Thursday, May 10, 2007

Longhorn server and Ubuntu Active Directory Authentication

Longhorn Server and Ubuntu: do they still play together?

The best feature of Samba is being able to join an Active Directory domain and authenticate against it for desktop logins, web applications and almost anything else you can think of that requires a user name and password. In the past I have used Winbind authentication for email over POPS and IMAPS and found the features to be fantastic for any business that operates in a heterogeneous environment.

Microsoft have just released Longhorn Server Beta 3, which offers a fairly big change from previous Windows Server versions in the way it approaches network management, with a large focus on role-based servers. The real question, however, is whether Linux boxes can still join and authenticate against Active Directory domains running at the native Longhorn Server functional level. Well, the answer is an unsurprising NO!

I spent around 8 hours trying to get this to work, based on previous working configurations that I had for Windows 2003, and nothing worked at all.

Below is a quick look at the configuration I had which failed to work.

I started with a stock standard Ubuntu 7.04 install and a base install of Longhorn Server Beta 3; you can review my configurations below. Based on what I have found I believe that Microsoft have changed some major parts of Kerberos, since the standard encryption for Windows didn't work. When I changed this to auto-negotiation I was able to get a ticket; however, when I attempted to add the computer to the domain I continued to get different Kerberos errors.

#first step

odin749@odin749:~$ sudo su -


root@odin749:~# apt-get update

root@odin749:~# apt-get dist-upgrade

#enable remote login

root@odin749:~# apt-get install ssh

#Install Samba

root@odin749:~# apt-get install samba

#Install Winbind

root@odin749:~# apt-get install winbind

#Install Kerberos (krb5-user provides kinit and klist; krb5-clients is the kerberised telnet/ftp/rsh set and is not needed for the join)

root@odin749:~# apt-get install krb5-clients krb5-user


root@odin749:~# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5lib.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = ASTECH.COM
 #des3-hmac-sha1 is not an enctype an Active Directory KDC issues (AD offers single DES, RC4-HMAC and, from Server 2008, AES),
 #and des-cbc-crc is single DES; the revised krb5.conf further down drops both lines and lets the client and KDC negotiate
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
 #the KDC host names are left blank here
 ASTECH.COM = {
  kdc =
  admin_server =
  default_domain = ASTECH.COM
 }

[domain_realm]
 .astech.com = ASTECH.COM
 astech.com = ASTECH.COM


root@odin749:~# vi /etc/samba/smb.conf

[global]
 workgroup = ASGUARD
 #security = ADS also needs 'realm = ASTECH.COM' (the Kerberos realm, distinct from the NetBIOS workgroup); no realm line appears in this listing
 security = ADS
 password server =
 domain master = No
 #500-1000 is only about 500 ids and includes 1000, the uid/gid Ubuntu gives the first local user;
 #winbind needs a range that nothing in /etc/passwd or /etc/group already uses
 idmap uid = 500-1000
 idmap gid = 500-1000
 template shell = /bin/bash
 #testparm warns about this separator below; '\' is the other common choice
 winbind separator = +
 winbind use default domain = Yes

root@odin749:~# testparm

Load smb config files from /etc/samba/smb.conf

Loaded services file OK.

'winbind separator = +' might cause problems with group membership.


Press enter to see a dump of your service definitions


root@odin749:~# vi /etc/nsswitch.conf

passwd: compat winbind

group: compat winbind

shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins

networks: files

protocols: db files

services: db files

ethers: db files

rpc: db files

netgroup: nis


root@odin749:~# vi /etc/pam.d/common-account

#the module names are missing from this listing; pam_winbind.so and pam_unix.so are assumed from the options that survived
account sufficient pam_winbind.so
account required pam_unix.so

root@odin749:~# vi /etc/pam.d/common-auth

auth sufficient pam_winbind.so
auth required pam_unix.so nullok_secure use_first_pass

root@odin749:~# vi /etc/pam.d/common-password

#min=4 accepts four-character passwords; acceptable on a lab box, not in production
password required pam_unix.so nullok obscure min=4 max=50 md5

root@odin749:~# vi /etc/pam.d/common-session

#skel path was /ect/skel in the original listing, a directory that does not exist; pam_mkhomedir.so is assumed from the umask/skel options
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_unix.so
#the module name for this optional line is not recoverable from the listing
session optional


#winbind's default 'template homedir' is /home/%D/%U, so domain users get home directories under /home/ASTECH
root@odin749:~# mkdir /home/ASTECH


#first attempt: the client cannot find a KDC for ASTECH.COM (no usable kdc entry in /etc/krb5.conf and no DNS SRV answer)
root@odin749:~# kinit administrator@ASTECH.COM

kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials


#second attempt: the KDC will not issue a ticket for any of the enctypes the client offered (des3-hmac-sha1, des-cbc-crc)
root@odin749:~# kinit administrator@ASTECH.COM

kinit(v5): KDC has no support for encryption type while getting initial credentials

root@odin749:~# vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5lib.log

[libdefaults]
 default_realm = ASTECH.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 #no default_tkt_enctypes / default_tgs_enctypes this time: the client offers its full enctype list and the KDC picks one it supports

[realms]
 #the KDC host names are left blank here; with dns_lookup_kdc = false they must be filled in
 ASTECH.COM = {
  kdc =
  admin_server =
  default_domain = ASTECH.COM
 }

[domain_realm]
 .astech.com = ASTECH.COM
 astech.com = ASTECH.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }


#Kerberos refuses a request when the client and KDC clocks differ by more than the clockskew setting (default 300 seconds); sync the clock with the domain controller (ntpdate <dc>) before retrying
root@odin749:/var/log# kinit administrator@ASTECH.COM

Password for administrator@ASTECH.COM:

kinit(v5): Clock skew too great while getting initial credentials

root@odin749:/var/log# kinit administrator@ASTECH.COM

Password for administrator@ASTECH.COM:


root@odin749:/var/log# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: administrator@ASTECH.COM

Valid starting Expires Service principal

05/04/07 23:59:09 05/05/07 09:59:02 krbtgt/ASTECH.COM@ASTECH.COM

renew until 05/05/07 23:59:09

Kerberos 4 ticket cache: /tmp/tkt0

klist: You have no tickets cached

#the join fails even though klist shows a valid TGT for administrator@ASTECH.COM in the cache
root@odin749:/var/log# net ads join -U's password:

[2007/05/05 00:01:22, 0] utils/net_ads.c:ads_startup(289)

ads_connect: No such file or directory
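The procedure above sets up krb5.conf, smb.conf and the idmap range by hand and only discovers whether they agree with each other when kinit or net ads join fails. The following is an added example, not code from the original post, from Samba or from MIT Kerberos: an offline lint that parses both files and flags the conditions that surfaced above before any network call is made, namely a realm with no kdc entry (the first kinit error), an enctype list that names des3-hmac-sha1, which an Active Directory KDC does not issue, alongside single DES (the second kinit error), a security = ADS stanza with no realm line, and an idmap range that collides with ids already in /etc/passwd or /etc/group. The function and constant names are mine; the sample configs and passwd lines are constructed for the demo, and dc1.astech.com and the 10000-20000 idmap range in the corrected pair are assumptions rather than values from the post.

```python
import re

# Enctypes a Windows KDC issues: single DES, RC4-HMAC and (from Server 2008) AES.
# 3DES (des3-hmac-sha1) is not among them, although MIT clients offer it by default.
AD_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac",
               "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96", "aes128-cts", "aes256-cts"}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}


def parse_krb5(text):
    """krb5.conf -> {section: {key: value}}; 'key = { ... }' blocks become nested dicts."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, stack = conf.setdefault(m.group(1), {}), []
        elif not line or section is None:
            continue
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            target = stack[-1] if stack else section
            if value == "{":
                stack.append(target.setdefault(key, {}))
            else:
                target[key] = value
    return conf


def parse_smb(text):
    """smb.conf -> {section: {key: value}}, names lower-cased, '#' and ';' comment lines dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = conf.setdefault(m.group(1).lower(), {})
        elif line and line[0] not in "#;" and section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            section[key.lower()] = value
    return conf


def check_join_config(krb5_text, smb_text, passwd_text):
    """Return [(code, message), ...]; an empty list means nothing obviously wrong."""
    krb5, glob = parse_krb5(krb5_text), parse_smb(smb_text).get("global", {})
    lib, found = krb5.get("libdefaults", {}), []
    realm = lib.get("default_realm", "")
    # kinit needs either a kdc line for the realm or working _kerberos._tcp SRV records
    if not krb5.get("realms", {}).get(realm, {}).get("kdc"):
        dns = lib.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
        found.append(("KDC_VIA_DNS" if dns else "NO_KDC",
                      f"no kdc listed for realm {realm!r}; dns_lookup_kdc is {'on' if dns else 'off'}"))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in lib.get(key, "").split():
            if enc in WEAK_ENCTYPES:
                found.append(("WEAK_ENCTYPE", f"{key}: {enc} is single DES"))
            elif enc not in AD_ENCTYPES:
                found.append(("UNSUPPORTED_ENCTYPE", f"{key}: an AD KDC does not issue {enc}"))
    if glob.get("security", "").lower() == "ads":
        smb_realm = glob.get("realm", "")
        if not smb_realm:
            found.append(("NO_SMB_REALM", "security = ADS but smb.conf sets no 'realm'"))
        elif smb_realm.upper() != realm.upper():
            found.append(("REALM_MISMATCH", f"smb.conf realm {smb_realm} != default_realm {realm}"))
    # winbind's idmap range must not contain ids that local accounts already use
    rows = [l.split(":") for l in passwd_text.splitlines() if l.count(":") >= 3]
    for key, col in (("idmap uid", 2), ("idmap gid", 3)):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", glob.get(key, ""))
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            clash = sorted(int(r[col]) for r in rows if lo <= int(r[col]) <= hi)
            if clash:
                found.append(("IDMAP_OVERLAP", f"{key} {lo}-{hi} already holds local ids {clash}"))
    return found


# Constructed samples: the post's first krb5.conf/smb.conf pair, then a corrected pair.
# dc1.astech.com and the 10000-20000 idmap range are assumptions, not taken from the post.
PASSWD = "root:x:0:0:root:/root:/bin/bash\nodin749:x:1000:1000::/home/odin749:/bin/bash\n"
POST_KRB5 = """[libdefaults]
 default_realm = ASTECH.COM
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
 ASTECH.COM = {
  kdc =
 }
"""
POST_SMB = "[global]\n workgroup = ASGUARD\n security = ADS\n idmap uid = 500-1000\n idmap gid = 500-1000\n"
FIXED_KRB5 = """[libdefaults]
 default_realm = ASTECH.COM
 dns_lookup_kdc = false
[realms]
 ASTECH.COM = {
  kdc = dc1.astech.com
 }
"""
FIXED_SMB = ("[global]\n workgroup = ASGUARD\n realm = ASTECH.COM\n security = ADS\n"
             " idmap uid = 10000-20000\n idmap gid = 10000-20000\n")

if __name__ == "__main__":
    for code, msg in check_join_config(POST_KRB5, POST_SMB, PASSWD):
        print(code, msg)
    print("corrected pair:", check_join_config(FIXED_KRB5, FIXED_SMB, PASSWD))
```

Run it against the post's pair and it reports KDC_VIA_DNS, two UNSUPPORTED_ENCTYPE and two WEAK_ENCTYPE findings, NO_SMB_REALM and two IDMAP_OVERLAP findings; the corrected pair comes back clean. It deliberately never touches the network, so the clock-skew condition from the third kinit attempt is left to ntp rather than checked here.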


Brian said...

Microsoft does its best to reinvent the wheel (aka improve its service) to keep at bay competitors by making them incompatible with its OS. I would suggest waiting some time until the dust settles.

Victor Rafael Rivarola (FANÁTICO y LOCO por Cristo) said...

This reminds me...Windows ain't done until Lotus won't run.

It's amazing how different things are from the good old DOS 5/Windows 3.0 days...NOT IN THIS CASE!!!

odin749 said...

Thanks for the comments Brian and Victor. I do believe that the good people over at Samba will have these problems fixed shortly as it is only minor Kerberos changes.

Gerald Carter said...

Yup. We'll fix this for the Samba 3.0.26 release if not before.

odin749 said...


Thanks for the update I look forward to testing the new version of Samba once this is done.



