Samba and Active Directory
Hi,
I have a problem with getting Samba talking to my Active Directory
running on Win2K3. Running Debian testing at the moment, I am
getting the following entries in my log:
uklinux01:/var/log/samba# tail 10.10.10.250
[2005/04/20 13:45:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username Domain\timc is invalid on this system
[2005/04/20 13:45:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username Domain\timc is invalid on this system
And I have set it up like the following:
I set up an entry in my Active Directory for the DNS of the machine.
NTP so that times are the same.
I installed Samba from aptitude (I am on testing - it installed Version
3.0.10-Debian) then tested that I had the right features installed:
smbd -b | grep KRB (Should show the links to Kerberos)
smbd -b | grep LDAP (Should show the features linked to LDAP)
I did the following to my smb.conf:
# Global parameters
[global]
unix charset = LOCALE
workgroup = Domain
realm = Domain.local
server string = Samba 3.0.10-Debian
security = ads
encrypt passwords = yes
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template primary group = "Domain Users"
template shell = /bin/bash
#[homes]
#comment = Home Directories
#valid users = %S
#read only = No
#browseable = No
#[printers]
#comment = SMB Print Spool
#path = /var/spool/samba
#guest ok = Yes
#printable = Yes
#browseable = No
#[print$]
#comment = Printer Drivers
#path = /var/lib/samba/drivers
#admin users = root, Administrator
#write list = root
[fileshare]
comment = IT fileshare
path = /srv/fileshare
valid users = %S
public = yes
writable = yes
browseable = yes
printable = no
create mode = 0644
directory mode = 0755
create mask = 0755
Then I edited /etc/nsswitch.conf :
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files dns
protocols: files
services: files
ethers: files
rpc: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
Ran testparm and it came back OK.
Then I downloaded Kerberos 5.1.4 from MIT
made and installed it. (make install DESTDIR=/usr)
cp krb5.conf /etc/krb5.conf
Edited the realm so it was correct for my Domain
Then joined by doing:
net ads join -U Administrator
and this worked, it joined ok and I could then issue wbinfo -u | less ,
getent groups | less , getent users | less and that is all working fine.
At this point I tried to connect using a Windows box and an Active
Directory login but I don't get anywhere. So I have also tried editing
/etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so use_first_pass
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
But that doesn't help either, and now I am slightly stuck on that error.
I think that I might have an issue with secrets.tdb as it isn't in its
default location of /etc/samba - but then again the Debian build might
default it to /var/lib/samba.
Thanks for any help in advance.
Tim
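
Added example, not part of the original post: a small diagnostic that pulls the names smbd logged as "invalid on this system" out of a log and tests whether each resolves through the passwd database set in /etc/nsswitch.conf, both in the logged form and as the bare user part. The function names and the sample log (constructed to match the excerpt above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the account names smbd rejected and check whether
# NSS (passwd: compat winbind) can resolve them.

# Constructed sample, same shape as the log excerpt in the post.
SAMPLE_LOG='[2005/04/20 13:45:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username Domain\timc is invalid on this system
[2005/04/20 13:45:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username Domain\timc is invalid on this system'

# Read a Samba log on stdin; print each distinct rejected name once.
rejected_names() {
    sed -n 's/^[[:space:]]*Username \(.*\) is invalid on this system[[:space:]]*$/\1/p' |
        sort -u
}

# Strip everything up to the last backslash (the domain prefix as logged).
bare_name() {
    printf '%s\n' "$1" | sed 's/^.*\\//'
}

# Return 0 if the name resolves through the passwd database, 1 otherwise.
resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print "resolved" or "unresolved" for one name.
status_of() {
    if resolves "$1"; then echo resolved; else echo unresolved; fi
}

# Read a log on stdin; report how each rejected name fares in NSS.
check_log() {
    rejected_names | while IFS= read -r name; do
        printf '%s: as logged=%s, bare (%s)=%s\n' \
            "$name" "$(status_of "$name")" \
            "$(bare_name "$name")" "$(status_of "$(bare_name "$name")")"
    done
}

# Run against the constructed sample; on a real host use e.g.
#   check_log < /var/log/samba/10.10.10.250
printf '%s\n' "$SAMPLE_LOG" | check_log
```

If the logged form is unresolved while wbinfo -u lists the account, compare the exact spelling wbinfo prints with the name in the log.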