OpenSuse 12.2 -> Active Directory Authentication Samba and LDAP

I’ve been spinning my wheels trying to get LDAPS authentication working to a Windows Active Directory (I never got it working in 12.1, gave up and turned off SSL). I’m determined to get this working properly now but despite following a bunch of howtos it’s still not working.

I’ve created a Self Signed cert on the AD side and imported it (not sure exactly where the guide I followed is at this point) but gnutls-cli does say the cert is good and trusted:

gnutls-cli -p 636 dc01.tripp.org -d 1 --print-cert
Processed 138 CA certificate(s).
Resolving 'dc01.tripp.org'...
Connecting to '10.1.1.100:636'...
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data

  • Peer’s certificate is trusted
  • The hostname in the certificate matches 'dc01.tripp.org'.
  • Successfully sent 0 certificate(s) to server.
  • Session ID: FA:1A:00:00:D3:06:C2:6A:7D:D2:35:4A:65:57:DC:0C:F4:9A:3F:DB:6E:FE:58:CF:AD:1D:71:B0:8F:A3:49:13
  • Server has requested a certificate.
  • Certificate type: X.509
  • Got a certificate list of 1 certificates.
  • Certificate[0] info:
  • subject `C=US,ST=NY,L=NY,O=tripp,OU=ad,CN=dc01.tripp.org', issuer `DC=org,DC=tripp,CN=tripp-DC01-CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-09-29 20:31:04 UTC', expires `2014-09-29 20:31:04 UTC', SHA-1 fingerprint `20e903642452c11c4eb702beacdfc9fee155de0e'
    Public Key Id:
    087465ae2b2391ebe8e701114a46719d9b2da2e8
    Public key's random art:
    +--[ RSA 1024]----+
    |.*...o o.o |
    |+ o. + o |
    |... . + . |
    | .o = + |
    |...+ . + S |
    |...o . |
    |. o.o . |
    | E o.o |
    |o.+. |
    +-----------------+

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

  • Version: TLS1.0

  • Key Exchange: RSA

  • Cipher: AES-128-CBC

  • MAC: SHA1

  • Compression: NULL

  • Handshake was completed

  • Simple Client Mode:

The checks here: https://wiki.samba.org/index.php/Samba_&_Active_Directory

net ads testjoin Test
wbinfo -u
wbinfo -g

pass

except:
wbinfo -a

Which errors out with

Could not authenticate user nik@tripp.org with challenge/response

although I did try various combinations (username, username@tripp and the one above)

I am also failing to authenticate when trying to access my shares. Domain users are also not able to log in to the console (I haven’t rebooted, so I still have some root console sessions open, as I’ve fubarred that before and been unable to change config files).

Below is my smb.conf

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2012-08-08
[global]
	netbios name = BLACKBOX
	socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
	idmap uid = 10000-20000
	winbind enum users = yes
	winbind gid = 10000-20000
	workgroup = TRIPP
	os level = 20
	winbind enum groups = yes
	socket address = 10.1.1.100
	password server = *
	preferred master = no
	winbind separator = +
	winbind use default domain = Yes
	winbind nested groups = Yes
	max log size = 50
	log file = /var/log/samba3/log.%m
	encrypt passwords = yes
	dns proxy = no
	realm = TRIPP.ORG
	security = ADS
	wins server = 10.1.1.2
	wins proxy = no
	idmap gid = 10000-20000
	template homedir = /home/%D/%U
	template shell = /bin/bash
	usershare allow guests = No
	winbind offline logon = yes
	winbind refresh tickets = yes
	passdb backend = ldapsam:ldap://dc01.tripp.org
	wins support = No
	idmap backend = ldap:ldap://dc01.tripp.org
	ldap group suffix = ou=Groups,ou=Shirotans
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Machines
	ldap passwd sync = Yes
	ldap suffix = #dc=tripp,dc=org
	ldap user suffix = ou=Users,ou=Shirotans
	ldap admin dn = administrator@tripp
[homes]
	comment = Home Directories
	valid users = %S, %D%w%S
	browseable = No
	read only = No
	inherit acls = Yes
[profiles]
	comment = Network Profiles Service
	path = %H
	read only = No
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
[users]
	comment = All users
	path = /home
	read only = No
	inherit acls = Yes
	veto files = /aquota.user/groups/shares/
[groups]
	comment = All groups
	path = /home/groups
	read only = No
	inherit acls = Yes
[printers]
	comment = All Printers
	path = /var/tmp
	printable = Yes
	create mask = 0600
	browseable = No
[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	write list = @ntadmin root
	force group = ntadmin
	create mask = 0664
	directory mask = 0775


## Share disabled by YaST
# [netlogon]


[storage]
	inherit acls = No
	path = /mnt/storage
	read only = No
	admin users = nik, aministrator@tripp.org
	browseable = Yes
	nt acl support = Yes
	valid users = %S, %D%w%S



my ldap.conf

I’ve tried various options for TLS_REQCERT


uri	ldaps://dc01.tripp.org 
base	dc=tripp,dc=org
TLS_CACERTDIR	/etc/ssl/certs
TLS_CACERT	/etc/ssl/certs/adcert.pem
TLS_REQCERT allow




my /etc/openldap.conf (different guides ask you to edit one or the other …)


uri	ldaps://dc01.tripp.org 
base	dc=tripp,dc=org
TLS_CACERTDIR	/etc/ssl/certs
TLS_CACERT	/etc/ssl/certs/adcert.pem
TLS_REQCERT allow



nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#


# passwd: files nis
# shadow: files nis
# group:  files nis


passwd:	compat winbind sss
shadow:	compat winbind
group:	compat winbind sss


hosts:	files dns wins
networks:	files dns


services:	files
protocols:	files
rpc:	files
ethers:	db files
netmasks:	files
netgroup:	files
publickey:	nisplus


bootparams:	files
automount:	files
aliases:	files



Any ideas or other info I should include?
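Added example, not part of the post: the gnutls-cli output above proves that gnutls-cli trusts the DC certificate, but it also records several things a defender would want to grade (1024-bit RSA key, SHA-1 signature, the client's 512-bit Diffie-Hellman floor, TLS 1.0). The script pulls those facts out of the verbose output and lists them. The sample text is a constructed copy of the lines quoted above (certificate body omitted); the thresholds (2048-bit keys and DH, TLS 1.2) are this example's choices, not anything the thread states.

```python
"""Parse gnutls-cli verbose output and grade the security-relevant facts.
Added example; the text below is a constructed copy of the poster's output."""
import re
from datetime import datetime, timezone

GNUTLS_OUTPUT = """\
Processed 138 CA certificate(s).
|<1>| Note that the security level of the Diffie-Hellman key exchange has been lowered to 512 bits and this may allow decryption of the session data
- Peer's certificate is trusted
- The hostname in the certificate matches 'dc01.tripp.org'.
- subject `C=US,ST=NY,L=NY,O=tripp,OU=ad,CN=dc01.tripp.org', issuer `DC=org,DC=tripp,CN=tripp-DC01-CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2012-09-29 20:31:04 UTC', expires `2014-09-29 20:31:04 UTC', SHA-1 fingerprint `20e903642452c11c4eb702beacdfc9fee155de0e'
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Handshake was completed
"""

# Thresholds chosen for this example (assumptions, not from the thread).
MIN_KEY_BITS = 2048
MIN_DH_BITS = 2048
OLD_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1")


def parse_gnutls(text):
    """Extract trust, hostname match, key size, signature algorithm, expiry,
    negotiated version and the client's DH floor. Missing fields stay None."""
    info = {"trusted": False, "hostname_ok": False, "key_bits": None,
            "sig_alg": None, "expires": None, "version": None,
            "dh_floor_bits": None, "mac": None}
    for line in text.splitlines():
        if "certificate is trusted" in line:
            info["trusted"] = True
        elif "hostname in the certificate matches" in line:
            info["hostname_ok"] = True
        elif "lowered to" in line:
            m = re.search(r"lowered to (\d+) bits", line)
            info["dh_floor_bits"] = int(m.group(1)) if m else None
        elif "subject `" in line:
            m = re.search(r"key (\d+) bits", line)
            info["key_bits"] = int(m.group(1)) if m else None
            m = re.search(r"signed using ([\w-]+)", line)
            info["sig_alg"] = m.group(1) if m else None
            m = re.search(r"expires `([^']+)'", line)
            if m:
                info["expires"] = datetime.strptime(
                    m.group(1), "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        elif line.startswith("- Version:"):
            info["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("- MAC:"):
            info["mac"] = line.split(":", 1)[1].strip()
    return info


def assess(info, now):
    """Return a list of findings for the parsed handshake; empty means clean."""
    findings = []
    if not info["trusted"]:
        findings.append("certificate chain is not trusted by gnutls-cli's CA store")
    if not info["hostname_ok"]:
        findings.append("certificate hostname does not match the DC name")
    if info["expires"] is not None and info["expires"] <= now:
        findings.append(f"certificate expired on {info['expires']:%Y-%m-%d}")
    if info["key_bits"] is not None and info["key_bits"] < MIN_KEY_BITS:
        findings.append(f"{info['key_bits']}-bit key is below the {MIN_KEY_BITS}-bit minimum")
    if info["sig_alg"] and info["sig_alg"].upper().endswith("SHA1"):
        findings.append("certificate is signed with SHA-1")
    if info["dh_floor_bits"] is not None and info["dh_floor_bits"] < MIN_DH_BITS:
        findings.append(f"client accepts DH parameters as small as {info['dh_floor_bits']} bits")
    if info["version"] in OLD_VERSIONS:
        findings.append(f"negotiated {info['version']}; require TLS1.2 or newer")
    return findings


if __name__ == "__main__":
    parsed = parse_gnutls(GNUTLS_OUTPUT)
    for finding in assess(parsed, datetime.now(timezone.utc)):
        print("-", finding)
```

Note that "Peer's certificate is trusted" is gnutls-cli's verdict using the 138 CAs it loaded; OpenLDAP's client library checks against whatever TLS_CACERT/TLS_CACERTDIR in ldap.conf point at, so the two verdicts can differ.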
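Added example, not from the post or from Samba or OpenLDAP: a small audit of the ldap.conf and LDAP-related smb.conf settings quoted above. It relies on documented parsing rules only: ldap.conf(5) makes `demand` the default for TLS_REQCERT and defines `allow` as "a bad certificate is ignored", and smb.conf(5) treats only a whole line starting with `#` or `;` as a comment, so a `#` inside a value such as `ldap suffix = #dc=tripp,dc=org` is part of the value. The inputs are constructed copies of the thread's settings, and the DN pattern is a simplified check, not a full RFC 4514 parser.

```python
"""Audit LDAP client TLS settings and LDAP-related smb.conf parameters.
Added example; inputs are constructed copies of the thread's configuration."""
import re

LDAP_CONF = """\
uri\tldaps://dc01.tripp.org
base\tdc=tripp,dc=org
TLS_CACERTDIR\t/etc/ssl/certs
TLS_CACERT\t/etc/ssl/certs/adcert.pem
TLS_REQCERT allow
"""

SMB_GLOBAL = """\
[global]
\tsecurity = ADS
\trealm = TRIPP.ORG
\tpassdb backend = ldapsam:ldap://dc01.tripp.org
\tidmap backend = ldap:ldap://dc01.tripp.org
\tldap suffix = #dc=tripp,dc=org
\tldap admin dn = administrator@tripp
"""

# Simplified DN shape: attr=value(,attr=value)* (assumption: enough for these checks).
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_ldap_conf(text):
    """ldap.conf(5): one 'KEYWORD value' per line, keyword case-insensitive,
    lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1]
    return conf


def parse_smb_conf(text):
    """smb.conf(5): [section] headers and 'name = value' lines. Only a whole
    line beginning with '#' or ';' is a comment; '#' inside a value is literal."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
            continue
        name, sep, value = line.partition("=")
        if sep and current is not None:
            current[name.strip().lower()] = value.strip()
    return sections


def audit(ldap_conf, smb_conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    reqcert = ldap_conf.get("tls_reqcert", "demand").lower()  # demand is the documented default
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: a bad or missing server certificate is accepted, "
                        "so LDAPS does not authenticate the DC; use demand")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: a server that sends no certificate is accepted; use demand")
    uri = ldap_conf.get("uri", "")
    if uri and not uri.startswith("ldaps://"):
        findings.append(f"uri {uri}: not LDAPS, binds could travel in plaintext")
    if not ldap_conf.get("tls_cacert") and not ldap_conf.get("tls_cacertdir"):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the DC's issuing CA cannot be verified")
    g = smb_conf.get("global", {})
    suffix = g.get("ldap suffix", "")
    if suffix.startswith("#"):
        findings.append(f"ldap suffix {suffix!r}: the '#' is part of the value, so the search base is not a DN")
    elif suffix and not DN_RE.match(suffix):
        findings.append(f"ldap suffix {suffix!r}: not a distinguished name")
    admin = g.get("ldap admin dn", "")
    if admin and not DN_RE.match(admin):
        findings.append(f"ldap admin dn {admin!r}: must be a distinguished name, not a user@domain name")
    return findings


def hardened_ldap_conf(ldap_conf):
    """Same client settings with server certificate verification enforced."""
    fixed = dict(ldap_conf)
    fixed["tls_reqcert"] = "demand"
    return fixed


if __name__ == "__main__":
    for finding in audit(parse_ldap_conf(LDAP_CONF), parse_smb_conf(SMB_GLOBAL)):
        print("-", finding)
```

With `TLS_REQCERT demand`, a bind only succeeds when the library can build a chain to the CA file named in TLS_CACERT, which is the check that turns LDAPS into authentication of the DC rather than just encryption.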

No ideas? I would have thought this wouldn’t be an uncommon setup.

Hello Trippinnik, I am just writing to cheer you up rotfl! rotfl! but nothing more :X I always wanted to have a Linux box (especially openSUSE) to be an Active Directory or NT domain with windoze user profiles on the Linux box, but it was a real pain in the a$$.

A coworker of mine got it working with Ubuntu, Samba and NT domain Samba emulation. But it’s really hard and you always have to depend on the command line (I know, it’s the Linux way).

It would be great if someone, someone really guru or with real practical knowledge, posted a sticky guide giving some kind of easy steps to create a Linux box Windows domain, user administration and share security.

Also it would be great to have a good GUI that works out of the box. I have installed several Linuxes many times, and in every distro, if you follow the steps after opening the Samba GUI, it never works fine (because you have to sync Linux users with Samba users, add machines, etc, etc).

If this could be done easily, a lot of Windows server users (with some kind of Linux love) would surely kick away micro$oft... but maybe we have to wait for Samba 4 lol!

Yeah, I even went to the IRC for Samba; the only suggestion I got was to use Samba 4. I did and it’s working fine. Much easier to get working as well. I never bothered to set up my init scripts properly, but not a big deal as I rarely reboot the Linux fileserver.