup=nobody ntgroup="Domain Users"
    >
    > The response is:
    > No rid or sid specified, choosing algorithmic mapping
    > Successully added group AD\Domain Users to the mapping db
    >
    > Now net groupmap list returns
    >
    > System Operators (S-1-5-32-549) -> -1
    > Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
    > Replicators (S-1-5-32-552) -> -1
    > Guests (S-1-5-32-546) -> -1
    > Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
    > AD\Domain Users (S-1-5-21-954465794-838544005-959611792-1199) -> nobody
    > Power Users (S-1-5-32-547) -> -1
    > Print Operators (S-1-5-32-550) -> -1
    > Administrators (S-1-5-32-544) -> -1
    > AD\BME-Administrators (S-1-5-21-954465794-838544005-959611792-2001) -> sambaadmin
    > Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
    > Account Operators (S-1-5-32-548) -> -1
    > Backup Operators (S-1-5-32-551) -> -1
    > Users (S-1-5-32-545) -> -1
    > Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
    > Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
    > Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1
    >
    > If I browse to the share from a Windows workstation I see the share. I
    > look at the permissions and see a group called BME1\BME-Administrators,
    > but not AD\BME-Administrators. I also see a group called "Everyone". I
    > am still unable to edit permissions.
    >
    > Any other ideas?
    >
    > Thanks so much for your help.
    >
    > -Matt
    >


    The groupmap command is not all that clear. I found this and it worked for
    me:

    net groupmap modify ntgroup="Domain Users" unixgroup=users
    net groupmap modify ntgroup="Domain Admins" unixgroup=root
    net groupmap modify ntgroup="Domain Guests" unixgroup=nobody

    This only maps the three you need, but you could map all the rest. There is
    one more command that you may want to use:

    net groupmap cleanup

    This deletes all the (foreign) mappings that aren't needed. If you changed
    the domain membership, there may be old mappings hanging around. It worked
    on my test system, but I didn't have it connected to ADS. Just dump your
    group mappings to a file beforehand, in case it gets too zealous.
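
An added example (not from the thread and not Samba project code): a shell audit of a `net groupmap list` dump that does the "dump to a file first" step and then reports what a cleanup would be expected to touch: entries still mapped to -1, entries whose domain SID prefix is not this server's (the second S-1-5-21-848115496-... set in Matt's listing), and group names that now exist under more than one SID (Matt's added "AD\Domain Users" with algorithmic RID 1199 sitting next to the real "Domain Users", RID 513, which is why modifying the existing entry rather than adding a new one is the safer route). The sample listing is the one Matt posted, with the wrapped AD\BME-Administrators line rejoined; which SID prefix counts as the server's own domain is an assumption, marked in the code, and on a real server it comes from `net getdomainsid`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a `net groupmap list` dump before
# running `net groupmap cleanup`, so the entries it would touch are known and
# saved first. Assumes the "Name (SID) -> unixgroup" line format shown in the
# thread; the SID of the server's own domain is an input (see `net getdomainsid`).

# Constructed sample: the listing from the thread after the OP's `net groupmap add`
# attempts, with the wrapped AD\BME-Administrators entry rejoined onto one line.
SAMPLE_GROUPMAP=$(cat <<'EOF'
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-954465794-838544005-959611792-514) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-954465794-838544005-959611792-512) -> -1
AD\Domain Users (S-1-5-21-954465794-838544005-959611792-1199) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
AD\BME-Administrators (S-1-5-21-954465794-838544005-959611792-2001) -> sambaadmin
Domain Users (S-1-5-21-954465794-838544005-959611792-513) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Admins (S-1-5-21-848115496-1524922173-1168901340-512) -> -1
Domain Guests (S-1-5-21-848115496-1524922173-1168901340-514) -> -1
Domain Users (S-1-5-21-848115496-1524922173-1168901340-513) -> -1
EOF
)

# Turn each listing line (stdin) into "name<TAB>sid<TAB>unixgroup".
parse_groupmap() {
  awk '
    match($0, /\(S-[0-9-]+\)/) {
      sid  = substr($0, RSTART + 1, RLENGTH - 2)
      name = substr($0, 1, RSTART - 2)
      ug = $0; sub(/.*-> */, "", ug)
      printf "%s\t%s\t%s\n", name, sid, ug
    }'
}

# Groups with no Unix group behind them (the "-> -1" entries).
unmapped_groups() {
  parse_groupmap | awk -F'\t' '$3 == "-1" { print $1 }'
}

# Domain-SID entries whose domain prefix differs from $1: these belong to
# another (or a former) domain and are what a cleanup would be expected to drop.
# Builtin SIDs (S-1-5-32-*) are not domain-specific and are skipped.
foreign_entries() {
  parse_groupmap | awk -F'\t' -v dom="$1" '
    $2 ~ /^S-1-5-21-/ {
      prefix = $2; sub(/-[0-9]+$/, "", prefix)
      if (prefix != dom) print $1 " (" $2 ")"
    }'
}

# Same group name present under more than one SID, with or without a DOMAIN\
# prefix: an added "AD\Domain Users" next to the real "Domain Users" is this case.
duplicate_names() {
  parse_groupmap | awk -F'\t' '
    {
      n = $1; p = index(n, "\\"); if (p) n = substr(n, p + 1)
      count[n]++
    }
    END { for (n in count) if (count[n] > 1) print n ": " count[n] " entries" }' | sort
}

# Save the listing (stdin) to file $1 and print how many entries were saved.
backup_groupmap() {
  cat > "$1" && grep -c -- '->' "$1"
}

# Demo on the constructed sample; on a live server replace the printf with
# `net groupmap list` and DOMAIN_SID with the output of `net getdomainsid`.
DOMAIN_SID="S-1-5-21-954465794-838544005-959611792"   # assumed: this server's own domain
echo "== entries still mapped to -1 =="
printf '%s\n' "$SAMPLE_GROUPMAP" | unmapped_groups
echo "== entries foreign to $DOMAIN_SID =="
printf '%s\n' "$SAMPLE_GROUPMAP" | foreign_entries "$DOMAIN_SID"
echo "== names present under more than one SID =="
printf '%s\n' "$SAMPLE_GROUPMAP" | duplicate_names
```

Keep the backup file from `backup_groupmap` alongside the audit output; if a cleanup removes more than the foreign list predicted, the backup is what lets you restore the mappings with `net groupmap modify` (or re-add them with an explicit SID) rather than guessing.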


