Bleh, sorry folks. Two days troubleshooting this and I find the problem
ten minutes after posting. Fixed it by synchronising the time with the
PDC and rebooting the Solaris box. All my users are listed fine now in
"getent passwd", and I can browse to the shares.
... now I just need to work out how on earth I grant file permissions to
my windows users.
_____
From: Ross Smith
Sent: 22 February 2008 09:51
To: 'samba@lists.samba.org'
Subject: Samba and ADS authentication problems
Hey folks,
I'm having trouble with AD integration with the version of Samba
included in Solaris build 78 (Samba version 3.0.25a). I think it's
almost working, but I get an authentication prompt every time I try to
connect to samba from a windows client, and no matter what I enter I
can't authenticate to see the shares.
The main documentation I've been using is Sun's guide to setting up
Samba: http://dlc.sun.com/pdf/819-3063/819-3063.pdf, but I've also been
referring to the official How-To.
I'm trying to join Samba to my windows domain as a member server using
ADS. I've read and re-read all the documentation I can find over the
last couple of days but I've no idea now where I've gone wrong. What
*is* working is the following:
- Kerberos seems fine. "klist" shows a valid ticket, and "kinit
user@REALM.COM" authenticates ok.
- The samba machine account in Active Directory created fine when I used
the "net ... ADS JOIN ..." command.
- From Solaris I can list Active Directory users and groups with "wbinfo
-u" and "wbinfo -g".
- From Solaris, smbclient works anonymously and can list the shares on
both Samba and our windows servers with "smbclient -N -L computer".
However, any attempt by a windows client to view shares on the Solaris
server returns Access denied, followed by a password prompt, and on
Solaris, smbclient returns NT_STATUS_LOGON_FAILURE if I try to
authenticate with any username. I suspect the problem is linked to the
fact that "getent passwd" and "getent group" just return the Solaris
users and groups, whereas the documentation states that they should
include the Active Directory accounts too.
One other thing that might be wrong is that in all the examples I've
seen online, "wbinfo -u" returns users in the form DOMAIN\user. However,
in our case it simply lists the usernames, no domain is included.
Searching on google, I've found a few people reporting identical
problems, so I'm guessing whatever I've done it's a fairly basic
mistake, but I haven't found any solution to this. Can anybody help out?
This is my first time posting, I've attached the smb.conf and krb5.conf
files but I'm not sure if they will be visible, please let me know if I
need to copy/paste them into a message instead.
thanks,
Ross
-----------------
Ross Smith
Network Manager
Robinson Construction
http://www.robinsons.com