Hello All,

Your typical problem.... I am trying to configure Samba-3.0.2-6.3E on RedHat Linux. I have spent days trying to get this working. What I would like to do is provide the ability to connect to Samba shares from Windows, more specifically, WinXP. What I want to avoid is having to manage user accounts on both the Windows or AD side and the Unix side, thus having authentication handled by AD. As I understand, to do this you set the security in the smb.conf to Domain. Below I have shown my smb.conf file. So far the only way I have been able to get this to work is by setting security=server and password server = ADservername. I have been searching high and low and can't find anything, most all for earlier versions of Samba. One problem is the correct usage of "net join". I have seen it used so many different ways I don't know which is correct, but I have been successful in adding the samba server to the domain using "net join -S ADservername -U adminuserID". Here is my smb.conf...

[global]
    workgroup = domainname
    realm = domainname.com
    server string = Samba Server
    log file = /var/log/samba/%m.log
    max log size = 50
    security = domain
    password server = ADservername (have also tried *)
    encrypt passwords = yes
    unix password sync = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = no
    os level = 33
    wins support = no
    wins server = winsservername
    dns proxy = no

[Test]
    comment = Home Directories
    browseable = no
    writable = yes
    public = yes
    guest ok = yes

When I try to run wbinfo -u, after adding the server to the domain successfully, I get "Error looking up domain users." For kicks, if I actually try to map to the samba share from an XP desktop I have got one of two errors:
- no logon server available....
or
- no trust established....

In the winbind log I get "NT_STATUS_ACCESS_DENIED".
I have even bought the O'Reilly book Using Samba, followed the sample setup and still the same problem. Disconcerting I can find concrete answers or examples from such an awesome tool once it works. I am starting to think there is a problem on the AD side of things.

Any help would be greatly appreciated.

AJ FitzGerald
SA/DBA
Five Mile Capital
Phone: 203-905-0929
FitzGerald, AJ wrote:

> Hello All,
> Your typical problem....I am trying to configure Samba-3.0.2-6.3E
> on RedHat Linux. I have spent days trying to get this working. What I
> would like to do is provide the ability to connect to Samba shares from
> Windows, more specific, WinXP. What I want to avoid is having to manage
> user accounts on both the Windows or AD side and the Unix side, thus
> having authentication handled by AD. As I understand, to do this you
> set the security in the smb.conf to Domain. Below I have shown my
> smb.conf file. So far the only way I have been able to get this to work
> is by setting security=server and password server = ADservername. I
> have been searching high and low and can't find anything, most all for
> earlier versions of Samba. One problem is the correct usage of "net
> join" I have seen is used so many different ways I don't know which is
> correct but I have been successful in adding the samba server to the
> domain using "net join -S ADservername -U adminuserID". Here is my
> smb.conf...
>
> [global]
>     workgroup = domainname
>     realm = domainname.com
>     server string = Samba Server
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     security = domain
>     password server = ADservername (have also tried *)
>     encrypt passwords = yes
>     unix password sync = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     local master = no
>     os level = 33
>     wins support = no
>     wins server = winsservername
>     dns proxy = no
>
> [Test]
>     comment = Home Directories
>     browseable = no
>     writable = yes
>     public = yes
>     guest ok = yes
>
> When I try to run wbinfo -u , after adding the server to the domain
> successfully, I get "Error looking up domain users." For kicks if I
> actually try to map to the samba share from an XP desktop I have got one
> of two errors
> - no logon server available....
> or
> - no trust established....
>
> In the winbind log I get "NT_STATUS_ACCESS_DENIED". I have even bought
> the O'Reilly book Using Samba, followed the sample setup and still the
> same problem. Disconcerting I can find concrete answers or examples
> from such an awesome tool once it works. I am starting to think there
> is a problem on the AD side of things.
>
> Any help would be greatly appreciated.

What you really want to do is to configure your Kerberos, then use security = ads. Do a kinit administrator@KERBDOMAIN.COM, supply the password and then do net ads join to join the AD domain...

That should work :o)

Good luck
/Thomas
Hello all,

:: Strategy ::

I am using Samba 3.0.2a with security mode ADS, hooking a fileserver up to a W2k3 server and domain. The join worked as mentioned in the documentation. For auth of users I use nssldap to query the LDAP database of W2k3, so my Windows users are visible under both Linux and Windows.

:: Problem ::

If I try to share the homes or other points I'm asked to type in a username and a password. When I type in a username, which is as described visible on both sides, Windows says that this user is not valid to enter the share. As a workaround I used an "admin" entry in the smbpasswd, which has access to the shares. I think this is a very ugly hack. I also tried it with winbind, but it didn't work either. When I open the security tab under Windows of a share or the subdirectories within, it shows entries like "FILER\user", which is not my domain, just the samba server itself. Maybe this is correct, but I can't make any change of adding a user to the security context of Windows. I am not using the winbind name switch in nsswitch.conf and not any winbind pam auth, because of using nssldap for making users visible on Linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in advanced mode (not native or mixed mode), which might be a problem, but I don't believe this. If I type "wbinfo -u" the users on the Windows side are listed, but not with the domain separator, just the user itself.

:: Question ::

How can I map samba shares with "security = ADS" on a Windows machine, without using "smbpasswd"?
:: smb.conf ::

# Global parameters
[global]
    workgroup = DOMAIN
    realm = DOMAIN.DE
    security = ads
    password server = w2k3.domain.de
    encrypt passwords = yes
    #smb passwd file = /etc/samba/smbpasswd
    ;; I don't want to use this line, because the documentation
    ;; said I don't need this
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 10
    preferred master = no
    idmap uid = 500-6000
    idmap gid = 500-6000
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind trusted domains only = yes
    ;; Caught the above line from a hint, which was mentioned
    ;; to fix the problem

[homes]
    comment = %u's Home Directory
    ;; This one's always showing, if smbpasswd entry above
    ;; is enabled: "admin's Home Directory", where admin
    ;; is the smbpasswd entry to get shares mapped
    create mask = 0755
    read only = No
    browseable = No

[shared]
    comment = Share Point
    path = /shared
    read only = no
    browseable = yes

[backup]
    comment = Backup Repo
    path = /backup
    read only = yes
    browseable = no

Many thanks for every hint or assistance

Best regards
-markus
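
Added example, not part of any message in this thread: a small Python audit of the two settings the thread turns on, the security mode that Thomas recommends changing to ads and the guest-writable [Test] share in the first smb.conf. The function names and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the first poster's smb.conf, cut down to the lines that matter here.
SAMPLE = """\
[global]
    workgroup = domainname
    realm = domainname.com
    security = domain
    password server = ADservername
[Test]
    writable = yes
    public = yes
    guest ok = yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, all lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments start with # or ;
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip().lower()
    return conf

def audit(text):
    """Return (section, message) findings for the settings raised in this thread."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mode = glob.get("security", "user")  # Samba 3.0 default is user-level security
    findings = []
    if mode == "server":
        findings.append(("global", "security = server is pass-through logon to another SMB server; use security = ads"))
    elif mode == "domain" and "realm" in glob:
        findings.append(("global", "realm is set but security = domain; a Kerberos join needs security = ads"))
    elif mode == "ads" and "realm" not in glob:
        findings.append(("global", "security = ads needs realm set to the Kerberos realm"))
    for name, share in conf.items():
        # Simplification: only yes/no spellings are checked, not true/1.
        guest = "yes" in (share.get("guest ok"), share.get("public"))
        writable = "yes" in (share.get("writable"), share.get("writeable")) or share.get("read only") == "no"
        if name != "global" and guest and writable:
            findings.append((name, "guest ok with write access: no password is required to connect"))
    return findings
```

Calling `audit(SAMPLE)` reports the security mode and the [Test] share; the second poster's configuration, with security = ads, a realm and no guest shares, produces no findings.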