All,

I'm trying to figure out if I missed some steps in configuring Samba 3.0.13 on AIX 5.2 as a Windows 2003 ADS domain member server of the domain DEVELOPMENT. Samba is compiled with Heimdal Kerberos and openLDAP support, and I successfully joined the ADS domain using net ads join after running a kinit. Kerberos appears to be working, wbinfo -u and wbinfo -g work; net ads status works fine, smbtree works. However, when I try to authenticate to a test share using either a domain user ID or a user ID from another domain (CORP) that has a trust relationship with the domain that the Samba server is joined to, I see NT_STATUS_NO_SUCH_USER in the log.smbd.

So, my two questions are: do I need to be running winbindd? Does it have to have PAM support, or is that just for using domain logins on the unix side?

smb.conf follows:

[global]

realm = READING.DEVPORTAL.NET
workgroup = DEVELOPMENT
password server = usrd106.reading.devportal.net
security = ADS
encrypt passwords = yes
#debug level = 7
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users=yes
winbind enum groups=yes
client use spnego = yes

[public]
comment = Public data directory
read only = no
path = /sambapublic
user = @"DEVELOPMENT+domain users" @"CORP+domain users"

Thomas M. Skeren III
2005-Jul-06 18:04 UTC
[Samba] Samba 3.0.13 ADS domain member on AIX 5.2
Scruggs, Ronald wrote:

>All,
>
>I'm trying to figure out if I missed some steps in configuring Samba
>3.0.13 on AIX 5.2 as a Windows 2003 ADS domain member server of the
>domain DEVELOPMENT. Samba is compiled with Heimdal Kerberos and
>openLDAP support, and I successfully joined the ADS domain using net ads
>join after running a kinit. Kerberos appears to be working, wbinfo -u
>and wbinfo -g work; net ads status works fine, smbtree works. However,
>when I try to authenticate to a test share using either a domain user ID
>or a user ID from another domain (CORP) that has a trust relationship
>with the domain that the Samba server is joined to, I see
>NT_STATUS_NO_SUCH_USER in the log.smbd.
>
>So, my two questions are: do I need to be running winbindd?

Yes

> Does it
>have to have PAM support,

Yes...pam needs to authenticate using ldap/ads

>or is that just for using domain logins on the
>unix side?
>
>smb.conf follows:
>
>[global]
>
>realm = READING.DEVPORTAL.NET
>workgroup = DEVELOPMENT
>password server = usrd106.reading.devportal.net
>security = ADS
>encrypt passwords = yes
>#debug level = 7
>winbind separator = +
>idmap uid = 10000-20000
>idmap gid = 10000-20000
>winbind enum users=yes
>winbind enum groups=yes
>client use spnego = yes
>
>[public]
>comment = Public data directory
>read only = no
>path = /sambapublic
>user = @"DEVELOPMENT+domain users" @"CORP+domain users"