Quoting Scott Heisler <scott.heisler at huntleighusa.com>:
> I have the latest CentOS (4.1), all YUM'd up to date. I've been through
> the How-TOs on Samba's site as well as 4 million other sites and still
> can't get proper AD (Active Directory) Authentication to work. It looks
> like it's working, appears in the domain server list and pulls users and
> groups. If I do a klist -u, I see all the users with domain+username
> correctly. However, I can't apply any of that security to any
> directories on the box or see those users with Webmin (when doing Samba
> Share security). The users who don't have local accounts can't browse
> the samba server either (as soon as they connect, it pops up the login
> ID & Pass).
>
> I followed everything and have been working on the issue for 4 days. Am
> I missing something? Please help!
Well, hard to say with no details of your configuration ("followed everything"
might mean something to you, but for the rest of us it's "what everything?").

I've had some trouble getting LDAP to authenticate against AD some time ago, that I
resolved (no samba, no anything, just LDAP authenticating users). It sounds like you
are going a couple of steps further than me.

Anyhow, what version of AD do you have? 2000 and 2003 are a bit different, and
there are steps that need to be done with 2000 that are not needed with 2003 to
get the Kerberos stuff working.

For what you are trying to do, you'll probably need to configure both Kerberos
(to get authentication going) and LDAP (to get user lists) correctly. This
usually means creating principals for Unix services by hand, and copying keytab
files back to the Unix side. Do you have all schemas on your AD that are
needed for Unix accounts? Can you use ldapsearch to bind to AD and list users?

There's an excellent Microsoft document titled "Windows Security and Directory
Services for UNIX". You can download it for free as a PDF from Microsoft's web
site. I'd highly recommend you get it. It has almost all you need to know
about configuring the AD and Linux side to play nicely with each other. Skip the
"for IT managers" parts, and go to the technical sections.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
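The reply above boils down to three checks: does the Unix box have a usable keytab for its host principal, can it get a Kerberos ticket with it, and can it bind to AD over LDAP and list users. The script below is an added example for working through those checks; it is not from the thread or from any of the posters. The realm EXAMPLE.COM, the domain controller dc1.example.com, the bind account svc-ldap and the keytab path /etc/krb5.keytab are placeholders to be replaced with your own values. The live commands (klist, kinit, ldapsearch) only run when AD_CHECK_RUN=1 is set, so the helper functions can be read or sourced without touching the network.

```shell
#!/bin/sh
# Added example, not code from the original thread. Walks the checks the reply
# asks about: keytab present for the host principal, ticket obtainable with it,
# and an LDAP bind to AD that can list users. All values below are placeholders.

AD_REALM="${AD_REALM:-EXAMPLE.COM}"            # Kerberos realm (placeholder)
AD_DC="${AD_DC:-dc1.example.com}"              # domain controller (placeholder)
AD_BIND_USER="${AD_BIND_USER:-svc-ldap}"       # account for the LDAP bind (placeholder)
AD_KEYTAB="${AD_KEYTAB:-/etc/krb5.keytab}"     # keytab copied back from the AD side

# Turn a DNS domain such as example.com into the AD base DN DC=example,DC=com.
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
    }'
}

# Lowercase a Kerberos realm to get the DNS domain it normally maps to.
realm_to_domain() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# The host principal a Unix machine needs in its keytab for Kerberized services.
host_principal() {
    printf 'host/%s@%s' "$1" "$AD_REALM"
}

# Build the ldapsearch command the reply recommends: a simple bind to AD that
# lists user objects by sAMAccountName. Returned as text so it can be reviewed
# before running; -W prompts for the password rather than exposing it in argv.
ad_user_search_cmd() {
    domain="$(realm_to_domain "$AD_REALM")"
    printf 'ldapsearch -x -H ldap://%s -D "%s@%s" -W -b "%s" "(&(objectClass=user)(objectCategory=person))" sAMAccountName' \
        "$AD_DC" "$AD_BIND_USER" "$domain" "$(domain_to_basedn "$domain")"
}

# Live checks, in the order failures usually show up.
run_checks() {
    fqdn="$(hostname -f 2>/dev/null || hostname)"
    princ="$(host_principal "$fqdn")"

    echo "== keytab $AD_KEYTAB should contain $princ"
    if klist -k "$AD_KEYTAB" 2>/dev/null | grep -q "$princ"; then
        echo "ok: principal present in keytab"
    else
        echo "MISSING: create the principal on the AD side and copy the keytab here"
    fi

    echo "== obtain a ticket with the keytab (clock skew or a stale keytab fails here)"
    kinit -k -t "$AD_KEYTAB" "$princ" && klist

    echo "== bind to AD over LDAP and list users"
    echo "$(ad_user_search_cmd)"
    eval "$(ad_user_search_cmd)"
}

if [ "${AD_CHECK_RUN:-0}" = "1" ]; then
    run_checks
fi
```

Run it as `AD_CHECK_RUN=1 AD_REALM=YOUR.REALM AD_DC=your-dc sh ad-check.sh`. If the keytab step fails, nothing after it is worth debugging: Samba and PAM both depend on that host principal being valid, and a machine clock more than a few minutes off the domain controller will make kinit fail even with a good keytab.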