I've set up the following and can open a home share for me (sylveg). I've created a group on W2KADS and on OURSAMBALINUX called oadmin and added me as a member in both. I created a Samba share called o_drive (see smb.conf below) with the Linux dir /home/o_drive and valid users = %D+oadmnin. The /home dir is:

drwxr-xr-x 2 root   root   4096  2004-09-03 15:16 ftp/
drwx------ 2 root   root   16384 2005-02-03 07:55 lost+found/
drwxrwxrwx 2 root   oadmin 4096  2005-02-10 11:15 o_drive/
drwx--x--x 2 sylveg users  4096  2005-02-10 12:00 sylveg/

In the security tab of the W2KADS OURSAMBALINUX account I gave sylveg and oadmin full rights. I haven't run "net groupmap" (do I need to?)

When I try to map to \\OURSAMBALINUX IP\o_drive from my W2K workstation (joined to the domain as sylveg), I get prompted for username and password. The log (level 3) file shows:

user 'sylveg' (from session setup) not permitted to access this share (o_drive)

I also would like to know how to set up automatic user and group creation from W2KADS to OURSAMBALINUX. I tried what I found so far (add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u) in smb.conf, but it doesn't work.
SYSTEM INFO FOLLOWS:
________________________________________________________________________
W2K ADServer = W2KADS.OURORG.OURDOMAIN.ORG
________________________________________________________________________
Slackware/Samba server = OURSAMBASERVER
HP570ML G3 w/ Compaq Smart Array 640
Slackware 10.1, 2.4.29 kernel, scsi.s boot kernel
________________________________________________________________________
Add entries to the hosts files

Samba machine /etc/hosts:
127.0.0.1           localhost localhost.localdomain
(our W2KADS IP)     W2KADS W2KADS.OURORG.OURDOMAIN.ORG
(OURSAMBALINUX IP)  OURSAMBALINUX OURSAMBALINUX.OURORG.OURDOMAIN.ORG

Windows Active Directory server (%Systemroot%\System32\drivers\etc\hosts):
127.0.0.1           localhost localhost.localdomain
(our W2KADS IP)     W2KADS W2KADS.OURORG.OURDOMAIN.ORG
(OURSAMBALINUX IP)  OURSAMBALINUX OURSAMBALINUX.OURORG.OURDOMAIN.ORG
________________________________________________________________________
# /etc/resolv.conf
search OURORG.OURDOMAIN.ORG
domain OURORG.OURDOMAIN.ORG
nameserver OURNAMESERVER1
nameserver OURNAMESERVER2
nameserver OURNAMESERVER3
nameserver OURNAMESERVER4
nameserver (our W2KADS IP)
________________________________________________________________________
# date (MMDDHHMM)
Set to the same time as W2KADS (syncs OURSAMBALINUX time to the W2KADS server).
________________________________________________________________________
Kerberos krb5-1.4
# ./configure
# make

# more /etc/krb5.conf
[libdefaults]
    default_realm = OURORG.OURDOMAIN.ORG

[realms]
    OURORG.OURDOMAIN.ORG = {
        kdc = W2KADS.OURORG.OURDOMAIN.ORG:88
        admin_server = W2KADS.OURORG.OURDOMAIN.ORG:749
        default_domain = OURORG.OURDOMAIN.ORG
    }

[domain_realm]
    .ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG
    ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

# /etc/nsswitch.conf
passwd:     compat winbind
group:      compat winbind
hosts:      files dns wins
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
bootparams: files
automount:  files
aliases:    files
________________________________________________________________________
OpenLDAP openldap-2.2.23 (loaded for libraries)
# ./configure
# make depend
# make
# make test
# make install
________________________________________________________________________
# kinit administrator@OURORG.OURDOMAIN.ORG
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OURORG.OURDOMAIN.ORG

Valid starting     Expires            Service principal
01/10/05 10:36:06  01/10/05 20:37:39  krbtgt/OURORG.OURDOMAIN.ORG@OURORG.OURDOMAIN.ORG
        renew until 01/10/05 10:36:06

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
________________________________________________________________________
Samba 3.0.11 (patch for clitar error: # patch -p0 < clitar.patch)
Built from source so it picks up krb5 and ldap:
# ./configure --with-acl-support
# make
# make install
# make installbin
# make installman
# cp /usr/local/samba-3.0.10/source/nsswitch/libnss_winbind.so /lib
# cp /usr/local/samba/sbin/* /usr/sbin
# cp /usr/local/samba/bin/* /usr/bin

Check with:
# smbd -b | grep KRB
# smbd -b | grep LDAP

Set up as a member server in smb.conf:

# /usr/local/samba/lib/smb.conf
# Global parameters
[global]
    unix charset = LOCALE
    workgroup = OURORG
    netbios name = OURSAMBALINUX
    realm = OURORG.OURDOMAIN.ORG
    server string = OURORG Samba linux
    security = ADS
    password server = W2KADS.OURORG.OURDOMAIN.ORG
    username map = /etc/samba/smbusers
    log level = 3
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    ldap ssl = no
    idmap uid = 10000-90000
    idmap gid = 10000-90000
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind separator = +

[public]
    comment = Data
    path = /home/public
    read only = No

[homes]
    comment = Home Directories
    path = /home/%U
    valid users = %S
    read only = No
    browseable = No

[o_drive]
    comment = o_drive
    path = /home/o_drive
    valid users = @%D+oadmin
    inherit permissions = Yes
    read only = no
#   force user = smbuser
#   force group = nobody

# testparm
No errors
________________________________________________________________________
# net ads testjoin
# net ads join -Uadministrator%password
(echoes back)
Using short domain name -- OURORG
Joined 'OURSAMBALINUX' to realm 'OURORG.OURDOMAIN.ORG'

Check the box on ADS for this server trust.
________________________________________________________________________
Start the Samba SMB file/print server:
# /etc/rc.d/rc.samba start
# winbindd
________________________________________________________________________
# more /usr/local/samba/smbusers
root = administrator admin
nobody = guest pcguest smbguest

# smbpasswd -a root
________________________________________________________________________
# getent passwd    (list of Linux users)
# getent group     (list of Linux groups)
# wbinfo -u        (long list of ADS OURORG+users)
# wbinfo -g        (long list of ADS OURORG+groups)
# tdbdump /etc/samba/private/secrets.tdb
# net ads info
# net ads status   (cool outputs)

On a Windoze workstation PC that is joined to the W2KADS domain, from a DOS prompt:
C:\> net use * \\(OURSAMBALINUX IP address)\share
This maps the next available drive letter to the share without a password.

# smbclient //W2KADS/c\$ -k
comes back with:
smb: \> dir    - gives you the W2KADS dir listing
q              - to quit

# wbinfo -t
(echoes back)
checking the trust secret via RPC calls succeeded
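The level-3 log line quoted above ("not permitted to access this share") is smbd's verdict on the share's `valid users` list, evaluated before any Linux directory permission is consulted; the client's password prompt is just its reaction to that refusal. The script below is an added diagnostic example, not code from the original post or from the Samba project. It re-implements in simplified form the `valid users` rules documented in smb.conf(5) (bare name = user, `@name` = NIS netgroup then UNIX group, `+name` = UNIX group only, `&name` = netgroup only) together with the %D/%U/%S substitutions, and evaluates them against whatever group list the server resolves for the user. The group sets are constructed to mirror the post (user sylveg, domain OURORG, share o_drive); netgroups are assumed absent, and the real smbd builds its decision from the winbind token rather than NSS names, so treat this as a model of the check, not a copy of it.

```python
"""Model of Samba's ``valid users`` share check (added example).

Simplified re-implementation of the smb.conf(5) rules:
    name    a user name
    @name   a group: NIS netgroup first, then UNIX group
    +name   a UNIX group only
    &name   a NIS netgroup only
plus the %D (domain), %U (user) and %S (share) substitutions.
Group sets below are constructed for the example; NIS netgroups are
assumed absent.  Real smbd uses the winbind security token, so this
is a model of the decision, not the server's code.
"""

WINBIND_SEPARATOR = "+"   # matches the post's "winbind separator = +"


def substitute(value, user, domain, share):
    """Apply the three smb.conf substitutions the post relies on."""
    return (value.replace("%D", domain)
                 .replace("%U", user)
                 .replace("%S", share))


def valid_users_allows(valid_users, user, domain, share, user_groups,
                       netgroups=frozenset()):
    """Return True if ``user`` satisfies the ``valid users`` expression.

    ``user_groups``: set of group names NSS reports for the user,
    e.g. what ``id -Gn OURORG+sylveg`` prints once winbind resolves
    AD groups.  ``netgroups``: NIS netgroups the user belongs to.
    """
    for raw in valid_users.replace(",", " ").split():
        entry = substitute(raw, user, domain, share)
        if entry.startswith("@"):            # netgroup, then UNIX group
            name = entry[1:]
            if name in netgroups or name in user_groups:
                return True
        elif entry.startswith("+"):          # UNIX group only
            if entry[1:] in user_groups:
                return True
        elif entry.startswith("&"):          # netgroup only
            if entry[1:] in netgroups:
                return True
        elif entry in (user, f"{domain}{WINBIND_SEPARATOR}{user}"):
            return True                      # plain user name
    return False


def explain(share, valid_users, user, domain, user_groups):
    """Return a log line in the style of the post's level-3 message."""
    if valid_users_allows(valid_users, user, domain, share, user_groups):
        return f"user '{user}' permitted to access this share ({share})"
    return (f"user '{user}' (from session setup) not permitted "
            f"to access this share ({share})")


# Constructed group lists for sylveg.  BEFORE: winbind does not report
# the AD group, so "@OURORG+oadmin" matches nothing.  AFTER: the group
# resolves, e.g. as shown by ``getent group OURORG+oadmin``.
BEFORE = {"users"}
AFTER = {"users", "OURORG+oadmin"}

if __name__ == "__main__":
    print(explain("o_drive", "@%D+oadmin", "sylveg", "OURORG", BEFORE))
    print(explain("o_drive", "@%D+oadmin", "sylveg", "OURORG", AFTER))
    # The working [homes] share: valid users = %S, and %S is the user name.
    print(explain("sylveg", "%S", "sylveg", "OURORG", BEFORE))
```

To compare against a live server, replace the constructed sets with the output of `id -Gn OURORG+sylveg` (or `getent group OURORG+oadmin`) on OURSAMBALINUX: if the domain group does not appear there, the `@OURORG+oadmin` entry can never match and the share check fails exactly as in the log, regardless of the 777 mode on /home/o_drive.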