CentOS 5 Active Directory Integration Problem

Since I had CentOS 5 up and running on ESX Server in the test lab, I decided to try to validate my latest Linux-AD integration instructions on this installation.  Unfortunately, the instructions do not seem to work well at all with CentOS 5; here are some of the errors that I ran into:

  • When using “net ads join” to join the Active Directory domain, it didn’t recognize any existing Kerberos tickets.  I’d already run a “kinit <AD username>”, but “net ads” continued to either a) try to use the root account if I didn’t specify the “-U <AD username>” parameter, and b) prompt for password even when I’d already obtained a Kerberos ticket for the specified username.
  • When initially trying to join the Active Directory domain, “net ads join” threw this error:
    [2007/12/04 12:57:08, 0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(594)
    create_local_private_krb5_conf_for_domain: failed to create directory /var/cache/samba/smb_krb5.
    Error was Permission denied

    This error persisted until I manually created the /var/cache/samba/smb_krb5 directory myself.  Why this directory wasn’t created automatically during the Samba installation is beyond me.  Once I created that directory, the error went away, but Samba still wouldn’t create the keytab or add entries to the keytab.
  • The “net ads keytab” command failed miserably; it would not create a keytab, nor would it add entries to a keytab.  No error message is reported; it just doesn’t work.

I inquired on the #samba IRC channel on irc.freenode.net, but the only person willing or able to respond didn’t have any information to provide (in fact, he’d actually used my Solaris-AD integration instructions as a guide for some of his own work).  Various Google searches also failed to provide any helpful information.

By the way, these tests were performed on a stock installation of CentOS 5, with all the latest packages installed using “yum update”.  The Samba version was 3.0.25b-1.el5_1.2.

In the end, I’ve given up on trying to make Samba work in the AD integration process and will instead fall back to using ktpass.exe to create the keytab file.  If you have any useful information to share, please let me know or post it in the comments.  Thanks!
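The three failure points described above (a Kerberos ticket that “net ads” ignores, the missing /var/cache/samba/smb_krb5 directory, and a keytab that “net ads keytab” leaves empty) can be checked before attempting the join. The script below is an added example, not code from the original post; it also reports the SELinux mode that several commenters tied to the “Permission denied” error, and takes the directory and keytab paths as parameters so it can be exercised against a test location.

```shell
#!/bin/sh
# Added pre-flight check for the "net ads join" symptoms in the post; not the
# author's code. Paths are parameters so the checks can run anywhere.

# 0 if klist reports a valid, unexpired ticket; 2 if klist is not installed.
have_krb5_ticket() {
    command -v klist >/dev/null 2>&1 || return 2
    klist -s
}

# Create Samba's private krb5.conf cache directory if missing, then check it
# is writable. $1 = directory; default is the path from the error message.
ensure_smb_krb5_dir() {
    dir="${1:-/var/cache/samba/smb_krb5}"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    [ -w "$dir" ]
}

# SELinux mode in lower case, or "absent" when getenforce is not installed
# (commenters tied the "Permission denied" error to SELinux enforcing).
selinux_mode() {
    if [ -x /usr/sbin/getenforce ]; then
        /usr/sbin/getenforce | tr 'A-Z' 'a-z'
    else
        echo absent
    fi
}

# 0 if the keytab exists and is non-empty; an empty keytab after
# "net ads keytab" was one of the silent failures described above.
keytab_populated() {
    [ -s "${1:-/etc/krb5.keytab}" ]
}

# Run all checks; $1 = smb_krb5 dir, $2 = keytab (both optional).
preflight() {
    status=0
    have_krb5_ticket || { echo "warn: no valid ticket; run kinit <AD username> first"; status=1; }
    ensure_smb_krb5_dir "$1" || { echo "fail: cannot create or write ${1:-/var/cache/samba/smb_krb5}"; status=1; }
    [ "$(selinux_mode)" = enforcing ] && echo "warn: SELinux is enforcing; set permissive while debugging"
    keytab_populated "$2" || { echo "warn: keytab ${2:-/etc/krb5.keytab} missing or empty"; status=1; }
    return $status
}
```

Run `preflight` as root with no arguments to check the real paths; a non-zero exit means at least one of the conditions behind the errors above is still present.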


22 comments

  1. taking_a_stab_in_the_dark

    You should make your smbd a bit more verbose. Perhaps
    that would give rise to something more informative
    in the logs.

    In your /etc/sysconfig/samba file change the line:
    SMBDOPTIONS="-D"
    to
    SMBDOPTIONS="-D -d 2"

    increase -d as you deem necessary.
    strace’ing the net command may be helpful as well.
    Perhaps net even has its own more verbose options.

  2. slowe

    I actually did try the “-d 10” parameter for the “net ads” command, which increases the debugging level to the maximum. The output from that option helped only minimally, unfortunately. I have not tried increasing the logging level for smbd, so I may have to try that. Thanks for the suggestions!

  3. Troels Arvin

    I, too, experienced the strange “net ads join” “Permission denied” problem. On my system, it seems to be SELinux related: The “net” binary probably lacks some SELinux permissions. I used audit2allow and related tools to update the SELinux configuration on my server, so that “net ads join” would work.

  4. slowe

    Troels,

    I thought I had disabled SELinux in the installation, but I’ll have to go back and double-check that just in case. Thanks for the tip!

  5. Blindauer

    I’ve noticed that too: net ads no longer uses Kerberos for joining the domain or creating accounts, since some releases. I’ve compiled an old Samba release locally, only to use the “net” utility. I don’t have SELinux installed.

  6. Matthias Hubert

    First of all I would thank you for your great instructions which helped me out of many problems.

    I had Samba 3.0.23c on my CentOS5 Box and experienced the same problem of not creating a keytab file. After upgrade of Samba to version 3.0.24 the net ads join worked like expected.

  7. Planet Malaysia

    Try this link:
    How to join Fedora Core 6 Samba Server to Windows 2003 Active Directory
    http://www.planetmy.com/blog/?p=248

  8. Matt

    Just a quick question why do you use pam_krb to do the authenticating as doesn’t pam_ldap do the same thing? I’m probably wrong but I just thought I would ask.

    Thanks for a fantastic site.

    Matt

  9. slowe

    Matt,

    Good question. We certainly could use LDAP for authentication, but using Kerberos also allows us to leverage Kerberos’ design for authenticating to other services as well.

    You are correct, though–LDAP should work in this scenario.

    Thanks for reading!

  10. IanK

    I got net ads join to work by upgrading Samba to a newer version than 3.0.25b.

    The problem with the password prompt after obtaining a ticket and trying to use the root user is a bug in the Samba distribution from yum install samba using default mirrors in CentOS 5. The version CentOS 5 comes with is Version 3.0.25b-1.el5_1.4. There was a Samba version update that would fix this, version 3.0.26 and sequentially 3.0.26a and now 3.0.28 is the most recent. The bug is described here: http://enterpriselinuxlog.blogs.techtarget.com/2007/09/11/of-samba-bugs-and-3026a/

    Also check the samba installation documentation to ensure you have compiled Samba correctly for CentOS 5. Look at the Compiling Samba With Active Directory support document here:
    http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html

    Love your site.

    IanK

  11. DaveL

    Having a similar problem, only at the next step: the join works, but then getent doesn’t return the user / group info from ADS. I’d just posted a question to the Samba mail list when I found this blog entry.

    DaveL

  12. mike

    I was able to get my RHEL 5 machine added to the AD Domain. I am currently on RHEL 5.1 (/etc/redhat-release). So I’m wondering what I did that was different from the instructions? I am having an issue where my Samba server is having Windows XP machines (not in the AD domain) enter their username and password every hour or so. I was wondering if anyone else is having this issue?

  13. Albe

    Solution for the first post: just go for the firstconfig procedure (you can relaunch it by /usr/sbin/firstconfig --reconfig) and in the firewall section disable SELinux.

    This fixed this as well as other issues with my installation…

    Albe

  14. Maurizio

    3.0.25a is bugged for other reasons, too :(
    As Graham pointed here:
    http://lists.samba.org/archive/samba/2008-March/139428.html
    “After groping around in the dark, I found some references to ldap passwd
    sync being broken, and changing this worked:

    ldap passwd sync = no

    For some reason, ldap passwd sync seems to be broken on samba 3.0.25b.”
    I have the same issue; I can’t change the password using the Ctrl-Alt-Canc Windows form.

  15. Maurizio

    Have others of you tried to make RPM binaries from the sources?
    I got
    “Wrote: /usr/src/redhat/RPMS/i386/samba-3.0.28a-1.i386.rpm”
    and all the other samba 3.0.28a packages,
    but now I am very worried about installing them on this CentOS 5.1.

    Someone did it and he is satisfied?

  16. Mike H

    SELinux enable disable techniques:

    1. To see whether or not selinux is enforcing, permissive or disabled
    $ sudo /usr/sbin/getenforce

    2. To temporarily set selinux to permissive (doesn’t enforce any policies but will log alerts to syslog)
    $ sudo /usr/sbin/setenforce 0

    3. To set selinux back to enforcing
    $ sudo /usr/sbin/setenforce 1

    4. To permanently disable selinux (survives next reboot) edit /etc/selinux/config and change:
    SELINUX=enforcing
    to
    SELINUX=permissive

    permissive is nice because you can use it to debug selinux policy issues

  17. Gavin Adams

    Scott,

    Thanks for documenting these solutions. Just an update that running a patched (yum update) CentOS 5.2 server, I was able to use the net ads -J command to create the computer object. All the other LDAP, nss, and kerberos changes in your other post worked fine.

    It did require configuring the member server settings in samba and starting it up, but that’s actually a good thing, as now I connect to shares on the Linux server; I assume I’m using kerberos for that.

    For some reason, getent simply does not return any values for passwd or groups. However, if I create a directory and set the UID/GID to values defined in the AD account UNIX tab, ls -l does show the proper values (principal names from AD). And ssh logins work, so that makes me happy.

    Things have changed dramatically since the Redhat 7.3 days… thank goodness!

  18. Tom

    I have got a different problem with it. I use CentOS 5.2. I went through all the mentioned problems but....

    I have 2 systems on 1 PC, WinXP and CentOS 5.2; both are in a SBS Company domain.

    When I boot it up in Win XP once and next booted up in CentOS again I received Access Denied from the server.

    Domain Server NETLOGON: event ID: 5722

    The session setup from the computer HPXX failed to authenticate. The name(s) of the account(s) referenced in the security database is HPXX$. The following error occurred: Access is denied

    Any clue?

  19. Stephane Brodeur

    I have a similar problem; I just would like to know what patch was applied to the CentOS 5.2 server.

    Thanks

  20. infrasty

    If anyone is interested in a full instruction set on this problem, let me know and I’ll write it here. It’s just big, though.

    infrasty_at_gmail.com

    The short explanation is that SAMBA is using its own kerberos configuration file when issuing requests to AD controllers. It doesn’t bother to look whether the system krb5.conf is available and use it.
    It does so for every request, so even if you create your own in the place where samba will put its own dynamically made krb5.conf, samba will overwrite your version with its own.

    Depending on the version of linux / unix, this file is located somewhere in
    (my case FreeBSD 7.X)
    /var/db/samba/smb_krb5

    One of the dirty hacks was to set the system immutable flag on the file, so samba cannot change the file even if rwxrwxrwx permissions are set.

    The problem with users and groups typically arises when SAMBA’s kerberos library is still using UDP type requests to AD and is unable to fetch information, as it gets replies of “too big to fit in UDP, use TCP instead”. Sure, just let me force samba to use my version of krb5.conf.

    Regards,
    Alexander

  21. Onno

    Hi All,

    I don’t know if someone finds it interesting, but I followed v4 of the latest Linux-AD integration instructions from Scott, and with minor mods I got my CentOS 5.5 clients to authenticate successfully against a w2k3 R2 DC.

    So Scott, for me your instructions worked great! Thanks!

    Kind regards,
    Onno.
