
Re: Samba 2.2.8 Windows 2003

 
A.Shepherd
New Member

Samba 2.2.8 Windows 2003

I'm trying to control access to a share on our UNIX server using Windows 2003 AD authentication. We are running in mixed mode on the 2003 domain and have installed Samba 2.2.8 - when connecting to the share and entering our Windows domain information we just get incorrect username or password.

I've modified SMB.CONF so:

Security = domain
Workgroup = Mydomain.com
encrypt passwords = Yes
password server = TestPDC

Created the unix machine account and reset the account.

I've then run smbpasswd -j mydomain -r TestPDC and get a reply saying the domain joined.

I've set the GPO for Microsoft network server: digitally sign communications to disabled. I've even removed all GPOs and completed a GPO update. Still no joy.

Looking in the server log file I can see the following error.

Domain_client_validate: could not fetch trust account password for domain mydomain.com.

Will Samba 2.2.8 allow authorization through Windows 2003 AD?

Or am I missing something?

Many Thanks


Stefan Farrelly
Honored Contributor

Re: Samba 2.2.8 Windows 2003

I think it will work ok. Samba on HP-UX doesn't use the /etc/passwd file, it has its own password file. Have you used smbpasswd to add them in?
Im from Palmerston North, New Zealand, but somehow ended up in London...
Steven E. Protter
Exalted Contributor

Re: Samba 2.2.8 Windows 2003

Your settings should work.

Your procedure looks solid.

Since you are using Windows for authentication, you will need to set up accounts on the domain controller.

You will probably need to set up the users on your local machine if they are to own any Unix files.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Alzhy
Honored Contributor

Re: Samba 2.2.8 Windows 2003

Use the Samba setup script, provided:

/opt/samba/bin/samba_setup

This has always worked for us on HPUX. Although your procedure looks correct as we use the same on our Solaris boxen.
Hakuna Matata.
Jan Shu
Regular Advisor

Re: Samba 2.2.8 Windows 2003

You can check/modify your pam.conf.

Jan
A.Shepherd
New Member

Re: Samba 2.2.8 Windows 2003

Cheers for the replies, it looks like my issue is around the users' configuration then.

The Windows 2003 AD has all the users configured and a password set. The unix team set up the same accounts with a different password. I was under the impression that that was all the configuration needed, as Security = domain in SMB.conf would redirect the authentication to the Windows 2003.

What configuration steps must I complete on the unix users or PAM.conf to enable this?

Many Thanks
Alan Edwards
Frequent Advisor

Re: Samba 2.2.8 Windows 2003

With samba domain authentication, if the Windows AD account name is the same as the UNIX account name, the user can access Samba shares if windows has authenticated them.

If you want to allow windows users that do not have a UNIX account to access samba shares in read only mode, you have to do the following:

Add the line "map to guest = Bad User" to smb.conf
Add "guest ok = yes" to the share to access.

This will allow access to the share as a guest, the default guest account name is "nobody"

I am not sure what you mean by GPO, but I recommend using "name resolve order = lmhosts host" only, and have the IP address of your password server in the lmhosts file. This will make the system look in lmhosts first for the PDC, and then do a normal UNIX lookup for anything else. The UNIX system should be able to do a normal host/NIS loo
Klatu Barada Nikto
A.Shepherd
New Member

Re: Samba 2.2.8 Windows 2003

Sorry, I should have stated this earlier. What I'm trying to achieve is domain authentication using a Windows AD account: using Windows 2000 to connect to a Samba share on the unix server and being able to create and delete files. I was going to use samba_setup on our HPUX 11i server as it looked the easiest way to do it. Unfortunately samba_setup isn't on the server - we have another unix server, although a different flavour, with samba connecting to an NT domain which does have samba_setup, so I know where it should live.

I don't think it's a name resolution issue as the Unix server has registered itself with WINS and the SMBPASSWD -j Mydomain.com -r myserver states that it's joined the domain - so name resolution must have taken place.

We are also able to use smbclient to connect to our 2000 file server giving the ad username and password when prompted.

Any help is gratefully received.
hein coulier
Frequent Advisor

Re: Samba 2.2.8 Windows 2003

As far as i know, all ad-users should be created on your samba-box.

I don't think it's possible to hook samba in the pam.conf-file.

If you do not want to create the users on the samba-box, it might be possible to use ldap-hpux. But again, even in that scenario, i think the user must be in /etc/passwd.

Nobody's Hero
Valued Contributor

Re: Samba 2.2.8 Windows 2003

I just accomplished this task successfully. 1st thing you need to know is that you're not going to get all the windoze file perm levels. All samba does is try to match unix bits to windows bits. We have it working OK.
Took a long time with trial and error.
I am using SAMBA in DOMAIN mode authenticating strictly through the NT domain. The only users.map entry I have is for admins. The only entry in users.map is a group I created called OPERATORS. OPERATORS ON THE NT SIDE HAVE RULE OF THE HOUSE.
'OPERATORS=user1 user2 and so on.' Then give OPERATORS admin rights through swat or edit the smb.conf file.

The only difference is that I am running samba on a Linux system and controlling everything through the NT domain, works pretty well. Main thing is to be sure winbind is running. If it is running correctly, you'll see (from the NT side) when you look at properties, the user names will look readable and you won't see that long PID or SID # next to the name, or whatever the windoze people call that. Winbind is a must.

I'll paste my config here:
# Global parameters
[global]
workgroup = IHS-DOMAIN
netbios name = MAHIMAHI
server string = Samba Server
interfaces = eth0
security = DOMAIN
encrypt passwords = Yes
obey pam restrictions = Yes
password server = *
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
wins server = 172.16.8.51
winbind uid = 10000-40000
winbind gid = 10000-40000
winbind use default domain = Yes
alternate permissions = Yes
guest account =
admin users = IHS-DOMAIN\gmurrow IHS-DOMAIN\rmenefee IHS-DOMAIN\gwassman IHS-DOMAIN\maestro
force create mode = 0744
force security mode = 0700
directory mask = 0750
force directory mode = 0770
directory security mask = 0770
printing = cups

Start winbind and let me know if things start to link together. I also had to build ACL support into the UNIX kernel. This is a must also. Get these steps accomplished, then start to build the permission hierarchy. Post if you need more info...

RPM



UNIX IS GOOD
Nobody's Hero
Valued Contributor

Re: Samba 2.2.8 Windows 2003

ALSO A MUST IS AN UPGRADE TO 2.2.8a. This version stopped a lot of my problems. Plus ACL support is ready to go.
UNIX IS GOOD
Alan Edwards
Frequent Advisor

Re: Samba 2.2.8 Windows 2003

The smbpasswd command does not do any name resolution as you are specifying a domain controller when you run it. This is separate from the settings in smb.conf.

If you post your [global] smb.conf settings I think that would help.
Klatu Barada Nikto
A.Shepherd
New Member

Re: Samba 2.2.8 Windows 2003

Sorry we are running 2.2.8.A

We don't have winbind running - I take it all I have to do is add the following entries into SMB.conf and then start winbind and Samba.

Winbind uid = 10000 - 40000
Winbind gid = 10000 - 40000
Winbind use default domain = yes

Here's a copy of my SMB.CONF

# Global parameters
[global]
workgroup = DMZAD01.AS.CO.UK
Netbios name = AS02157
server string = ClearCase Interop Server [HPUX] %v
security = DOMAIN
password server = AS02151
encrypt passwords = Yes
null passwords = Yes
username map = /usr/local/samba/lib/users.map
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
wins server = 10.28.41.10
kernel oplocks = No
guest account = ccuser
read only = No
create mask = 0775
directory mask = 0775
guest ok = Yes
short preserve case = No
oplocks = No
dos filetime resolution = Yes
[sharetest]
comment = CR77 Filestore test
path = /opt/app/rational/sharetest
[vobstore]
comment = ClearCase Vobs
path = /opt/app/rational/vobstore
[viewstore]
comment = ClearCase Views
path = /opt/app/rational/viewstore
[rat_store]
comment = Rational store (installs, patches ...)
path = /opt/app/rational/rat_store
short preserve case = Yes
[policy]
comment = storage for policy enforcement using ClearTrigger
path = /opt/app/rational/cleartrigger/policy
short preserve case = Yes
[apply$]
comment = storage for ClearApply
path = /opt/app/rational/cleartrigger/apply
short preserve case = Yes
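As an added example (not code from this thread or from the Samba project), here is a small smb.conf checker in Python that looks at the settings the replies above turn on: "security = domain" with "encrypt passwords" and "password server", the "winbind uid"/"winbind gid" ranges, and Alan Edwards's point that guest access should be read-only. It parses the INI-style file the way Samba does (parameter names are case- and whitespace-insensitive, shares inherit [global]) and flags a "guest ok" that is set globally or combined with a writable share, plus "null passwords = Yes". The SAMPLE_SMB_CONF is constructed for the demonstration and is not any poster's file; the finding texts and severities are my own choices.

```python
import re

# Constructed sample, modelled on the settings discussed in the thread (not a poster's file):
# domain security, a global 'guest ok', and a writable share that inherits it.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
workgroup = EXAMPLE.LOCAL
Security = DOMAIN
password server = DC01
encrypt passwords = Yes
null passwords = Yes
guest account = ccuser
guest ok = Yes
read only = No
winbind uid = 10000 - 40000
winbind gid = 10000-40000
winbind use default domain = Yes
[sharetest]
comment = Filestore test
path = /srv/sharetest
[docs]
path = /srv/docs
read only = Yes
[viewstore]
path = /srv/viewstore
guest ok = No
"""

TRUE_VALUES = {"yes", "true", "1"}
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def norm(name):
    """Samba ignores case and whitespace in parameter names ('Security', 'encryptpasswords')."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised parameter: value}}.
    A later duplicate of a parameter overrides an earlier one, as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)         # [global], [share], [apply$]
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][norm(key)] = value.strip()
    return sections


def as_bool(value, default=False):
    """Samba booleans: yes/true/1 vs no/false/0, case-insensitive."""
    return default if value is None else value.strip().lower() in TRUE_VALUES


def param(conf, section, name):
    """A section's value for a parameter; shares fall back to [global]."""
    value = conf.get(section, {}).get(norm(name))
    if value is None and section != "global":
        value = conf.get("global", {}).get(norm(name))
    return value


def is_read_only(conf, share):
    """'read only' defaults to Yes; 'writable'/'writeable' are its inverse synonyms.
    The share's own setting wins over the inherited [global] one."""
    for section in (share, "global"):
        sec = conf.get(section, {})
        if "readonly" in sec:
            return as_bool(sec["readonly"])
        for syn in ("writable", "writeable"):
            if syn in sec:
                return not as_bool(sec[syn])
    return True


def lint_smb_conf(conf):
    """Return a list of (severity, section, message) findings."""
    findings = []
    security = (param(conf, "global", "security") or "user").lower()
    if security == "domain":
        # The DC does the authentication, which needs NT-style encrypted passwords
        # (Samba 2.2 defaults 'encrypt passwords' to No) and a way to locate the DC.
        if not as_bool(param(conf, "global", "encrypt passwords")):
            findings.append(("error", "global", "security = domain requires 'encrypt passwords = Yes'"))
        if not param(conf, "global", "password server"):
            findings.append(("error", "global", "security = domain needs 'password server = <DC>' or '*'"))
    if as_bool(param(conf, "global", "null passwords")):
        findings.append(("warn", "global", "'null passwords = Yes' accepts accounts with empty passwords"))
    for name in ("winbind uid", "winbind gid"):
        value = param(conf, "global", name)
        if value is None:
            continue
        m = RANGE_RE.match(value)
        if not m:
            findings.append(("error", "global", f"'{name} = {value}' is not in low-high form (no spaces)"))
        elif int(m.group(1)) >= int(m.group(2)):
            findings.append(("error", "global", f"'{name} = {value}' range is empty or reversed"))
    if as_bool(conf.get("global", {}).get("guestok")):
        findings.append(("warn", "global", "'guest ok' in [global] is inherited by every share that does not override it"))
    for share in conf:
        if share != "global" and as_bool(param(conf, share, "guest ok")) and not is_read_only(conf, share):
            findings.append(("warn", share, "guest access to a writable share; set 'read only = Yes' or 'guest ok = No'"))
    return findings


def lint_text(text):
    return lint_smb_conf(parse_smb_conf(text))


if __name__ == "__main__":
    for severity, section, message in lint_text(SAMPLE_SMB_CONF):
        print(f"{severity:5} [{section}] {message}")
```

Run against the sample it reports the empty-password setting, the spaced winbind range, the global "guest ok" and the writable "sharetest" share, while "docs" (read only) and "viewstore" (guest ok = No) pass; point lint_text() at your own file's contents to check a real configuration the same way.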