Operating System - HP-UX
Jason Ray
Frequent Advisor

Samba (CIFS) and winbind in ADS

I am running HP CIFS A.02.01.02 on HP-UX 11.23. I am trying to make Samba a member of ADS and use winbind to authenticate users. I have krb5.conf set up and when I ran the samba_setup, it said that samba joined the domain successfully. Only none of the wbinfo commands return anything and I can't authenticate users.

Here is my smb.conf:
# Global parameters
[global]
workgroup = HDQ
realm = HDQ.USS.COM
netbios name = DEV12
server string = Samba Server
security = ADS
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
wins server = 170.191.250.20
ldap ssl = no
idmap uid = 15000-15005
idmap gid = 15000-15005
winbind enum users = No
winbind enum groups = No
read only = No
short preserve case = No
dos filetime resolution = Yes


I have /etc/nsswitch.conf setup to use winbind:
passwd: files winbind
group: files winbind


Not sure what else I may have missed. Does CIFS know to look for libnss_winbind.so in /opt/samba/lib, or do I need to create a link to it somewhere?

Any ideas of things to check would be greatly appreciated.

Thanks in advance.
Geoff Wild
Honored Contributor

Re: Samba (CIFS) and winbind in ADS

See my last post in my thread here:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365

It might help you out on the steps.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Steven E. Protter
Exalted Contributor

Re: Samba (CIFS) and winbind in ADS

Samba version?
Kerberos version? Windows 2003 server needs a patch to authenticate client versions below version 5.
http://www.interopsystems.com/tools/forum/fb.aspx?go=prev&m=7071&viewType=tm

http://us2.samba.org/samba/ftp/slides/ad-integration.pdf

http://docs.hp.com/en/B8725-90062/ch01s02.html

Hope these help.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
eric roseme
Respected Contributor

Re: Samba (CIFS) and winbind in ADS

Hi Jason,

I know this sounds ...... simplistic, but did you start winbind? If yes, then check the winbind log file: /var/opt/samba/log.winbind

Also, if you are unsure about Kerberos, email me and I can provide you with a Kerberos setup and troubleshooting whitepaper that I wrote. But it's 54Mb (!! - lots of screenshots).

eric.roseme@hp.com.
Jason Ray
Frequent Advisor

Re: Samba (CIFS) and winbind in ADS

Here is my CIFS and LDAP version:

#swlist | grep LDAP
J4269AA B.03.30.02 LDAP-UX Integration

#swlist | grep CIFS
B8725AA A.02.01.02 HP CIFS Server

I don't have the full client version of Kerberos installed. Just the config files and binaries that were installed with the OS. Do I need to install all of the Kerberos libraries?

Thanks for all of the suggestions. I can try them now that the Windows admin is back.
Geoff Wild
Honored Contributor

Re: Samba (CIFS) and winbind in ADS

Yes - you need to install the Kerberos client:

# swlist |grep -i ker
KRB5CLIENT C.1.3.5.01 Kerberos V5 Client Version 1.3.5.01

Like I said above - just follow my steps in my last post in this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365

Rgds...Geoff
Jason Ray
Frequent Advisor

Re: Samba (CIFS) and winbind in ADS

Well we're a little farther. I followed the steps from your thread Geoff. Except when I run the command to list users on a specific domain...I get this output:

#/opt/samba/bin/wbinfo --domain HDQ -u
WINBIND_LOOKUPNAME failed for user(HDQ\LORAIN$)
WINBIND_LOOKUPNAME failed for user(HDQ\NATIONALSTEEL$)
WINBIND_LOOKUPNAME failed for user(HDQ\DAS2018)

Any ideas?
Geoff Wild
Honored Contributor

Re: Samba (CIFS) and winbind in ADS

I get that as well - as I have a very large domain 5000 plus - try connecting from a windows machine - do you get authenticated?

Rgds...Geoff
Jason Ray
Frequent Advisor

Re: Samba (CIFS) and winbind in ADS

Tried mapping a drive to a share that I created here, and I'm not authenticating.

Here is the output in a log in /var/opt/samba, the log is my PC name:

#tail -10 log.psc-l601319
[2005/11/02 10:19:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2005/11/02 10:19:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2005/11/02 10:19:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2005/11/02 10:19:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2005/11/02 10:19:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!


Here is the smb.conf with the share:

# Global parameters
[global]
workgroup = HDQ
realm = HDQ.USS.COM
netbios name = DEV12
server string = Samba Server
security = ADS
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
wins server = 170.191.250.20
ldap ssl = no
idmap uid = 15000-15005
idmap gid = 15000-15005
winbind enum users = No
winbind enum groups = No
read only = No
short preserve case = No
dos filetime resolution = Yes

[homes]
comment = Home Directories
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

[drsdev]
comment = Development DRS Share
path = /drsdev
valid users = HDQ\phi8254, HDQ\wj109t2

I am trying to come in as HDQ\wj109t2. It just keeps prompting for the ID and password over and over.
eric roseme
Respected Contributor

Re: Samba (CIFS) and winbind in ADS

Grep your logfile for crypt. This is what you want:

ads_secrets_verify_ticket: enc type [3] decrypted message !

[3] is MD5. If you are not getting that, then your config is wrong, and the bad-password popup is the symptom. I have just about every known config problem in the whitepaper I mentioned above.

Eric Roseme
Jason Ray
Frequent Advisor

Re: Samba (CIFS) and winbind in ADS

I did a "grep -i crypt *" in /var/opt/samba and didn't come up with anything.

Is there somewhere that I can download the white paper or can you just email it to me?
I would like to take a look through it to see if kerberos is the problem.
eric roseme
Respected Contributor

Re: Samba (CIFS) and winbind in ADS

I should have included that to get the Kerberos log entries you need "log level = 10" in smb.conf.
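As a defender's check on the two things this thread keeps circling back to (the idmap ranges and log level in the posted smb.conf, and the Kerberos ticket lines Eric says to grep for), here is an added Python example; it is not from the thread or from HP CIFS, and the 1000-id threshold and the embedded sample config and log are constructed assumptions.

```python
import re

# Constructed sample: the thread's [global] section, trimmed to the keys checked here.
SMB_CONF = """[global]
realm = HDQ.USS.COM
security = ADS
idmap uid = 15000-15005
idmap gid = 15000-15005
"""
# Constructed sample of the smbd log lines quoted in the thread.
SMBD_LOG = """[2005/11/02 10:19:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys lower-cased, # and ; comments dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_ads_config(conf, min_idmap_size=1000):
    """Return findings for a winbind/ADS member server; min_idmap_size is an assumed threshold."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be ADS for Kerberos logons against Active Directory")
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(key, ""))
        size = int(m.group(2)) - int(m.group(1)) + 1 if m else 0
        if size < min_idmap_size:
            findings.append(f"{key} range holds {size} ids; winbind assigns one per domain user or group it maps")
    level = (g.get("log level", "0").split() or ["0"])[0]
    if not level.isdigit() or int(level) < 10:
        findings.append("log level below 10; ads_secrets_verify_ticket decryption lines are not logged")
    return findings

def summarize_kerberos_log(text):
    """Count failed ticket verifications against successful decryptions (enc type captured)."""
    failed = text.count("Failed to verify incoming ticket!")
    enc = re.findall(r"ads_secrets_verify_ticket: enc type \[(\d+)\] decrypted message", text)
    return {"ticket_verify_failures": failed, "decrypted_tickets": len(enc), "enc_types": sorted(set(enc))}
```

Run `check_ads_config(parse_smb_conf(open("/etc/opt/samba/smb.conf").read()))` and `summarize_kerberos_log` over the per-client log in /var/opt/samba to get the two answers the thread asks for: whether the config is worth trusting, and whether any ticket ever decrypted.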