[Samba] Samba 3.5 w/ Active Directory Share Authentication

Baird, Josh jbaird at follett.com
Tue Oct 16 14:13:48 MDT 2012


Hi,

I'm attempting to configure Samba 3.5 to authenticate share access via Active Directory.  I do not wish to authenticate system users against AD, only Samba shares.  I have successfully joined the server to the AD domain, with a few errors:

$ net join -W buildel664 -U jbadmin
Enter jbadmin's password:
Using short domain name -- NA
Joined 'BUILDEL664' to realm 'na.blah.lan'
[2012/10/16 14:50:36.636201,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password BUILDEL664$@NA.FOLLETT.LAN failed: Client not found in Kerberos database
DNS Update for buildel664.corp.xxx.com failed: ERROR_DNS_GSS_ERROR
DNS update failed!

I can't seem to figure out what is causing these errors, but the domain join is successful.  I am able to successfully enumerate groups and users using "wbinfo -g" and "wbinfo -u," although "getent passwd" only returns local users.  I am not sure if this is a problem or not.  While "wbinfo -g" does work, it does not return a listing that includes smb.conf's "winbind separator."  According to docs that I have found, wbinfo should output this separator.  

When I try to assign domain users/groups to a Samba share, I get an error in Samba's logs that the user is not valid.

My smb.conf:

[global]
        workgroup = NA
        realm = NA.XXX.LAN
        security = ads
        template shell = /bin/false
        winbind use default domain = yes
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        # id ranges increased for larger AD environments
        idmap uid = 10000000-50000000
        idmap gid = 10000000-50000000
        encrypt passwords = yes

        server string = Samba Server Version %v

        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 500KB per log file, then rotate
        max log size = 500

        os level = 20
        preferred master = no
        dns proxy = no

        load printers = no
        cups options = raw

[adauth]
        comment = Testing
        path = /adauth
        create mask = 0660
        directory mask = 0770
        writeable = yes
        browseable = yes
        valid users = +"NA+jbadmin"
        guest ok = no

Any ideas how to further troubleshoot?

Thanks,

Josh
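As an added troubleshooting example that is not part of Josh's post: the script below runs offline against two constructed files (an nsswitch.conf and an smb.conf fragment mirroring the settings above, written under $TMPDIR) and checks two things worth confirming on the real server. First, whether the passwd and group lines in /etc/nsswitch.conf list winbind, since without that getent returns only local accounts even while wbinfo -u and wbinfo -g work. Second, how smbd will interpret each valid users entry: per smb.conf(5), a name starting with '+' is resolved only as a UNIX group through getgrnam(), '@' as a NIS netgroup and then a UNIX group, and '&' as a NIS netgroup only; a bare name is a user. Note also that winbind use default domain = yes makes winbind report users and groups of the joined domain without the domain prefix and separator, so wbinfo -g output without '+' is expected with that setting. The file names and function names here are my own and not Samba's.

```shell
#!/bin/sh
# Added example, not from the original post. Offline checks for two symptoms
# from the thread: "getent passwd" showing only local users, and "valid users"
# entries that smbd rejects. Both operate on constructed sample files.

WORK="${TMPDIR:-/tmp}/samba-ad-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed nsswitch.conf whose passwd/group lines do NOT list winbind:
# wbinfo -u still works (it talks to winbindd directly) but getent does not.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files
shadow:     files
group:      files
hosts:      files dns
EOF

# The same file with winbind added to passwd and group lookups.
cat > "$WORK/nsswitch.fixed" <<'EOF'
passwd:     files winbind
shadow:     files
group:      files winbind
hosts:      files dns
EOF

# Constructed smb.conf fragment mirroring the settings in the post.
cat > "$WORK/smb.conf" <<'EOF'
[global]
   workgroup = NA
   security = ads
   winbind use default domain = yes
   winbind separator = +
[adauth]
   path = /adauth
   valid users = +"NA+jbadmin"
EOF

# nss_has_winbind FILE DB: exit 0 if the "DB:" line in FILE names winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# smb_param FILE PARAM: print PARAM's value (first occurrence, any section).
smb_param() {
    awk -v p="$2" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == p) { print val; exit }
        }' "$1"
}

# valid_users_kinds FILE: print "<kind> <name>" per "valid users" token, with
# the kind taken from the smb.conf(5) prefix rules ('+', '@', '&', or none).
# Quoted names containing spaces are not handled by this simple splitter.
valid_users_kinds() {
    for tok in $(smb_param "$1" "valid users"); do
        name=$(printf '%s' "$tok" | tr -d '"')
        case "$name" in
            +*)  echo "unix-group ${name#+}" ;;
            @*)  echo "netgroup-or-group ${name#@}" ;;
            \&*) echo "netgroup ${name#&}" ;;
            *)   echo "user $name" ;;
        esac
    done
}

# report NSSWITCH SMBCONF: print findings; returns 0 only if nothing failed.
# On a live host, confirm each printed name with "wbinfo -n NAME" and
# "getent passwd NAME" or "getent group NAME".
report() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "ok:   $db lookups include winbind"
        else
            echo "FAIL: $db lookups omit winbind; getent $db lists local entries only"
            rc=1
        fi
    done
    sep=$(smb_param "$2" "winbind separator")
    [ -n "$sep" ] || sep='\'
    echo "info: winbind separator is '$sep', use default domain = $(smb_param "$2" "winbind use default domain")"
    valid_users_kinds "$2" | sed 's/^/info: valid users entry -> /'
    return $rc
}

report "$WORK/nsswitch.conf" "$WORK/smb.conf" || echo "one or more checks failed"
```

Running it prints a FAIL for both passwd and group on the constructed nsswitch.conf, and reports the valid users entry as a UNIX group lookup for the name NA+jbadmin, which is the lookup smbd actually performs for that line.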

