Ubuntu Servers :: Use Samba+winbind To Authenticate Desktop Against A Windows 2008 R2 Domain
Aug 3, 2011
Intent is to use samba+winbind to authenticate Ubuntu desktop against a Windows 2008 R2 domain (seems like I was able to get it working temporarily but it stopped working after some time). Quick overview of the issue: winbind is failing to lookup group ID's for a domain user causing the domain user to receive group errors on login and an inability to use domain groups in other configuration (sudoers, etc)
- Very basic install, boot to Ubuntu Desktop 10.04 LTS 64bit install, basic install options, perform software updates
- Following an Ubuntu AD HowTo [URL]
- Install kerberos, samba, winbind packages
- Make changes to krb5.conf, smb.conf, files in pam.d/ (to make the home directory and restrict login based on group membership, which works even in the half-working state but requires SID instead of text name)
After a reboot I can login as a domain account but I get the following error(s):
groups: cannot find name for group ID #####
##### is usually a number that ranges from 10000 to 10020, based on the smb.conf line regarding idmap I will get multiple group errors (one for each group that the user belongs to that winbind can't lookup for whatever reason, some groups can be resolved - see below) If I log-out and then log-in as a local user I can run the following command: id username The output returns something similar to the following:
uid=10002(username) gid=10003(domain users) groups=10003(domain users),10033,10032,10031,10030,10029,10028,10027,1 0026,10025,10024,10023,10022,10021(some group),10020,10019,10018(some other group),10017,10016,10015,10014,10013,10012,10011(s ome other other group),10010,10009,10008,10007
On a working system (Ubuntu 10.10 and when 10.04 decides to work) each group is followed by parenthesis' and the name of the group, this result clearly shows that some groups can be looked up but for some reason other groups are failing An output of /var/log/samba/log.winbind produces the following entries (that are logged when you run the id command)
[2011/08/03 19:04:39, 1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
lsa_lookupsids call failed with NT_STATUS_PIPE_BROKEN - retrying...
[2011/08/03 19:04:39, 1] winbindd/winbindd_ads.c:1137(lookup_groupmem)
lsa_lookupsids call failed with NT_STATUS_PIPE_BROKEN - retrying...
The above repeats for what looks to be each group that fails (based on count of entries)If I use wbinfo I can resolve text group name to SID and SID to GID
wbinfo -n groupname (returns proper SID)
wbinfo -s SID (returns proper text group name)
wbinfo -Y SID (returns proper linux mapped group ID)
Following that process for a group that my user belongs to that is not resolving (via the id username command) will return the group ID (GID) properly (even though id username fails to lookup info for that same GID) Version Information:
uname -a
Linux hostname 2.6.32-33-generic #71-Ubuntu SMP Wed Jul 20 17:27:30 UTC 2011 x86_64 GNU/Linux
lsb_release -a
No LSB modules are available.
[code]....
View 3 Replies
ADVERTISEMENT
May 13, 2010
The company I work for, as usual, is Microsoft-centric. I'm attempting to integrate my Ubuntu server into the domain to allow domain users to authenticate to the server and access file shares using Samba. Here's my current configuration:
[Code].....
View 9 Replies
View Related
Nov 12, 2010
Have recently setup Samba on a fresh install of Fedora 14 so that I can use it as a workstation in a Windows 2003 (win2k3) domain.
The install of Samba seems to have worked as I can connect to the Domain using ADS and kerberos. selinux and firewall have been disabled until I have it working 100%
The problem lies when i try to login to Gnome or TTY. It begins to create the home directory for the domain user logging in but after a certain process Fedora logs the user out of the system.
Have looked through several log files (/var/log/messages, log.winbindd, log.winbindd-dc-connect) but am unable to debug it any further.
Have posted the config files below which shows the Fedora machine is successfully connected to the domain as it lists its groups, users and validates logon credentials - it just won't logon!
Where i can go about debugging. Also if you need additional configs.
