Hi everybody!

I'm trying to implement a Samba server with Kerberos and auth on the AD. I installed all the programs and configured everything. I joined my Samba to my win2003 domain, and I did all the tests to see if it was working well. But when I try to access my Samba shares from an XP station using AD auth, it asks for a user and pass, but when I enter them, it does not work.

How can I configure all the config files so that my XP station connects to Samba with AD auth?

TNX !!!

Ps.: Excuse me for my English!

--
Atte,
Hélio Calaça Filho

Hi Helio,

I recently installed the same under Debian etch. The same configuration files from Sarge didn't work and I had to do some tweaking.

Anyway, you might first try to comment out the line with valid users to see if it works with no restrictions. If so, then you know the problem might be there.

Which Linux distro are you using? Samba version?

Miguel

I didn't! I have not created any local user. But I have not tried to change the valid user option to @domain+group yet.

2008/2/29, Patrick G. Victoriano <pgvictoriano@ftcp.ten.fujitsu.com>:
> Did you create a local user with the same domain account?
>
> -Trik
>
> -----Original Message-----
> From: samba-bounces+pgvictoriano=ftcp.ten.fujitsu.com@lists.samba.org [mailto:samba-bounces+pgvictoriano=ftcp.ten.fujitsu.com@lists.samba.org] On Behalf Of Miguel Gonzalez
> Sent: Friday, February 29, 2008 6:36 AM
> To: Helio Calaça Filho; samba@lists.samba.org
> Subject: Re: [Samba] SAMBA + KERBEROS + AD
>
> In my case, changing in valid users DOMAIN+group or DOMAIN+user to @DOMAIN+group solved the issue
>
> Miguel
>
> --- Helio Calaça Filho <helio.calaca@gmail.com> wrote:
>
> > I use samba 3.0.23c-2 and Red Hat Enterprise 5.
> >
> > When I use my shares with guest configuration, all domain users work well.
> > Just in ADS configuration it does not work.
> >
> > What can I do?

--
Atte,
Hélio Calaça Filho

SMB.CONF

# Samba config file created using SWAT
# from 10.10.15.33 (10.10.15.33)
# Date: 2008/03/04 13:39:37

[global]
    workgroup = SAMBA
    realm = SAMBA.COM
    server string = Test Server
    security = ADS
    log level = 4
    log file = /local/samba/var/%m.log
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    veto files = /.exe/*mp3*/

#[homes]
#    comment = Personal Directory
#    read only = No
#    browseable = No

[teste]
    comment = Test Directory
    path = /teste
    valid users = SAMBA #Ps.: SAMBA string here it's the domain, to can accept all domain users
    read only = No
    veto files = /*.exe/*mp3*/

[commom_ad]
    comment = Common Directory
    path = /comum_ad
    force user = smbtest
    read only = No
    guest ok = Yes

----------------------------------------------------------------------

NSSWITCH.CONF

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns winbind

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

----------------------------------------------------------------------

[root@redh lib]# ll libnss_winb*
-rwxr-xr-x 1 root root  18588 Fev 26 12:51 libnss_winbind.so
lrwxrwxrwx 1 root root     22 Fev 27 17:25 libnss_winbind.so.2 -> /lib/libnss_winbind.so
-rwxr-xr-x 1 root root 892632 Set  1  2006 libnss_wins.so.2

----------------------------------------------------------------------

[root@redh lib]# ps -A
  PID TTY          TIME CMD
28736 ?        00:00:10 nmbd
28737 ?        00:00:00 winbindd
28738 ?        00:00:00 winbindd
28739 ?        00:00:00 smbd
28742 ?        00:00:00 smbd
28758 ?        00:00:00 winbindd
29019 ?        00:00:00 winbindd
31715 ?        00:00:00 smbd

----------------------------------------------------------------------

[root@redh lib]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[teste]"
Processing section "[comum_ad]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

----------------------------------------------------------------------

[root@redh lib]# net ads join -U Administrator
suporte's password:
Using short domain name -- SAMBA
Joined 'REDH' to realm 'SAMBA.COM'

----------------------------------------------------------------------

All correct, apparently. But when I try to access my Samba shares using my WinXP station (logged in to the ADS domain), the Samba server asks for a user and pass. I enter any ADS user and I can't. Where am I wrong?

See ya!

Atte,
Hélio Calaça Filho

But do I have to try with the "+" symbol, just like this example?

SAMBA+Administrator

or do I have to try it this way

SAMBAAdminitrator

???

--
Atte,
Hélio Calaça Filho

Helio Calaça Filho wrote:
> But i have to try with the "+"symbol, just like this exemple?
>
> SAMBA+Administrator
>

As per your smb.conf from the earlier post you should try with SAMBA\Administrator. If you want to use SAMBA+Administrator, you should specify "winbind separator = +" in your smb.conf.

--Sadique

> or
> i have to try like this way
>
> SAMBAAdminitrator
>
> ???

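Added example, not part of the thread: a Python check of each share's `valid users` entries against the configured `winbind separator`, run over the relevant lines of the smb.conf as they appear in the post and over a constructed revision that combines the two suggestions above. The group name `staff` and the function names are hypothetical.

```python
import re

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; only whole-line comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint_valid_users(text):
    """Return (share, entry, problem) for each suspicious valid users entry."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    sep = glob.get("winbind separator", "\\")  # backslash is Samba's default
    domain = glob.get("workgroup", "").upper()
    findings = []
    for share, params in conf.items():
        entries = re.findall(r'[@+&]*"[^"]*"|[^,\s]+', params.get("valid users", ""))
        for entry in entries:
            if entry.startswith("#"):  # smb.conf has no trailing comments
                findings.append((share, entry, "comment text parsed as value"))
                break
            name = entry.lstrip("@+&").strip('"')  # drop group prefix, quotes
            if domain and name.upper() == domain:
                findings.append((share, entry, "bare domain name read as a user name"))
            elif sep not in name and re.search(r"[\\+/]", name):
                findings.append((share, entry, "separator is not the winbind separator"))
    return findings

# The relevant lines of the smb.conf as posted in the thread.
POSTED = """[global]
workgroup = SAMBA
[teste]
valid users = SAMBA #Ps.: SAMBA string here it's the domain, to can accept all domain users
"""
# Constructed revision; the group name "staff" is hypothetical.
REVISED = """[global]
workgroup = SAMBA
winbind separator = +
[teste]
valid users = @SAMBA+staff
"""
print(lint_valid_users(POSTED), lint_valid_users(REVISED))
```

The posted `[teste]` share yields two findings (the bare `SAMBA` entry and the `#Ps.:` text), and the revision yields none.
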
Helio,

have you tested nsswitch with `getent passwd`?

It should return

root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
... etc
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
EDITORA\administrator:*:10000:10000:Administrator:/home/EDITORA/administrator:/bin/false
EDITORA\guest:*:10001:10001:Guest:/home/EDITORA/guest:/bin/false
etc.

Your domain users must be mapped to Linux users, with "winbind uid", which you have in your smb.conf.

If getent does not return domain users at all but wbinfo -u does, the problem is with libnss_winbind.so.

I download source code into /lib/usr/apps/whatsappname, so my samba is in /usr/local/apps/samba-3.0.28/ and the correct libnss_winbind.so is /usr/local/apps/samba-3.0.28/source/nsswitch/libnss_winbind.so. Copy this file over /lib/libnss_winbind.so and

$ cd /lib
$ ln -s libnss_winbind.so libnss_winbind.so.2

and then getent passwd again; this should do the trick.

tks
Ciro

On Wed, Mar 5, 2008 at 4:05 PM, Helio Calaça Filho <helio.calaca@gmail.com> wrote:
> But i have to try with the "+"symbol, just like this exemple?
>
> SAMBA+Administrator
> or
> i have to try like this way
>
> SAMBAAdminitrator
>
> ???
>
> --
> Atte,
> Hélio Calaça Filho
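Added example, not part of Ciro's message: the `wbinfo -u` versus `getent passwd` comparison described above, written as a Python function over captured command output. The `wbinfo -u` sample is constructed, the getent lines are taken from the reply, the uid range is the `idmap uid` value from the posted smb.conf, and the function names are hypothetical.

```python
def parse_passwd(getent_output):
    """Map login name -> uid for every well-formed passwd line."""
    users = {}
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0].lower()] = int(fields[2])
    return users

def diagnose_nss(wbinfo_users, getent_output, uid_range=(10000, 20000)):
    """Compare the names from `wbinfo -u` with what `getent passwd` resolves."""
    low, high = uid_range  # assumption: idmap uid = 10000-20000, as posted
    winbind = {u.strip().lower() for u in wbinfo_users.splitlines() if u.strip()}
    nss = parse_passwd(getent_output)
    missing = sorted(winbind - set(nss))
    out_of_range = sorted(u for u in winbind & set(nss)
                          if not low <= nss[u] <= high)
    if not winbind:
        verdict = "winbind"  # winbindd lists no users: check the join and winbindd
    elif len(missing) == len(winbind):
        verdict = "nss"      # libnss_winbind.so or nsswitch.conf is not in effect
    elif missing or out_of_range:
        verdict = "idmap"    # some users unmapped or outside the idmap uid range
    else:
        verdict = "ok"
    return {"verdict": verdict, "missing": missing, "out_of_range": out_of_range}

# Constructed `wbinfo -u` output for the domain used in the reply.
WBINFO_SAMPLE = r"""EDITORA\administrator
EDITORA\guest
"""
# Lines taken from the getent output quoted in the reply.
GETENT_WITH_DOMAIN = r"""root:x:0:0::/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
EDITORA\administrator:*:10000:10000:Administrator:/home/EDITORA/administrator:/bin/false
EDITORA\guest:*:10001:10001:Guest:/home/EDITORA/guest:/bin/false
"""
# Constructed: the same host when NSS returns local accounts only.
GETENT_LOCAL_ONLY = r"""root:x:0:0::/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
"""

if __name__ == "__main__":
    print(diagnose_nss(WBINFO_SAMPLE, GETENT_WITH_DOMAIN))
    print(diagnose_nss(WBINFO_SAMPLE, GETENT_LOCAL_ONLY))
```
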