  1. #1
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47

    Samba with ADS authentication


    I managed to set this up on a test box, and it is working fine. However, I now have to set it up on a replica of a live system, in a test network, and I have no idea how to troubleshoot it.
    Running samba3-3.4.11-42.el5 on RHEL5.5

    smb.conf has:
    [global]
    workgroup = XXX
    realm = XXX.COM
    security = ads
    # use kerberos keytab = yes

    krb5.conf has:
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = XXX.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

    [realms]
    XXX.COM = {
    kdc = ANIMAL.XXX.COM:88
    # admin_server = animal.example.com:749
    # default_domain = xxx.com
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    And nsswitch has:
    passwd: files winbind
    shadow: files winbind
    group: files winbind

    Here is what I did:
    1. Upgrade samba client from the base version (3.0.X) to 3.4
    2. Install the corresponding server and winbind
    3. Copy nsswitch, smb.conf and krb5.conf to the server.
    4. Ran kinit admin. This worked.
    5. Ran klist. This showed the correct domain token.
    6. Ran kdestroy
    7. Ran "join ads -U admin". This worked.
    8. When I run "net ads testjoin" it says join is ok.

    HOWEVER, when I try to browse to the server, it pops up a login box. When I check the logs it is giving:
    check_ntlm_password: Checking password for unmapped user [XXX]\[brian]@[soundwave] with the new password interface

    So it's not mapping the users to ADS.

    I have no idea how I managed to get it working on the other system.

    I have obviously forgotten something.

  2. #2
    Just Joined!
    Join Date
    Mar 2008
    Posts
    47
    I can see the users and groups with wbinfo -g and -u.

    Why is samba not using winbind to look up the user?