View 1 Replies
View Related
May 22, 2009
I had an older fedora box (I think it was Core 3) that acted as my file server in my small network (4). It worked fine when I had all XP clients connecting to it. Recently we decided to get all new computers. So now I have a fedora 10 box acting as my file/print server and all Vista Home premium computers as the clients. For the life of me I can not get samba to work. When I try to map the network drives on windows it will not let me authenticate. I install swat and try it that way, still no luck. Here is a copy of my smb.conf file:
Code:
# Samba config file created using SWAT
# from UNKNOWN
# Date: 2009/05/19 21:47:31
[global]
workgroup = AIVILANET
server string = Bighat Samba Server
interfaces = eth0
null passwords = Yes
smb passwd file = /etc/samba/smbpasswd
passdb backend = tdbsam
username map = /etc/samba/smbusers
syslog only = Yes
announce version = 5.0
name resolve order = hosts wins bcast
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = CUPS
wins support = Yes
[HP-LaserJet-1200]
comment = HP LaserJet 1200
path = /var/spool/samba
read only = No
printable = Yes
printer name = HP-LaserJet-1200
oplocks = No
share modes = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[home]
path = /home/savona/
username = savona
valid users = @Users
admin users = savona
write list = savona
force user = savona
force group = savona
read only = No
hosts allow = 10.0.0.2
View 8 Replies
View Related
May 3, 2010
We're still using an NT Domain Server, and Samba is already configured properly. But the problem is if the shared folder is configured in samba to be accessed by group and not the domain username, authentication fails even if the user is member of the group.
Example#1: (authentication successful)
[sharedfolder]
valid users = domain+username
Example#2:
[sharedfolder] (authentication fails)
valid users = @domaingroup
Samba version is samba-3.0.33
View 2 Replies
View Related
Sep 27, 2010
i have a windows domain and linux ftp server. OSs windows 2003 server and centos 5.5. i would like to integrate this file server to windows domain. And would authenticate users from windows domain.
View 4 Replies
View Related
Dec 18, 2010
I've been configuring a PDC using samba I used this tutorial url as reference. It seems all went well during the installation and configuration not until when I try to join a windows machine to the domain.
Scenario: When the authentication dialog box prompts the username and password of the domain administrator. I supply root as username and its corresponding password. Then I will prompt an error "The user name could not be found. But, I have noticed that when I supply a wrong password of root the it will prompt "Login failure: unknown user name or bad password. It seems that the windows machine was able to recognize the account somehow.
View 8 Replies
View Related
Nov 26, 2010
First of all I am new user on fedora forum and I love Linux (special Redhat flavours) and want to replace windows into Linux Everywhere. I am having some issue in configuring PDC on Fedora,I want to replace my company Windows Domain controller and file server into fedora file and PDC, I tried from web and through 389-directory server but didn't succeed even once, how to configure PDC with Samba 4 + 389-directory Server, I have heard samba 4 is having awesome support and its better then windows DC, configuring Complete PDC. (Whatever need to configure PDC i.e. DNS, SAMBA 4, SWAT, WEBMIN, 389-Directory Server, Windows sync,).
View 4 Replies
View Related
Apr 6, 2010
Does anyone have a link to a tutorial on how to set up a DHCP server and SAMBA as a windows domain controller? I can't really find good detailed guides by searching google.
View 2 Replies
View Related
Apr 28, 2010
I feel ashamed for even asking this, since it seems like there's about 3 samba questions here every day. However after an hour of searching, I keep finding strange variants that aren't what I need.
My Goal: Create a single file share on an Ubuntu Server - share it via samba to Windows clients that are on a domain with active directory. It sure would be nice if AD authentication would work - so users don't have to type in a linux user/passsword each time they want to access the share.
In my adventures, I've found the following items (which may overlap)
1. Joining the server to a Windows Domain
2. Turning the server into a Windows Domain Controller
3. Authentication with LDAP (still not quite sure how/what this would do)
4. Stuff with Kerberos
5. Lots of people bickering about Samba 3/4 & how it's impossible to make Samba a PDC.
I'm not sure if I need to make the ubuntu server a domain controller or not...all I want to do is create a file share and share it on the domain...I don't need to make the ubuntu server a domain controller for that, right? Maybe just a member? Maybe nothing at all?
