Jan Johansson
2003-Jul-23 08:27 UTC
[Samba] Samba 3.0 + Active Directory + Debian + Profiles?
How on earth do I make Debian/Unstable play nice and use Samba 3.0 as a member server in an AD-Domain running in Native Mode, and be able to store user profiles on the Samba server? I just can make no heads nor tails from any documentation, have I missed something fundamental? Adding the server to the domain was easy enough. But then user authentication does not seem to work?
Jan Johansson
2003-Jul-23 08:48 UTC
[Samba] Samba 3.0 + Active Directory + Debian + Profiles?
>How on earth do I make Debian/Unstable play nice and use Samba 3.0 as a
>member server in an AD-Domain running in Native Mode, and be able to
>store user profiles on the Samba server? I just can make no heads nor
>tails from any documentation, have I missed something fundamental?
>Adding the server to the domain was easy enough. But then user
>authentication does not seem to work?

Maybe I am closer than I thought. I removed samba completely, reinstalled it, joined it to the domain, and "net ads" sort of started to work, I got a "no credential in cache" from Kerberos. And when doing a net view from a windows box, I get "access denied" and the following in my logs.

==> log.nwl105 <=
[2003/07/23 10:49:02, 1] libads/kerberos_verify.c:ads_verify_ticket(91)
  krb5_parse_name(HOST/ndc5-router-1@) failed (Malformed representation of principal)
[2003/07/23 10:49:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(175)
  Failed to verify incoming ticket!

==> log.smbd <=
[2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(487)
  idmap uid range missing or invalid
  idmap will be unable to map foreign SIDs
[2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(499)
  idmap gid range missing or invalid
  idmap will be unable to map foreign SIDs

Where should I be looking?
Jan Johansson
2003-Jul-23 08:59 UTC
[Samba] Samba 3.0 + Active Directory + Debian + Profiles?
>How on earth do I make Debian/Unstable play nice and use Samba 3.0 as a
>member server in an AD-Domain running in Native Mode, and be able to
>store user profiles on the Samba server? I just can make no heads nor
>tails from any documentation, have I missed something fundamental?
>Adding the server to the domain was easy enough. But then user
>authentication does not seem to work?

Ok, now I added "realm = NWL.SE" to my smb.conf, and now I get

==> log.ndc2-w2k-1 <=
[2003/07/23 11:00:01, 1] smbd/sesssetup.c:reply_spnego_kerberos(221)
  Username Administrator is invalid on this system
[2003/07/23 11:00:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(221)
  Username Administrator is invalid on this system

Seems to be a step forward, but not there yet....
Paul Eggleton
2003-Jul-24 04:41 UTC
[Samba] Samba 3.0 + Active Directory + Debian + Profiles?
Hi Jan,

Jan Johansson wrote on Wednesday, 23 July 2003 8:49 p.m.:
> ==> log.smbd <=
> [2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(487)
>   idmap uid range missing or invalid
>   idmap will be unable to map foreign SIDs
> [2003/07/23 10:49:02, 1] sam/idmap_tdb.c:db_idmap_init(499)
>   idmap gid range missing or invalid
>   idmap will be unable to map foreign SIDs

Add the following settings in smb.conf and restart winbind:

  idmap uid = 10000-65000
  idmap gid = 10000-65000

One good way to test if you have things set right is to use the wbinfo command (e.g. wbinfo -u). If this correctly lists domain users, great. If not, check the winbind log file for details.

Cheers,
Paul