Shaun Anderson
2015-Jan-14 23:33 UTC
[Samba] Kerberos Authentication problem "Username X is invalid on this system"
This is a new Samba config that has not yet worked. I have installed sernet-samba 4.1.14.

[root at sltltfsee samba]# rpm -qa | grep sernet
sernet-samba-libsmbclient0-4.1.14-10.el6.x86_64
sernet-samba-common-4.1.14-10.el6.x86_64
sernet-samba-4.1.14-10.el6.x86_64
sernet-samba-libs-4.1.14-10.el6.x86_64
sernet-samba-winbind-4.1.14-10.el6.x86_64
sernet-samba-client-4.1.14-10.el6.x86_64

I have been added to the domain and all of that appears to work fine. I have created shares, however am unable to access them.

Here are the contents of nsswitch.conf:
[root at sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"

passwd: compat winbindd files
shadow: compat files
group: compat winbind files
hosts: files dns wins

bootparams: nisplus [NOTFOUND=return] files

ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus

krb.conf file:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.ORG
dns_lookup_realm = true
;dns_lookup_realm = false
dns_lookup_kdc = true
;dns_lookup_kdc = false
ticket_lifetime = 600
renew_lifetime = 7d
forwardable = true

[realms]
MYDOMAIN.ORG = {
kdc = SL1TDC3.MYDOMAIN.ORG
kdc = SL1DC5.MYDOMAIN.ORG
admin_server = SL1TDC3.MYDOMAIN.ORG
default_domain = MYDOMAIN.ORG
}

[domain_realm]
.mydomain.org = MYDOMAIN.ORG
mydomain.org = MYDOMAIN.ORG
MYDOMAIN.org = MYDOMAIN.ORG
.MYDOMAIN.org = MYDOMAIN.ORG

Smb.conf file:
[root at sltltfsee samba]# cat /etc/samba/smb.conf
[global]

workgroup = SL1
netbios name = SLTLTFSEE
server string = LTFSEE Server
realm = SL1.MYDOMAIN.ORG
security = ads
encrypt passwords = yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
template shell = /bash/bin
allow trusted domains = Yes
client ntlmv2 auth = yes
force unknown acl user = yes
auth methods = guest sam winbind
passdb backend = tdbsam
groupdb:backend = tdb
interfaces = eth1 lo
username map = /etc/samba/smbusers
guest ok = yes

#LOGGING
log level =3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50

#WINBIND
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind use default domain =true
winbind offline logon = true
winbind refresh tickets = Yes

#GPFS items
gpfs:sharemodes = yes
gpfs:prealloc = yes
gpfs:dfreequota = yes
gpfs:hsm = yes
gpfs:winattr = yes
gpfs:leases = yes

#General FS items
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes

#SHARES

[general]
path = /gpfs/ltfsee/general
read only = no
valid users = @"Domain Users"

Things such as winbind lookups work just fine:
[root at sltltfsee samba]# wbinfo -a choatej%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root at sltltfsee samba]# wbinfo -i SL1\\choatej
choatej:*:16777216:16777220::/home/SL1/choatej:/bash/bin

[root at sltltfsee samba]# wbinfo -U 16777216
S-1-5-21-1823944398-2898753305-4095703837-125569

[root at sltltfsee samba]# wbinfo -s S-1-5-21-1823944398-2898753305-4095703837-125569
SL1\choatej 1

User can authenticate using ntlm_auth:
[root at sltltfsee samba]# ntlm_auth --username=choatej
Password:
NT_STATUS_OK: Success (0x0)

Attempting to access share from a windows client gives "Access is denied" message.

From the smb log "smb.ltfsee.log"
[2015/01/14 16:26:02.882034, 3] ../source3/smbd/negprot.c:672(reply_negprot)
  Selected protocol SMB 2.???
[2015/01/14 16:26:02.887418, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/01/14 16:26:02.990573, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: choatej [Choate, James]
[2015/01/14 16:26:02.990632, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [choatej at SL1.MYDOMAIN.ORG]
[2015/01/14 16:26:02.991491, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SL1\choatej is invalid on this system
[2015/01/14 16:26:02.991554, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/01/14 16:26:02.996300, 3] ../source3/smbd/server_exit.c:221(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Kerberos ticket was generated using 'net ads kerberos kinit -P'

[root at sltltfsee samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hubijarm_u at SL1.STLUKES-INT.ORG

Valid starting     Expires            Service principal
01/14/15 15:52:23  01/14/15 16:02:23  krbtgt/SL1.MYDOMAIN.ORG at SL1.MYDOMAIN.ORG
        renew until 01/21/15 15:52:23

I'm by no means a kerberos expert, but if I have a generated ticket then what is being missed? Where is the 'Username X is invalid on this system' message coming from?

Regards,

Shaun Anderson
"Aut viam inveniam aut faciam"

DISCLAIMER: The information in this message (and any attachments hereto) may be confidential and protected from disclosure. If the reader of this message is neither the intended recipient nor an agent responsible for delivering the message to the intended recipient, you are hereby notified that any unauthorized disclosure of this information is strictly prohibited. Any unauthorized disclosure may cause the breaching party to be liable to ConvergeOne Holdings Corp. and/or its subsidiaries and affiliates for damages. If you have received this message in error, please notify the sender by replying to the e-mail message, and delete it from your computer without reading it or saving it in any manner.

Rowland Penny
2015-Jan-15 09:23 UTC
[Samba] Kerberos Authentication problem "Username X is invalid on this system"
Don't think this is going to work, you have 'default_realm = MYDOMAIN.ORG' in /etc/krb5.conf and 'realm = SL1.MYDOMAIN.ORG' in smb.conf.
You don't have *anything* in smb.conf to pull from the domain, you pull from outside the domain.
Do you realise that 'passwd: compat winbindd files' means 'passwd: files winbindd files' ?

Change /etc/nsswitch.conf to this:

passwd: compat winbindd
shadow: compat files
group: compat winbind

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
bootparams: nisplus [NOTFOUND=return] files
netmasks: files
publickey: nisplus
automount: files
aliases: files nisplus

Change /etc/krb5.conf to:

[libdefaults]
default_realm = SL1.MYDOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

Change /etc/samba/smb.conf to:

[global]
workgroup = SL1
security = ADS
realm = SL1.MYDOMAIN.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = LTFSEE Server
#WINBIND
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind normalize names = Yes
#IDMAP
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SL1 : backend = ad
idmap config SL1 : range = 16777216-33554431
idmap config SL1 : schema_mode = rfc2307
template shell = /bash/bin
interfaces = eth1 lo
username map = /etc/samba/smbusers
guest ok = yes
printcap name = cups
cups options = raw
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user

#LOGGING
log level = 3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50

#General FS items
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = yes

#SHARES

[general]
path = /gpfs/ltfsee/general
read only = no
valid users = @"Domain Users"

The above are based on my *working* laptop.

It might be better if you leave the domain before changing the files, delete /etc/krb5.keytab if it exists, then rejoin the domain.

Rowland

Rowland Penny
2015-Jan-15 09:32 UTC
[Samba] Kerberos Authentication problem "Username X is invalid on this system"
OOPS, I missed something else:

You have this in /etc/nsswitch.conf: 'passwd: compat winbindd files', it should be 'passwd: compat winbind' #NOTE only one 'd' at the end.

Rowland
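
Added example (not part of any post in this thread, and not Samba project code): a small offline check for the two problems the replies point out, the 'winbindd' source name in nsswitch.conf and the differing realms in krb5.conf and smb.conf. The sample inputs are constructed from the relevant lines of the files posted above; the function names are hypothetical.

```python
import re

# Constructed sample input: the relevant lines of the files posted in the thread.
NSSWITCH = """\
passwd: compat winbindd files
shadow: compat files
group: compat winbind files
"""
KRB5 = """\
[libdefaults]
 default_realm = MYDOMAIN.ORG
 dns_lookup_realm = true
"""
SMB = """\
[global]
workgroup = SL1
realm = SL1.MYDOMAIN.ORG
security = ads
"""


def ini_value(text, section, key):
    """Return the value of `key` inside `[section]` of an INI-style file, or None."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current == section.lower() and "=" in line:
            name, value = line.split("=", 1)
            # Normalise case and whitespace runs in the parameter name.
            if " ".join(name.split()).lower() == key.lower():
                return value.strip()
    return None


def nss_sources(text, database):
    """Return the list of sources for one nsswitch.conf database, e.g. 'passwd'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            rest = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])  # drop [NOTFOUND=return]
            return rest.split()
    return []


def check(nsswitch, krb5, smb):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for db in ("passwd", "group"):
        sources = nss_sources(nsswitch, db)
        if "winbindd" in sources:
            findings.append(f"nsswitch {db}: 'winbindd' is the daemon name, the NSS source is 'winbind'")
        elif "winbind" not in sources:
            findings.append(f"nsswitch {db}: no 'winbind' source listed")
    krb_realm = ini_value(krb5, "libdefaults", "default_realm")
    smb_realm = ini_value(smb, "global", "realm")
    if krb_realm is None or smb_realm is None:
        findings.append("could not read default_realm or realm")
    elif krb_realm.upper() != smb_realm.upper():
        findings.append(f"realm mismatch: krb5.conf default_realm={krb_realm}, smb.conf realm={smb_realm}")
    return findings


if __name__ == "__main__":
    for finding in check(NSSWITCH, KRB5, SMB):
        print(finding)
```

To run it against a live host, read /etc/nsswitch.conf, /etc/krb5.conf and /etc/samba/smb.conf into strings and pass them to check().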