2

I have an Ubuntu server joined to our office Active Directory domain (Windows 2008) and it all seems happy. I can ssh to the server using my AD credentials and home directories get created and all is fine.

I want to share a directory out from the server and use AD authentication (security = ads) using Samba.

Following the docs, I got to the situation where I can see the share externally, but my AD credentials do not allow me to connect.

Using the same credentials from the server itself works using mount.cifs -- i.e. I can mount \\localhost\share using domain\me

I cannot get it to work from my desktop using my AD credentials, but I can connect using a set of Unix credentials so it seems that Samba can't resolve my AD details, but that confuses me as I can use AD credentials using mount.cifs as stated above.

Is there something about the way Windows provides the credentials that Samba doesn't understand?

Bonus question:

I haven't set up Subversion on the server yet, but when I do will I be able to use AD credentials to authenticate on HTTP access via Apache?

nickd
  • I cannot get this to work and have other matters that are more pressing. I have for the moment allowed guest access to the share in question, bypassing AD. – nickd Mar 22 '10 at 12:34

2 Answers

2

The first thing you should do is check your Samba logs, and if need be turn up the log level: http://oreilly.com/catalog/samba/chapter/book/ch04_08.html

Samba is fairly verbose and helpful when it comes to explaining why a connection was not permitted. You'll no doubt find some very good hints as to what your problem is in the logs. e.g. Find the original error message and do a Google search.

David Harrison
  • I had unwound some of my settings and now I am having trouble even getting as far as I was. I can still ssh to the box, but I can't mount.cifs anymore. Samba log file is saying `create_connection_server_info failed: NT_STATUS_ACCESS_DENIED` – nickd Feb 10 '10 at 18:08
  • If you are seeking an answer you need to post more information. e.g. Your Samba configuration and the error logs you are seeing. Turning up the log level in Samba will display the source of the NT_STATUS_ACCESS_DENIED message which you can then Google, post here, or on the Samba mailing list. – David Harrison Feb 23 '10 at 15:49
1

When connecting from a Windows machine to a share like that you need to specify the domain:

`domain\user`

This is only necessary when the Windows machine is not joined to the domain.

With regard to your second question, the answer is yes. Example config:

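```apache
<Location /svn>
    DAV svn
    SVNParentPath /path/to/svn
    AuthType Basic
    AuthName "SVN"
    AuthBasicProvider ldap
    # Service account used for the initial user search (AD rejects anonymous binds)
    AuthLDAPBindDN "CN=BINDUSER,CN=Users,DC=domain,DC=com"
    AuthLDAPBindPassword BINDPASSWORD
    # Format: ldap://host:port/basedn?attribute?scope?filter
    AuthLDAPURL "ldap://ldap.server.hostname:389/OU=Users,DC=company,DC=com?sAMAccountName?sub?(objectClass=*)"
    # Apache 2.2 directive (removed in Apache 2.4)
    AuthzLDAPAuthoritative off
    Require valid-user
</Location>
```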

It's important to note that AD will not allow anonymous binds, so you'll need to create a user to bind with, something like svnauth, and replace BINDUSER/BINDPASSWORD above.

sideh
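
How the `AuthLDAPURL` in the answer above is interpreted, as an added example that is not part of the original answer: mod_authnz_ldap splits the URL into base DN, attribute, scope and filter, then searches with `(&(filter)(attribute=username))` before binding as the user it found. The function names are hypothetical, and the login name containing special characters is constructed.

```python
from urllib.parse import urlsplit, unquote

# The AuthLDAPURL value from the answer's config.
PAGE_URL = ("ldap://ldap.server.hostname:389/OU=Users,DC=company,DC=com"
            "?sAMAccountName?sub?(objectClass=*)")

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its fields."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # Missing trailing fields fall back to the mod_authnz_ldap defaults.
    attribute, scope, flt = (unquote(f) for f in (parts.query.split("?") + [""] * 3)[:3])
    flt = flt or "(objectClass=*)"
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if scheme == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute.split(",")[0] or "uid",
        "scope": scope or "sub",
        "filter": flt if flt.startswith("(") else "(" + flt + ")",
    }

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_search_filter(cfg, username):
    """Filter used to locate the user's DN before the password bind."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))

def transport_findings(cfg):
    """Flag settings that expose Basic-auth and bind passwords on the wire."""
    findings = []
    if cfg["scheme"] != "ldaps":
        findings.append("ldap:// is unencrypted unless STARTTLS is configured")
    if cfg["scheme"] == "ldaps" and cfg["port"] == 389:
        findings.append("ldaps:// on port 389; LDAPS normally listens on 636")
    return findings

if __name__ == "__main__":
    cfg = parse_auth_ldap_url(PAGE_URL)
    print(cfg)
    print(user_search_filter(cfg, "nickd"))
    print(user_search_filter(cfg, "nick*(d)"))  # constructed login name
    print(transport_findings(cfg))
```
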