GNU/Linux | Homebrew designs | Perl | Ruby | Administration | Backup/Recovery | Bugs/Fixes | Certification | Database | Email | File/Print | Hardware | Information Grab Bag | Interoperability | GNU/Linux ABCs | Monitoring | Name Resolution | Network Services | Networking | Remote Control | Security | Desktop | Web | BSD | Solaris | GIAGD | ERP | REALbasic

Last 30 Days | Last 60 Days | Last 90 Days | All Articles | RSS

·Homebrew designs
·Information Grab Bag
·GNU/Linux ABCs
·Name Resolution
·Network Services
·Remote Control
·All Categories

Using Samba to Authenticate GNU/Linux Against Active Directory
Topic:GNU/Linux   Date: 2002-12-31
Printer Friendly: Print   Mobile View: mobile

<<  <   >  >>


Samba 3.0 allows Linux to authenticate against Active Directory and access shared resources on a Windows 2000 server. Samba 3.0 is still beta. For info on the status, see the status page at This article will detail the procedure to get this running with Red Hat 8.0.

First, get the Samba distribution from Remove the old samba packages if installed and install the new one. We will also need the krb5-workstation-1.2.5-6 package:

[root@srv-34 rpms]# rpm -e samba-common-2.2.5-10 --nodeps
[root@srv-34 rpms]# rpm -e samba-client-2.2.5-10
[root@srv-34 rpms]# rpm -i samba-3.0alpha21-1.i386.rpm
Looking for old /etc/smb.conf...
Looking for old /etc/smbusers...
Looking for old /etc/lmhosts...
Looking for old /etc/MACHINE.SID...
Looking for old /etc/smbpasswd...
Moving tdb files in /var/lock/samba/*.tdb to /var/cache/samba/*.tdb
Installing stack version of /etc/pam.d/samba...
[root@srv-34 rpms]# rpm -i krb5-workstation-1.2.5-6.i386.rpm

We need to make sure that the dates match up, or things will go haywire. There is a cool utility with Red Hat called dateconfig. Now, srv-34 is one of the machines we manage through our serial port console mux dealie, so we need to export the display to use GUI utilities. On the machine we want to run the GUI on, run xhost +, which is srv-34's IP address, then:

[root@srv-34 rpms]# export DISPLAY=u-1:0.0
[root@srv-34 rpms]# dateconfig
Shutting down ntpd:                                        [FAILED]
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@srv-34 rpms]#

Here is a shot of the time set utility. Time is good. Just make sure your Windows box is syncing time as well. Edit /etc/krb5.conf. Here is a copy of srv-34's. Note that you do need to pay attention to the caps. First, Kerberos can't find the entry if you don't match case. Also, it appears that upper case is needed for Active Directory. When we tried to authenticate with signalqint.COM, all failed miserably with the error: KDC reply did not match expectations while getting initial credentials. Another problem is that we tested with administrator:

[root@srv-34 etc]# /usr/kerberos/bin/kinit [email protected]
Password for [email protected]:
kinit(v5): KDC has no support for encryption type while getting initial credentials

The event logs give a clue. Here is what shows up in the event log. Just reset the password. We also filled in the administrator name here. Once all is working OK with Kerberos, kinit should come back without errors:

[root@srv-34 etc]# /usr/kerberos/bin/kinit [email protected]
Password for [email protected]:
[root@srv-34 etc]#

Kerberos can connect and authenticate. Let's hack out a minimal smb.conf file, which we'll put in /etc/samba/:

[root@srv-34 etc]# cat /etc/samba/smb.conf
ads server =
security = ADS
encrypt passwords = yes
[root@srv-34 etc]#

Now, lets join srv-34 to the Active Directory:

[root@srv-34 samba]# net ads join
Joined 'srv-34' to realm 'SIGNALQINT.COM'
[root@srv-34 samba]#

On the Windows 2000 server, in the Active Directory Users And Computers tool, the properties for the computer srv-34 show up as this, and this. If we create a share called public and give adminsrator read only access:

[root@srv-34 samba]# smbclient // -k
added interface ip= bcast= nmask=
Doing spnego session setup (blob length=106)
Doing kerberos session setup
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: >
smb: > del testdoc.txt
NT_STATUS_ACCESS_DENIED deleting remote file 	estdoc.txt
smb: >
smb: > get testdoc.txt
getting file 	estdoc.txt of size 4 as testdoc.txt (0.1 kb/s) (average 0.1 kb/s)
smb: >

All is good.


Please read our Terms of Use and our Privacy Policy
Microsoft, Windows, Windows Server are either trademarks or registered trademarks of Microsoft Corporation. is not affiliated with Microsoft Corporation. Linux is a registered trademark of Linus Torvalds, and refers to the Linux kernel. The operating system of most distributions that contain the Linux kernel is GNU/Linux. All logos and trademarks in this site are property of their respective owner. Copyright 1997-2013