Greetings,

I have followed the steps to get Samba set up as a member of AD. Following the instructions I was able to get the samba server added to the AD. When I run wbinfo -g for example, I see all of the groups on the AD. If I do something like kinit with my AD login, I enter my password and it works. I enter a bad AD password and it fails.

So I think a lot of this is set up. My problem is I cannot get Samba to authenticate to AD. When I am logged into a windoze box and try and get to a share, the password dialogue comes up. I enter my AD username/password and it never works. For the share I made the AD group that I belong to in the write list. Do I need to do anything else?

Here is my config. I appreciate any help, I think I am close. Like I said, wbinfo -g shows the groups from AD fine, so I know communication is happening. I also see packets going back and forth between this box and the AD box.

    # Global parameters
    [global]
        workgroup = MYDOMAIN.COM
        realm = MYDOMAIN.COM
        server string = Samba Server sgflnbmedia11
        security = ADS
        password server = wpdc1.mydomain.com
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        preferred master = No
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        cups options = raw

    [homes]
        comment = Home Directories
        read only = No
        browseable = No

    [sqlback]
        comment = Windows SQL Backups
        path = /sqlback01/windoze
        write list = user_name, @svc_sql2000serviceaccounts
        read only = No
        guest ok = Yes

    [test]
        path = /tmp/test
        read only = No
        guest ok = Yes

soleblazer wrote:
> So I think a lot of this is set up. My problem is I cannot get Samba to
> authenticate to AD. When I am logged into a windoze box and try and get to
> a share, the password dialogue comes up. I enter my AD username/password
> and it never works. For the share I made the AD group that I belong to in
> the write list. Do I need to do anything else?

I have just been through this myself. Hopefully my experience can help.

First off - shouldn't it be "workgroup = MYDOMAIN", and I see no mention of winbind - if you expect to control access via AD groups, you'll need winbind.

Secondly, get rid of the "guest ok" thing. It confuses things during such debugging. You can always re-enable it after getting the core stuff working.

Thirdly, stop the winbind and smb services, rejoin the domain and TEST THE JOIN. I have had several occurrences of joins that appear to succeed - but didn't. This produced the symptoms you've been seeing. i.e.

    # stop winbind and smb services
    kinit administrator@MYDOMAIN.COM
    net join
    sleep 10
    net ads testjoin
    # start winbind and smb services

Any errors in the above commands must be fixed before anything works reliably.

Finally, if you have trusted domains you also want to support (e.g. allow OTHER\user to connect to your MYDOMAIN Samba shares), make sure they are all explicitly mentioned within the [realms] section in /etc/krb5.conf. My thanks to Rashid for that trick.

Good luck. Hope that helps. I just love being able to "chown domain\\username filename" - freaks the hell out of the Windows Admins ;-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Rashid N. Achilov
2006-Dec-08 03:53 UTC
[Samba] Trouble getting samba AD integration to work

On Friday 08 December 2006 04:33, soleblazer wrote:
> I have followed the steps to get Samba setup as a member of AD. Following
> the instructions I was able to get the samba server added to the AD. When I
> run wbinfo -g for example, I see all of the groups on the AD. If I do
> something like kinit with my AD login, I enter my password and it works. I
> enter a bad AD password and it fails.

Have you tested your join with net ads join? Is it OK?

Are you really sure that your "workgroup=" should be "MYDOMAIN.COM", not "MYDOMAIN"?

Can you connect to your Samba box with MMC from a Windows machine (Manage->Connect to another computer)?

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton
OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

Thank you! Yes, taking the .COM off fixed my issues!! Man, I wish there were more intuitive errors on here ;-)

Thanks again!

On 12/7/06, Rashid N. Achilov <achilov-rn@askd.ru> wrote:
> On Friday 08 December 2006 04:33, soleblazer wrote:
>
> > I have followed the steps to get Samba setup as a member of AD. Following
> > the instructions I was able to get the samba server added to the AD. When I
> > run wbinfo -g for example, I see all of the groups on the AD. If I do
> > something like kinit with my AD login, I enter my password and it works. I
> > enter a bad AD password and it fails.
>
> Have you tested your join with net ads join? Is it OK?
> Are you really sure that your "workgroup=" should be "MYDOMAIN.COM",
> not "MYDOMAIN"?
> Can you connect to your Samba box with MMC from a Windows machine
> (Manage->Connect to another computer)?
> --
> With Best Regards.
> Rashid N. Achilov (RNA1-RIPE), Web: http://www.askd.ru/~shelton
> OOO "ACK" telecommunications administrator, e-mail: achilov-rn [at] askd.ru
> PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A
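
A small check for the two configuration problems raised in this thread (the DNS realm used as "workgroup", and "guest ok" left on while debugging authentication), as an added example that is not part of the original posts. The function names and the sample text are constructed for illustration, and the dot test is a heuristic, not a Samba rule.

```python
import re

# Constructed sample: the relevant lines of the smb.conf posted in this thread.
SAMPLE = """\
[global]
    workgroup = MYDOMAIN.COM
    realm = MYDOMAIN.COM
    security = ADS
[sqlback]
    write list = user_name, @svc_sql2000serviceaccounts
    guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank lines and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint_ads_member(text):
    """Return (section, message) findings for the mistakes discussed in the thread."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("security", "").lower() != "ads":
        return []  # the checks below only make sense for an AD member server
    findings = []
    workgroup, realm = glob.get("workgroup", ""), glob.get("realm", "")
    # Heuristic: a dot, or a value equal to the realm, suggests the DNS name
    # was entered. The first label is only a guess at the short domain name.
    if "." in workgroup or (realm and workgroup.lower() == realm.lower()):
        findings.append(("global", f"workgroup = {workgroup} looks like the DNS "
                         f"realm; short name expected, often {workgroup.split('.')[0]}"))
    for name, params in conf.items():
        # "public" is a synonym for "guest ok" in smb.conf.
        guest = params.get("guest ok", params.get("public", "no")).lower()
        if name != "global" and guest in ("yes", "true", "1"):
            findings.append((name, "guest ok is enabled; turn it off while "
                             "debugging authentication"))
    return findings

if __name__ == "__main__":
    for section, message in lint_ads_member(SAMPLE):
        print(f"[{section}] {message}")
```

A clean result here says nothing about the join itself; "net ads testjoin", as suggested earlier in the thread, is still the check for that.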