Jun 27, 2005

Problems with Samba Authenticating to Windows 2000 Domain Controller

I've just set up our new intranet at work, and this time I was determined to get samba working better in our Windows network.

Samba lets you share files from a unix box just like you would share a folder in windows. The one hitch is that if you set this up simply, everyone you want to give access to this folder needs to be listed in your smbpasswd file. Synchronizing the passwords between this file and your windows accounts is a headache even with one user, and setting the password to something different requires the user to map the drive with a different username.

Luckily, Samba provides you with a way to ask the domain controllers on the network if a user is authenticated, and what groups they are in. Setting this up is a fairly nontrivial task, but not impossible.

There's a great howto at samba.org which will walk you through setting this up. If that works for you, congratulations.

If you find that you can't log into your samba share after going through those steps, it is quite likely that in the initial setup (before you ran into trouble and found my site through google) that an earlier connection to the domain controller left some improper accounts lying around.

At the end of the day last friday, I knew I have everything configured correctly, and it still wasn't working.

tail -f /var/log/samba/winbindd.log
showed me this:
idmap Fatal Error: UID range full!! (max: 20000)

When I initially connected to the domain controller, smb.conf still had the default values for the UID range to use, which was somewhere in the 16 million range. Now that I had specified the range to be between 10000 and 20000, those leftover values were throwing a wrench in things.

After a bit of searching (read: a day of bashing my head) I finally found a solution.

HowTo fix a bad join to an NT domain where winbind is used: (lifted from this linuxquestions thread and cleaned up a bit)

Stop your samba and winbind servers

/sbin/service winbind stop
/sbin/service smb stop

Delete secrets.tdb and smbpasswd

rm /etc/samba/secrets.tdb
rm /etc/samba/smbpasswd
rm /var/cache/samba/winbindd_idmap.tdb
Add a line to smb.conf to make it easier to get the login info
winbind trusted domains only = no
rejoin the domain
net rpc join -S SERVER_NAME -UAdministrator%AdminPassword
Restart winbind
/sbin/service winbind start
test to see if domain users were read
wbinfo -u
You should see a list of users from your Windows machine. This is nice, but we had this part working before.
If this information shows up without the domain, (for example Administrator instead of MYDOMAIN\Administratior, don't panic. It seems that newer versions of samba will drop the domain prefix when they are properly joined to a domain)
Now, lets see if we can get actual login information
getent passwd
This should show not only your local logins on the linux machine, but also from your windows domain
getent group
restart samba
/sbin/service smb start
Test the login from another computer

For me, I remoted back into my windows box, and accessed \\intranet\public. It let me in without even prompting for a password, because I was already properly authenticated.

Happy Sambaing!

1:05 am | permalink | /technology/linux | 0 writebacks |