Samba – Set up Samba with Active Directory and local user authentication

Tags: active-directory, centos7, kerberos, samba, winbind

My main goal is to set up a Samba server that users can connect to using their Active Directory credentials. Additionally, local Linux users on the Samba server should be able to authenticate.

First I tried to configure the Samba server to authenticate the users against the Active Directory, but I couldn't quite figure out how to do this.

The Samba server is version 4.2.10 and runs on CentOS 7. My Samba configuration looks like this:

/etc/samba/smb.conf

[global]
workgroup = AD
netbios name = clients-hostname

max log size = 50
log level = 3
log file = /var/log/samba3/log.%m

map untrusted to domain = Yes

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes

os level = 20
winbind enum groups = yes
realm = AD.COMPANY.CPOM
security = ads
auth methods = winbind
passdb backend = tdbsam

client use spnego = yes

client ntlmv2 auth = yes

[aShare]
available = yes
path = /aShare
browseable = yes
writeable = yes
#read only = no
#inherit acls = yes
#inherit permissions = yes
create mask = 0777
directory mask = 0777
valid users = @"domain users@AD",localUser

The Kerberos configuration looks like this:

/etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false

ticket_lifetime = 24h
renew_lifetime = 7d

forwardable = true
rdns = false

default_realm = AD.COMPANY.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
AD.COMPANY.COM = {
kdc = DC.AD.COMPANY.COM
kpasswd_server = DC.AD.COMPANY.COM
admin_server = DC.AD.COMPANY.COM
default_domain = AD.COMPANY.COM
}

[domain_realm]
.ad.company.com = AD.COMPANY.COM
ad.company.com  = IN.ITM-CONSULTING.DE

The Samba server exists in the Active Directory and I got a Kerberos ticket. wbinfo -u displays all the users in the Active Directory. What I noticed is that in the past it displayed the users with the prefix AD\, but now they don't have this prefix anymore.

The main problem is that I can't connect to the shares with an Active Directory user:

$ smbclient -L //10.0.0.2 -U aduser -W AD
Enter aduser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

The logs show me this:

/var/log/samba3/log.10.0.0.2 [<– the local machine's IP]

[2016/07/26 13:00:28.408563,  3] ../source3/smbd/oplock.c:1307(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/26 13:00:28.408626,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 194 (0 toread)
[2016/07/26 13:00:28.408646,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 9538) conn 0x0
[2016/07/26 13:00:28.409162,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2016/07/26 13:00:28.409177,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2016/07/26 13:00:28.409183,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2016/07/26 13:00:28.409188,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LANMAN1.0]
[2016/07/26 13:00:28.409192,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LM1.2X002]
[2016/07/26 13:00:28.409197,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [DOS LANMAN2.1]
[2016/07/26 13:00:28.409202,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [LANMAN2.1]
[2016/07/26 13:00:28.409207,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [Samba]
[2016/07/26 13:00:28.409211,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LANMAN 1.0]
[2016/07/26 13:00:28.409216,  3] ../source3/smbd/negprot.c:576(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/07/26 13:00:28.651581,  3] ../source3/smbd/negprot.c:395(reply_nt1)
  using SPNEGO
[2016/07/26 13:00:28.651628,  3] ../source3/smbd/negprot.c:684(reply_negprot)
  Selected protocol NT LANMAN 1.0
[2016/07/26 13:00:28.652715,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 1 of length 160 (0 toread)
[2016/07/26 13:00:28.652741,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBsesssetupX (pid 9538) conn 0x0
[2016/07/26 13:00:28.652762,  3] ../source3/smbd/sesssetup.c:614(reply_sesssetup_and_X)
  wct=12 flg2=0xc843
[2016/07/26 13:00:28.652774,  3] ../source3/smbd/sesssetup.c:144(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2016/07/26 13:00:28.652782,  3] ../source3/smbd/sesssetup.c:185(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2016/07/26 13:00:28.653003,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/07/26 13:00:28.653391,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 2 of length 528 (0 toread)
[2016/07/26 13:00:28.653410,  3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBsesssetupX (pid 9538) conn 0x0
[2016/07/26 13:00:28.653432,  3] ../source3/smbd/sesssetup.c:614(reply_sesssetup_and_X)
  wct=12 flg2=0xc843
[2016/07/26 13:00:28.653438,  3] ../source3/smbd/sesssetup.c:144(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2016/07/26 13:00:28.653445,  3] ../source3/smbd/sesssetup.c:185(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2016/07/26 13:00:28.653466,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[aduser] domain=[AD] workstation=[clients-hostname] len1=24 len2=238
[2016/07/26 13:00:28.653518,  3] ../source3/param/loadparm.c:3653(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/26 13:00:28.653570,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/26 13:00:28.653637,  3] ../source3/param/loadparm.c:2596(lp_do_section)
  Processing section "[global]"
[2016/07/26 13:00:28.653758,  2] ../source3/param/loadparm.c:2613(lp_do_section)
  Processing section "[aShare]"
[2016/07/26 13:00:28.653826,  3] ../source3/param/loadparm.c:1493(lp_add_ipc)
  adding IPC service
[2016/07/26 13:00:28.654335,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [AD]\[aduser]@[clients-hostname] with the new password interface
[2016/07/26 13:00:28.654350,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [AD]\[aduser]@[clients-hostname]
[2016/07/26 13:00:28.657067,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user AD\aduser via getpwnam(), denying access.
[2016/07/26 13:00:28.657091,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [aduser] -> [aduser] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/26 13:00:28.657104,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/26 13:00:28.657139,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(269) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2016/07/26 13:00:28.660840,  3] ../source3/smbd/server_exit.c:249(exit_server_common)
  Server exit (failed to receive smb request)

How can I let the users log in to Samba with their credentials from the Active Directory?

Best Answer

(Writing this from my phone, so just trying to remember what I did once upon a time) :-)

Okay, I am assuming you have already done the samba-tool provision and confirmed that Active Directory has been configured.

For reference, use the official Wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

In order to get Linux users to log in to the machine running the Samba Active Directory PDC, you need to have libnss-winbind and libpam-winbind installed.

With those two modules installed, you need to run pam-auth-update.

Here you should be able to choose Active Directory authentication as one of the ways users can authenticate against your machine.

You will also need to update /etc/nsswitch.conf so winbind is included in the lines starting with passwd: and group:.

And finally, you should also edit smb.conf so it contains at least the lines:

template homedir = /home/%D/%U
template shell = /bin/bash
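An added example, not from the original answer and not Samba's own tooling: a small POSIX shell script that checks the configuration points above offline, against constructed sample files rather than the poster's real ones. The function names and sample contents are my own; the realm comparison is included because the smb.conf and krb5.conf in the question spell the realm differently, and the log's getpwnam() failure is what you see when winbind cannot resolve the domain user through NSS.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# winbind setup steps described above.  Checks that winbind is listed on the
# nsswitch.conf passwd:/group: lines, that smb.conf carries the template
# settings, and that the realm in smb.conf matches default_realm in krb5.conf.
# All file contents written below are constructed samples.

# Return 0 when every NSS database named in $2.. lists winbind in file $1.
nss_has_winbind() {
    f=$1; shift
    for db in "$@"; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]winbind([[:space:]]|$)" "$f" || return 1
    done
    return 0
}

# Print the value of key $2 from an ini-style file $1 (last occurrence wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when smb.conf 'realm' equals krb5.conf 'default_realm', ignoring case.
realm_consistent() {
    a=$(conf_get "$1" realm | tr '[:lower:]' '[:upper:]')
    b=$(conf_get "$2" default_realm | tr '[:lower:]' '[:upper:]')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Write constructed sample files into directory $1: one good and one bad
# nsswitch.conf, one complete smb.conf, one with a misspelled realm, one krb5.conf.
write_samples() {
    printf 'passwd:     files winbind\ngroup:      files winbind\nshadow:     files\n' > "$1/nss_ok"
    printf 'passwd:     files sss\ngroup:      files sss\n' > "$1/nss_bad"
    printf '[global]\n   realm = AD.COMPANY.COM\n   template homedir = /home/%%D/%%U\n   template shell = /bin/bash\n' > "$1/smb_ok"
    printf '[global]\n   realm = AD.COMPANY.CPOM\n' > "$1/smb_typo"
    printf '[libdefaults]\n   default_realm = AD.COMPANY.COM\n' > "$1/krb5"
}

# Stand-alone usage: run the checks against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
nss_has_winbind "$tmp/nss_ok" passwd group && echo "nss_ok: winbind present on passwd and group"
nss_has_winbind "$tmp/nss_bad" passwd group || echo "nss_bad: winbind missing, getpwnam() for AD users will fail"
realm_consistent "$tmp/smb_ok" "$tmp/krb5" && echo "smb_ok: realm matches krb5 default_realm"
realm_consistent "$tmp/smb_typo" "$tmp/krb5" || echo "smb_typo: realm $(conf_get "$tmp/smb_typo" realm) != $(conf_get "$tmp/krb5" default_realm)"
rm -rf "$tmp"
```

Point the functions at /etc/nsswitch.conf, /etc/samba/smb.conf and /etc/krb5.conf to check a live host; a failing nss_has_winbind is the first thing to look at when smbd logs "Failed to find authenticated user ... via getpwnam()".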

Beyond that, I can't remember if anything else is needed, but it will get you started in the right direction.