kel.way@magotteaux.com
2003-Nov-07 16:20 UTC
[Samba] Samba <- Winbind -> Windows 2003 ADS Questions
Hi everyone, I'm relatively new to Samba - at least for more in-depth installations. Big Thank-You from my company to the brilliant developers responsible for this software.

We have our Samba server integrated with our Windows 2003 AD domain users via Winbind - a working installation with some issues described below.

getent passwd works as the many docs show (one entry below):

MYCOMPANY+jsmith:x:10890:10000:John Smith:/home/MYCOMPANY/jsmith:/bin/bash

When logged on to a Windows XP machine as MYCOMPANY\jsmith and attempting to connect to the smith share, access is denied. A check of the logs with level=10 shows that XP is passing MYCOMPANY.ORG+jsmith, and I'm therefore required to use the format MYCOMPANY.ORG+jsmith as a valid user. This is inconsistent with the various documents I've seen on the procedure, which show the format for valid users as MYCOMPANY+jsmith.

Additionally, I'm trying to set up home directories on this Samba box, and so I had to create a directory: /home/MYCOMPANY.ORG/jsmith (note my smb.conf entry: template homedir = /home/%D/%U). You'll note from the 'getent passwd' output above that the home is actually listed as /home/MYCOMPANY/jsmith. So, the result is that if I log into the console as MYCOMPANY+jsmith, it looks for /home/MYCOMPANY/jsmith, and if I connect to the homes share via Samba, it looks for /home/MYCOMPANY.ORG/jsmith. Not the way I'd like it to be.

I've been through various documentation sources (my desk is quite out of control with Samba docs), so I apologize if a reason and solution are clearly documented somewhere. I spent the last hour searching and I cannot find a solution. Perhaps someone here can assist me.
Many Thanks,
Kel Way

Samba 3 from source (latest as of yesterday)
krb5-1.3.1-6
openldap-2.1.22-6
Fedora Core .95 Severn

krb.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MYCOMPANY.ORG
default_tgs_enctypes = des-cbc-md5
default_tkt_enctypes = des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
MYCOMPANY.ORG = {
kdc = nash-dc-01.mycompany.org:88
admin_server = nash-dc-01.mycompany.org:749
default_domain = mycompany.org
}

[domain_realm]
.mycompany.org = MYCOMPANY.ORG
mycompany.org = MYCOMPANY.ORG

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Snip from smb.conf:

[global]
log level = 10
realm = MYCOMPANY.ORG
security = ADS
encrypt passwords = yes
workgroup = MYCOMPANY
password server = nash-dc-01.mycompany.org

# winbind config
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
#client use spnego = yes
#winbind use default domain = yes

server string = Nashville File and Print Server
log file = /var/log/samba/%m.log
# Put a capping on the size of the log files (in Kb).
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
wins server = 209.93.144.12
dns proxy = no

[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700

[myshare]
comment = Mary's and Fred's stuff
path = /maryfred
valid users = MYCOMPANY.ORG+jsmith
public = no
writable = yes
printable = no
create mask = 0765
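An added consistency check (example code, not from the original post or the Samba project) that reproduces the mismatch described above from the post's own getent line and smb.conf snippet: it expands `template homedir` once with the domain string the logs show XP passing (MYCOMPANY.ORG) and once with the prefix winbind puts on account names (MYCOMPANY), and lists `valid users` entries whose domain prefix differs from winbind's. The domain string smbd sees is a parameter; the script makes no assumption about why the two differ.

```python
# Constructed sample inputs, copied from the post's getent output and smb.conf snippet.
GETENT_LINE = "MYCOMPANY+jsmith:x:10890:10000:John Smith:/home/MYCOMPANY/jsmith:/bin/bash"
SMB_CONF = """[global]
workgroup = MYCOMPANY
realm = MYCOMPANY.ORG
winbind separator = +
template homedir = /home/%D/%U
[myshare]
path = /maryfred
valid users = MYCOMPANY.ORG+jsmith
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {param: value}}, keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def expand_template(template, domain, user):
    """Apply the %D (domain) and %U (user) substitutions to a template."""
    return template.replace("%D", domain).replace("%U", user)

def check_homedir(conf, getent_line, smbd_domain):
    """Home dir winbind reports via getent vs. the one the template yields for smbd_domain."""
    glob = conf["global"]
    sep = glob.get("winbind separator", "\\")
    name, _, _, _, _, getent_home, _ = getent_line.split(":")
    winbind_domain, user = name.split(sep, 1)
    smbd_home = expand_template(glob["template homedir"], smbd_domain, user)
    return {"user": user, "winbind_domain": winbind_domain,
            "getent_home": getent_home, "smbd_home": smbd_home,
            "consistent": smbd_home == getent_home}

def mismatched_valid_users(conf, share, getent_line):
    """'valid users' entries whose domain prefix differs from the one winbind uses."""
    sep = conf["global"].get("winbind separator", "\\")
    winbind_domain = getent_line.split(":", 1)[0].split(sep, 1)[0]
    entries = [e.strip() for e in conf[share].get("valid users", "").split(",")]
    return [e for e in entries if sep in e and e.split(sep, 1)[0] != winbind_domain]
```

Running `check_homedir(parse_smb_conf(SMB_CONF), GETENT_LINE, "MYCOMPANY.ORG")` reports the two paths from the post side by side, with `consistent` false; passing "MYCOMPANY" instead makes them agree.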