Samba ADS integration without Kerberos

Posted by simonw on Fri 5 May 2006 at 17:12

An article on Debian-Administration.org already covered ADS setup with Kerberos, but I was looking for the most lightweight and nimble ADS integration that achieves the less ambitious goal of a single username and password.

Aim: Allow a Debian Sarge box to join an ADS domain without using Kerberos, creating user accounts on the fly. The resulting Debian system should work for NT Domain users for most or all of the services it offers, with the same username and password, without having to type the domain in each time.

Disclaimer/Caveats: I'm not a PAM expert, or a Samba expert, or a Debian expert. This configuration is something I worked out as a proof of concept, since I wanted to integrate the Linux servers at work into the ADS so users only have one password to remember/change. It is likely very wrong in places; hopefully public scrutiny will fix any major oversights. This was drawn from my notes; the actual procedure was far less linear, not least because installing the Etch version only happened after much head scratching.

This method of integrating ADS with Linux doesn't ensure that the UIDs and GIDs are consistent across multiple Linux servers (unlike, say, NIS/NIS+ or the RFC2307-type solutions). As such it is useful where you want to integrate a small number of Debian servers providing specific services into the ADS environment, and have no intention of networking those Linux boxes together using, say, NFS (except for purely administrative purposes).

Environment

 Windows 2000 servers, with 3 ADS servers.
 The old-fashioned NT Domain name is "NTDOMAIN"
 The ADS domain name is "ntdnsdomain.example.com"
 ADS servers are "server1.ntdnsdomain.example.com" (server2, server3).
 Hostname (and NetBIOS name) of the Debian server is "debtest"

Get Software Installed

Start with Debian Sarge, and install winbind and samba:

#apt-get install samba winbind

Fix the stable release as the default.

/etc/apt/apt.conf -- added line

APT::Default-Release "stable";

Arrange to have testing as a less preferred release. /etc/apt/apt.preferences -- created with

Package: *
Pin: release r=testing
Pin-Priority: 200

Arrange to have the testing repository known to APT. /etc/apt/sources.list -- added line

deb http://{your-nearest-debian-mirror}/ testing main

Learn what is in the new repository.

#apt-get update

Get the testing version of this software (the original line was missing the "install" verb).

#apt-get -t testing install winbind samba

Configure Software correctly.

Stop "winbind" and "samba"

#/etc/init.d/winbind stop
#/etc/init.d/samba stop

Ensure that the client machine is in the domain of the DNS servers.

Either ensure that "/etc/resolv.conf" has

 search ntdnsdomain.example.com { optional other domains }

Or, in our case, we edited "/etc/dhclient.conf" to contain:

 supersede domain-name "ntdnsdomain.example.com"

Or update your DHCP server as appropriate.

Configure SAMBA by updating the /etc/samba/smb.conf file.

We updated/added the following entries; this isn't a complete file, just the lines that changed. Note that Samba only recognises a comment when the "#" or ";" starts the line, so the remarks are placed on their own lines rather than after a value (a trailing "# remark" would otherwise be read as part of the value).

workgroup = NTDOMAIN
dns proxy = yes
security = domain
# Actually only used server1 for testing, less event logs to check
password server = server1 server2 server3
netbios name = debtest
# This isn't used in the configuration anywhere
winbind separator = .

idmap uid = 15000-20000
idmap gid = 15000-20000

winbind enum users = yes
winbind enum groups = yes
# This template can include the domain name if required
template homedir = /home-ads/%U
template shell = /bin/bash
# Allows logging in as "username" instead of "NTDOMAIN.username"
winbind use default domain = Yes

Start Samba

# /etc/init.d/samba start

Join the domain

Windows' use of secure channels means every machine in a domain must be added by someone with the appropriate authority. This creates an entry in the ADS "Users and Computers" admin tool for the computer "debtest".

#net rpc join -S server1 -U Administrator

Start winbind

# /etc/init.d/winbind start

Test membership of the domain

#wbinfo -t

Configure Winbind to be used.

Modify /etc/nsswitch.conf

Lines;

passwd: compat
group: compat
shadow: compat
hosts: files dns

Replaced with;

passwd: files winbind
group: files winbind
shadow: files
hosts: files dns winbind
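As an added sanity check (not part of the original article), the following POSIX shell script lints an smb.conf fragment and an nsswitch.conf for the two pitfalls in the smb.conf and nsswitch steps above: inline "# comments" that Samba would swallow into the value, and passwd/group lookups that never reach winbind. It assumes only grep and mktemp are available; the sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added sanity checker (not from the original article) for the pitfalls in this
# how-to. Samba treats '#' or ';' as a comment only at the start of a line, so a
# trailing "# remark" on a value line becomes part of the value.
# Print offending or missing smb.conf settings; return 1 if any, 0 if clean.
lint_smbconf() {
    conf=$1; rc=0
    # 1. Value lines carrying an inline '#' or ';' comment.
    if grep -n '^[[:space:]]*[^#;[:space:]][^=]*=.*[#;]' "$conf"; then
        echo "ERROR: the inline comments above are read as part of the value"
        rc=1
    fi
    # 2. Settings this how-to depends on (Samba ignores case and spaces in keys).
    for req in 'workgroup *=' 'security *= *domain' 'idmap *uid *=' 'idmap *gid *=' \
               'winbind *use *default *domain *= *yes'; do
        grep -iq "^[[:space:]]*$req" "$conf" \
            || { echo "ERROR: no setting matching '$req'"; rc=1; }
    done
    return $rc
}

# Return 0 when passwd and group lookups fall through to winbind, 1 otherwise.
lint_nsswitch() {
    for db in passwd group; do
        grep -q "^$db:.*winbind" "$1" \
            || { echo "ERROR: $db lookups do not use winbind"; return 1; }
    done
}

# Constructed samples: BAD_CONF mirrors the article's fragment with inline
# comments; GOOD_CONF moves them onto their own lines.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp); NSS=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF" "$NSS"' EXIT
cat >"$BAD_CONF" <<'EOF'
workgroup = NTDOMAIN
security = domain
password server = server1 server2 server3 # only server1 used for testing
template homedir = /home-ads/%U  # may include the domain name
EOF
cat >"$GOOD_CONF" <<'EOF'
workgroup = NTDOMAIN
security = domain
# only server1 used for testing
password server = server1 server2 server3
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind use default domain = Yes
EOF
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files\n' >"$NSS"
```

Run it against the real files with `lint_smbconf /etc/samba/smb.conf && lint_nsswitch /etc/nsswitch.conf` before starting samba and winbind.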

Modify PAM

We modify the "common" PAM files so that NTDOMAIN usernames are usable everywhere.

/etc/pam.d/common-auth

Replace line;
 auth required  pam_unix.so nullok_secure
With;
 auth sufficient        pam_winbind.so
 auth required  pam_unix.so nullok_secure use_first_pass

The new pam_winbind.so line allows you to authenticate against winbind.

The "use_first_pass" option reuses the password tried for winbind for the Unix login, allowing pre-existing Unix users (like "root"!) to log in without having to enter a dummy password at the NTDOMAIN password prompt.

/etc/pam.d/common-account

Insert before line;
 account required       pam_unix.so
Line reading;
 account sufficient     pam_winbind.so

/etc/pam.d/common-session

Insert after line;
 session required       pam_unix.so
Line reading;
 session required       pam_mkhomedir.so skel=/etc/skel/ umask=0022

This line ensures that home directories for users who have never used the system before are created automatically. You can obviously choose your own umask and skel directory to suit.

Test

At this point you should be able to log in as an NTDOMAIN user at a login prompt, or via ssh. A home directory should be created in /home-ads with the corresponding username.

Ctrl-Alt-F2
Login: Administrator
Password: asecret
administrator@debtest:~$ pwd
/home-ads/administrator

Dear Lazy-web, let me know what I got wrong by Monday, and I'll be happy.

Sources

SAMBA HOWTO Chapter 23

Linux PAM HOW TO

ADS Integration Overview

Countless articles consulted while trying to understand all the weird errors, and the debugging required to make this work.

Re: Samba ADS integration without Kerberos
Posted by Anonymous (83.104.xx.xx) on Fri 5 May 2006 at 17:47
I ended up using "winbind separator = -" in my config.

I'm using this server as a squid proxy with integrated NTLM authentication. I tried various other separators, but couldn't get (e.g.) DOMAIN+uname, DOMAIN%uname etc. recognised by squidGuard.


Re: Samba ADS integration without Kerberos
Posted by simonw (84.45.xx.xx) on Fri 5 May 2006 at 18:22
The winbind separator isn't used anywhere in this article, so the choice is arbitrary in this case.

I did note that when I was using the current "Sarge" version of the software, it would use "i" as the separator independent of what appeared in "smb.conf", a clear indication of a serious problem with the Sarge version of Samba.

Not sure what the appropriate bug reporting procedure is for a bug already fixed upstream. But the "i" as separator may indicate the bug is worthy of attention from the security people (although I guess running Samba in an insecure environment is kind of like running Windows in an insecure environment) since that looks like a pointer issue.

Unfortunately Samba is popular, and I lost the will to live ploughing through the existing bug reports. We now have two articles giving different ways of avoiding the Samba in Sarge, which makes me think Sarge has a problem here.

I noted also a bug report saying Samba doesn't work with Microsoft Vista, so clearly some testing needs to go on, and Etch needs to release before Vista, to keep everyone happy. Alternatively, don't buy Vista ;)


Re: Samba ADS integration without Kerberos
Posted by finley (81.208.xx.xx) on Mon 29 May 2006 at 12:47
Nice job!
I'm working on the same task, and still have some problems like:

- When browsing the LAN I don't want to be asked for username/password again...
- When the NT password expires? Is there an X interface to smbpasswd?

cheerio!

finley


Re: Samba ADS integration without Kerberos
Posted by Anonymous (84.45.xx.xx) on Thu 1 Jun 2006 at 13:30
If you are doing client-side stuff on the Linux box you probably want to follow the explanation with Kerberos alluded to in the introduction.

Afraid I don't know the answers to your questions.


Re: Samba ADS integration without Kerberos
Posted by Jubal (62.233.xx.xx) on Thu 22 Jun 2006 at 16:43
I used a similar setup for some time...

It is usually all fine and dandy, but there are some warnings:

1) when you want to have any userid/groupid consistency between various machines, you'd better use common idmap cache.

2) in big AD environments (more than 2000 user / group objects) winbind shows how highly inefficient it is. A simple enumeration of users could choke the system on a really powerful machine (...and user/group enumeration is not that uncommon; for example mc does that at start). You can disable user/group enumeration, but with so many objects in AD winbind will choke anyway.

All in all, I found a solution that uses dual LDAP/Kerberos (AD) for authentication and LDAP for keeping the user data much more stable. The Linux/Unix LDAP infrastructure is separate, but has the usernames synchronized with AD (by hand ATM, but this can be achieved by a simple script).

Jubal


Re: Samba ADS integration without Kerberos
Posted by Anonymous (158.234.xx.xx) on Thu 7 Sep 2006 at 18:53
Hi

Congratulations on the job!

I have some problems here!

When I access the samba server I enter the user and password for the ADS domain and I can see the shares, but when I try to access some share it asks me for user and password again and does not accept any user/password.

Thanks


Re: Samba ADS integration without Kerberos
Posted by ericleem (12.124.xx.xx) on Tue 23 Jan 2007 at 21:40
I am getting this error; can anyone help?

[2007/01/23 15:21:07, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password user@OSCA.LOCAL failed: Improper format of Kerberos configuration file
[2007/01/23 15:21:07, 0] utils/net_ads.c:ads_startup(191)
ads_connect: Improper format of Kerberos configuration file

Unable to find a suitable server

Unable to find a suitable server


Re: Samba ADS integration without Kerberos
Posted by Anonymous (121.247.xx.xx) on Mon 22 Sep 2008 at 11:39
Hi!
This is a nice article. I got a prompt where I was asked for the administrator password... I am still working on it and making a test ADS env for myself... thanks for this wonderful article!!!!


Re: Samba ADS integration without Kerberos
Posted by Anonymous (121.247.xx.xx) on Tue 23 Sep 2008 at 07:35
We succeeded!!

Thanks to this article!!!


Re: Samba ADS integration without Kerberos
Posted by Anonymous (202.175.xx.xx) on Mon 17 Nov 2008 at 00:00
Can anyone suggest how to cache the logon credentials, or is there any way I can allow all access when ntlm_auth is not able to connect to the Domain Controller, for the times the DC is down for maintenance?


Re: Samba ADS integration without Kerberos
Posted by Anonymous (121.212.xx.xx) on Mon 23 Feb 2009 at 04:55
Hi, I am having the same issue. Did you manage to get it resolved, i.e. cache credentials?


Re: Samba ADS integration without Kerberos
Posted by Anonymous (85.127.xx.xx) on Fri 29 Jan 2010 at 10:29
Hello

To pass "# wbinfo -t" with the output

checking the trust secret via RPC calls succeeded

I had to set up smb.conf like this:

workgroup = DOMAINME
dns proxy = yes
security = domain
password server = 192.168.10.100
encrypt passwords = yes

#netbiosname = debtest

socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
wins server = 192.168.10.100

# This isn't used in the configuration anywhere
winbind separator = .

idmap uid = 15000-20000
idmap gid = 15000-20000

winbind enum users = yes
winbind enum groups = yes
# This template can include the domain name if required
template homedir = /home/%U
template shell = /bin/bash

# Allows login in as "username" instead of "NTDOMAIN.username"
winbind use default domain = Yes

I guess the error code NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233) was due to NetBIOS.


Re: Samba ADS integration without Kerberos
Posted by Anonymous (85.127.xx.xx) on Fri 29 Jan 2010 at 11:57
This howto is very good. Actually it is even the only one about SAMBA without Kerberos, which deserves lots of thanks.

Actually no admins are interested in posting howtos... since they tell how to do things in Linux, they sell their jobs and others can take it ... :) well, this retention of knowledge will never bring anything positive. Linux is sharing.
Anyhow. Thanks for this great howto.

I am having an issue:

su username
Password:
su: Authentication failure

I followed the howto very carefully but still cannot log in. Root can with "su username", OK, but from login it is not possible for any of the users.

id username
gives the right uid / gid numbers; all is working except the PAM.
Could someone post the content of the 3 important files in /etc/pam.d/
that can work?

thank you very much !
