Ubuntu – Using Active Directory authentication with Samba on Ubuntu 9.10 server 64bit

active-directorysambaUbuntu

I have an Ubuntu server joined to our office Active Directory domain (Windows 2008) and it all seems happy. I can ssh to the server using my AD credentials and home directories get created and all is fine.

I want to share a directory out from the server and use AD authentication (security = ads) using Samba.

Following the docs, I got to the situation where I can see the share externally, but my AD credentials do not allow me to connect.

Using the same credentials from the server itself works using mount.cifs — i.e. I can mount \\localhost\share using domain\me

I cannot get it to work from my desktop using my AD credentials, but I can connect using a set of Unix credentials so it seems that Samba can't resolve my AD details, but that confuses me as I can use AD credentials using mount.cifs as stated above.

Is there something about the way Windows provides the credentials that Samba doesn't understand?

Bonus question:

I haven't set up Subversion on the server yet, but when I do will I be able to use AD credentials to authenticate on HTTP access via Apache?

Best Answer

The first thing you should do is check your Samba logs, and if need be turn up the log level: http://oreilly.com/catalog/samba/chapter/book/ch04_08.html

Samba is fairly verbose and helpful when it comes to explaining why a connection was not permitted. You'll no doubt find some very good hints as to what your problem is in the logs. e.g. Find the original error message and do a Google search.

Related Solutions

Samba with Active Directory – shares are readonly, NT_STATUS_MEDIA_WRITE_PROTECTED

I've just spent an incredible amount of time similarly debugging my server and have come down to the realization that the share and the directory being shared cannot have the same name.

I have no idea why. I hope someone else stumbles across this earlier in their process than I did.

Samba – Joining Samba to Active Directory with local user authentication

You can do this fairly easily. You need to preform all the steps for configuring users to authenticate to linux via AD (KRB config, joining the domain), up to bot NOT including the PAM changes. Then you just set SAMBA to use winbind as the authentication source. Here is an old copy of an smb.conf I've used to achieve this same effect:

#======================= Global Settings =====================================

[global]

# Domain Authntication Settings
        workgroup = <my domain>
        server string = <Sever String>
        security = ads
        passdb backend = tdbsam
        realm = <mydomain.com>
        client use spnego = yes
        ldap ssl = no
# logging
        log level = 5
        max log size = 50
        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
;       max log size = 50

# User settings
        username map =  /etc/samba/smbusers
        idmap uid = 10000-20000000
        idmap gid = 10000-20000000
        idmap backend = ad
;       template primary group = <ad group>
        template shell = /sbin/nologin

# Winbind Settings
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups  = Yes
        winbind netsted groups = Yes
        winbind nested groups = Yes
        winbind use default domain = Yes

#Other Globals
        unix charset = LOCALE
        server string = <my server name>
        load printers = no
        printing =  cups
        cups options = raw

;       printcap name = /etc/printcap
        #obtain list of printers automatically on SystemV
;       printcap name = lpstat
;       printing = cups


#============================ Share Definitions ==============================


[share]
comment = <share comment>
path = /srv/smb/share
guest ok = yes
valid users = "DOMAIN+testUser"
read only = yes

Also, if you are using Ubuntu there is a bug in the version that was in the 10.04LTS up to a few months ago that just completely broke this setup (nobody can auth) - grab a version from the SAMBA site if this is the case

Related Topic