Since I had CentOS 5 up and running on ESX Server in the test lab, I decided to try to validate my latest Linux-AD integration instructions on this installation. Unfortunately, the instructions do not seem to work well at all with CentOS 5; here are some of the errors that I ran into:
- When using “net ads join†to join the Active Directory domain, it didn’t recognize any existing Kerberos tickets. I’d already run a “kinit <AD username>â€, but “net ads†continued to either a) try to use the root account if I didn’t specify the “-U <AD username>†parameter, and b) prompt for password even when I’d already obtained a Kerberos ticket for the specified username.
- When initially trying to join the Active Directory domain, “net ads join†threw this error:
[2007/12/04 12:57:08, 0] libads/kerberos.c:create_local_private_krb5_conf_
for_domain(594) create_local_private_krb5_conf_for_domain:
failed to create directory /var/cache/samba/smb_krb5.
Error was Permission denied
This error persisted until I manually created the /var/cache/samba/smb_krb5 directory myself. Why this directory wasn’t created automatically during the Samba installation is beyond me. Once I created that directory, the error went away, but Samba still wouldn’t create the keytab or add entries to the keytab. - The “net ads keytab†command failed miserably; it would not create a keytab, nor would it add entries to a keytab. No error message is reported; it just doesn’t work.
I inquired on the #samba IRC channel on irc.freenode.net, but the only person willing or able to respond didn’t have any information to provide (in fact, he’d actually used my Solaris-AD integration instructions as a guide for some of his own work). Various Google searches also failed to provide any helpful information.
By the way, these tests were performed on a stock installation of CentOS 5, with all the latest packages installed using “yum updateâ€. The Samba version was 3.0.25b-1.el5_1.2.
In the end, I’ve given up on trying to make Samba work in the AD integration process and will instead fallback to the use of ktpass.exe to create the keytab file. If you have any useful information to share, please let me know or post it in the comments. Thanks!
Tags: ActiveDirectory, CentOS, Kerberos, Samba
-
You should make your smbd a bit more verbose. Perhaps
that would give rise to something more informative
in the logs.In your /etc/sysconfig/samba file change the line:
SMBDOPTIONS=”-D”
to
SMBDOPTIONS=”-D -d 2″increase -d as you deem necessary.
strace’ing the net command may be helpful as well.
Perhaps net even has it’s own more verbose options. -
I actually did try the “-d 10″ parameter for the “net ads” command, which increases the debugging level to the maximum. The output from that option helped only minimally, unfortunately. I have not tried increasing the logging level for smbd, so I may have to try that. Thanks for the suggestions!
-
I, too, experienced the strange “net ads join” “Permission denied” problem. On my system, it seems to be SELinux related: The “net” binary probably lacks some SELinux permissions. I used audit2allow and related tools to update the SELinux configuration on my server, so that “net ads join” would work.
-
Troels,
I thought I had disabled SELinux in the installation, but I’ll have to go back and double-check that just in case. Thanks for the tip!
-
I’ve noticed that too, net ads does no more use kerberos for joining domain or to create accounts, since some releases. I’ve compiled an old samba release, in local, only to use the “net†utility. I don’t have selinux installed.
-
First of all I would thank you for your great instructions which helped me out of many problems.
I had Samba 3.0.23c on my CentOS5 Box and experienced the same problem of not creating a keytab file. After upgrade of Samba to version 3.0.24 the net ads join worked like expected.
-
Try this link:
How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory
http://www.planetmy.com/blog/?p=248 -
Just a quick question why do you use pam_krb to do the authenticating as doesn’t pam_ldap do the same thing? I’m probably wrong but I just thought I would ask.
Thanks for a fantastic site.
Matt
-
Matt,
Good question. We certainly could use LDAP for authentication, but using Kerberos also allows us to leverage Kerberos’ design for authenticating to other services as well.
You are correct, though–LDAP should work in this scenario.
Thanks for reading!
-
I got net ads join to work by upgrading Samba to a newer version than 3.0.25b.
The problem with the password prompt after obtaining a ticket and trying to use the root user is a bug in the Samba distribution from yum install samba using default mirrors in Cent0S 5. The version CentOS 5 comes with is Version 3.0.25b-1.el5_1.4. There was a Samba version update that would fix this, version 3.0.26 and sequentially 3.0.26a and now 3.0.28 is the most recent. The bug is described here: http://enterpriselinuxlog.blogs.techtarget.com/2007/09/11/of-samba-bugs-and-3026a/
Also check the samba installation documentation to ensure you have compiled Samba correctly for CentOS 5. Look at the Compiling Samba With Active Directory support document here:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.htmlLove your site.
