Cannot access list of users and groups in Active Directory

Markus KARG's picture

I have set up the turnkey fileserver appliance, then bound samba to my W2K3 domain using Webmin. It said that the appliance joined the domain successfully. The I restarted the domain and now want to set the allowed groups for /storage. But the selection of possible groups only shows the list of all the unix groups, not the list of the groups in the AD. What am I doing wrong? How do I tell the appliance that the lists of users and groups shall always be taken from AD?

Jeremy Davis's picture

I haven't tried to do what you are doing so I can't say for sure. Perhaps google will have some answers? FWIW the v12 appliances are based on Debian 6/Squeeze and by default it uses Samba3.

I suspect that you will need to take some additional steps to sync the Windows users to Samba users. AFAIK Samba users also need to have corresponding Linux user accounts. There should be some way of auto creating Samba users (and the corresponding Linux users) from the Windows users, but I don't know for sure how that works...

Markus KARG's picture

I googled for two days in fact and did not find a solution, but I found some indicators that seem to point out that your assumption is wrong and the problem is a bug of the TKL appliance:

All Samba tutorials say that the packages krb5 (aka Kerberos) and winbind are *definitively* needed to make this work out of the box, *and* many of the tutorials say that what I want is a common need. So I really wonder why both packages are not installed by default on the fileserver appliance.

I apt-get'ed them and configered manually the conf files (not using webadmin which seems to be rather buggy -- it does always say "Security default" even when setting "security = ADS" manually, and it asks for a workground name while in a windows domain there is no workgroup name but only a domain name) and restarted the appliance. It looks *a bit* better now but still is far from useable: The user list in webadmin now magically contains all the ActiveDirectory domain users *without* any need to add them manually as UNIX users! Unfortunately, the groups still are *not* taken from the AD.

Also, when I pick such a user and try to NET USE * \\myIp\storage (as the samba tutorials say), it says my password is wrong -- which is definitively not (I tried with several users and passwords that are working great with Windows-based SMB servers in the same domain -- only the TKL app fails).

Conclusion: Samba 3 *can* do what I want and it is common. *No* manual addition of UNIX users is needed as winbind (a part of Samba) does that automatically. Webadmin is buggy as it always shows "Security default" instead of "Security ADS". Packages for winbind and Kerberos are missing. When following the original Samba tutorials it still does not work in TKL. To sum up, this is a clear and sole problem of TKL.

I really love the TKL idea, but I need to say that the fileserver appliance is *far* from being an appliance in the senso of "turn key and run". It is simply a 50% pre-installed Debian server plus a buggy web console. Each of my (also Linux based) physical NAS-appliances did the same job with a *really* simple interface, and did not force me to learn Linux administration and dive into config files, bugs and missing packages. I would really beg the authors of the fileserver appliance to fix this ASAP, so that it makes any sense for AD users to even download the ISO image. If it can only be solved by learning how to config samba using KRB5 and smb.conf, I do not see any good reason to use TKL at all. Sorry for this critics, but the fileserver appliance just looks like not being finished at all. If the target is only a UNIX environment, do not tell it comes with SMB support and strip Samba.

Jeremy Davis's picture

What you say may well be true, as I have said I have never tried what you are doing. But as has been documented widely Samba 3.x is compatible with NT domains (up to Win Server2k). I know that it does not strictly do the AD thing but was under the impression that it could still join and act as a usable server... but perhaps not. 

A quick thought, in your setup are their corresponding Linux users? AFAIK that is a requirement.

I suspect what you really want is Samba 4. There was a great open source project called Resara Server which was a nice implementation of Samba 4 setup as a drop in AD domain controller (AFAIK fully compatible with Server 2k3/2k7 domains), but unfortunately they went bust. They have promised that they will release all the rest of their code and documentation but who knows... Anyway... from what I have read the vanilla Samba 4 works quite well (it is in the repos, but it is under quite heavy development so you may be better off intalling from upstream source).

As for your suggestion perhaps you are right. Perhaps you can fully document your setup as you go and convert it into a TKLPatch which could go into the next TKL release. Although I say, I think that Samba 4 is probably a better starting point...

As for the fileserver being turnkey - I don't think that it was ever intended for the usage scenario that you are trying to achieve (ie a fully functioning Windows domain member server) - but more of a simple SOHO fileserver - and for that it works quite well. I have used it to share files (via SMB/CIFS ie Samba) with both XP and Win7 and it works fine for me (although I set up the users manually). Don't get me wrong I'm not saying that what you are wanting wouldn't be great, but I don't think that was ever the intention... Perhaps in your scenario you would be better served (excuse the pun) by other products out there...

FWIW if it was aimed at only Linux filesharing then it wouldn't have Samba at all and would come with NFS preinstalled...

As I say, if you want it for a different purpose then please feel free to 'fix' it and share your patch. There are probably others who would appreciate your work.

Markus KARG's picture

I think that Samba 4 is not needed to solve it, as the tutorials about winbind are basing on Samba 3. But I am not a Samba expert. If I would be one, I wouldn't download the TKL fileserver appliance, obviously. So I doubt that I am able to provide a patch.

No I do not have UNIX users by intention, since the idea of winbind is that one does not need to create them.