I guess if I want to authenticate stuff correctly (or forward authentication requests? Not sure), I probably need to join the ubuntu server to the domain...I think.
But let's say I do join it to the domain...then how to I create a file share that is authenticated via active directory rather than a local ubuntu server account? I see a dozen guides on joining the server to the domain, but nobody ever mentions sharing the folder over the domain.
The lines are also blurred between joining Ubuntu to the domain and making it a domain controller. What should I keep an eye out to avoid in these tutorials?
I get lost between the Kerberos/LDAP/Samba/WinBind etc...and I have a feeling I don't need all of these for something this simple.
View 1 Replies
View Related
Jul 5, 2010
I have too many problems to join my OpenSuSE 11.2 with Samba 3.5.4 in a Windows 2008 Active directory Forest (MYDOMAIN.LOCAL). I have updated Samba to 3.5.4 after read that default 11.2 version have too many bugs. Now, when I try to join the Domain MYDOMAIN.LOCAL via yast i have only an undebuggable error "unknown error". For yast, my Suse is joined but i'm unable to authenticate, i can't see "MYDOMAIN.LOCAL" at KDM login and if i try to lookup forest i have this error:
Code:
wbinfo -u
Error looking up domain users
but i'm able to retrive ticket via kinit
Code:
# kinit Administrator
Password for Administrator@MYDOMAIN.LOCAL:
[Code]...
have you a samba version tested against Active Directory 2008? can you link me the repository or help me to solve this?
View 2 Replies
View Related
Jul 3, 2010
I've been searching around the web for help and have been really pulling my hair on this one. I have a Windows 2003 Server w/ AD on it. I have two linux machine, both running the same version of RHEL 5 (compute-1, compute-4)
When I log into compute-1, and do an "id dhuynh", I get this:
uid=1501(dhuynh) gid=1500(domain users) groups=1500(domain users),2013(dusers),1501(certsvc_dcom_access),1507 (BUILTIN+users)
When I log into compute-4, do do the same command, I get this:
uid=1500(dhuynh) gid=1504(domain users) groups=1504(domain users),1505(certsvc_dcom_access),1501(BUILTIN+user s)
Notice that the uid and gid are different. How do I get them to be the same? This is affective the file permissions in certain shared directories. I've check /etc/samba/smb.conf and they are identical. I also check /etc/nsswitch.conf and they are identical too.
View 2 Replies
View Related
May 18, 2011
guide me to connect the SLED 11 SP1 to KEVIN.org (This is the name of my domain I created) Wich i created on windows server 2008.
View 9 Replies
View Related
May 20, 2011
I've done a bit of googling but have not been able to find a definitive answer. Can Samba4 replace the Active Directory on a Windows Server 2008 platform? I want to bring down my DC and replace it with a Samba4 server, but the AD is at 2008 level.
View 3 Replies
View Related
Sep 28, 2010
I have samba allowing only known users, and on the ubuntu side, I have the folder permission 777. I have the same exact samba smb.conf file(locations of course matching new server), but I can't get it to authenticate with the new server(Old server is up and running too) and I'm lost. I thought I had it figured out when I did my last server, but I seem to be missing something on this one.
View 1 Replies
View Related
Apr 13, 2009
if there are any repositories with the newest samba version? I'm having a hard time installing it with my W2k8 Server.
View 1 Replies
View Related
Jun 27, 2011
i need to allow window domain controller user to use file share of linux.windows DC user can see the share file and directories of linux file server but not able to access.
below is brief--
I have a Linux machine which is on my network but not on my domain. I have configured SAMBA FILESERVER for file sharing purpose. I have a Windows XP PC which is on the domain(windows server) that I am trying to connect to a share on the Linux box. I supply my credentials but regardless of which login I use I always get Logon Failure. I have created an account on the Linux machine with the same user name and password as my domain account but so far no luck. Can I connect from a domain PC to a non-domain Linux box? Is there something else I should be checking?
