Verifying the Samba Integration

To verify that Samba and Verify Privilege Server Suite are working together correctly, test whether you can access Samba shares. If you upgraded existing shares, you can test those; otherwise, you can verify the connection using the test share.

There are two key scenarios for testing whether Samba is configured properly for integration with the Authentication Service and Active Directory:

Accessing Samba from a UNIX Client Session

To test access to Samba shares from a session on the Linux or UNIX computer:

  1. Log on to the Linux or UNIX computer using the Active Directory account that has been granted access to the local computer’s zone.

  2. Run the following command:

    smbclient -k -L host_name

    The smbclient program displays information about Samba and the SMB shares that are available on the local computer. For example, you should see a listing similar to the following (where s.s.s is the Samba version):

    OS=[Unix] Server=[Samba s.s.s]

        Sharename       Type      Comment
        ---------       ----      -------
        samba-test      Disk
        IPC$            IPC       IPC Service (Samba-CDC)
        sara            Disk      Home directories

    OS=[Unix] Server=[Samba s.s.s]

        Server               Comment
        ---------            -------
        Workgroup            Master
        --------             -------
        ARCADE               MAGNOLIA

If you are able to see the Samba shares as an Active Directory user logged on to the Linux or UNIX computer that is acting as the Samba server, you should next test accessing the Samba shares from a Windows desktop. For information about performing this test, see Accessing Samba shares from a Windows desktop.

Purging and Reissuing Kerberos Tickets on UNIX Computers

If you see an error such as NT_STATUS_LOGIN_FAILURE instead of the expected results when you run the smbclient program, you may need to purge your existing Kerberos tickets and have them reissued. Try running the following command to remove all of your Kerberos tickets:

/usr/share/centrifydc/kerberos/bin/kdestroy

Then run the following command to reissue tickets after you provide your Active Directory password:

/usr/share/centrifydc/kerberos/bin/kinit

You can then run the following command to list the Kerberos tickets that have been issued to you:

/usr/share/centrifydc/kerberos/bin/klist

After verifying the Kerberos tickets you have been issued, try running the smbclient program again.

Verifying the Version of Samba You Are Using

If purging and reissuing tickets does not resolve the problem, use smbstatus to confirm the version of Samba that is currently running:

smbstatus | grep version

The command should display the Samba version you have installed. For example:

Samba version s.s.s

(where s.s.s is the installed Samba version)

If the correct version of Samba is installed, run smbstatus again and note the names of any *.tdb files that it reports as missing. Restore those files from your backup, then try running the smbclient program again.

If You Don’t See the Correct Samba Shares

If the smbclient program does not display the Samba shares you have defined in the configuration file, you should review the settings in the smb.conf file and then restart the DirectControl agent and run the adflush command.
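The checks in this section can be scripted. The following shell function is an added example, not part of the product or its documentation: it reads the output of smbclient -k -L host_name and reports which troubleshooting step applies. The function name check_share_listing, its return codes and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the output of `smbclient -k -L host_name`.
# Usage: smbclient -k -L host_name 2>&1 | check_share_listing samba-test
# Reads the listing on stdin; arguments are the share names you expect.
# Returns 0 = all expected shares listed, 1 = share(s) missing,
#         2 = NT_STATUS_LOGIN_FAILURE, 3 = any other NT_STATUS error.
check_share_listing() {
    listing=$(cat)

    case $listing in
        *NT_STATUS_LOGIN_FAILURE*)
            echo "LOGIN_FAILURE: purge and reissue tickets (kdestroy, kinit, klist)"
            return 2 ;;
        *NT_STATUS_*)
            echo "ERROR: $(printf '%s\n' "$listing" | grep -o 'NT_STATUS_[A-Z_]*' | head -n 1)"
            return 3 ;;
    esac

    # Share rows look like "<name> <type> [comment]"; the header row has
    # "Type" in column 2, so it is skipped. Names with spaces are not handled.
    shares=$(printf '%s\n' "$listing" |
        awk '$2 == "Disk" || $2 == "IPC" || $2 == "Printer" { print $1 }')

    missing=""
    for want in "$@"; do
        printf '%s\n' "$shares" | grep -Fxq -- "$want" || missing="$missing $want"
    done

    if [ -n "$missing" ]; then
        echo "MISSING:$missing (review smb.conf, restart the agent, run adflush)"
        return 1
    fi
    echo "OK"
}

# Constructed sample output, modelled on the listing shown earlier.
SAMPLE_OK='OS=[Unix] Server=[Samba s.s.s]

     Sharename Type Comment
     --------- ---- -------
     samba-test Disk
     IPC$ IPC IPC Service (Samba-CDC)
     sara Disk Home directories'

# Constructed failure line; only the status code comes from this page.
SAMPLE_FAIL='session setup failed: NT_STATUS_LOGIN_FAILURE'
```

A return code of 2 corresponds to the ticket purge described above, and 1 to the smb.conf review.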

Accessing Samba Shares from a Windows Desktop

To test access to Samba shares on a Linux or UNIX computer from a Windows desktop:

  1. Log on to a Windows computer that is joined to the domain with an Active Directory user account.

  2. Click Start > Windows Explorer, then navigate to the domain.

    For example, open My Network Places > Entire Network > Microsoft Windows Network > Arcade to view the Arcade.net domain.

  3. Select the Linux or UNIX computer that is integrated with Samba to view its Samba shares. For example:

    [Figure: Windows Samba Share]

  4. Click samba-test or browse other available Samba shares to verify that you can open existing files and create new files.

  5. Confirm from both Windows and the managed computer that the files in the share directories are owned by the correct users.

If you cannot browse the shares on the Linux or UNIX computer from the Windows desktop, you should:

  • Verify that there is network connectivity between the two systems.
  • Confirm that you do not have a firewall running on the managed computer that is blocking access to the SMB ports.
  • Make sure there are no stale Kerberos tickets on your Windows system. The tools to remove stale Kerberos tickets may already be installed on your system—see this site for more information about the klist and kerbtray programs.