Mauricio Tavares
2011-May-27 20:56 UTC
[Samba] Kerberos, Samba, and XP wanting to map local users with authenticated ones
Ok, I understand if I only have kerberos and windows, if I login as a kerberos user, I better have a local user mapped to it or I will not be able to login. But, now I have samba involved. If I tell it about kerberos server,

    workgroup = LAZYASS
    realm = MY.REALM
    security = ads
    kerberos method = system keytab

shouldn't it see there is local (to samba's server) user bob, principal bob at MY.REALM, and then mount bob's homedir if I try to login as bob? Or am I missing an important step? I did join the xp box to LAZYASS and can see there the fileserver's home fileshare (the only thing I am exporting). But that is as far as I get.

The exact error message I am getting is

"The system cannot log you on due to the following error:

Mapping between account names and security IDs was done."

It almost sounds like it is completely ignoring the samba side of the show.
Jeremy Allison
2011-May-27 22:28 UTC
[Samba] Kerberos, Samba, and XP wanting to map local users with authenticated ones
On Fri, May 27, 2011 at 04:56:25PM -0400, Mauricio Tavares wrote:
> Ok, I understand if I only have kerberos and windows, if I login as a
> kerberos user, I better have a local user mapped to it or I will not
> be able to login. But, now I have samba involved. If I tell it about
> kerberos server,
>
> workgroup = LAZYASS
> realm = MY.REALM
> security = ads
> kerberos method = system keytab
>
> shouldn't it see there is local (to samba's server) user bob,
> principal bob at MY.REALM, and then mount bob's homedir if I try to login
> as bob? Or am I missing an important step? I did join the xp box to
> LAZYASS and can see there the fileserver's home fileshare (the only
> thing I am exporting). But that is as far as I get.
>
> The exact error message I am getting is
>
> "The system cannot log you on due to the following error:
>
> Mapping between account names and security IDs was done."
>
> It almost sounds like it is completely ignoring the samba side of the show.

Do you have winbindd running? You need this to generate the local UNIX userids that Samba will use to represent Windows users.