View 14 Replies
View Related
Oct 21, 2010
I have Windows 2008R2 Server acting as Domain Controller for Windows7/XP clients. and CentOS 5.3 Installed configured as Samba Server, I want to make it as ADS member server so any user to login to any machine, and be able to access their Samba share.
View 3 Replies
View Related
Jan 3, 2011
I have update my linux server from mandriva 9 to mandriva 2010
I was working using samba 2.2.8 and now I have samba 3.5.3.I have transfer all passwd and smbpasswd to new linux.I have convert smbpasswd to tdbsam
when i am using win xp to logon on samba domain the windows XP does not load profiles from samba. I think that the problem is NTUSER.DAT storing in /home/user/profile
The same profile is working using samba 2.2.8 but not working in samba 3.5.3..
View 1 Replies
View Related
May 2, 2011
I was trying to connect to Windows server from 11.04 I knew the connection worked from a Windows 7 PC
terminal services client (rdp or rdpv5)An error has occurred Details: recv: ~Connection reset by peer
Fix I'd forgotten about the Windows server security. Control Panel, System & Security, System Remote Settings, Remote Desktop has 3 radio buttons. I changed from most secure to medium security.
View 2 Replies
View Related
Apr 28, 2009
At the school i work in i have a server2k3 server that provides a domain to all the windows clients, aswell as a fedora server that acts as an imaging machine and webserver.
Im rather concious of the fact that if for any reason the Server2k3 server was to die there is no backup of active directory, or anything that can take its place whilst a replacement is found.
So is it possible to use a fedora machine with samba as a secondary domain controller? so it can be used as a login server, and has a copy of AD.
View 1 Replies
View Related
Mar 31, 2011
I am practising setting up a small network using UBUNTU as a PDC through SAMBA to service xp clients.
I have sucessfully setup DNS on the Ubuntu server using Bind9 and can nslookup from both the client and the server by FQDN and can also ping ipaddress.
I have setup a basic smb.conf file however when I try to add the xp client to the domain I get an error message saying a domain controller for the domain could not be contacted.
I have disabled the firewalls on both the server and the xp client and still get the same error message when trying to join the domain. I've checked my network settings on the client, its set to use a static IP address and the DNS server and WINS server are set as my Ubuntu Samba PDC address.
I haven't been able to see anything odd in the smb.conf file that might cause this issue. I can connect directly to the shares using the samba network account that I created by going to start run and typing in the unc path.
Not sure what the cause of this issue is, I thought it might be a DNS issue on the client. One odd thing I noticed is that when I do nslookup using just the server name and not the FQDN i get a message in dos saying that the default server cannot be found but says that the server name for the [ipadress] cannot be found. It does list the correct ip.
I'm not sure what is causing the problem of stopping my xp client from joining the Ubuntu Samba PDC. I'm using UBUNTU server 10.04.
View 1 Replies
View Related
Apr 13, 2011
My samba domain controller will not serve up scripts upon login, and acts very slow when not connected to the Internet. Also, network browsing from windows boxes shows no computers on the network once all this happens. Once the net connection comes back up, everything is fine.
Domain server:
Ubuntu 10.04.2 LTS
Samba 3.4.7
Router: Smoothwall Express 3.0-polar-i386 3.0 (update6). Router is set up as DHCP, and appears to be serving up normal IP's when the Internet connection goes down. I can ping the domain server at its normal IP when the connection goes down.
Heres my smb.conf:
Code:
[global]
log file = /var/log/samba/log.%m
passwd chat = *Entersnews*spassword:* %n
*Retypesnews*spassword:* %n
[code]....
This only happens when our internet connection goes down. When its up, everything is works fine.
View 2 Replies
View Related
Feb 26, 2011
We have a small group of linux servers, currently with local logins. I want to eliminate the local logins and authenticate against the corporate AD. I've been looking at PAM - but winbind requires each machine to be added to the AD. This becomes a pain if we create new virtual or physical servers. Is it possible to have one server authenticate directly with AD, and the other servers authenticate against this server, which defers to the one server that is registered in AD?
