Centrify Express and Samba 4 integration
07-28-2016 07:05 AM
I have the Centrify Express DC client installed on a Linux box and I'm able to successfully log in via AD credentials, but I'm having problems getting the Samba shares working.
I've installed samba4 and centrifydc-adbindproxy, and I've run the Perl script adbindproxy.pl. The Perl script completes and all services restart successfully. I'm unable to access the Samba shares via Linux or Windows.
smbclient -k -L <hostname> (on the smb server) gives this error:
session setup failed: NT_STATUS_ACCESS_DENIED
smbclient -L <hostname> (on the smb server and another linux server) gives this error (after prompting for password):
session setup failed : NT_STATUS_LOGON_FAILURE
The /var/log/samba/log.smbd shows these errors:
../source3/auth/auth_domain.c:265 (domain_client_validate) domain_client_validate: Domain password server not available.
I can successfully run a kinit on both servers and klist shows the Kerberos ticket.
The default smb.conf installed by the Perl script is currently set up, with no modifications (yet).
samba3 was working correctly on this server prior to installing centrify express.
Any guidance? I could post my smb.conf file if needed, but it is the default samba4 smb.conf that was modified by the centrify-ad-proxy script.
07-28-2016 07:25 AM
a) Operating system, architecture and version (e.g. CentOS 64 bit 6.5)
b) Version of Centrify Express (the supported community version is 5.3.x)
In the case of Samba Integration, keep in mind that Centrify does not provide an enhanced Samba Server. We provide an Identity Mapper that exposes Samba 4 servers (adbindproxy is not designed for Samba 3).
Finally, the integration guide provides guidance for installation and configuration.
07-28-2016 08:18 AM
I'm using Centrify Express 5.3.0, CentOS 6.6 64 bit.
This integration is the guide I've been following and what directed me to upgrade to Samba 4, install the centrify-adproxy, and run the perl script.
07-28-2016 10:10 AM
Note that your messages are "Access Denied"; I would check permissions at the share and filesystem level.
In addition, if you're testing on different systems (e.g. running smbclient from a different system) both should have the same versions of Centrify software.
Not much more we can guide you through.
We've released 5.3.1 in May and I know of at least one issue being resolved by the upgrade from one of our community members.
07-28-2016 11:11 AM
You might want to try running the /usr/share/centrifydc/bin/adbindproxy.pl adbindproxy script again. When you get to the step that says:
"Please specify the stock samba winbindd listen path(dir) if it is not in [/run/samba/winbindd]"
Try entering this instead of the default response:
I ran into the same issue when upgrading from the previous CentrifyDC-Samba package to the CentrifyDC-adbindproxy-5.3.0 package with the CentOS-supplied samba4, samba4-common, samba4-winbind and samba4-winbind-clients packages.
Also make sure the centrifydc-samba daemon is set to start on boot in run levels 3, 4, and 5 by running the following command:
chkconfig --level 345 centrifydc-samba on
I documented these steps in this post that was tagged as the accepted solution:
07-29-2016 09:38 AM
Thanks for providing feedback to the community guys!!!! Great job.
04-05-2017 06:15 AM
Welcome to the Centrify forums.
You can download Centrify adbindproxy from the same download site where you get Express:
Just look to the right side below the agent download like here:
@horto wrote a nice blog post on this topic that can help you set up: http://community.centrify.com/t5/TechBlog/Server-Suite-2016-Samba-with-adbindproxy/ba-p/24052
And yes, adbindproxy follows the Express freemium model that allows you to deploy on a limited number of systems.