I've attempted to create a Windows Server 2003 Native AD/Samba3 hybrid network (for curiosity's sake). Read extensively through all resources I could find and from what I can tell, I've set everything up as it should be.

The Samba3 server properly authenticates to the Windows Server 2003 kdc, pulls down users and groups via winbind, and is able to view the Win2K3 shares via smbclient. Likewise, the Samba3 server is able to view itself via smbclient.

The Win2K3 server is unable to view the Samba3 server, nor mount any Samba shares. WinXP clients have the same problem.

Linux clients are unable to view the Samba3 server via smbclient (NT_STATUS_LOGON_FAILURE) BUT... they are able to mount the shares:

    mount -t smbfs -o username=aduser,password=password //samba3/pub /tmp/pub

I've verified that this is authenticating to the Win2K3 server because only valid AD users are able to mount (I'm unable to discern which entries in Windows' Security Logs match these auths) and these users do not exist on the Samba server locally.

One quirk I noticed here is that using syntax DOMAIN\aduser does not work and returns

    29965: session setup failed: ERRDOS - ERRnoaccess (Access denied.)

I've tried both Samba3's default winbind separator '\' and '+' which is offered in the official docs (I'm unsure of why there's this discrepancy), both with the same results. Another quirk is that from a Windows client using + as the separator is not possible.

At this point I'm questioning whether my expectation of this functionality is correct - the ability to use AD to authenticate users on a Samba3 server and do away entirely with the smbpasswd file and local Linux users. Based on the successful mount from a Linux workstation it appears I'm correct. I'm also unsure of the use of Win2K3 as there's virtually no specific documentation in its regard.

Any ideas would be appreciated.

smb.conf

    # Global parameters
    [global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        auth methods = winbind
        encrypt passwords = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind separator = \

    # Shares
    [public]
        comment = Public Data Repository
        path = /pub/
        read only = No

krb5.conf

    [libdefaults]
        ticket_lifetime = 24000
        default_realm = DOMAIN.COM
        default_tkt_enctypes = des-cbc-crc des-cbc-md5
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        forwardable = true
        proxiable = true
        dns_lookup_realm = true
        dns_lookup_kdc = true

    [realms]
        DOMAIN.COM = {
            kdc = WIN2K3.DOMAIN.COM:88
            default_domain = DOMAIN.COM
        }

    [domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM

log.winbindd

    [2003/12/13 12:55:12, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
      krb5_cc_get_principal failed (No credentials cache found)