Rokurosv
March 25th, 2010, 01:37 PM
So you've probably seen me ask around about Samba and AD. That's because we're doing a little project at work to make a file server with AD integration. What we've done so far is to configure Samba and Kerberos and to join the Ubuntu box to the AD; it shows up in computers in our AD.
We've followed these guides from Ubuntu and Samba:
http://ubuntuwiki.net/index.php/Samba,_Active_Directory_with_Winbind
http://wiki.samba.org/index.php/Samba_%26_Active_Directory
Now we've followed the first one for configuring most of the server, but the Samba Wiki guide says that we also have to modify our PAM directory.
With the first guide, when a user tries to connect to one of our test shares they get an auth pop-up. Even if they enter their correct username and password, they get an error saying that they don't have the privileges to access the share.
Here are a couple of our logs:
nmbd log
Samba name server FSLX01 is now a local master browser for workgroup DOMAIN on subnet 10.10.12.70 *****
[2010/03/24 16:16:50, 0] nmbd/nmbd_browsesync.c:350(find_domain_master_name_query_fail) find_domain_master_name_query_fail: Unable to find the Domain Master Browser name DOMAIN<1b> for the workgroup DOMAIN. Unable to sync browse lists in this workgroup.
[2010/03/24 16:27:52, 0] nmbd/nmbd.c:71(terminate) Got SIGTERM: going down...
[2010/03/24 16:27:54, 0] nmbd/nmbd.c:854(main) nmbd version 3.4.0 started. Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/24 16:28:17, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2) ***** Samba name server FSLX01 is now a local master browser for workgroup DOMAIN on subnet 10.10.12.70 *****
[2010/03/24 16:51:35, 0] nmbd/nmbd.c:71(terminate) Got SIGTERM: going down...
[2010/03/24 16:51:38, 0] nmbd/nmbd.c:854(main) nmbd version 3.4.0 started. Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/24 16:52:01, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2) ***** Samba name server FSLX01 is now a local master browser for workgroup DOMAIN on subnet 10.10.12.70 *****
[2010/03/24 17:03:22, 0] nmbd/nmbd.c:71(terminate) Got SIGTERM: going down...
[2010/03/24 17:04:04, 0] nmbd/nmbd.c:854(main) nmbd version 3.4.0 started. Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/24 17:04:27, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2) ***** Samba name server FSLX01 is now a local master browser for workgroup DOMAIN on subnet 10.10.12.70 *****
winbind log
[2010/03/24 16:29:25, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 16:34:30, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 16:39:30, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 16:44:30, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 16:49:38, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 16:55:06, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:00:34, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:03:24, 0] winbindd/winbindd.c:190(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=1)
[2010/03/24 17:04:04, 0] winbindd/winbindd.c:1244(main) winbindd version 3.4.0 started. Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/24 17:04:04, 0] param/loadparm.c:7493(lp_do_parameter) Global parameter guest account found in service section!
[2010/03/24 17:04:04, 0] winbindd/winbindd_cache.c:2578(initialize_winbindd_cache) initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2010/03/24 17:04:09, 0] libsmb/cliconnect.c:996(cli_session_setup_spnego) Kinit failed: Cannot contact any KDC for requested realm
[2010/03/24 17:04:09, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:09:31, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:14:59, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:20:01, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:25:01, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:30:21, 1] winbindd/winbindd_util.c:303(trustdom_recv) Could not receive trustdoms
[2010/03/24 17:35:21, 1] winbindd/winbindd_util.c:303(trustdom_recv)
smbd log
[2010/03/24 16:57:28, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2010/03/24 16:57:28, 0] lib/util_sock.c:1468(get_peer_addr_internal) getpeername failed. Error was Transport endpoint is not connected read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/03/24 16:58:04, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2010/03/24 16:58:04, 0] lib/util_sock.c:1468(get_peer_addr_internal) getpeername failed. Error was Transport endpoint is not connected read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/03/24 16:58:34, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2010/03/24 16:58:34, 0] lib/util_sock.c:1468(get_peer_addr_internal) getpeername failed. Error was Transport endpoint is not connected read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/03/24 17:04:04, 0] smbd/server.c:1068(main) smbd version 3.4.0 started. Copyright Andrew Tridgell and the Samba Team 1992-2009
[2010/03/24 17:04:04, 0] param/loadparm.c:7493(lp_do_parameter) Global parameter guest account found in service section!