View 3 Replies
View Related
Apr 20, 2010
I've been working for hours with Samba on Ubuntu Server 9.10 (Samba version 3.4.0), trying to get it setup simply as a fileserver that performs authentication to an NT 4 server (yes, I know, old and out of date). After much struggling, I finally realized that my configuration *was* working when the clients connecting (from XP, and Win2k clients, mostly) were actually joined to the domain (where the PDC is the NT 4 Server) and logged into the domain.For various reasons, many of the Windows clients at this location don't actually log into the domain, even though they have login/passwords that are valid users on the domain and they'll typically have some drives mapped to the PDC.
By the way, I have this working on another Linux box running Samba 3.0.28, so I'm sure it's possible, I'm just lost as to how to do it.I can provide plenty more information if it would help diagnose the situation. Does anyone have an idea of how I can get this to work? I'm sure it's possible, since the exact scenario worked in a recent version of Samba.
View 1 Replies
View Related
Jun 23, 2010
we are using LucidLynx Linux, 64-bit,with ActiveDirectory accounts via samba/winbind 64-bit.I have 2 separate 32-bit applications:IBM MQ Toolkit (32-bit java-based) and Acrobat Reader
View 2 Replies
View Related
Sep 2, 2011
I'm trying to connect to a Samba share on a VirtualBox'ed Windows 7 that is connected to an openSUSE host in bridged mode. For reasons beyond my comprehension I cannot use the shared folders feature, so I'm using Samba instead. I configured a share through openSUSE's Samba server configuration tool:
[iTunes]
inherit acls = Yes
path = /home/myusername/iTunes
read only = No
valid users = myusername
I also set a password for this user using smbpasswd -a myusername. I can go to smb://192.168.1.6 on the host machine and log in to the share successfully, but on Windows 7 I see this: What am I doing wrong? I can connect to the shares list without any problems. It's just the login that doesn't work.
Update: I noticed that my Samba server is part of the WORKGROUP domain.
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.5.7-1.17.1-2505-SUSE-SL11.4-x86_64]
Sharename Type
[code]....
View 2 Replies
View Related
Sep 6, 2010
I'm stuck with this problem of adding Windows machine to Linux domain. for which samba has been configured as PDC .
operating system : Cent OS 5.3 with updates ., with hostname tester.com
Dnsdomainname = com Code: [global]
workgroup = TESTER
netbios name = TESTER
server string = Samba Server Version %v
interfaces = lo, eth0, 192.168.1.1/24, 192.168.1.2/24
passdb backend = tdbsam
code....
guest ok = Yes now everything work well i.e windows client can access their share. also permissions are set appropriately. Also account for users and particular XP machine are also created.when I try add windows machine to samba domain by changing windows machines domain name to the tester . Windows client gives error of can not connect to domain.If anyone has any idea about this problem of adding windows machines to SAMBA domain pls reply.
View 2 Replies
View Related
Feb 27, 2011
My Windows 2003 domain has three domain controllers. All of them are configured as global catalog servers, but my krb.conf and krb5.conf only contain a reference to one of them. What if the DC referenced is down? Should my files reference the other DCs? The contents of my files follow...
krb.conf
--------
MYDOMAIN.COM dc01.MYDOMAIN.COM:88
MYDOMAIN.COM dc01.MYDOMAIN.COM:749 admin server[code]...........
View 1 Replies
View Related
Jul 15, 2010
I have set up Samba to act as a domain login for a Windows 7 PC. The Windows 7 PC has the two correct registry compat entries.
So, I've added "root" to smbpasswd and the Windows machine tries the "LINNIS" server. Authentication is successful, as stated in the Samba log but the Windows machine fails with the following:
"The specified computer account could not be found. Contact an administrator to verify the account is in the domain. If the account has been deleted, unjoin, reboot and rejoin the domain."
I feel like I'm doing something dumb, but the authentication passed so what is it talking about?
Slack 13.1 (Samba 3.5.x)
View 11 Replies
View Related