IanK
-
Having a similar problem, only at the next step: the join works, but then getent doesn’t return the user / group info from ADS. I’d just posted a question to the Samba mail list when I found this blog entry.
DaveL
-
I was able to get my RHEL 5 machine added to the AD Domain. I am currently on RHEL 5.1 (/etc/redhat-release). So I’m wondering what I did that was different from the instructions? I am having a issue where my Samba server is having Windows XP machines (Not in the AD domain) to enter in there username and password every hour or so. I was wondering if anyone else is having this issue?
-
Solution for the first post: just go for the firstconfig procedure (u can relaunch by /usr/sbin/firstconfig –reconfig) and in the firewall section disable the SELinux.
This fixed this as well as other issues with my installation…
Albe
-
3.0.25a is bugged for other reasons, too
As Graham pointed here:
http://lists.samba.org/archive/samba/2008-March/139428.html
“After groping around in the dark, I found some references to ldap passwd
sync being broken, and changing this worked:ldap passwd sync = no
For some reason, ldap passwd sync seems to be broken on samba 3.0.25b.”
i have the same issue, i can’t change password using CtrlAltCanc Windows form -
Others of you has tried to make rpm binary using sources?
i got
“Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.28a-1.i386.rpm”
and all the others samba packages 3.0.28a
but now i am very worried to install them on thsi Centos 5.1Someone did it and he is satisfied?
-
SELinux enable disable techniques:
1. To see whether or not selinux is enforcing, permissive or disabled
$ sudo /usr/sbin/getenforce2. To temporarily set selinux to permissive (doesn’t enforce any policies but will log alerts to syslog)
$ sudo /usr/sbin/setenforce 03. To set selinux back to enforcing
$ sudo /usr/sbin/setenforce 14. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change:
SELINUX=enforcing
to
SELINUX=permissivepermissive is nice because you can use it to debug selinux policy issues
-
Scott,
Thanks for documenting these solutions. Just an update that running an patched (yum update) CentOS 5.2 server, I was able to use the net ads -J command to create the computer object. All the other LDAP, nss, and kerberos changes in your other post worked fine.
It did require configuring the member server settings in samba and starting it up, but that actually a good thing as now I connect to shares on the Linux server, assume I’m using kerberos for that.
For some reason, getent simply does not return and values for passwd or groups. However, if I create a directory and set the UID/GID to values defined in the AD account UNIX tab, ls -l does show the proper values (principal names from AD). And ssh logins work, so that makes me happy.
Things have changed dramatically since the Redhat 7.3 days… thank goodness!
-
I have got a different problem with it. I use CentOS 5.2 I went through all mentiined problems but….
I have 2 symstems on 1 PC. WinXP and CentOS 5.2 both are in a SBS Company domain.
When I boot it up in Win XP once and next booted up in CentOS again I received Access Denied from the server.
Domain Server NETLOGON: event ID: 5722
The session setup from the computer HPXX failed to authenticate. The name(s) of the account(s) referenced in the security database is HPXX$. The following error occurred: Access is denied
Any clue?
-
I have similar problem, just would like to know what patch was applied to to the CentOS5.2 server.
Thanks
-
If anyone interested in full instruction set on this problem – let me know, i-ll write it here. It just big though
infrasty_at_gmail.com
Short term explanation is because SAMBA is using it-s own kerberos configuration file when issuing requests to AD controllers. It doesnt bother to look if system krb5.conf is available and to use it.
It does so for every request, so even if you-ll create your own in place where samba will put it-s own dynamically made krb5.conf, samba will overwrite your version with it-s own.Depending on version of linux / unix this file is located somewhere in
(my case FreeBSD 7.X)
/var/db/samba/smb_krb5One of dirty hacks was to set system immutable flag on file, so samba cannot change file even if there rwxrwxrwx permissions set.
Problem with users and groups typically arise when SAMBA’s kerberos library still using UDP type requests to AD and unable to fetch information as it get replies – “too big to fit in UDP, use TCP instead” – shure, just let me force samba to use my version of krb5.conf
Regards,
Alexander -
Hi All,
I don’t know if someone finds it interesting, but I followed v4 of latest Linux-AD integration instructions from Scott, and with minor mods I got my CentOS 5.5 clients authenticate successfully agains an w2k3 R2 DC.
So Scott, for me your instructions worked great! Thanks!
Kind regards,
Onno.
Site Sponsors
22 comments
Comments feed for this article
Trackback link: http://blog.scottlowe.org/2007/12/04/centos-5-active-directory-integration-problem/trackback/