stories of war between boy and machine

Trouble in Sambadise; Issues with PBIS Active Directory and Samba

Continuing from the last post, with the original default configuration you could browse shares on the server, but with the updated configuration you can’t.


We have joined the server to Active Directory and there are likely no issues reported with running pbis status, so what could be wrong?

I had a look through some logs in /var/log/samba/, where there are logs for each machine that has tried to access a samba share. Open one of them and you’ll possibly see four errors occur (with the timestamp lines removed)

  get_schannel_session_key: could not fetch trust account password for domain 'Troliver'

  cli_rpc_pipe_open_schannel: failed to get schannel session key from server for domain Troliver.

  connect_to_domain_password_server: unable to open the domain client session to machine Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

  domain_client_validate: Domain password server not available.

This is crazy; it seems like there is something wrong with joining the domain – but we are already on the domain and can change users! Ah ha, but I haven’t yet run the Samba-Interop installer, which allows you to integrate PBIS authentication with Samba.

Following this guide, for version 8.x, I ran /opt/pbis/bin/samba-interop-install  – but this failed!

Found smbd version 4.1.6-Ubuntu
Unsupported smbd version 4.1.6-Ubuntu

If anyone asks what the difference is when using Ubuntu over CentOS, one answer you might commonly find on Google is to do with how “up-to-date” Ubtuntu is, with new and updated packages all the time, compared to CentOS which may be lagging behind with older, more stable, releases. So at the time of writing, Ubuntu’s implementation of Samba – as installed by default – is at version 4.16 and PBIS is at 8.2.1.something. Both are the latest; yet they don’t work together when using the samba-interop-install to link PBIS with Samba, which only supports versions up to 3.5 it seems.

In fact, this seems to be a problem that has been around for a while. Its for PowerBroker to figure out and fix; but actually, they even only discuss version 3 in their installation guide. So we probably can’t use Samba 4 at all and there is no indication that that will change. In the meantime, you have to use an older version of Samba. But how?

[The hard way that I didn’t end up using] – Make Samba yourself

  • For this, you’ll need to have installed gcc and make. You then have to remove Samba, which should also prompt you to remove libnss-winbind, libpam-winbind, samba and winbind. Use apt-get purge to get rid of the local repository files too.
  • Next, you can find an appropriate version of Samba 3 to compile here (probably version 3.5 or below).
  • Download it with wget (package address), use tar -xvzf to extract it, go to the source3 folder and run ./configure. This can take a while..
  • Run make, more time again.
  • Finally do make install
  • If it all completes successfully, you can delete all of these files that you downloaded and extracted
  • The installation process should have put Samba into /usr/local/ – which is where any newly compiled stuff goes by default
  • After this, you need to do a few more things, but I found a much easier way to do it instead; see below.

[The easier way that I ended up using] – Install Samba from another repository

It looks like there is a way to get this working with an older version of Samba, build for Ubuntu 12. Thankfully, it worked fine – so referring to this link, the following had to be done:

  • Edit /etc/apt/sources.list to include the line “deb squeeze main”. This will add the sernet server as a package repository.
  • Attempt to perform  apt-get update, which will initially fail since you need to have a key to authenticate with the sernet server
  • As root (and you have to be, for this), write these two lines:
    • gpg –export –armor F4428B1A | apt-key add –
    • gpg –keyserver –recv-keys F4428B1A; 
  • You should now be able to perform an update successfully and install samba from this new repository with apt-get install sernet-samba.
  • After this, all other commands should work the same as it would with the original distribution of Ubuntu; you don’t have to use sernet-samba for every samba command you write

Running the samba-interop-install should now work fine and, at least in my case, everything fell into place. Hopefully everything will work better now for other people too – but if anyone has any issues, comments or suggestions, please feel free to discuss them or to get in touch.

, , , , ,

10 thoughts on “Trouble in Sambadise; Issues with PBIS Active Directory and Samba

  • Lori says:

    gpg –keyserver –recv-keys F4428B1A
    gives these errors:
    gpg: keyserver internal error
    gpg: keyserver receive failed: keyserver error

    Did you receive these errors too?

  • Kirill says:

    When I trying to install sernet-samba i am recieve message:

    root@backsrv:/opt/pbis# apt-get install sernet-samba
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:

    The following packages have unmet dependencies:
    sernet-samba : Depends: sernet-samba-common (= 2:3.5.22-31) but it is not going to be installed
    Depends: sernet-libwbclient0 but it is not going to be installed
    E: Unable to correct problems, you have held broken packages.

    What I can do with this?

  • Troliver says:

    Can you manually install those packages? Googling seems to show it to be a problem for some others too – could it be the repository order? What OS are you using, Ubuntu LTS 14.0.2?

  • Tamer Hassan says:

    Must uninstall Samba 4.1.x first
    # apt-get purge libwbclient0 samba-common

    The above command will also uninstall the following packages:
    cifs-utils* libpam-smbpass* libsmbclient* libwbclient0* python-samba*
    samba-common* samba-common-bin* samba-dsdb-modules* samba-libs*
    samba-vfs-modules* smbclient*

    then you will not get errors when you try to install:
    # apt-get install sernet-samba

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.