Using Samba to Authenticate GNU/Linux Against Active Directory

Samba 3.0 allows Linux to authenticate against Active Directory and access shared resources on a Windows 2000 server. Samba 3.0 is still beta. For info on the status, see the status page at This article will detail the procedure to get this running with Red Hat 8.0.

First, get the Samba distribution from Remove the old samba packages if installed and install the new one. We will also need the krb5-workstation-1.2.5-6 package:

[root@srv-34 rpms]# rpm -e samba-common-2.2.5-10 --nodeps
[root@srv-34 rpms]# rpm -e samba-client-2.2.5-10
[root@srv-34 rpms]# rpm -i samba-3.0alpha21-1.i386.rpm
Looking for old /etc/smb.conf...
Looking for old /etc/smbusers...
Looking for old /etc/lmhosts...
Looking for old /etc/MACHINE.SID...
Looking for old /etc/smbpasswd...
Moving tdb files in /var/lock/samba/*.tdb to /var/cache/samba/*.tdb
Installing stack version of /etc/pam.d/samba...
[root@srv-34 rpms]# rpm -i krb5-workstation-1.2.5-6.i386.rpm

We need to make sure that the dates match up, or things will go haywire (Kerberos rejects tickets when the clocks are too far apart). There is a cool utility with Red Hat called dateconfig. Now, srv-34 is one of the machines we manage through our serial port console mux dealie, so we need to export the display to use GUI utilities. On the machine we want to run the GUI on, run xhost + with srv-34’s IP address, then:

[root@srv-34 rpms]# export DISPLAY=u-1:0.0
[root@srv-34 rpms]# dateconfig
Shutting down ntpd:                                        [FAILED]
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]
[root@srv-34 rpms]#

Here is a shot of the time set utility. Time is good. Just make sure your Windows box is syncing time as well. Edit /etc/krb5.conf. Here is a copy of srv-34’s. Note that you do need to pay attention to the caps. First, Kerberos can’t find the entry if you don’t match case. Also, it appears that upper case is needed for Active Directory. When we tried to authenticate with signalqint.COM, all failed miserably with the error: KDC reply did not match expectations while getting initial credentials. Another problem came up when we tested with administrator:

[root@srv-34 etc]# /usr/kerberos/bin/kinit administrator@SIGNALQINT.COM
Password for administrator@SIGNALQINT.COM:
kinit(v5): KDC has no support for encryption type while getting initial credentials

The event logs give a clue. Here is what shows up in the event log. Just reset the password. We also filled in the administrator name here. Once all is working OK with Kerberos, kinit should come back without errors:

[root@srv-34 etc]# /usr/kerberos/bin/kinit administrator@SIGNALQINT.COM
Password for administrator@SIGNALQINT.COM:
[root@srv-34 etc]#
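Because the realm-name case problems above only show up as cryptic kinit errors, it helps to lint /etc/krb5.conf before touching Samba. The script below is an added example and not part of the original article: it parses the subset of krb5.conf syntax used for an AD realm and flags realm names that are not upper case, or a default_realm with no case-matching [realms] entry. The sample configs are constructed; srv-34's real krb5.conf is not reproduced on the page, and the KDC host name dc1.signalqint.com is a placeholder.

```python
import re

# Constructed sample of a krb5.conf with the mixed-case realm that the article
# reports failing ("KDC reply did not match expectations"). The KDC host name
# is a placeholder; the article does not reproduce srv-34's real file.
KRB5_CONF_MIXED_CASE = """\
[libdefaults]
    default_realm = signalqint.COM
    dns_lookup_kdc = true

[realms]
    signalqint.COM = {
        kdc = dc1.signalqint.com
        admin_server = dc1.signalqint.com
    }

[domain_realm]
    .signalqint.com = signalqint.COM
"""

# Same file with the realm name written in upper case everywhere
# (the DNS host names stay lower case; only the realm name is case-sensitive).
KRB5_CONF_UPPER_CASE = KRB5_CONF_MIXED_CASE.replace("signalqint.COM", "SIGNALQINT.COM")


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here: [section] headers,
    key = value lines, and REALM = { ... } blocks inside [realms].
    Returns {section: {key: value}} with realm blocks nested one level deeper."""
    sections = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[([A-Za-z_]+)\]$", line)
        if header:
            section = sections.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            continue                           # text before the first header
        if line.endswith("{"):
            name = line[:-1].split("=", 1)[0].strip()
            block = section.setdefault(name, {})
            continue
        if line == "}":
            block = None
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (block if block is not None else section)[key] = value
    return sections


def check_realm_case(text):
    """Return a list of problems that make kinit against Active Directory fail:
    realm names that are not upper case, and a default_realm that has no
    exactly matching (case-sensitive) entry under [realms]."""
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    problems = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default and default != default.upper():
        problems.append(f"default_realm '{default}' is not upper case")
    for name in realms:
        if name != name.upper():
            problems.append(f"[realms] entry '{name}' is not upper case")
    if default and default not in realms:
        problems.append(f"default_realm '{default}' has no [realms] entry with matching case")
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm != realm.upper():
            problems.append(f"[domain_realm] maps '{domain}' to '{realm}', which is not upper case")
    return problems


if __name__ == "__main__":
    for label, conf in (("mixed case", KRB5_CONF_MIXED_CASE), ("upper case", KRB5_CONF_UPPER_CASE)):
        found = check_realm_case(conf)
        print(f"{label}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```

Run it against the file you are about to install (`check_realm_case(open("/etc/krb5.conf").read())`); an empty list means the realm names are at least consistent and upper case, which is the state the kinit run above needed before it succeeded.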

Kerberos can connect and authenticate. Let’s hack out a minimal smb.conf file, which we’ll put in /etc/samba/:

[root@srv-34 etc]# cat /etc/samba/smb.conf
ads server =
security = ADS
encrypt passwords = yes
[root@srv-34 etc]#

Now, let’s join srv-34 to the Active Directory:

[root@srv-34 samba]# net ads join
Joined 'srv-34' to realm 'SIGNALQINT.COM'
[root@srv-34 samba]#

On the Windows 2000 server, in the Active Directory Users And Computers tool, the properties for the computer srv-34 show up as this, and this. If we create a share called public and give administrator read-only access:

[root@srv-34 samba]# smbclient // -k
added interface ip= bcast= nmask=
Doing spnego session setup (blob length=106)
Doing kerberos session setup
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: >
smb: > del testdoc.txt
NT_STATUS_ACCESS_DENIED deleting remote file \testdoc.txt
smb: >
smb: > get testdoc.txt
getting file \testdoc.txt of size 4 as testdoc.txt (0.1 kb/s) (average 0.1 kb/s)
smb: >

All is good.