Linux authentication through Samba

I’ve been using samba for file and print sharing on my home network for a few years now, and decided to step up my game and make it a PDC so that I wouldn’t have to change my password on so many OSes on so many machines any more. I’ve gotten it set up so that it “works” insofar as I can join my Windows machines to the domain, logon, etc, and even have it set up to change the users linux password when a windows user changes their password. This all makes me happy.

But, when I try to set up a SuSE client to use the domain authentication, I get an error “Cannot use the workgroup ‘whatever’ for Linux authentication”. I’ve gotten this both when walking through the SuSE setup and when trying to convert a box that is already on the network.

Any ideas what I might be missing? Here is the global section of my smb.conf:

workgroup = whatever
server string = Server
netbios name = pdc
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
usershare allow guests = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
passwd program = /usr/bin/passwd %u
passwd chat = *password* %n *password* %n *changed*
unix password sync = yes
encrypt passwords = yes
passdb backend = tdbsam
security = user
use client driver = yes
os level = 64
preferred master = yes
domain master = yes
local master = yes
wins support = yes
logon path =
domain logons = yes
log level = 2
debug level = 1
log file = /var/log/samba/log.%m
logon home = \\homeserver\%U\winprofile
logon script = %U.bat
admin users = fred

[netlogon]
path = /var/lib/samba/netlogon
read only = yes

[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0600

Does anyone know if it’s possible to do linux authentication without running LDAP on the server? All of the examples I can find show an LDAP server. I’m trying to avoid that if I can. I can’t find a clear list of what the Server side requirements are for Linux authentication through a Samba PDC.

On Thu May 28 2009 09:36 am, x0ph3rl wrote:

> Does anyone know if it’s possible to do linux authentication without
> running LDAP on the server? All of the examples I can find show an LDAP
> server. I’m trying to avoid that if I can. I can’t find a clear list
> of what the Server side requirements are for Linux authentication
> through a Samba PDC.

x0ph3r1;

I confess to not being an expert on this, but as far as I know you can only
use LDAP for this (maybe also MySQL could be made to work). Even then the
POSIX (UNIX/LINUX) and SAMBA information are stored separately, albeit in a
single repository. As far as I know UNIX (LINUX) passwords can not be
converted to an NT hash and Windows passwords can not use POSIX encryption.

There is a brief write up here:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

[global]

workgroup = BLUE
netbios name = suse-blue
domain logons = yes
domain master = yes
local master = yes
os level = 65
preferred master = yes
security = user
logon path =
logon drive = P:
passdb backend = tdbsam
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
name resolve order = wins bcast host lmhost
server string = "opensuse"
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
wins support = yes

[homes]

comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[profiles]

comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700

[printers]

comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]

comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]

comment = network logon service
path = /var/lib/samba/netlogon
write list = root

[datos]

comment = datos varios
force user = eduardo
guest ok = No
inherit acls = Yes
path = /home/eduardo/datos/
valid users = eduardo easgs user1
write list = eduardo easgs
read list = user1

That is a working example of a Samba server running as a PDC using the tdbsam backend instead of LDAP; you can just copy-paste it and adapt it to your needs. Note that you must first create the users in Linux and then in Samba by running the command smbpasswd -a User1, and so on for all your users.

You must also map your Linux groups to Windows groups; to do that, run this:

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d

You must first join your Windows machines to your domain using a root user; what I did was create a user called administrator in the root group, and I use that user to join the machines. If your Windows clients are Windows Vista you must do the following:

start -> run -> secpol.msc

Network Security: LAN Manager authentication level: Send NTLMv2 response only or Send LM & NTLM - use NTLMv2 session security if negotiated.

Note: in this example the roaming profiles are disabled by leaving the option logon path = blank.

Remember that you must enable samba server and netbios server in your firewall.
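Added example, not code from any poster in this thread: a small Python checker that parses an smb.conf in the shape of the [global] section posted above, verifies the tdbsam PDC settings the thread relies on, flags the copy-pasted typographic quotes that break a value, reports whether roaming profiles are enabled, and builds the net groupmap lines for the well-known RIDs. The sample config is constructed for the example.

```python
# Constructed sample in the shape of the [global] section posted above (not the poster's file).
SAMPLE_SMB_CONF = """
[global]
domain logons = yes
domain master = yes
security = user
logon path =
passdb backend = tdbsam
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
server string = \u201copensuse\u201d
"""
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}  # from the thread
REQUIRED_GLOBAL = {"security": "user", "domain logons": "yes",  # tdbsam-backed PDC, no LDAP
                   "domain master": "yes", "passdb backend": "tdbsam"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_pdc_global(sections):
    """Return findings for the PDC prerequisites the thread discusses."""
    g = sections.get("global", {})
    findings = [f"{k} should be '{v}' (got '{g.get(k, '')}')"
                for k, v in REQUIRED_GLOBAL.items() if g.get(k, "").lower() != v]
    if "add machine script" not in g:
        findings.append("add machine script missing: joins cannot create machine accounts")
    for key, value in g.items():  # smart quotes from copy-paste break the value
        if any(ch in value for ch in "\u201c\u201d\u2018\u2019"):
            findings.append(f"{key} contains typographic quotes; use plain ASCII quotes")
    return findings

def roaming_profiles_enabled(sections):
    """Per the thread, a blank 'logon path' disables roaming profiles."""
    return bool(sections.get("global", {}).get("logon path", ""))

def groupmap_commands(mapping):
    """Build the net groupmap lines for a {nt group: unix group} mapping."""
    return [f'net groupmap add ntgroup="{nt}" unixgroup={ux} rid={WELL_KNOWN_RIDS[nt]} type=d'
            for nt, ux in mapping.items()]
```

Run it against your own /etc/samba/smb.conf by passing the file contents to parse_smb_conf; an empty findings list means the settings this thread calls for are present.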

Thanks for posting that config; replacing my global section with that global section does fix the Linux authentication issue. I’ll try to go through it this weekend and figure out what my config is missing or needs removing to work.

Thanks!

If you are a Spanish speaker you can check this tutorial: openSUSE 11.1 como controlador de Dominio, la manera facil « Weblog Tecnologico. There (thanks to the help of this forum) I explain step by step how to create a PDC with openSUSE 11.1, but it is only in Spanish for the moment.

Turns out that my issues were client related, not server related; I was looking in the wrong place.

During install, the default openSUSE selections for a domain member will not work: the install does not open a hole in the firewall for SMB communication, so the authentication fails. You have to disable the firewall during installation to get the Windows domain authentication working, then enable it and fix the settings after the install.