[2010/03/24 17:04:04, 0] printing/print_cups.c:103(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused
[2010/03/24 17:04:04, 0] printing/print_cups.c:103(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused
[2010/03/24 17:04:09, 0] smbd/server.c:456(smbd_open_one_socket) smbd_open_once_socket: open_socket_in: Address already in use
[2010/03/24 17:04:09, 0] smbd/server.c:456(smbd_open_one_socket) smbd_open_once_socket: open_socket_in: Address already in use
[2010/03/24 17:06:12, 0] param/loadparm.c:9783(widelinks_warning) Share 'IPC$' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share.
[2010/03/24 17:06:13, 1] smbd/service.c:676(make_connection_snum) create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/24 17:06:35, 1] smbd/service.c:676(make_connection_snum) create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/24 17:09:12, 0] printing/print_cups.c:103(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused
[2010/03/24 17:09:12, 0] printing/print_cups.c:103(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused
[2010/03/24 17:15:18, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2010/03/24 17:15:18, 0] lib/util_sock.c:1468(get_peer_addr_internal) getpeername failed. Error was Transport endpoint is not connected read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
domain log
[2010/03/24 15:45:32, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu) cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from host SERVER.DOMAIN.com!
[2010/03/24 15:53:45, 1] libsmb/clikrb5.c:697(ads_krb5_mk_req) ads_krb5_mk_req: krb5_get_credentials failed for SERVER$@DOMAIN (Cannot resolve network address for KDC in requested realm)
[2010/03/24 15:53:45, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos) cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2010/03/24 15:55:56, 0] rpc_client/cli_pipe.c:687(cli_pipe_verify_schannel) cli_pipe_verify_schannel: auth_len 56.
[2010/03/24 15:58:21, 0] winbindd/winbindd.c:190(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=0)
[2010/03/24 15:58:23, 1] libsmb/clikrb5.c:697(ads_krb5_mk_req) ads_krb5_mk_req: krb5_get_credentials failed for SERVER$@DOMAIN (Cannot resolve network address for KDC in requested realm)
[2010/03/24 15:58:23, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos) cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2010/03/24 15:58:23, 0] rpc_client/cli_pipe.c:687(cli_pipe_verify_schannel) cli_pipe_verify_schannel: auth_len 56.
[2010/03/24 16:03:27, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu) cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from host SERVER.DOMAIN.com!
[2010/03/24 17:03:24, 0] winbindd/winbindd.c:190(winbindd_sig_term_handler) Got sig[15] terminate (is_parent=0)
[2010/03/24 17:04:05, 0] libsmb/cliconnect.c:996(cli_session_setup_spnego) Kinit failed: Cannot contact any KDC for requested realm
[2010/03/24 17:04:09, 0] rpc_client/cli_pipe.c:687(cli_pipe_verify_schannel) cli_pipe_verify_schannel: auth_len 56.
[2010/03/24 17:06:24, 1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pdu) cli_pipe_validate_current_pdu: RPC fault code DCERPC fault 0x00000721 received from host SERVER.DOMAIN.com!
I've used DOMAIN instead of our domain and SERVER instead of our AD server. The config files (krb5.conf, smb.conf, nsswitch.conf) look like the Ubuntu guide with our data in it. We haven't touched the pam.d dir yet.
We're authenticating against a server running Win Server 2008 R2. Could that be an issue?
Your help regarding our little experiment will be greatly appreciated :D
Thanks for your time