
Thread: Samba & Active Directory

  1. #11
    Join Date
    Apr 2008
    Location
    Columbia, SC
    Beans
    279

    Re: Samba & Active Directory

    Getting much closer.

    Remove the "valid users" portion of your share definition, make sure the folder is chmodded 777, and try to browse to it again. (Always get "access at all" working before you try to get "access to some but not others" working.)

    Although actually:

    Code:
    smbclient -U administrator -L 127.0.0.1
    Enter administrator's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

    Assuming you didn't fat-finger the Administrator password, that tells us right now that something else is up. Let's see the contents of /etc/nsswitch.conf, /etc/resolv.conf, and the Authentication portion of /etc/samba/smb.conf.

  2. #12
    Join Date
    Nov 2008
    Beans
    97

    Re: Samba & Active Directory

    nsswitch
    Code:
    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat winbind
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis

    resolv.conf

    Code:
    search domain.com
    nameserver ip.of.our.dns

    Also, now I changed access in the config, removed the valid users line and chmodded the test folder to 777, and when I try to enter from a Windows PC I get a "no process at the end of the pipe error".
    Software should be smart, not clever

  3. #13
    Join Date
    Apr 2008
    Location
    Columbia, SC
    Beans
    279

    Re: Samba & Active Directory

    When you say "ip.of.our.dns", is that the IP of your Active Directory dns provider? Typically, this should be one of your DCs.

    Forget the Windows PCs for now, stick to smbclient, and to posting exact commands and exact results tried.
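
Added example (not part of the original thread): a shell check for the two resolver files discussed in posts #12 and #13, run against copies of the files. It assumes the operator passes the DC's IP address as the third argument; the function names and the 192.0.2.10 sample address are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline check of copies of nsswitch.conf and resolv.conf.
# Assumption: the operator supplies the DC's IP address as the third argument.

# nss_has_winbind FILE DB: succeeds if the DB line (e.g. passwd) lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }                      # drop comments before matching
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# first_nameserver FILE: prints the first nameserver address, if any.
first_nameserver() {
    awk '{ sub(/#.*/, "") } $1 == "nameserver" && NF >= 2 { print $2; exit }' "$1"
}

# check_member NSSWITCH RESOLV DC_IP: prints findings, returns the problem count.
check_member() {
    problems=0
    for db in passwd group; do
        if ! nss_has_winbind "$1" "$db"; then
            echo "FAIL: '$db' in $1 does not list winbind"
            problems=$((problems + 1))
        fi
    done
    ns=$(first_nameserver "$2")
    if [ -z "$ns" ]; then
        echo "FAIL: no nameserver entry in $2"
        problems=$((problems + 1))
    elif [ "$ns" != "$3" ]; then
        echo "WARN: first nameserver '$ns' is not the DC ($3)"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then echo "OK: winbind in NSS, DNS points at the DC"; fi
    return "$problems"
}

# Constructed sample files modelled on the ones posted in the thread;
# 192.0.2.10 is a documentation address standing in for the DC.
demo() {
    d=$(mktemp -d)
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$d/nsswitch.conf"
    printf 'search domain.com\nnameserver 192.0.2.10\n' > "$d/resolv.conf"
    check_member "$d/nsswitch.conf" "$d/resolv.conf" 192.0.2.10; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

A clean result here only rules out the NSS and DNS preconditions; the smbclient loopback test is still what shows whether authentication works.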

  4. #14
    Join Date
    Nov 2008
    Beans
    97

    Re: Samba & Active Directory

    Originally Posted by jrssystemsnet:
        When you say "ip.of.our.dns", is that the IP of your Active Directory dns provider? Typically, this should be one of your DCs.

        Forget the Windows PCs for now, stick to smbclient, and to posting exact commands and exact results tried.

    Yes, it's the IP of our DC.

    OK, I will stick to smbclient.
    Here I've tried with my user in the DC:
    Code:
    smbclient -U ronald_erazo -L 127.0.0.1
    Enter ronald_erazo's password:
    session setup failed: NT_STATUS_PIPE_DISCONNECTED

  5. #15
    Join Date
    Apr 2008
    Location
    Columbia, SC
    Beans
    279

    Re: Samba & Active Directory

    OK, look at the end of /var/log/samba/log.127.0.0.1 - anything interesting?

    Similarly, look at the Event Viewer on the DC which you've configured as the admin server in krb5.conf - anything interesting?

  6. #16
    Join Date
    Nov 2008
    Beans
    97

    Re: Samba & Active Directory

    Here's what I found in my event viewer

    Code:
    During the previous 24 hour period, some clients attempted to perform LDAP binds that were either: 
    (1) A SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP bind that did not request signing (integrity validation), or 
    (2) A LDAP simple bind that was performed on a cleartext (non-SSL/TLS-encrypted) connection 
     
    This directory server is not currently configured to reject such binds.  The security of this directory server can be significantly enhanced by configuring the server to reject such binds.  For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. 
     
    Summary information on the number of these binds received within the past 24 hours is below. 
     
    You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind.  To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. 
     
    Number of simple binds performed without SSL/TLS: 781 
    Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 27

    Also, when I run testparm I get a warning:
    Code:
    rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)

    And I could not find that log; there are various log files, but not one named log.127.0.0.1.

  7. #17
    Join Date
    Apr 2008
    Location
    Columbia, SC
    Beans
    279

    Re: Samba & Active Directory

    OK, so what log files do you have under /var/log/samba?

  8. #18
    Join Date
    Nov 2008
    Beans
    97

    Re: Samba & Active Directory

    log.smbd
    log.wb-BUILTIN
    log.winbindd
    log.winbindd-idmap
    log.nmbd
    log.wb-DOMAIN
    log.wb-HOSTNAME
    log.winbindd-dc-connect

  9. #19
    Join Date
    Apr 2008
    Location
    Columbia, SC
    Beans
    279

    Re: Samba & Active Directory

    Well, the first thing that tells me is that your Samba logging isn't Ubuntu standard configured, either.

    Is this server already in use for production in any way, or is it still only being used for testing? Because honestly, I think you'd be better off reverting it to a known state - i.e., Ubuntu default - and starting over, if that's feasible.

    If it were me, I'd go to my DC and delete the machine from AD, go back to the Samba machine and apt-get remove samba and apt-get purge samba, rm -rf /etc/samba, rm /etc/nsswitch.conf, apt-get remove krb5-config, apt-get remove krb5-user, apt-get remove libkadm55, rm /etc/krb5.conf, undo anything you did following the other walkthrough... and then start over from the top.

    There's just too much "well at this point not sure what's been done" going on right now for me to be able to give much help, as things stand. All I can tell you for absolute certain is that, if followed exactly from top to bottom on an Ubuntu Hardy server in otherwise default condition, that wiki article WILL produce a working Samba server joined to an AD 2003 domain.

  10. #20
    Join Date
    Nov 2008
    Beans
    97

    Re: Samba & Active Directory

    This server has not been used for anything other than our file server, which we're currently configuring. I'm using Ubuntu server 9.10 and trying to join a Windows Server 2008 R2 AD domain. Let me try to start from scratch.
    Also, what should a standard configured server look like? I'm guessing that the log part hints at it. I installed Samba at the moment of installing the server; perhaps that was the issue?
