Samba as member server in existing Active Directory domain

Hi,

Are there any instructions or tutorials on how to set up Samba with an existing Active Directory domain with openSUSE 11.1 and 3.2 Samba?

All of the ones I’ve found are for previous versions and have a note on them saying they need to be updated for the current version. They also don’t seem to work with the version I have.

Most of the problems I’m seeing seem to be centered around LDAP. So if there is something on setting up LDAP for active directories that would also be appreciated.

Thanks,

Very Puzzled Baby Penguin

On Fri, 2010-02-19 at 14:16 +0000, gwardell wrote:
> Hi,
>
> Are there any instructions or tutorials on how to set up Samba with an
> existing Active Directory domain with openSUSE 11.1 and 3.2 Samba?

You could simply use YaST for this.

>
> All of the ones I’ve found are for previous versions and have a note on
> them saying they need to be updated for the current version. They also
> don’t seem to work with the the version I have.
>
> Most of the problems I’m seeing seem to be centered around LDAP. So if
> there is something on setting up LDAP for active directories that would
> also be appreciated.

The default will be to use winbind… all should work well.
I do this all of the time.

Hi,

I did use Yast. I played with it all last night into the wee hours.

Sometimes it worked better than others, but it never worked right. The Linux box showed up in the Active Directory and network neighborhood but when clicked on it said path not found. (Or sometimes it said access denied; I tried a few different settings.)

When I did ldapsearch -ZZ (as per one guide) on the Linux box it said ldap_start_tls decoding error (-4).

I’m assuming there is a configuration problem in Samba, Kerberos, LDAP, or winbind.

Could you share what you do all the time that works?

As I said, the guides in the wiki are for 10.0 or earlier and say they aren’t correct for 11.1. Indeed, after running YaST, when I look at the smb.conf file it doesn’t have half the entries that the guides on samba.org say should be there, but I don’t mess with it.

Still puzzled, sleepy, and a bit frazzled.

I’m looking for a guide or tutorial, (url), that works for 11.1; if you don’t have time to hand hold here.

You have to take 2 steps

  1. Add the machine to the domain
  2. Set up a share for domain users to access.

This is quite common, if you were on a Windows machine, you’d have to take these same steps.

Both steps can be performed from YaST. I think this is quite an advantage for openSUSE (or SLEx for that matter) because it can be set up much quicker than on other distros.

Hi,

I was away from this problem for a few hours and I’m now more settled.

Thank you for the 2 steps. I have done both of those.

Let me review what I have configured.

First a little background about me. I have been working with Windows networks and domains for almost 20 years. I am quite familiar with the idiosyncrasies of both Windows domain and peer-to-peer networks. What is new to me is using a non-Windows machine in a Windows network.

This particular network has one domain controller running Active Directory and five member workstations and servers. This domain has been up for 5 years and runs smoothly now. WINS is also running on the domain controller. The domain controller is also running NTP and BIND.

In Yast under LDAP Client I have:

User Authentication

Use LDAP: checked

LDAP Client

Addresses of LDAP Servers: <the IP address of my domain controller>

LDAP Base DN: DC=gwsystems2,DC=com (The dns name of my domain. internal)

Advanced Configuration
Client Settings

User Map: DC=gwsystems2,DC=com
Password Map: DC=gwsystems2,DC=com
Group Map: DC=gwsystems2,DC=com
Password Change Protocol: exop (this was the default setting)
Group Member Attribute: member

Administration Settings

Configuration Base DN: DC=gwsystems2,DC=com

Administrator DN: <my user name> (I didn’t know what else to put)

<I didn’t know what to put for the following items so I left them blank>
Create Default Configuration Object
Home Directories on This Machine
Password Policy

One of the guides I looked at said to test LDAP by issuing the following command:

linux-hh3x:~ # ldapsearch -ZZ
ldap_start_tls: Decoding error (-4)

As you can see, it errors.

I’m not sure it’s worth going on since Kerberos depends on LDAP and SAMBA depends on Kerberos for authentication.

Sharing by Users
Allow Users to Share Their Directories: Checked
Permitted Group: users
Maximum Number of Shares: 100

Under Kerberos Client I have:
Use Kerberos
Default Domain: gwsystems2.com
Default Realm: gwsystems2
KDC Server Address: <the IP address of my domain controller>

Advanced Settings
I didn’t change anything in here since it has to do with PAM and one of the guides I looked at said messing with PAM was dangerous.

Under NTP Configuration
General Settings
Runtime Configuration Policy: Auto
Synchronization Type: Server
Address: <The server dns name of my domain controller>

Security Settings
Run NTP Daemon in Chroot Jail
Firewall is disabled <I have a hardware firewall>

Under Samba Server

Start Up
During Boot
Firewall is disabled

Shares
Available Shares
I added a couple shares to the default shares

Sharing by Users
Allow Users to Share Their Directories: Checked
Permitted Group: users
Maximum Number of Shares: 100

Identity
Base Settings
Workgroup or Domain Name:
Domain Controller: Not a DC <The windows machine is my DC>
NetBIOS Hostname: Linux
WINS
Remote WINS Server: <the IP address of my domain controller>
Retrieve WINS via DHCP: no
Use WINS for Hostname Resolution: checked

Trusted Domain
<None>

Sharing by Users
Allow Users to Share Their Directories: Checked
Permitted Group: users
Maximum Number of Shares: 100
LDAP Settings
Passdb Back-End
Use LDAP Password Back-End: no
Use LDAP idmap Back-End: no
<The rest of this tab is disabled>

Under Windows Domain Membership
Membership
Domain or Workgroup: gwsystems2
Also Use SMB Information for Linux Authentication: checked

Under Expert Settings
UID Range
Minimum: 10000
Maximum: 20000
GID Range
Minimum: 10000
Maximum: 20000

Windows Internet Name Service
Use WINS for Hostname Resolution: checked
Retrieve WINS server via DHCP: no

Mount Server Directories
<none>

Sharing by Users
Allow Users to Share Their Directories: Checked
Allow Guest Access: checked
Permitted Group: users
Maximum Number of Shares: 100

When I hit OK it asks about joining the domain, I click yes.
<I did this before but I unjoined the domain to restart everything for this report>

It asked me for a user name and password, just like with Windows.

It’s taking a lot longer than it should.

Ok, it now says “Domain GWSYSTEMS2 joined successfully.”

Now, checking things.

ldapsearch still fails.

linux-hh3x:~ # net ads testjoin
[2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
Join to domain is not valid: NT code 0xfffffffc

linux-hh3x:~ #
linux-hh3x:~ # net ads info
[2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
Failed to get server’s current time!
LDAP server: 70.184.246.18
LDAP server name: ntserver2.gwsystems2.com
Realm: GWSYSTEMS2.COM
Bind Path: dc=GWSYSTEMS2,dc=COM
LDAP port: 389
Server time: Wed, 31 Dec 1969 19:00:00 EST
KDC server: 70.184.246.18
Server time offset: 0
linux-hh3x:~ #

linux-hh3x:~ # net ads status
[2010/02/20 00:20:12, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
Enter root’s password:
[2010/02/20 00:20:23, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:20:23, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
[2010/02/20 00:20:23, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Failed to issue the StartTLS instruction: Decoding error
linux-hh3x:~ #

and in the messages log I see this, which I think is from when I reconfigured Samba:

Feb 20 00:01:28 linux-hh3x su: (to nobody) root on none
Feb 20 00:02:50 linux-hh3x su: (to nobody) root on none
Feb 20 00:03:32 linux-hh3x nmbd[4385]: [2010/02/20 00:03:32, 0] nmbd/nmbd.c:terminate(68)
Feb 20 00:03:32 linux-hh3x nmbd[4385]: Got SIGTERM: going down…
Feb 20 00:03:32 linux-hh3x su: (to nobody) root on none
Feb 20 00:03:41 linux-hh3x net: [2010/02/20 00:03:41, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:03:41 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:03:41 linux-hh3x net: [2010/02/20 00:03:41, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:03:41 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:03:56 linux-hh3x net: [2010/02/20 00:03:56, 0] libads/kerberos.c:ads_kinit_password(356)
Feb 20 00:03:56 linux-hh3x net: kerberos_kinit_password LINUX-HH3X$@GWSYSTEMS2.COM failed: Client not found in Kerberos database
Feb 20 00:03:57 linux-hh3x net: [2010/02/20 00:03:57, 0] libads/kerberos.c:ads_kinit_password(356)
Feb 20 00:03:57 linux-hh3x net: kerberos_kinit_password LINUX-HH3X$@GWSYSTEMS2.COM failed: Client not found in Kerberos database
Feb 20 00:04:37 linux-hh3x net: [2010/02/20 00:04:37, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:04:37 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:04:37 linux-hh3x net: [2010/02/20 00:04:37, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:04:37 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:13:07 linux-hh3x nmbd[4668]: [2010/02/20 00:13:07, 0] nmbd/nmbd.c:terminate(68)
Feb 20 00:13:07 linux-hh3x nmbd[4668]: Got SIGTERM: going down…
Feb 20 00:13:08 linux-hh3x smbd[4878]: [2010/02/20 00:13:08, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:13:08 linux-hh3x smbd[4878]: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:13:08 linux-hh3x smbd[4878]: [2010/02/20 00:13:08, 0] printing/nt_printing.c:nt_printing_init(664)
Feb 20 00:13:08 linux-hh3x smbd[4878]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
Feb 20 00:17:52 linux-hh3x net: [2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:17:52 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:17:52 linux-hh3x net: [2010/02/20 00:17:52, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:17:52 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:19:32 linux-hh3x net: [2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:19:32 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:19:32 linux-hh3x net: [2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:19:32 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error

However, despite all of this I see the Linux machine in the AD Users and Computers MMC
And in the Windows Server Manager it shows the Net Logon service for Linux-HH3X as Disabled.
And it shows in the Network Neighborhood with the shares and I can browse the shares and copy files out and in.
BUT, browsing the server and manipulating files on the shares is much slower than it should be. To me it’s obvious that it’s having problems, probably due to the errors listed above.

I’m not sure why it seems to work better now than before, but like I said it’s slow and the errors, I think, are problematic.

What I want to eventually achieve is the ability to browse shares on the Linux box from the Windows network, and browse shares on the Windows network from the Linux box, and to be able to print to a shared Windows printer from the Linux box. Authentication of Linux logons by Active Directory would be nice but not necessary, though it’s probably needed to copy files to Linux shares.

An update…

I left it and went out. When I came back several hours later it had dropped from the domain.

I checked and the domain name in Samba had mysteriously changed from lower case to upper case!!!

How could that be??? In LDAP the domain name is lower case???

I changed it back to lower case and it rejoined the domain. What? I thought it was already joined??

For that matter why was it not in the domain and not just not listed in network neighborhood?

Anyway, an hour later when I checked, it was again uppercase!!!

What’s going on? Why does it keep changing the case of the domain name, and how can that be stopped?

What should I do about these errors?

Feb 20 00:19:32 linux-hh3x net: [2010/02/20 00:19:32, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:19:32 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
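As an added example (not part of this thread or of Samba itself), here is a small parser for the log records quoted above: Samba writes a header line of the form `[date, level] file:function(line)` and puts the actual message on the next line, so triage means pairing those two lines per process and counting which (function, message) pairs repeat. The sample input is constructed from the records in the post; names such as `parse_samba_records` and `summarize` are this example's own.

```python
import re
from collections import Counter

# Constructed sample: syslog lines in the same shape as the ones quoted in the
# thread (hostname, timestamps and messages copied from the post, not a live capture).
SAMPLE_LOG = """\
Feb 20 00:03:41 linux-hh3x net: [2010/02/20 00:03:41, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:03:41 linux-hh3x net: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:03:56 linux-hh3x net: [2010/02/20 00:03:56, 0] libads/kerberos.c:ads_kinit_password(356)
Feb 20 00:03:56 linux-hh3x net: kerberos_kinit_password LINUX-HH3X$@GWSYSTEMS2.COM failed: Client not found in Kerberos database
Feb 20 00:13:07 linux-hh3x nmbd[4668]: [2010/02/20 00:13:07, 0] nmbd/nmbd.c:terminate(68)
Feb 20 00:13:07 linux-hh3x nmbd[4668]: Got SIGTERM: going down...
Feb 20 00:13:08 linux-hh3x smbd[4878]: [2010/02/20 00:13:08, 0] lib/smbldap.c:smb_ldap_start_tls(596)
Feb 20 00:13:08 linux-hh3x smbd[4878]: Failed to issue the StartTLS instruction: Decoding error
Feb 20 00:13:08 linux-hh3x smbd[4878]: [2010/02/20 00:13:08, 0] printing/nt_printing.c:nt_printing_init(664)
Feb 20 00:13:08 linux-hh3x smbd[4878]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: body"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<prog>[^:]+): (?P<body>.*)$")
# Samba header line: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(r"^\[(?P<when>[\d/]+ [\d:]+), (?P<level>\d+)\] (?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$")

def parse_samba_records(text):
    """Pair each Samba header line with the message line that follows it from
    the same program, returning one dict per (header, message) record."""
    records = []
    pending = {}  # program -> header fields still waiting for their message line
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a syslog line we understand; skip it
        prog, body = m.group("prog"), m.group("body")
        h = HEADER_RE.match(body)
        if h:
            pending[prog] = h.groupdict()  # remember the location, wait for the message
            continue
        header = pending.pop(prog, None)
        if header is None:
            continue  # message without a preceding Samba header (e.g. plain syslog noise)
        records.append({"prog": prog, "file": header["file"], "func": header["func"],
                        "level": int(header["level"]), "message": body})
    return records

def summarize(records):
    """Count how often each (function, message) pair occurs so the dominant failure stands out."""
    return Counter((r["func"], r["message"]) for r in records)

if __name__ == "__main__":
    for (func, msg), n in summarize(parse_samba_records(SAMPLE_LOG)).most_common():
        print(f"{n:3d}x {func}: {msg}")
```

Run against the full messages log, the counts show the repeated StartTLS decoding error from `smb_ldap_start_tls` and the one-off `ads_kinit_password` failure as separate problems to chase (LDAP TLS negotiation versus the machine account's Kerberos principal), rather than one undifferentiated wall of errors.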

gwardell wrote:
> What should I do about these errors?
>
> Feb 20 00:19:32 linux-hh3x net: [2010/02/20 00:19:32, 0]
> lib/smbldap.c:smb_ldap_start_tls(596)
> Feb 20 00:19:32 linux-hh3x net: Failed to issue the StartTLS
> instruction: Decoding error
>
>

Sigh… just for completeness (and to show how easy this is supposed to be):

http://endlessnow.com/ten/Video/samba-ad-os112.ogv

Enjoy…

(From a DEFAULT install of openSUSE 11.2 to being a member server in just a few clicks with a login test)

Obviously, there are many ways to do things… I’m just illustrating
the easiest way.

Thank you for the movie.

I had missed the last steps about setting up the authentication source and rebooting the computer.

On Wed, 2010-02-24 at 09:36 +0000, gwardell wrote:
> Thank you for the movie.
>
> I had missed the last steps about setting up the authentication source
> and rebooting the computer.

Well… I didn’t have to show the User auth stuff… I could have
done all of that at the time I set up the domain (what I clicked on
there in the user area took me back to the domain join panel again).

With regards to the reboot… that was done out of expediency and is
NOT required. Just the easiest thing for me to do at the time.
If you can’t reboot, I can show you the steps to make it effective
without the reboot.