  1. #1

    CentOS 6.5 with Samba4 doing AD Authentication only

    Good morning,

    Curious if anyone has gotten this working? In my environment, we are running CentOS 5.9 and 6.5 with Samba3 and using Active Directory for authentication. We are not using any other samba features.

    We are wanting to play with Samba4, and for the life of me, I cannot get it to authenticate against AD. I can join the host, I can query available DCs, but I cannot get wbinfo -u or -g to work, and id <username> returns nothing.

    /var/log/secure shows invalid ID.

    Configuration wise, we do not want these hosts to act as Samba4 DCs, and we don't want to share any file systems, all we are looking for is AD authentication.

    Environment is CentOS 6.5, Samba4, using winbind to authenticate with AD.


  2. #2
    Linux Engineer
    Join Date
    Apr 2012
    Virginia, USA
    Did you remember to restart/start the winbind service after joining AD?

  3. #3
    I replied, and it never showed up. Strange.

    Yes, restarting winbind service was also done.

    I will add more details when I know replying to this thread again won't lose everything I type.

  5. #4
    Here is what I posted on another forum, this should cover all the config questions;

    Good day,

    I am testing Samba4 in our environment, this will replace our samba3 AD Authentication solution. We only use samba for AD Authentication, we do not use it for samba shares, or DNS, and we do not want it acting as a domain controller. The only requirement I have is purely, AD Authentication. Samba3 is working as expected in this area. I have searched high and low for a good AD Authentication only guide, blog post, anything on google, as well as this board. I have not had any luck finding anyone talking about just Samba4 and AD Authentication without activating it as a DC, with DNS, etc.

    CentOS 6.5 OS
    yum installed Samba4 packages:
    - samba4-common-4.0.0-61.el6_5.rc4.x86_64
    - samba4-libs-4.0.0-61.el6_5.rc4.x86_64
    - samba4-client-4.0.0-61.el6_5.rc4.x86_64
    - samba4-winbind-clients-4.0.0-61.el6_5.rc4.x86_64
    - samba4-winbind-4.0.0-61.el6_5.rc4.x86_64
    Domain User: ad_user01
    Domain Controller windows version: Windows 2003 R2

    Configuration is consistent with what we have in place for samba3 (which is working):
    - workgroup = DC
    - password server =
    - realm = DC.DOMAIN.COM
    - security = ads
    - idmap config * : range = 16777216-33554431
    - template homedir = /home/%U
    - template shell = /bin/bash
    - winbind use default domain = true
    - winbind offline logon = false

    I can join the domain as expected;
    [/usr/bin/net join -w AD -S -U ad_user01]
    Enter ad_user01 password:
    Using short domain name -- DC
    Joined 'SERVER1' to realm ''
    Starting Winbind services: [ OK ]
    Starting oddjobd: [ OK ]

    I can register a Kerberos ticket to the domain;
    local_user@server1 ~]$ kinit ad_user01@DC.DOMAIN.COM
    Password for ad_user01@DC.DOMAIN.COM:
    local_user@server1 ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_500
    Default principal: ad_user01@DC.DOMAIN.COM
    Valid starting     Expires            Service principal
    04/18/14 09:37:24  04/18/14 19:37:28  krbtgt/DC.DOMAIN.COM@DC.DOMAIN.COM
            renew until 04/25/14 09:37:24
    local_user@server1 ~]$

    I am not able to query domain users, or groups. wbinfo -u and -g both return to the command prompt without any output. "wbinfo --all-domains", however, returns the expected domains. Not sure why one works, and the others do not.

    Additional information;
    - I can see a successful query on the DC in the event viewer logs for user "ad_user01"
    - There are no errors when I restart winbind
    - /var/log/secure shows the following entries when I attempt to log in with an AD user;
    Apr 18 09:29:49 server1 sshd[8962]: Invalid user ad_user01 from
    Apr 18 09:29:49 server1 sshd[8963]: input_userauth_request: invalid user ad_user01
    Apr 18 09:29:52 server1 sshd[8962]: pam_unix(sshd:auth): check pass; user unknown
    Apr 18 09:29:52 server1 sshd[8962]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
    Apr 18 09:29:52 server1 sshd[8962]: pam_succeed_if(sshd:auth): error retrieving information about user ad_user01
    Apr 18 09:29:55 server1 sshd[8962]: Failed password for invalid user ad_user01 from port 54321 ssh2
    Apr 18 09:29:55 server1 sshd[8963]: Connection closed by
    - Obvious stuff like /etc/nsswitch is configured properly;
    passwd: files winbind
    shadow: files winbind
    group: files winbind
    - NTP and DNS are working, and in sync (it's syncing with the domain controller)

    At this point I am looking towards the community for some assistance. If requirements have changed between Samba3 and 4 where I now need to install samba4 server, I will, I have just not needed it for our samba3 AD Authentication.

    Thank you!

  6. #5
    Linux Engineer
    Join Date
    Apr 2012
    Virginia, USA
    I don't see pam_winbind in your log, have you setup your pam files to include winbind?

  7. #6
    Just Joined! jaysunn
    Join Date
    Apr 2009
    New York City - USA
    How long is the hostname of the Linux server? 15 or less, I think, for AD connections. Also, this command is useful:

    net ads join -U Administrator
    Also the clock is super important on the linux machine.
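
The checks raised in posts #4 to #6, as an added shell example that is not part of any post in the thread: it classifies the quoted /var/log/secure lines, lists which PAM modules logged anything, and tests the nsswitch and hostname-length points. The function names are hypothetical, and the sample input is constructed from the lines quoted in post #4, with 192.0.2.10 standing in for the blank address.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed from the
# lines quoted in post #4; 192.0.2.10 is a placeholder for the blank address.
SAMPLE_LOG='Apr 18 09:29:49 server1 sshd[8962]: Invalid user ad_user01 from 192.0.2.10
Apr 18 09:29:52 server1 sshd[8962]: pam_unix(sshd:auth): check pass; user unknown
Apr 18 09:29:52 server1 sshd[8962]: pam_succeed_if(sshd:auth): error retrieving information about user ad_user01
Apr 18 09:29:55 server1 sshd[8962]: Failed password for invalid user ad_user01 from 192.0.2.10 port 54321 ssh2'
SAMPLE_NSS='passwd: files winbind
shadow: files winbind
group: files winbind'

# Print the PAM modules that logged anything for sshd, one per line, sorted.
pam_modules_seen() {
    printf '%s\n' "$1" | sed -n 's/.*sshd\[[0-9]*\]: \(pam_[a-z_]*\)(.*/\1/p' | sort -u
}

# sshd logs "Invalid user" when getpwnam() finds no account, so the name
# service (NSS) lookup failed before any password was ever checked.
classify_failure() {
    if printf '%s\n' "$1" | grep -q 'sshd\[[0-9]*\]: Invalid user '; then
        echo nss-lookup-failed
    elif printf '%s\n' "$1" | grep -q 'Failed password for '; then
        echo password-rejected
    else
        echo unknown
    fi
}

# Succeed if the nsswitch.conf text in $1 lists winbind for database $2.
nss_uses_winbind() {
    printf '%s\n' "$1" | grep -Eq "^$2:.*[[:space:]]winbind([[:space:]]|\$)"
}

# NetBIOS computer names hold at most 15 characters; test the short hostname.
netbios_name_ok() {
    short=${1%%.*}
    [ "${#short}" -le 15 ]
}

triage() {
    echo "failure class: $(classify_failure "$SAMPLE_LOG")"
    echo "PAM modules  : $(pam_modules_seen "$SAMPLE_LOG" | tr '\n' ' ')"
    pam_modules_seen "$SAMPLE_LOG" | grep -qx pam_winbind || echo "pam_winbind never logged"
    nss_uses_winbind "$SAMPLE_NSS" passwd && echo "nsswitch passwd: winbind listed"
    netbios_name_ok server1 && echo "hostname fits the NetBIOS limit"
}
triage
```

On a live host, pass the contents of /var/log/secure and /etc/nsswitch.conf and the output of `hostname` in place of the embedded samples.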
