Active Directory, SMB, and PCs

Viewing 6 posts - 1 through 6 (of 6 total)
    #362289
    stewarsh
    Participant

    Hello everyone, I've been racking my brain and burning out Google trying to solve this particular problem, and am out of ideas.

    I have an Xserve running 10.3.9 that is connected to my campus AD domain using Apple's plugin. Users can successfully log in to the box via the console and SSH. However, when trying to connect via Samba we have a breakdown. I have set up my smb.conf as described here and elsewhere and can successfully log in when connecting from any AD-bound Mac, and according to the debug this is all working through Kerberos. The problem, however, comes into play when PCs and non-bound Macs try to connect. According to the debug, Samba finds the accounts in AD and parses them fine, but when it tries to do the authentication step it falls back to NTLMv1 and fails. I'm also not certain where Apple's Samba is looking for the NT MD4 hash, as the debug isn't clear, but wherever it is, it is not finding it. Also, I have set up the GPOs to disable signing on the Windows side as suggested.

    Okay, now the really strange part is that, after a crash during an update, I had to reload my OS from scratch as several libraries were wiped. Before the crash this was all working quite well. I have restored the DirectoryServices configs as well as the Samba configs from the backup taken before the crash and compared them to where I am now, and as far as I can tell the system is set up the same way.

    I have attached a copy of my smb.conf file below for your review. If anyone has any ideas I would greatly appreciate it.

    Thanks,
    Shawn

            workgroup = CS
            display charset = UTF-8-MAC
            print command = /usr/sbin/PrintServiceAccess printps %p %s
            lprm command = /usr/sbin/PrintServiceAccess remove %p %j
            security = ads
            guest account = unknown
            encrypt passwords = yes
            printing = BSD
            allow trusted domains = yes
            preferred master = no
            lppause command = /usr/sbin/PrintServiceAccess hold %p %j
            netbios name = xserve
            wins support = no
            max smbd processes = 0
            printcap =  
            wins server = XXX.XXX.XXX.10 
            server string = Mac OS X
            lpresume command = /usr/sbin/PrintServiceAccess release %p %j
            client ntlmv2 auth = no
            domain logons = yes
            lpq command = /usr/sbin/PrintServiceAccess jobs %p
            passdb backend = opendirectorysam guest
            dos charset = CP437
            unix charset = UTF-8-MAC
            realm = CS.UNIV.EDU
            auth methods = guest opendirectory
            local master = no
            domain master = no
            map to guest = Never
            use spnego = yes
            printer admin = @admin, @staff
            defer sharing violations = no
            log level = 9
            winbind separator = +
    
    
    #362291
    Zeheeba
    Participant

    Hey There,

    I have a similar setup with a 10.3.9 Xserve. The differences I see between your conf file and mine are the following:

    security = domain
    auth methods = guest ntdomain opendirectory

    If you open up Server Admin and view the settings for Windows, does it say that you are a "Domain Member"? The Mac can be bound to AD via the plugin and have auth working fine, but if the SMB portion isn't listed as a domain member, I believe you will still have problems logging in from PCs.

    Good Luck.

    Z

    #362294
    stewarsh
    Participant

    Thanks much for the suggestions. I made the changes, and it seems that neither NTLM nor Kerberos is working. Did you also have a password server specified?

    As far as Server Admin, it has me listed as a PDC, though I didn't change that. I assume it determined that from the smb.conf file. It also won't let me change it to "Domain Member". Not sure what changes when you do that.

    Here is a snippet of the debug.

    [2005/07/12 13:30:48, 4] auth_ods.c:opendirectory_account_ok(754)
      opendirectory_account_ok: Checking SMB password for user sstewart
    [2005/07/12 13:30:48, 4] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(596)
      opendirectory_ntlm_password_check: Checking NT MD4 password
    [2005/07/12 13:30:48, 1] auth_ods.c:opendirectory_auth_user(212)
      User "sstewart" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14481) :(
    [2005/07/12 13:30:48, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
      opendirectory_smb_pwd_check_ntlmv1: [-14481]opendirectory_auth_user
    [2005/07/12 13:30:48, 3] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(605)
      opendirectory_ntlm_password_check: NT MD4 password check failed for user sstewart
    [2005/07/12 13:30:48, 5] /SourceCache/samba/samba-60.2/samba/source/auth/auth.c:check_ntlm_password(271)
      check_ntlm_password: opendirectory authentication for user [sstewart] FAILED with error NT_STATUS_WRONG_PASSWORD
    [2005/07/12 13:30:48, 2] /SourceCache/samba/samba-60.2/samba/source/auth/auth.c:check_ntlm_password(312)
      check_ntlm_password:  Authentication for user [sstewart] -> [sstewart] FAILED with error NT_STATUS_WRONG_PASSWORD
    [2005/07/12 13:30:48, 5] /SourceCache/samba/samba-60.2/samba/source/auth/auth_util.c:free_user_info(1322)
      attempting to free (and zero) a user_info structure
    [2005/07/12 13:30:48, 3] /SourceCache/samba/samba-60.2/samba/source/smbd/error.c:error_packet(105)
      error string = No such file or directory
    [2005/07/12 13:30:48, 3] /SourceCache/samba/samba-60.2/samba/source/smbd/error.c:error_packet(129)
      error packet at /SourceCache/samba/samba-60.2/samba/source/smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2005/07/12 13:30:48, 5] /SourceCache/samba/samba-60.2/samba/source/lib/util.c:show_msg(464)
    [2005/07/12 13:30:48, 5] /SourceCache/samba/samba-60.2/samba/source/lib/util.c:show_msg(474)
    
    
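The debug excerpt above shows smbd trying the NT-hash (NTLMv1) path through Open Directory, getting NT_STATUS_WRONG_PASSWORD from the backend, and reporting NT_STATUS_LOGON_FAILURE to the client in the SMBsesssetupX reply. As an added example that is not part of the thread, the POSIX sh/awk helper below condenses a level-9 smbd log to one line per failed session setup, so the user, the auth path that was tried and the two error codes can be read at a glance. The sample log is the posted excerpt re-embedded here; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): reduce a Samba level-9 smbd debug log to
# one line per failed SMB session setup, showing which authentication path was
# tried and what the client was told. Function names are this example's own.
set -e

# Constructed sample: the debug excerpt posted above. A record is a header line
# "[date time, level] file:function(line)" followed by one message line.
SAMPLE_LOG='[2005/07/12 13:30:48, 4] auth_ods.c:opendirectory_account_ok(754)
  opendirectory_account_ok: Checking SMB password for user sstewart
[2005/07/12 13:30:48, 4] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(596)
  opendirectory_ntlm_password_check: Checking NT MD4 password
[2005/07/12 13:30:48, 1] auth_ods.c:opendirectory_auth_user(212)
  User "sstewart" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14481) :(
[2005/07/12 13:30:48, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
  opendirectory_smb_pwd_check_ntlmv1: [-14481]opendirectory_auth_user
[2005/07/12 13:30:48, 3] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(605)
  opendirectory_ntlm_password_check: NT MD4 password check failed for user sstewart
[2005/07/12 13:30:48, 5] /SourceCache/samba/samba-60.2/samba/source/auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: opendirectory authentication for user [sstewart] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/07/12 13:30:48, 2] /SourceCache/samba/samba-60.2/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [sstewart] -> [sstewart] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/07/12 13:30:48, 3] /SourceCache/samba/samba-60.2/samba/source/smbd/error.c:error_packet(105)
  error string = No such file or directory
[2005/07/12 13:30:48, 3] /SourceCache/samba/samba-60.2/samba/source/smbd/error.c:error_packet(129)
  error packet at /SourceCache/samba/samba-60.2/samba/source/smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE'

samba_auth_summary() {  # reads smbd debug output on stdin
  awk '
    function reset() { ts = "?"; user = "?"; backend = "?"; method = "?"; ods = "?"; status = "?" }
    BEGIN { reset() }
    # Header line: keep the timestamp; the routine name tells which path is running.
    /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9], [0-9]+\]/ {
      ts = substr($0, 2, 19)
      fn = $0; sub(/^[^]]*\] */, "", fn)
      if (fn ~ /ntlmv1/)             method = "NTLMv1"
      else if (fn ~ /ntlmv2/)        method = "NTLMv2"
      else if (fn ~ /krb5|kerberos/) method = "Kerberos"
      next
    }
    /Checking SMB password for user / { user = $NF }
    # "Checking NT MD4 password" means a hash comparison, i.e. NTLM rather than Kerberos.
    /Checking NT MD4 password/ { if (method == "?") method = "NTLM" }
    # Open Directory reports the dsAuth method it tried inside the second quoted string.
    /failed to authenticate with "/ { split($0, q, "\""); ods = q[4] }
    /[a-z]+ authentication for user .* FAILED with error NT_STATUS_/ {
      backend = $0; sub(/ authentication for user.*/, "", backend); sub(/.* /, "", backend)
    }
    /FAILED with error NT_STATUS_/ { status = $NF }
    # The session setup error packet closes the record; its last field is what the client saw.
    /error packet at .*SMBsesssetupX/ {
      printf "%s user=%s backend=%s method=%s ods=%s status=%s reply=%s\n",
             ts, user, backend, method, ods, status, $NF
      reset()
    }'
}

count_ntlmv1_failures() {  # reads smbd debug output on stdin, prints how many failures used NTLMv1
  samba_auth_summary | grep -c 'method=NTLMv1' || true
}

# Walk-through on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | samba_auth_summary
```

On a live server the same thing is `samba_auth_summary < /var/log/samba/log.smbd` (path assumed); the backend status (NT_STATUS_WRONG_PASSWORD) and the wire reply (NT_STATUS_LOGON_FAILURE) are kept separate because a client only ever sees the latter.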
    #362295
    Zeheeba
    Participant

    **EDIT**

    Okay, I just ran through the process on another of my servers that I needed to set up anyway. Here are the exact steps.

    1.) Set up Directory Access so you are bound to the AD domain. Make sure the AD domain is showing up in your authentication path.

    2.) Open up Server Admin. Go to the "Open Directory" bubble. Click on the Settings tab. Click on the "Join Kerberos" button. You will need to authenticate as a user on AD that has permissions to do this. There is no real message saying this succeeded. I think it will tell you if it fails due to permissions and such.

    3.) Click on the Windows Bubble in ServerAdmin. Stop SMB Services.
    vi into your /etc/smb.conf. Make the following changes:

    security = domain
    workgroup = "your domain name" (in our case it's ZREALM.ORG, and I needed to use just ZREALM, without the .org)
    use spnego = yes

    Close and save conf file.

    4.) Go back into Server Admin and click on the Windows bubble. Before you start the service, click on the Settings tab. Select "Domain Member" from the drop-down menu. Now keep in mind that a bunch of "I can't save this info" boxes will appear; click to close them and forget about them. Fill in the Domain box with the same info you entered in the conf file, in my case ZREALM. Once that data is complete, click Save. It will then ask you to authenticate again. Enter the username and password and click OK.

    5.) Now start up Windows services. Click Refresh on the top bar and you should see that "Domain Member" sticks. If all went correctly, you should be all set up for domain Kerberos authentication.

    My fingers are crossed for ya.

    Regards,

    Z

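The steps above edit smb.conf by hand. As an added example that is not part of the post, the POSIX sh/awk helper below makes the same edits and then checks the file for the settings this thread turned out to need: security = domain, a short NetBIOS workgroup name rather than the DNS realm, use spnego = yes, ntdomain in auth methods (from the earlier reply), and domain logons = no, since domain logons = yes is Samba's PDC role and the working config at the end of the thread has it off. The sample config, the file path, the helper names and the exact set of checks are assumptions for this example. It rewrites the file it is given, so point it at a scratch copy first, and stop SMB services before touching the live file, as step 3 says. It also prints a note when client ntlmv2 auth = no is present, because that setting lets Samba's own client side (smbclient, winbind) answer with NTLMv1 responses; both configs in the thread keep it.

```shell
#!/bin/sh
# Added example (not from the thread): apply the domain-member smb.conf changes
# described in the post with a small sh/awk helper and verify the result.
# Sample config, paths and function names are assumptions for this example.
set -e

# Constructed sample: the authentication-related globals from the original smb.conf.
write_sample_conf() {  # write_sample_conf <path>
  cat > "$1" <<'EOF'
[global]
        workgroup = CS
        security = ads
        realm = CS.UNIV.EDU
        use spnego = yes
        auth methods = guest opendirectory
        client ntlmv2 auth = no
        domain logons = yes
        passdb backend = opendirectorysam guest
EOF
}

# Print the value of a parameter. smb.conf keys are case-insensitive and
# whitespace around '=' is ignored, so normalise before comparing.
smb_get() {  # smb_get <conf> <parameter>
  awk -v key="$2" '
    index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) {
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        print v; exit
      }
    }' "$1"
}

# Replace a parameter in place, or append it if absent (what the post does in vi).
smb_set() {  # smb_set <conf> <parameter> <value>
  awk -v key="$2" -v val="$3" '
    index($0, "=") {
      k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
      if (tolower(k) == tolower(key)) { print "        " key " = " val; done = 1; next }
    }
    { print }
    END { if (!done) print "        " key " = " val }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 3 of the post, plus the auth methods line from the earlier reply and the
# domain logons value from the final config: member server, not PDC.
apply_domain_member() {  # apply_domain_member <conf> <short NetBIOS domain name>
  smb_set "$1" "security" "domain"
  smb_set "$1" "workgroup" "$2"
  smb_set "$1" "use spnego" "yes"
  smb_set "$1" "auth methods" "guest ntdomain opendirectory"
  smb_set "$1" "domain logons" "no"
}

# Returns 0 if the file looks like a domain-member config, 1 otherwise, printing why.
check_domain_member() {  # check_domain_member <conf>
  conf=$1; ok=0
  [ "$(smb_get "$conf" security)" = "domain" ] || { echo "security is not 'domain'"; ok=1; }
  [ "$(smb_get "$conf" "use spnego")" = "yes" ] || { echo "use spnego is not 'yes' (no SPNEGO/Kerberos negotiation)"; ok=1; }
  case "$(smb_get "$conf" workgroup)" in
    "")  echo "workgroup is missing"; ok=1 ;;
    *.*) echo "workgroup must be the short domain name, not the DNS realm"; ok=1 ;;
  esac
  case " $(smb_get "$conf" "auth methods") " in
    *" ntdomain "*) ;;
    *) echo "auth methods lacks 'ntdomain' (no pass-through to the DC for NTLM clients)"; ok=1 ;;
  esac
  [ "$(smb_get "$conf" "domain logons")" != "yes" ] || { echo "domain logons = yes makes this server a PDC, not a member"; ok=1; }
  # Advisory only: the thread keeps this setting, but it allows NTLMv1 responses outbound.
  [ "$(smb_get "$conf" "client ntlmv2 auth")" != "no" ] || echo "note: client ntlmv2 auth = no lets Samba's own client side send NTLMv1 responses"
  return $ok
}

# Walk-through on a scratch copy of the constructed sample.
tmp=${TMPDIR:-/tmp}/smb.conf.example.$$
write_sample_conf "$tmp"
if check_domain_member "$tmp"; then echo "before: domain member"; else echo "before: not a domain member"; fi
apply_domain_member "$tmp" CS
check_domain_member "$tmp" && echo "after: domain member (security=$(smb_get "$tmp" security), workgroup=$(smb_get "$tmp" workgroup))"
rm -f "$tmp"
```

On a real 10.3 server the file is /etc/smb.conf, so the calls would be `apply_domain_member /etc/smb.conf CS` followed by `check_domain_member /etc/smb.conf` before starting Windows services again; Server Admin's "Domain Member" setting (step 4) still has to be made on top of this, as the post describes.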
    #362296
    stewarsh
    Participant

    That did it, dude! Thanks! After restoring the original smb.conf file and making the changes you described, everything is much happier now.

    Also, when I used my Windows Domain Admin account, rather than local admin, to set the Domain Member server setting, it accepted it w/o any complaints.

    My final config file is below in case others are interested.

            log level = 9
            display charset = UTF-8-MAC
            print command = /usr/sbin/PrintServiceAccess printps %p %s
            lprm command = /usr/sbin/PrintServiceAccess remove %p %j
            security = domain
            guest account = unknown
            encrypt passwords = yes
            printing = BSD
            allow trusted domains = no
            preferred master = no
            lppause command = /usr/sbin/PrintServiceAccess hold %p %j
            netbios name = xserve
            wins support = no
            max smbd processes = 0
            printcap =  
            wins server = xxx.xxx.xxx.10 
            server string = Mac OS X
            lpresume command = /usr/sbin/PrintServiceAccess release %p %j
            client ntlmv2 auth = no
            domain logons = no
            lpq command = /usr/sbin/PrintServiceAccess jobs %p
            passdb backend = opendirectorysam guest
            dos charset = CP437
            unix charset = UTF-8-MAC
            auth methods = guest ntdomain opendirectory
            local master = no
            use spnego = yes
            map to guest = Never
            domain master = no
            printer admin = @admin, @staff
            defer sharing violations = no
            workgroup = CS
    
    
    
    #362297
    Zeheeba
    Participant

    That's great, man, glad it worked! In 10.4 all of this is taken care of on the fly, so all you have to do is set up the Directory Services and join the Kerberos domain. After that, SMB is automatically a domain member.

    I only spent a couple of days messing around with settings to figure out this process, only to have Apple fix it. LOL. Better for it to be fixed; it's much easier.

    Gratz,

    Z
