Trying to get Samba working with Active Directory and ACL's on an OS X
(Tiger) server. So far it hasn't been too easy. We were able to
finally recompile version 3.014 with ACL's on the server. Now we are
stuck trying to get AD integration to work. Ideally, we would like it
set up so that the OS X file server knows and uses all of the users
and groups from Active Directory without having to create our own
mapping file (does that make sense?). All of the clients are Win XP.
As of right now, the file server has been able to join the domain.
Issuing a wbinfo -u or wbinfo -g gives the expected output. Now,
whenever I try to log into the system using my AD credentials, I see
this in the log.smbd file:

Username DOMAIN\MFLATLEY$ is invalid on this system

Here is the Global section of our smb.conf file:

[global]
workgroup = DOMAINNY
display charset = UTF-8-MAC
unix charset = UTF-8-MAC
dos charset = CP437
realm = DOMAIN.ORG
encrypt passwords = yes
password server = adserv2
map acl inherit = yes
nt acl support = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = ADS
client ntlmv2 auth = yes
wins support = no
wins server = 10.0.11.17
guest account = unknown
allow trusted domains = no
netbios name = osx-fileserv2
max smbd processes = 0
server string = Mac OS X
local master = no
domain master = no
map to guest = Never
defer sharing violations = no
log level = 1
use spnego = yes
passdb backend = ldapsam smbpasswd
auth methods = guest opendirectory
username map = /etc/samba/private/smbusers
idmap uid = 10000-65000
idmap gid = 10000-65000
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes
template primary group = "Domain Users"

Can anybody help us out with this?

Thanks!
mike

Hello

Little different path to get AD users and groups to work on OS X. Far as I know, winbind won't work because nsswitch doesn't exist on OS X. As such, no way to tell the machine to use winbind for user/group names. The correct solution is to use OS X's Directory Access tool (/Applications/Utilities/Directory Access) to join the Windows domain. That said, there are known issues with 10.4 proper and directory access and SMB that are supposedly fixed in 10.4.1. I don't know, as I haven't had time to test yet.

> Trying to get Samba working with Active Directory and ACL's on an OS X
> (Tiger) server. So far it hasn't been too easy. We were able to
> finally recompile version 3.014 with ACL's on the server. Now we are
> stuck trying to get AD integration to work. Ideally, we would like it
> set up so that the OS X file server knows and uses all of the users
> and groups from Active Directory without having to create our own
> mapping file (does that make sense?). All of the clients are Win XP.
>
> As of right now, the file server has been able to join the domain.
> Issuing a wbinfo -u or wbinfo -g gives the expected output.

Best of Luck
-Matt