Using Samba in Linux-AD Integration

Suggestions to use Samba in Linux-AD integration scenarios appeared in the comments for the following articles:

Linux, Active Directory, and Windows Server 2003 R2 Revisited
Kerberos-Based SSO with Apache

The idea was that Samba could be used to help automate the process of creating the appropriate service principals in Active Directory.  Previously, I had recommended the use of ktpass.exe and separate user accounts for each service principal (i.e., HOST/ or host/, HTTP/, etc.) because of the limitations of ktpass.exe and adding service principals in Active Directory.  However, a number of readers pointed out that Samba’s “net ads join” and “net ads keytab” commands could help automate and streamline this process.

Since one of my Linux servers had crashed anyway, I decided to try out the Samba toolset while integrating this new Linux server into my existing Active Directory infrastructure.  Here’s what I found and the process that I used to successfully integrate the new Linux server into AD with the Samba tools.

  1. First, the Kerberos client had to be configured properly.  I’ll refer you back to any one of the various Linux-AD integration articles I’ve written for more information on how to set up the /etc/krb5.conf file.  You should be able to do a successful “kinit username@AD.DOMAIN.NAME” when /etc/krb5.conf is configured correctly.
  2. Next, Samba must be properly configured.  I used the following settings in /etc/samba/smb.conf:
    workgroup = <NetBIOS name of AD domain>
    security = ads
    realm = <DNS name of AD domain>
    use kerberos keytab = true
    password server = <Space-delimited list of AD DCs>
  3. For full Linux-AD integration, you must configure the nss_ldap client.  Again, I’ll refer you to any one of the various AD integration articles I’ve written for more details on a suggested nss_ldap configuration.  When nss_ldap is correctly configured, you should be able to do a “getent passwd <username>” and get back a list of properties (including UID, home directory, login shell, etc.) for that username.
  4. Use “kdestroy” to kill any Kerberos credentials you may have established during testing, and then run “kinit <administrative account>@AD.DOMAIN.NAME” to get a Kerberos ticket for an administrative user in the AD domain.
  5. If the DNS domain of your Linux server will be different than the DNS domain of the AD domain (for example, perhaps your Linux server will be web1.linux.corp.com whereas Active Directory uses ad.corp.com), then create a computer account in Active Directory.  If the Linux server’s DNS domain will be the same as the DNS domain for AD, then we can have Samba create it for us.  (I ran into problems here since the Linux server does use a different DNS domain than Active Directory, and pre-creating the computer account was the only way to make it work.)
  6. Run “net ads join” to join the Linux server to Active Directory.  As part of this process, it will add various SPNs to the computer account in Active Directory automatically and create the appropriate entries in the local Kerberos keytab (/etc/krb5.keytab, by default).  No more ktpass.exe!
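
The six steps above, collected into one checkable script. This is an added example, not code from the original article or from the Samba project; it assumes Samba’s net and testparm, MIT Kerberos kinit/klist/kdestroy and glibc getent are on PATH, and every domain, realm and DC name in it is a placeholder for your own environment. One fact it relies on beyond the article: Samba 3.3 removed the “use kerberos keytab” parameter and replaced it with “kerberos method = system keytab”, so the script picks the spelling from the installed Samba version rather than hard-coding one.

```shell
#!/bin/sh
# Added example, not code from the original article: the six-step Samba join
# above as checkable shell functions. Assumes Samba's net and testparm, MIT
# Kerberos kinit/klist/kdestroy and glibc getent are on PATH. The domain
# values below are placeholders for your own environment.

: "${AD_REALM:=AD.CORP.COM}"                     # placeholder: DNS name of the AD domain
: "${AD_WORKGROUP:=CORP}"                        # placeholder: NetBIOS name of the AD domain
: "${AD_DCS:=dc1.ad.corp.com dc2.ad.corp.com}"   # placeholder: space-delimited DC list
: "${AD_ADMIN:=Administrator}"                   # placeholder: account that performs the join
: "${SMB_CONF:=/etc/samba/smb.conf}"

# True when major.minor of $1 is at least major.minor of $2 (e.g. 3.6.23 >= 3.3).
version_ge() {
    a_major=${1%%.*}; a_minor=0
    if [ "$1" != "$a_major" ]; then a_minor=${1#*.}; a_minor=${a_minor%%.*}; fi
    b_major=${2%%.*}; b_minor=0
    if [ "$2" != "$b_major" ]; then b_minor=${2#*.}; b_minor=${b_minor%%.*}; fi
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# "net -V" prints "Version 3.6.23-..."; keep only the number.
samba_version() {
    net -V 2>/dev/null | awk '{ print $2 }'
}

# Step 2: emit the [global] settings the article lists. Samba 3.3 removed
# "use kerberos keytab" in favour of "kerberos method = system keytab", so the
# keytab line is chosen from the Samba version passed as $4.
render_smb_conf() {
    workgroup=$1; realm=$2; dcs=$3; samba_ver=${4:-3.0}
    printf '[global]\n'
    printf '    workgroup = %s\n' "$workgroup"
    printf '    security = ads\n'
    printf '    realm = %s\n' "$realm"
    if version_ge "$samba_ver" 3.3; then
        printf '    kerberos method = system keytab\n'
    else
        printf '    use kerberos keytab = true\n'
    fi
    printf '    password server = %s\n' "$dcs"
}

# Steps 1 and 4: a fresh ticket for the admin account proves krb5.conf works.
check_kerberos() {
    kdestroy >/dev/null 2>&1 || true
    kinit "$AD_ADMIN@$AD_REALM" && klist
}

# Step 3: nss_ldap must resolve an AD user to UID, home directory and shell.
check_nss() {
    getent passwd "$1" || { echo "nss_ldap cannot resolve $1" >&2; return 1; }
}

# Step 2 check: Samba ignores a parameter it does not recognise, so a
# misspelled or outdated keytab setting would leave the system keytab
# untouched by the join. Fail loudly instead of joining without a keytab.
check_smb_conf() {
    if testparm -s "$SMB_CONF" 2>&1 | grep -qi 'unknown parameter'; then
        echo "$SMB_CONF contains a parameter this Samba does not understand" >&2
        return 1
    fi
}

# Step 6: join, pinning a DC by name with -S, then confirm the join and list
# the principals the join wrote to the system keytab.
do_join() {
    net ads join -S "${AD_DCS%% *}" -U "$AD_ADMIN" &&
        net ads testjoin &&
        net ads keytab list
}

case "${1:-}" in
    conf) render_smb_conf "$AD_WORKGROUP" "$AD_REALM" "$AD_DCS" "$(samba_version)" ;;
    join) check_kerberos && check_nss "$AD_ADMIN" && check_smb_conf && do_join ;;
esac
```

Run it as “sh join.sh conf” to print the [global] settings for the installed Samba version (paste them into smb.conf), then “sh join.sh join” to run the checks and the join in the article’s order; each check stops the script before a broken prerequisite turns into a half-finished computer account in AD.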

At this point, you can configure PAM appropriately (again, refer to one of the previous integration articles for full details on PAM configuration) and login to the Linux server with an Active Directory account.

I used this process to integrate a new CentOS 4.4 server into Active Directory without any problems whatsoever.  I used the Kerberos, LDAP, nsswitch.conf, and PAM configurations from this Linux-AD integration article within the framework of the steps listed above and ran into only one problem (that was the issue with the differing DNS domains).  Otherwise, it worked just fine.

Thanks to those readers who suggested the use of Samba!


  1. Alex

    Hi, need help.

    I got getent password to work OK, but still have a problem with samba:
    from /var/log/messages:

    smbd[XXXX]: GSSAPI Error: Miscellaneous failure (No credentials cache found)

    smb.conf configured as above.
    any idea why?

  2. slowe

    Alex,

    “getent passwd” tells us if the LDAP configuration is working (which it is, apparently), but you also need to configure Kerberos. I didn’t put Kerberos configuration details in this article because I’ve covered it several times in other articles; refer to this article for more information:

    http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/

    That should give you the information you need to configure Kerberos properly. Once Kerberos is properly configured, you should be able to use “kinit username” (assuming the default Kerberos realm) and successfully authenticate. “klist” will then show a Kerberos ticket.

    Hope this helps,
    Scott

  3. Victor Meghesan

    I think that you can skip step 5 if in step 6 you use ‘net ads join -I IP.ADDR.OF.CG.DC.FOR.ad.corp.com -S DNS.NAME.OF.CG.DC.FOR.ad.corp.com -U Administrator’

  4. Arthur

    Help !!

    I have OpenSuse 10.3 and I’m trying to join it to a Win2k ADS. When I try to net join -S IP.ADDR -U administrator%password I get:

    utils/net_rpc_join.c:net_rpc_join_newstyle(350)
    Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
    Unable to join domain COMBI.

    The strange thing is I get a computer object in the ADS. I have the same configuration as your previous articles. Kerberos is working fine.

    any ideas??

  5. Victor Meghesan

    Hi Arthur,

    More important than the distro version you’re running is the Samba version; you can find this using, for example, net -V.

    You should first check that you can reach the domain CG.DC.FOR.ad.corp.com, for example by pinging IP.ADDR.OF.CG.DC.FOR.ad.corp.com if you will use -I, or that you can resolve and reach the host DNS.NAME.OF.CG.DC.FOR.ad.corp.com if you will use -S (for example host/nslookup/dig DNS.NAME.OF.CG.DC.FOR.ad.corp.com and ping DNS.NAME.OF.CG.DC.FOR.ad.corp.com).

    You can find the list of SRV records by using AD DNS and querying for SRV records of type _ldap._tcp.gc._msdcs.

    Also, if something is not working, restart by first deleting from AD the incomplete entry for the Samba machine, and don’t use -S with an IP: use -S name or -I IP, or use both -I IP and -S name in the net command.

  6. Drew

    What’s up guys… I’ve got a quick question (hopefully). I’ve got samba up and running and joined the AD domain and all that business.

    The issue I’m having is when I log on to my shared drive ‘MyShare’ it works fine, but I see it creates a directory for me called drew (AD domain name)… I’ve tried to log in but can’t. But I can log into the regular samba share. Any ideas?

  7. JohnJ

    Win2k3 and Win2k3 R2 do not appear to support the service principal credentials as you would expect.

    A samba net ads join will create a keytab, will populate it with SPNs, will create an AD computer account, and will populate the serviceprincipalnames field for it — however, I have not found a mechanism by which they are directly usable.

    I.e.: kinit -kt /etc/krb5.keytab host/hostname.myfqdn should work, but with SPNs it fails.

    What apparently needs to be done, and what ktpass does, is to map the userprincipalname under the account, but unfortunately AD only supports one userprincipalname per user account.

    You can create a valid keytab entry by doing net ads join and using the createupn field accordingly, it would seem.
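
One way to check what JohnJ describes on your own host, as an added example that is not part of the original post or of Samba: list the principals actually present in the keytab the join wrote, report any required SPN that is missing, and try “kinit -kt” with each principal into a throwaway credential cache so you can see which ones the KDC accepts. It assumes MIT Kerberos klist/kinit; the realm, host names and the sample klist output in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not JohnJ's or the article's code: audit the keytab that
# "net ads join" wrote. It lists the principals present, reports required
# SPNs that are missing, and on a live host tries "kinit -kt" with each
# principal so you can see which ones the KDC actually accepts.
# Assumes MIT Kerberos klist/kinit; realm and host names are placeholders.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
REALM=${REALM:-AD.CORP.COM}    # placeholder realm

# Read "klist -k" output on stdin and print each distinct principal once.
# MIT klist -k prints a "Keytab name:" line, a "KVNO Principal" line, a
# dashed rule, then one "<kvno> <principal>" row per keytab entry; the same
# principal appears once per encryption type, hence the sort -u.
keytab_principals() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /@/ { print $2 }' | sort -u
}

# Arguments: principals that must be present. Stdin: "klist -k" output.
# Prints each missing principal; returns 1 if any were missing.
missing_principals() {
    have=$(keytab_principals)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
            echo "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Live check: obtain a TGT with each keytab principal into a throwaway
# credential cache, so the caller's own tickets are never touched.
try_each_principal() {
    cache=$(mktemp) || return 1
    klist -k "$KEYTAB" | keytab_principals | while read -r princ; do
        if KRB5CCNAME="FILE:$cache" kinit -kt "$KEYTAB" "$princ" 2>/dev/null; then
            echo "OK   $princ"
        else
            echo "FAIL $princ"
        fi
    done
    rm -f "$cache"
}

if [ "${1:-}" = audit ]; then
    fqdn=$(hostname -f)
    # host/ and HTTP/ are the SPNs the article's SSO setups depend on.
    klist -k "$KEYTAB" | missing_principals "host/$fqdn@$REALM" "HTTP/$fqdn@$REALM" ||
        echo "(the principals listed above are missing from $KEYTAB)" >&2
    try_each_principal
fi
```

Run “sh audit.sh audit” as root after the join; a principal that is listed but reported FAIL is exactly the situation JohnJ describes, and a principal reported missing means the join never wrote it, which is worth checking before touching any UPN mapping.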

  8. guoping

    The parameter ‘use kerberos keytab = true’ did not work on my RHEL client.

    [root@ ]# net ads join -U Administrator
    [2010/03/05 15:06:50, 0] param/loadparm.c:7444(lp_do_parameter)
    Ignoring unknown parameter "use kerberos keytab"
    Enter Administrator's password:
    Using short domain name -- ADTEST
    Joined 'WODAO2' to realm 'adtest.corp.net'
    No DNS domain configured for wodao2. Unable to perform DNS Update.
    DNS update failed!

    Here is testparm output (unknown parameter):

    [root@wodao2 pam.d]# testparm
    Load smb config files from /etc/samba/smb.conf
    Unknown parameter encountered: "use kerberos keytab"
    Ignoring unknown parameter "use kerberos keytab"
    Loaded services file OK.

  9. Michael

    Request help !

    I have a Linux openSUSE 11.1 machine and am trying to join it to a Win 2003 R2 server,
    but I’ve got the following error in BASH

    (net join -W krafft.local -I 192.168.2.1 -U Administrator%passwrd)

    [2010/06/17 15:44:12, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(393)
    Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
    Unable to join domain

    ____________________________________________________________
    winbindd running
    nmbd running
    smb running
    SAMBA version (smbclient -V) = 3.2.4-5.2-1985-SUSE-CODE11

    any suggestions?

  10. Rajsekhar

    Help Required Please!!!!

    I have winbind, samba, HTTPS, appserver, everything is in running mode.

    I did all the configurations as above and also some other config changes specified in some other parts of the web.

    The command “net rpc join -U Administrator” joined fine.
    But when I run “wbinfo -u” the users on the local machine are shown, not the DC machine’s users.
    But the Linux machine is showing up on the DC machine under computers added.

    I’m getting the SSO pop-up asking for the username and password.
    But when I give the credentials, “Internal server Error” comes up.

    When I look at the error_log of IBMHTTPS it is saying

    [2011/09/28 18:32:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
    Got NTLMSSP neg_flags=0xa2088207
    [2011/09/28 18:32:38, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
    Got user=[administrator] domain=[] workstation=[SIMPRO359] len1=24 len2=24
    [2011/09/28 18:32:38, 0] utils/ntlm_auth.c:winbind_pw_check(515)
    Login for user []\[administrator]@[SIMPRO359] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
    [Wed Sep 28 18:32:38 2011] [error] [client 172.18.2.153] (20014)Internal error: ntlm_auth reports Broken Helper: BH NT_STATUS_ACCESS_DENIED, referer: http://msi-vmpl3cord10:81/
    [2011/09/28 18:32:38, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(776)
    NTLMSSP BH: NT_STATUS_ACCESS_DENIED

    Can anyone please help me? It’s already 2 weeks over my deadline… please……

  11. Rajsekhar

    and when I change the permissions to anything other than “750” the winbind service goes into a dead state but the pid is still reserved.

    please help me ….

    Thanks for help …… in advance…. please help me ….

  12. slowe

    Rajsekhar, I really can’t help you—I didn’t do very much testing with Winbind, and the testing that I did do was almost 5 years ago. Perhaps another reader can help.

    Good luck to you!

  13. Rajsekhar

    Thanks Slowe for your imm response.

    I have been hoping the same for the last 2 weeks, that some reader will give me a +ve response, but it’s the same as with you.

    But i never lost the hope …..

    waiting for the person who can help me …

    and thanks for moderating my post…