If I am using local users (= UNIX users converted to Samba users) it is indeed working, but this is good for nothing, as I have to provide the users passwords in the webadmin -- but I do not know that passwords! That's the sole reason why I want the domain integration: The users do not want to have a different password the the TKL fileserver, and I do not know the users' passwords.

See the problem?

It would be great if one of the TKL fileserver authors could provide instructions how to set up the box so that I do not have to know the passwords of all users... In fact it would be cool to have any kind of usage manual for the appliance (instead of linking to the Samba original conf reference)...

Jeremy Davis's picture

But from my quick read about Winbind (in the official Samba docs), it seems that Winbind allows usage of Samba/Windows user account as native Linux user accounts - but only if it can get access to the LDAP database (that should be running on your Win server). From what I can gather you are correct in that you shouldn't need to also create Linux accounts (but I didn't read enough to be sure).

As for the appliance docs go, yes it would be great, but basically the appliance is TKL Core with Samba3 (from the repos) installed on top. Then basic configuration to make Samba work as a simple fileserver (as opposed to an NT domain controller - like the PDC appliance is). So with your usage scenario, perhaps the PDC appliance would be a better starting point (again I don't know because it's not something I've actually tried)? Although it's still only an NT level DC (which use a workgroup, rather than AD). As you have discovered, to make Samba3 compatible with AD you need additional stuff (like Kerbios).

So bottom line is that neither of the Samba appliances (Fileserver nor PDC) are designed to address your usage scenario (to be an AD member server). That does not make them incomplete - just not designed to address your requirements. You wouldn't say that a toothbrush is incomplete because it doesn't include dental floss would you?!? Or that a ball pein hammer is incomlete because it doesn't allow you to pull nails?!? Point is, different tools for different jobs and the TKL appliance range doesn't include an appliance that is the ideal tool for the job you want to do...! But it's not personal, there's lots of other things that could have TKL appliances for that task, but they don't exist either... In fairness to you, perhaps all this should be more clearly stated on the relevant appliance pages...

This leaves you with a number of options. As I see it the obvious ones are:

  • Learn how to configure Samba3 to do what you want (and to be a good open source citizen and a diligent sys admin document and share your final working process). From my quick googling there are a multitude of tutorials on how to do this (if you find one that works for you be nice if you posted back).
  • Start from scratch (either with TKL Core or some other Linux distro) and learn Samba4 config (which I still think would be a better starting point because Samba4 is designed from the ground up to address the problems that you are encountering without the need to cobble different pieces of software together). Again there seem to be a number of tutorials on how to do this (and again if you take this course and find something that works a link back would be great).
  • Find another Linux server/appliance that is preconfigured to acheive your ends (because there isn't a TKL one designed to do it). (This would also be good to hear back about if you find something like this. I am not aware of anything like this 'off the shelf' - as I said there was Resara Sever but it no longer exists).
  • Give up and fork out ~$800+ and buy a licence for MS Server and be done with it...
Markus KARG's picture

Please before telling me what a good open source citizen is, google me and you'll learn that I spend most of my time contributing to lots of open source projects. I just needed a *quick* installation of a CIFS file server without the need to repeat passwords. What you still not understand is that neither Samba 4 nor becoming a DC is needed for that. All you need is adding winbind and krb5 (which I already did) and a *correct* configuration (which I also managed but does only work in part -- despite all the nice tutorials). I learned that winbind is a brilliant magic that is *part of Samba* (so don't say "Samba based" if winbind is missing) and that rather "fully automatically" provides linux with the capacity of using the AD users and groups instead of the local ones, for this it comes with NSS and PAM. Great. But it does not work on the TKL appliance. :-(

The point about incomplete is: The tutorials all say that it is really simple to set up (but it needs hours to learn about it) and the TKL fileserver appliance comes with a nice GUI that looks like it will do it. It has nice buttons for binding to a domain and sync'ing users automatically (what effectively winbind plus krb5 will perform for that GUI if the appliance authors would have installed and configured it). BUT THAT BUTTONS ARE NOT WORKING. SO THIS IS SIMPLY A BUG WHICH HAS TO BE FIXED.

To make that existing buttons work, the appliance HAS TO BE COMPLETED. Or just drop them. I hope you got the point now?

I do not ask for becoming a domain member or a DC. All I ask for is to make the EXISTING FUNCTIONALITY work. Not more. The difference between "some preinstalled debian plus samba plus webadmin" to "being an appliance" is the sole fact that an applicane *only* has that buttons that are needed to fulfil the appliance's job. So as that buttons are there, users assume they are working.

The options you are telling are nice but have to do *nothing* with TKL. I mean, hey, for what shall I download an appliance if it has non-working buttons when the solution to this is: You can learn linux, samba, winbind and krb5 to build your own appliance from scratch?

To sum up: Just remove that buttons or make them work. Everything else is not a *TKL*-based solution.

As someone has to pay my work, and as it needs lots of time to learn about linux, samba, winbind and krb5, in fact the investment of 100$ into a Windows 7 desktop licence (which can do the job) is less money than paying me for one week to learn all that. Sad, but true. :-(

In fact in my spare time I actually try to find the configuration failure and will post the solution once I found it, certainly. But that is simply my own fun and not something to be *expected* to make EXISTING BUTTONS work in a "TURN KEY" solution. I hope you got my point. :-)

Post new comment