Trouble in Sambadise; Issues with PBIS Active Directory and Samba
Continuing from the last post, with the original default configuration you could browse shares on the server, but with the updated configuration you can’t.
We have joined the server to Active Directory and there are likely no issues reported with running pbis status, so what could be wrong?
I had a look through some logs in /var/log/samba/, where there is a log for each machine that has tried to access a Samba share. Open one of them and you'll possibly see these four errors (timestamp lines removed):
    get_schannel_session_key: could not fetch trust account password for domain 'Troliver'
    cli_rpc_pipe_open_schannel: failed to get schannel session key from server domaincontroller.troliver.com for domain Troliver.
    connect_to_domain_password_server: unable to open the domain client session to machine domaincontroller.troliver.com. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    domain_client_validate: Domain password server not available.
This is crazy; it seems like there is something wrong with joining the domain – but we are already on the domain and can change users! Ah ha, but I haven’t yet run the Samba-Interop installer, which allows you to integrate PBIS authentication with Samba.
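To see which clients are hitting this failure and when it last happened, the four messages quoted above can be matched across the per-machine logs. This is an added example, not part of the original post; the function names, the sample log contents and the timestamp header layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find which per-client Samba logs
# show the trust-account failure quoted above, and when it last occurred.
# Usage: affected_logs /var/log/samba

# count_signatures FILE: how many of the post's four messages appear in FILE
count_signatures() {
    hits=0
    for sig in \
        "get_schannel_session_key: could not fetch trust account password" \
        "cli_rpc_pipe_open_schannel: failed to get schannel session key" \
        "NT_STATUS_CANT_ACCESS_DOMAIN_INFO" \
        "domain_client_validate: Domain password server not available"
    do
        if grep -qF -- "$sig" "$1"; then hits=$((hits + 1)); fi
    done
    echo "$hits"
}

# last_failure FILE: timestamp from the header line preceding the most recent
# NT_STATUS_CANT_ACCESS_DOMAIN_INFO (assumes "[YYYY/MM/DD HH:MM:SS.us,  lvl]" headers)
last_failure() {
    awk '/^\[[0-9][0-9][0-9][0-9]\// { ts = substr($1, 2) " " $2; sub(/,$/, "", ts) }
         /NT_STATUS_CANT_ACCESS_DOMAIN_INFO/ { last = ts }
         END { print last }' "$1"
}

# affected_logs DIR: "logname last-seen" for each log containing all four messages
affected_logs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(count_signatures "$f")" -eq 4 ]; then
            echo "$(basename "$f") $(last_failure "$f")"
        fi
    done
}

# make_sample_logs DIR: constructed sample data, one failing and one healthy client
make_sample_logs() {
    cat > "$1/log.client-a" <<'EOF'
[2014/10/01 09:15:02.100000,  0] example.c:1(func)
  get_schannel_session_key: could not fetch trust account password for domain 'Troliver'
[2014/10/01 09:15:02.200000,  0] example.c:2(func)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server domaincontroller.troliver.com for domain Troliver.
[2014/10/01 09:15:02.300000,  0] example.c:3(func)
  connect_to_domain_password_server: unable to open the domain client session to machine domaincontroller.troliver.com. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2014/10/01 09:15:02.400000,  0] example.c:4(func)
  domain_client_validate: Domain password server not available.
EOF
    printf '%s\n' '[2014/10/01 09:20:00.000000,  1] example.c:5(func)' '  client-b connected' > "$1/log.client-b"
}
```

A log that lists all four messages points at the missing Samba trust account secret rather than a problem with an individual client.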
Following this guide, for version 8.x, I ran /opt/pbis/bin/samba-interop-install – but this failed!
    Found smbd version 4.1.6-Ubuntu
    Unsupported smbd version 4.1.6-Ubuntu
    Error: ERROR_PRODUCT_VERSION
If anyone asks what the difference is when using Ubuntu over CentOS, one answer you might commonly find on Google is to do with how “up-to-date” Ubuntu is, with new and updated packages all the time, compared to CentOS, which may be lagging behind with older, more stable releases. So at the time of writing, Ubuntu's implementation of Samba, as installed by default, is at version 4.1.6 and PBIS is at 8.2.1.something. Both are the latest, yet they don't work together when using samba-interop-install to link PBIS with Samba, which only supports versions up to 3.5, it seems.
In fact, this seems to be a problem that has been around for a while. It's for PowerBroker to figure out and fix, but they only discuss version 3 in their installation guide. So we probably can't use Samba 4 at all, and there is no indication that this will change. In the meantime, you have to use an older version of Samba. But how?
[The hard way that I didn’t end up using] – Make Samba yourself
- For this, you’ll need to have installed gcc and make. You then have to remove Samba, which should also prompt you to remove libnss-winbind, libpam-winbind, samba and winbind. Use apt-get purge to get rid of the local repository files too.
- Next, you can find an appropriate version of Samba 3 to compile here (probably version 3.5 or below).
- Download it with wget (package address), use tar -xvzf to extract it, go to the source3 folder and run ./configure. This can take a while.
- Run make, which takes more time again.
- Finally, run make install.
- If it all completes successfully, you can delete all of these files that you downloaded and extracted
- The installation process should have put Samba into /usr/local/ – which is where any newly compiled stuff goes by default
- After this, you need to do a few more things, but I found a much easier way to do it instead; see below.
[The easier way that I ended up using] – Install Samba from another repository
It looks like there is a way to get this working with an older version of Samba, built for Ubuntu 12. Thankfully, it worked fine, so referring to this link, the following had to be done:
- Edit /etc/apt/sources.list to include the line “deb http://ftp.sernet.de/pub/samba/3.5/debian squeeze main”. This will add the sernet server as a package repository.
- Attempt to perform apt-get update, which will initially fail because apt does not yet have the key needed to verify the sernet repository's signatures
- As root (and you have to be, for this), run these two lines:
- gpg --keyserver wwwkeys.pgp.net --recv-keys F4428B1A
- gpg --export --armor F4428B1A | apt-key add -
- You should now be able to perform an update successfully and install samba from this new repository with apt-get install sernet-samba.
- After this, all other commands should work the same as they would with the original distribution of Ubuntu; you don't have to use sernet-samba for every Samba command you write
Running the samba-interop-install should now work fine and, at least in my case, everything fell into place. Hopefully everything will work better now for other people too – but if anyone has any issues, comments or suggestions, please feel free to discuss them or to get in touch.