Hey List,
I need just a bit of help. I'm stuck on my integration of a samba server
into an ADS domain. I've read(and re-read) the entire Samba How-To as
well as several other articles on the net.
Here is what I need to do: Have a share set up so that windows users can
browse to it via Win Explorer/Network Neighborhood and not have to
provide credentials as 2nd time (SSO type stuff)
Here are the nitty gritties
OS: RH ENT 3
SMB 3.0.9-1.3E.10 (latest from up2date)
KRB5 3.1 (latest from up2date)
proper entry in /etc/hosts
winbind set up in smb.conf and nsswitch.conf files
krb5.conf setup
I can successfully authenticate against the ADS server using kinit. I've
done this using a default domain with the krb5.conf file and explicitly
giving the realm and not having a krb5.conf file.
I can successfully add my linux box to the domain using net ads. Once
done, I can see it okay in my ADS in MMC on Windows.
I can see the machine in my network neighborhood no problem. However,
when I click on it, it prompts me for a password. No matter what I
supply, I can't get authenticated.
If I add the username that my windows account has to the linux box, I
get right in, no prompting or anything.
I'm thinking this has to be something I'm missing in the smb.conf file,
but can't for the life of me figure it out.
Can anybody see if I'm missing something important?
Here is an excerpt of my smb.conf file
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
netbios name = LINUXSHARE
password server = PDC.MYDOMAIN.COM
preferred master = no
security = ADS
encrypt passwords = yes
log level = 3
server string = A RHEL3 Samba Server
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = host wins bcast
winbind separator = /
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
winbind enum users = yes
winbind enum groups = yes
winbind user default domain = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
wins server = 192.168.1.99
guest ok = Yes
cups options = raw
here is my share config
[SHARE1]
path = /data/share1
read only = No
Here is a snapshot of my smbd.log, which shows some wierdness
[2006/07/25 21:40:58, 3] libads/ldap.c:ads_server_info(2432)
got ldap server name pdc@MYDOMAIN.COM, using bind path: dc=MYDOMAIN,dc=COM
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
ads_sasl_spnego_bind: got server principal name =pdc$@MYDOMAIN.COM
[2006/07/25 21:40:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/07/25 21:40:59, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
Any help is greatly appreciated.
