Markus.Scheffknecht@t-systems.com
2005-Nov-22 16:12 UTC
[Samba] User and Groups Problem with ADS (Win2003) and Solaris 10
Hi,

I got samba 2.0.30b running on a Sparc machine with Solaris 10.
I installed Kerberos 1.4.2 and OpenLDAP stable version 20051018 to compile
Samba 2.0.30b with ADS.

Looks like Kerberos works:

    kinit Administrator@MYDOMAIN.COM   ==> works
    klist                              ==> shows ticket

I added the server to the domain:

    net join -U Administrator
    Joined 'SAMBA' to realm 'MYDOMAIN.COM'

But after that it starts getting weird:

    wbinfo -u

Returns the users, but no domain in front like I saw in many other examples:

    user1
    user2
    user3
    user4
    PC1$
    PC2$
    PC3$

    wbinfo -g

Returns the groups, but also no domain in front:

    group1
    group2
    group3

smb.conf:

    [global]
        workgroup = MYDOMAIN
        netbios name = SAMBA
        realm = MYDOMAIN.COM
        winbind uid = 10000-15000
        winbind gid = 10000-15000
        winbind separator = +
        winbind use default domain = yes
        security = ADS
        encrypt passwords = Yes
        password server = win2003.mydomain.com
        client use spnego = yes

    [test1]
        comment = test1
        path = /smbshares/test1
        public = Yes
        valid users = user1, user2, user3
        writable = YES

    [test2]
        comment = test2
        path = /smbshares/test2
        public = Yes
        valid users = @group1
        writable = YES

    [test3]
        comment = test3
        path = /smbshares/test3
        public = Yes
        valid users = @group2
        writable = YES

Share test1 works if user1 exists as a unix user, otherwise ==> NT_STATUS_LOGON_FAILURE

Share test2 works if user1 exists as a unix user and is in the group user1, otherwise ==> NT_STATUS_LOGON_FAILURE

If I use

    net groupmap add unixgroup=group2 ntgroup="Administrators"

or

    net groupmap add unixgroup=group2 ntgroup="Administratoren"

(I am working on a German Win2003 system) and try to log on to test3, I get the following error:

    tree connect failed: NT_STATUS_ACCESS_DENIED

    net user info user1
    Administratoren

My guess is that the samba server can't map the windows users to unix users ==> that is the reason why I can't log on with a user which is not a unix user. I guess I have the same problem with the groups: they just can't be mapped onto new unix groups or onto existing unix groups.

Has anyone any idea why there seems to be this problem? Didn't I understand the concept, is there a configuration problem, or do I have to RTFM another 100 times?

Greetings
Max Mustermann

Other configuration files

krb5.conf:

    [libdefaults]
        default_realm = MYDOMAIN.COM

    [realms]
        MYDOMAIN.COM = {
            kdc = WIN2003.MYDOMAIN.COM
            default_domain = MYDOMAIN.COM
        }

    [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
            period = 1d
            versions = 10
        }

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_liftime = 1d
            forwardable = true
            proxiable = false
            retain_after_close = false
            minimum_uid = 0
            debug = false
        }
        kinit = {
            renewable = true
            forwardable = true
        }
        gkadmin = {
            help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }

/etc/nsswitch.conf includes the following entries:

    passwd: files winbind nis
    group:  files winbind nis
    hosts:  files dns nis
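As an added diagnostic, not part of the original post and not Samba's own code: the script below parses an smb.conf of the shape above and checks every share's "valid users" entry through the same NSS lookups smbd relies on (pwd/grp, which is where /etc/nsswitch.conf decides whether winbind is consulted), so a name that will not map to a unix user or group is reported before the share answers NT_STATUS_LOGON_FAILURE. The smb.conf text inside is a constructed stand-in for the poster's file, and the resolver can be swapped for a table to run it offline.

```python
import configparser
import grp
import pwd
# Constructed smb.conf modelled on the poster's shares (not their file verbatim).
SMB_CONF = """\
[global]
winbind separator = +
winbind use default domain = yes
[test1]
valid users = user1, user2, user3
[test2]
valid users = @group1
[test3]
valid users = @group2
"""

def parse_smb_conf(text):
    # smb.conf is INI-like; '%' interpolation is off because Samba uses %U-style macros.
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    return cfg

def resolve_with_nss(name, is_group):
    # Same lookup path smbd takes: pwd/grp via NSS (nsswitch.conf decides if winbind is consulted).
    try:
        (grp.getgrnam if is_group else pwd.getpwnam)(name)
        return True
    except KeyError:
        return False

def check_valid_users(cfg, resolve=resolve_with_nss):
    # Returns {share: [(entry, kind, resolvable)]}. Entries are checked as written:
    # with 'winbind use default domain = yes' they are bare names, otherwise they
    # would have to be written as DOMAIN<separator>name.
    report = {}
    for share in cfg.sections():
        if share == "global" or not cfg.has_option(share, "valid users"):
            continue
        entries = [e.strip() for e in cfg.get(share, "valid users").split(",") if e.strip()]
        results = []
        for entry in entries:
            if entry[0] in "@+&":
                # '@' = NIS netgroup then unix group, '+' = unix group only, '&' = netgroup
                # only; netgroups are not looked up here, so '&' entries stay unresolved.
                results.append((entry, "group", entry[0] != "&" and resolve(entry[1:], True)))
            else:
                results.append((entry, "user", resolve(entry, False)))
        report[share] = results
    return report
```

Run it on the real host with the default resolver and compare against `wbinfo -u` / `wbinfo -g`: a name winbind lists but pwd/grp cannot resolve points at the NSS side (nss_winbind library or nsswitch.conf), not at smb.conf.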
SAMBA
2005-Dec-04 07:38 UTC
[Samba] User and Groups Problem with ADS (Win2003) and Solaris 10
Do you need to configure PAM to authenticate through Kerberos?