SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO

Finally got a good method down and it works consistently… You can read it in straight HTML too.
Everything done in this howto is done with root permissions. It is always best to start out with a completely updated machine:
yum upgrade

Next it is important to make sure that you have the Kerberos files on your machine:
yum install krb5-server krb5-workstation

Next you need to edit the /etc/krb5.conf file so that it looks similar to this (case IS important; the items that were bolded in the original, the realm, domain and server names, are the ones that need changing for your own domain):

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EDMONSON.KETSDS.NET
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes
    default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
    preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC

[realms]
    EDMONSON.KETSDS.NET = {
        kdc = ed151000d1.edmonson.ketsds.net
        admin_server = 10.76.16.50:749
        default_domain = edmonson.ketsds.net
    }

[domain_realm]
    .example.com = EDMONSON.KETSDS.NET
    example.com = EDMONSON.KETSDS.NET

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

Now it is a good idea to add your domain controller to your /etc/hosts file. That way if something happens to DNS you can still resolve it. Next we are on to editing the /etc/samba/smb.conf file. There are several things to add and change here (again case is important, and the lines marked change or add below are what need changing or adding):
change: workgroup = EDMONSON
add: realm = EDMONSON.KETSDS.NET
change: server string = Linux Samba File Server
change: security = ADS
change: encrypt passwords = yes
change: preferred master = no
add: template shell = /bin/false
add: template homedir = /home/%D/%U
add: idmap uid = 10000-20000
add: idmap gid = 10000-20000
add: enhanced browsing = no
add: winbind use default domain = yes

After you get those edited then it is a good idea to run testparm and correct any errors that you get. With just the changes that I posted above there shouldn’t be any errors.
Next start SAMBA and join the machine to the domain using the commands:
/etc/init.d/smb start
net ads join -U bnorris@EDMONSON.KETSDS.NET

Again case is important. The program should ask you for your network password and then it should join the box to the network.
If all went well you need to stop SAMBA while you finish up the pieces:
/etc/init.d/smb stop

Now we need to edit /etc/nsswitch.conf and tell the machine to use Winbind to authenticate people.
change: passwd: files winbind
change: group: files winbind

Now we can start Winbind and SAMBA back up:
/etc/init.d/winbind start
/etc/init.d/smb start

Test to make sure it is working using wbinfo:
wbinfo -u
wbinfo -g

Those commands should give you a list of users and groups from your domain. If you have a particularly complex domain with lots of trusts and such, you might want to limit wbinfo to one domain with the --domain=EDMONSON option. If wbinfo hangs and never returns, you will need to stop and start Winbind in order to get it working again.

You can also get some info about your connection to the domain with:
net ads info

Now you need to enable extended Access Control Lists (ACLs) on the filesystem that you will be using. This will give you access to extended security settings similar to Windows file permissions. To change this we will need to edit /etc/fstab. You might not want to enable ACLs for all of your filesystems, as it can add some overhead that you might not need. Find the filesystem entry that you want to enable ACLs for and edit the options field (the fourth field, which usually says defaults). After the entries that are already there, append ,acl (so the field reads, for example, defaults,acl).

Now you need to unmount that filesystem and remount it. The easiest way to do that is to just reboot the machine, since there might be users with files open and you can’t unmount while that is going on.

Now if you are planning on giving your users home folders you need to make their directories. I cheated a little and did the following to quickly create mine:
wbinfo -u --domain=EDMONSON | grep -v '\$$' | sort > ~/temp   # drop machine accounts (names ending in $)
for i in `cat ~/temp` ; do
    mkdir -p "/home/EDMONSON/$i"
    setfacl -m u:"EDMONSON\\$i":rwx "/home/EDMONSON/$i"   # give the user full control of their own directory
done

That should give you a directory for every user with them having full control of that directory. I think there is an option to SAMBA to get it to do this when a user connects to the machine, but I couldn’t find it quickly today to set it. If anyone knows what it is, just let me know and I will edit this to get it in there.
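As an added example (not part of the original howto), a small pre-flight script that checks the pieces above before the reboot: that the fstab entry really carries the acl option (a misspelled option there leaves the filesystem unmountable at boot), that nsswitch.conf lists winbind for both passwd and group, and that the user list fed to the home-directory loop excludes machine accounts. The fstab, nsswitch.conf and wbinfo output used here are constructed samples, not from a real host.

```shell
#!/bin/sh
# Pre-flight checks for the winbind/Samba setup described above (added example,
# not from the original howto). Each function takes file contents as a string so it
# can also be pointed at a live host, e.g.:
#   fstab_has_acl "$(cat /etc/fstab)" /home && nsswitch_uses_winbind "$(cat /etc/nsswitch.conf)"
LC_ALL=C
export LC_ALL

# Succeed (exit 0) only if the fstab entry mounted at $2 carries exactly the option "acl".
# A typo such as "alc" is not caught by testparm; it shows up as a filesystem that will
# not mount at the next reboot, so check the spelling before rebooting.
fstab_has_acl() {
    printf '%s\n' "$1" | awk -v mnt="$2" '
        $1 ~ /^#/ || NF < 4 { next }                 # skip comments and incomplete lines
        $2 == mnt {
            n = split($4, opts, ",")                 # 4th field: comma-separated mount options
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Succeed only if both the passwd and group lines of nsswitch.conf list winbind,
# which is what lets getent and the login path resolve domain users and groups.
nsswitch_uses_winbind() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
        END { if (p && g) exit 0; exit 1 }'
}

# Print the real user accounts from "wbinfo -u" output, sorted, dropping machine
# accounts (names ending in $) so the home-directory loop does not create homes for them.
domain_users() {
    printf '%s\n' "$1" | grep -v '\$$' | sort
}

# Constructed samples (not from a real host) standing in for the three inputs.
SAMPLE_FSTAB='LABEL=/      /      ext3  defaults      1 1
LABEL=/home  /home  ext3  defaults,alc  1 2
LABEL=/srv   /srv   ext3  defaults,acl  1 2'
SAMPLE_NSSWITCH='passwd:     files winbind
shadow:     files
group:      files winbind'
SAMPLE_WBINFO='bnorris
lamar.miller
EDSERVER01$
jcarnes'

# Run every check against the samples; returns 0 only if all of them pass.
preflight() {
    rc=0
    for mnt in /home /srv; do
        if fstab_has_acl "$SAMPLE_FSTAB" "$mnt"; then
            echo "ok:   $mnt has the acl mount option"
        else
            echo "FAIL: $mnt lacks a correctly spelled acl option"; rc=1
        fi
    done
    if nsswitch_uses_winbind "$SAMPLE_NSSWITCH"; then
        echo "ok:   nsswitch.conf uses winbind for passwd and group"
    else
        echo "FAIL: add winbind to the passwd: and group: lines of nsswitch.conf"; rc=1
    fi
    echo "users that will get home directories: $(domain_users "$SAMPLE_WBINFO" | tr '\n' ' ')"
    return $rc
}

preflight || echo "fix the FAIL items above before rebooting"
```

With the sample fstab the /home check fails on purpose (it carries alc instead of acl) while /srv passes, which is the mistake the check exists to catch.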

So there you go. You should now have a machine that will authenticate to the AD and show you the shares that you are allowed to access. If you want to add shares for specific users it isn’t too tough, just add them to /etc/samba/smb.conf.
A good template share definition looks something like this:
[vivnenoi]
    comment = wireless to connect field
    path = /home/shares/vivnenoi
    valid users = EDMONSON\lamar.miller EDMONSON\jcarnes EDMONSON\bnorris
    public = no
    writable = yes
    printable = no
    create mask = 0765

I have also written a shell script that can be accessed through a webpage to dynamically generate shares for groups of users. I will post in another entry soon.

60 Responses to SAMBA 3 Authenticating to a Windows 2003 Active Directory HOWTO

  3. jim beam says:

    Many thanks for the help. So far.
    How does one determine the exact realm name on a 2003 server? Is it the (case-sensitive) high-level name that appears in Domain.msc?

  4. Brent says:

    Yes I believe that would be the thing you are looking for.

  5. Santosh says:

    Thanks Brent,

    I have added my RHEL-4 machine to my Windows 2003 ADS successfully. But I can’t access shares on my Linux box from Windows; it’s asking me for a user name & password, and if I supply my user name & password it’s not accepting them.
    But I am able to access Windows shares from the Linux box. Can you please help me resolve this issue?

    Thanks in advance.

    Santosh

  6. Brent says:

    If you can’t get to the Linux shares from a Windows machine then something isn’t set up correctly. That is what this process is really all about. You don’t even really have to set up SAMBA to get from Linux to Windows.

    I would suggest going through the process again and making sure that everything is the way I said and that all the test commands return correctly. If they don’t then you need to work on that section and find out why it isn’t working right.

  7. Towlesd says:

    I’ve been working on the same stuff for the last few weeks and have modified a few files to allow most connection types to auth via AD (ssh, samba, login screen etc). Basically at the same place but a few things to think about. Winbind needs to be started for this to work, but even when I add it with chkconfig it doesn’t work unless I first log in as root and restart the service; after that I can log out and log in fine, but it has to be with root. Also if an account is ever renamed…….. basically they’re seen as a new user. I work for a university in a 30 thousand user environment so just the volume of shares becomes an issue. Also you can have the accounts’ homes created using “pam_mkhomedir.so”. Any comments, questions, or curses would be appreciated.

  8. Rick D says:

    So, whaddya think about this: I have samba running on several linux servers (RHEL), and I can see both the server and the shares from XP workstation but only the server and NOT the shares from Win2K3 server. I have tried changing smb.conf to security – ADS, etc., but to no avail. I have even added my user to smbpasswd. Still no luck. Any ideas would be helpful. Thanks. Rick

  9. shanaf says:

    Hi, I have configured a samba server, and my Windows Active Directory users have been authenticated through WINBIND; there is no problem with authentication and accessing the shares.

    The problem comes when a user creates a folder or a file on the samba server: he can’t allow or deny a specific user for his file. I can change the permission for the currently listed users, but can’t add or delete any other users.

    It’s showing the error “cannot save changes for the share in the server”.

    How can I solve this issue?

    Thanks in advance for the help

  10. Brent says:

    You need to read the above part about turning Access Control Lists on. That is a common problem when it is not turned on.

  11. tily.p says:

    hi
    nice tutorial .. very helpful .. but perhaps you can help me and many other users regarding the following issue
    I joined samba to ads 2k3 rc2 with no problem .. no acl support in my samba and in kernel .. wbinfo, getent work well .. BUT !!!!
    I create a share public with chmod 770 and one group sambausers in my ads
    chgrp sambausers /public and chmod 770 on /public .. in that group are 2 users user1 and user2 .. both users and only them have access to that share .. I remove one user and still after 24 hours he still has access there until I restart samba and winbind .. same happens if I add a user to the group .. he has no access until samba restart … winbind cache is set up on 0 .. getent and wbinfo see the group modifications, also another samba from another machine works well against this group modification (I can connect with smbclient) .. but NOT from windows xp stations or 2000 stations

    thanks for any help

  12. Brent says:

    That is a little hard to follow, I guess just because it is early, but I would say your problem stems from the fact that Windows doesn’t check groups again until a log off and back on.

    See, the Windows box caches the credentials that you supplied until a log off. So as long as a connection is still possible then it will always think it is in that group. When you restart SMB it loses the connection and tries to re-auth to the Linux machine. When it does this then everything gets run by the AD again and the group members are updated. Then no access.

    I bet if you log out and back in on the Windows machine without restarting SMB and Winbind, it will have a similar effect. Or it is at least something to try.

  13. tily.p says:

    thanks for the answer
    but here is another problem regarding what you said .. I can even restart my windows boxes .. no effect .. I still cannot log on (with my user as a member of that group)
    I forgot to mention that I tried with many versions and linux distros and even with obsd 3.9 (same problem) I asked a guy who had the same problem .. he couldn’t find the answer .. I tried also to sniff the network with ethereal from both sides to check the dialogs between server and client .. nothing
    PS: in win 2000 ADS all works well so it is a win 2003 problem as I see ..

    I have about 300 XP workstations and 3 samba servers and 2 2003 DCs .. it is not so easy to restart services every time a modification is made

  14. Brent says:

    hmm… Well that was my only shot at it then. Perhaps the samba lists could help you out with it? Please if you figure it out, post back. It will only help to get the word out on how to fix it.

  15. tily.p says:

    I already posted … no one answered back .. and I found someone who has the same problem but he, like me, doesn’t know what to configure anymore .. I think it is a problem of how windows stations query the 2003 ADS to get the rights .. in 2000 ADS all worked well .. someone said that it could be my domain controller’s problem .. ok.. I installed a new one and with a crossover cable connected it to a fresh samba install .. I configured everything but the same issue appeared

  16. Babu says:

    I get the below error after going through the said configuration… Any idea?

    utils/net_ads.c:ads_sratup(191)
    ads_connect: Transport endpoint is not connected

    This error is while I am trying to join the domain…

    Thanx Babu

  17. tily.p says:

    Hi Brent .. solved my problem … it was a pam configuration problem .. I needed to change the config files in /etc/pam.d/samba and /etc/pam.d/login .. if someone has a problem you can find me on yahoo msg id: zaafiel_666 .. my samba works great now (win2k3 groups, users, acl and also I can change rights from windows explorer for the files and directories in samba) … please Brent if you can index this page to google so everyone who has this problem can solve it

  18. Sunny says:

    Hi Brent,

    It is really a superb piece of work, and I think it will have helped many.
    I have joined the samba server against Windows 2000 authentication without problem, but now I have upgraded my Windows server from 2000 to 2003 and the same configuration does not work here. I am able to connect to the ADS server; even wbinfo -u,g,t,a and getent passwd,group work, and joining also works fine.
    But when I use this command this is the error.

    [root@starlinux root]# net ads testjoin
    [2006/11/17 20:38:50, 0] libads/kerberos.c:ads_kinit_password(136)
    kerberos_kinit_password STARLINUX$@STARBANG failed: Preauthentication failed
    [2006/11/17 20:38:50, 0] libads/kerberos.c:ads_kinit_password(136)
    kerberos_kinit_password STARLINUX$@STARBANG failed: Preauthentication failed
    Join to domain is not valid

    would you please help me on this.

    Thanks in advance.

  20. Ghys says:

    Great piece of work! Glad to see that it is working for you coz for me it’s not working… for now 🙂

    I am having the same bug as Babu.

    Where did I miss something? I can’t figure it out.
    I did restart all services: winbind, SMB.

    It would be nice to have some sort of a solution from a working system. Also a full printout of all needed files (without compromising info 😉 ); that way we could compare and make adjustments.

    thanks again for all the effort and info.

  21. trance says:

    Good explanation. Had a question: what if I don’t want home directories created and only want it for shares for particular groups who will never log on to the Linux server?

  22. Daniele says:

    Hi!
    My installation hangs infinitely after “net ads join -U xxxx@xxxx” with this message:

    [2007/03/08 14:10:51, 0] libads/ldap.c:ads_add_machine_acct(1405)
    ads_add_machine_acct: Host account for saenet01 already exists – modifying old account
    [2007/03/08 14:10:51, 5] libads/ldap_utils.c:ads_do_search_retry(56)
    Search for (objectclass=*) gave 1 replies

    I’m using Samba 3.0.24 on a RedHat Enterprise 3 with AD on Windows 2003: I have googled and found others having the same problem, but no solution found.

    If anyone has some hints…

    Thanks!

    Daniele

  23. Joo says:

    Hey!
    there is an error in your documentation. The option in the /etc/fstab is not alc, it’s acl 😉

    cheers Jo

  24. Zither says:

    Hello! Is there a way to make samba clients (like smbclient, nautilus, konqueror, etc) use the authentication information (a Kerberos ticket) whenever I access a network share, thus avoiding being asked for authentication? Assume that the client computer has already joined a Windows 2003 domain controller and the logged-in user is a domain user obtained with winbind.
    Thank you in advance!

  25. Zenu says:

    Hallo All!
    SAMBA 3 Authenticating to a Windows 2003 Active Directory works great with winbind and pam_mkhomedir.so, but pam_mkhomedir.so makes the home folder for the machine.

    Can you please help me resolve this issue?

    Thanks.

    Zenu

  27. Jackie says:

    Hi,

    When I run the kinit command, I got the following error msg:

    kinit @

    kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    And I checked that there’s no kdc.conf file or the log files specified in krb5.conf. Did I miss anything here?

    Regards,
    Jackie

  28. Jackie says:

    Hi,

    When I run the kinit command, I got the following error msg:

    kinit AD_userid@dns_of_AD_Server

    kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials

    And I checked that there’s no kdc.conf file or the log files specified in krb5.conf. Did I miss anything here?

    Regards,
    Jackie

  29. Jason says:

    Just want to say THANK YOU BRENT!, exactly what I needed without having to read through miles of BS. Good Work mate!

    Regards
    Jason

  31. irfan.farid says:

    this is my network scheme :

    CLIENT (WORK001)—————– ADS.SERVER (DOMAIN)
    SMB.SERVER (DEVEL) ————————-|

    The shared folders which are set to writeable without the “valid users” setting are working fine, but with the one that contains “valid users = DOMAIN\user.name1 DOMAIN\user.name2”, every time I try to browse it, it keeps asking for login and password. I typed “DOMAIN\user.name” + the right password but the username goes back to “DEVEL\user.name”; I changed it again but it keeps doing the same. Is there something I did wrong with the config? Please help,

    Thanks.

  32. Almir says:

    Great work! Thanks a lot for this article.

    regards,
    Almir

  33. Nico Kadel-Garcia says:

    It looks like you have a typo: where you say “put alc” in the fstab, it should be “put acl”. It would also be more clear if you emphasized the “acl” a bit.

  34. Francis says:

    Hi all,

    I’m trying to join my samba server to active directory on windows 2003. Here are my system’s details:

    SAMBA:
    samba3-3.0.28a-35
    samba3-utils-3.0.28a-35
    samba3-client-3.0.28a-35

    KERBEROS:
    krb5-auth-dialog-0.7-1
    krb5-libs-1.6.1-17.el5
    krb5-workstation-1.6.1-17.el5
    krb5-server-1.6.1-17.el5

    Operating System: Centos 5 with kernel version 2.6.18-53.1.14.el5 running on vmware server

    The specific problems that I have are the following:

    when I do a testjoin to my AD server:
    kerberos_kinit_password ADSERVE$@DOMAIN.COM failed: Preauthentication failed
    Join to domain is not valid: Logon failure

    This is strange, since I can get my ticket using kinit with no problem. When I do a join to my AD server:

    [2008/03/18 08:51:23, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
    Failed to join domain: Invalid credentials

    Again, this is strange considering I can get the ticket using klist. If it’s any help, I get kerberos errors on my AD server event logs. It says something to the effect that I might have duplicate machine accounts and local accounts. I do have duplicate accounts, but I removed it already from the client. Still, I get the same errors.

    This is all for now. We’ll work in this topic by topic I guess.

  35. ross says:

    hi
    I’m using samba 3 on fedora 5 and Windows AD 2000; after configuring krb5 and kinit it works fine
    but when I am trying to join ADS I get this error:
    net ads join -U Administrator@GSADOMAIN.COM
    Administrator@GSADOMAIN.COM‘s password:
    [2008/05/15 15:38:04, 0] utils/net_ads.c:ads_startup(289)
    ads_connect: Operations error
    Pls help.

  36. Cheeseball says:

    Nice documentation, I’ve read a lot on this subject and yours seems to be spot on. Everything is working fine for me with one exception: I still cannot log into my Linux (CentOS 5.1) box with an active directory account.

    Kerberos is working and I can get tickets.
    Winbind and Samba seem to be working, I was able to join ADS and can get a list of users or groups with wbinfo.

    However, for the life of me I still cannot get the box set up to allow me to actually log into it with a domain account.

    I suspect it’s a PAM configuration problem, but I’m not sure.

    Even when I’ve verified that winbind and smb are running, I can switch to a different TTY and try to log into a console session with an AD account but still get a “Login Incorrect” message returned.

    Any ideas on what I am missing?

  38. Aplon NS says:

    Follow Brent’s suggestion at the top of this forum… especially the krb5.conf and nsswitch.conf. I had the same problem: smb and winbind running but still getting a Windows authentication window when I connect. Happy now.

  39. santhosh says:

    Hi all

    When I try to connect, I am getting this error:
    net ads join -U santhosh@xxxx.xxxxx.com
    santhosh@xxxx.xxxxxx.com‘s password:
    [2008/08/01 20:53:00, 0] utils/net_ads.c:ads_startup(281)
    ads_connect: Invalid or incomplete multibyte or wide character

    Please help me sort out this problem.

  40. Thomas says:

    I was looking at a printable version of this page when I was following the instructions… the comments weren’t there. I noticed that when editing the fstab he had “alc” instead of “acl” but I figured he knew what was right so I put that in.

    Now, after a reboot. I cannot edit ANY files and even the root user cannot modify the fstab file to correct it. I’m completely screwed. Do I have to rebuild my server from scratch?!

  41. Brent says:

    Most likely your root filesystem is just mounted read-only. If you are at the recovery console you should be able to remount it read-write and edit the fstab.

    The command would be something like this:

    mount / -o remount,rw

    but check the man page for mount to get the correct one. You might want to check it on a machine that isn’t the one that is having the problem. Above article fixed… sorry, I thought I had already fixed it.

  42. Thomas Deliduka says:

    I got it fixed after a few hours’ work. I looked online and saw stuff like modifying the kernel parameters to have init=/bin/bash to have just the shell come up. I then would do the command you mention above and for some reason it would still read the fstab because it would give me “Unrecognized option alc” and simply not mount properly.

    So, even after reading a post that this wouldn’t work… I booted with the fedora core 6 CD, went into recovery mode which put the volume under /mnt/sysvol or something like that. From there I edited the fstab and everything is fine.

    After tweaking some things including the iptables firewall I was able to get this to work. Your blog post has been invaluable so I thank you. Just please, if you haven’t already, correct the spelling on the fstab section!

  44. Fernando Galvao says:

    good day…sorry my English is that I am using a translator on-line. I need its aid for the sharing of folders: I have a called folder given and inside of it he has some folders of each department then I want to place permissions in the folders inside of data for users and groups as I make? I can make this right-hander of windows 2003 or have that to make direct of linux? an example: ‘ the user Pablo has access alone has access to the sharing //files/DP (it only can here read) the user michael alone has access to the commercial sharing //files/commercial (it can save, record, excrever here and erase) all users have access to the //files/Q sharing (only reading and total access apra administrator) all these users are of Ad windows 2003.

  45. CJ says:

    Dear Brent .. Thank you for your cool site. I have learned lots of things

    however, when I try to use the “command” setfacl -m user:”domain\user”:rwz foldername

    my system gives me: setfacl: foldername: Operation not supported

    do you have any ideas about this ?

  46. Brent says:

    Sounds like you didn’t enable ACL support on that filesystem and then unmount it and remount it.

  47. Fernando Galvao says:

    and on my problem somebody can help me?

  49. Tank Abbot says:

    Does anyone know if this same procedure will work using a Windows 2008 AD Domain? I use RHEL 5.3 and Fedora 10. Thanks! Great site!!

  50. Geoff White says:

    After getting this working a couple of times, I have found that it usually needs a reboot of both the DC and the Linux box to get it working properly.

    Normally you can join the domain, but there are problems getting winbind to fetch users and groups.
