[Samba] Samba and active Directory

Dimitri Yioulos dyioulos at firstbhph.com
Fri May 14 09:47:52 MDT 2010


On Friday 14 May 2010 11:28:05 am Dimitri Yioulos wrote:
> On Friday 14 May 2010 5:11:20 am Andreas Hubert wrote:
> > hi all,
> >
> > yes the good old topic where most people have
> > a problem with :)
> >
> > I have a Windows 2003 Active Directory Server
> > and want users in this directory to be
> > able to log in on a Samba share. The
> > authentication with wbinfo -a user%password
> > works and I already joined the domain with
> > net ads join
> > I am also able to authenticate as a directory
> > user with his directory password, BUT only if
> > this username also exists in the /etc/passwd
> > file. Users whose username is not in the
> > local passwd file cannot log in. I use Samba
> > version 3.0.37 on Solaris 10, here is my
> > smb.conf:
> >
> > [global]
> >         workgroup = ABC
> >         realm = ABC.DE
> >         server string = Samba Server
> >         security = ADS
> >         map to guest = Bad User
> >         password server = ABCDC01.abc.de ABCDC02.abc.de
> >         use kerberos keytab = Yes
> >         log file = /var/log/samba/log.%m
> >         max log size = 50
> >         time server = Yes
> >         os level = 65
> >         local master = No
> >         domain master = No
> >         wins support = Yes
> >         idmap uid = 10000-20000
> >         idmap gid = 10000-20000
> >         winbind separator = +
> >         
> >
> > [test]
> >         comment = test
> >         path = /test
> >
> >         read only = No
> >
> > The user ABC+corpus also exists locally and I
> > am able to log on with his directory password
> > on the share, but not with the user ABC+ahu.
> > If I just do
> > useradd ahu
> > I am able to log on with this user!
> > What am I doing wrong? I also want users
> > from the directory to be mapped to the
> > local user corpus for the access rights and
> > would do this with "force user = corpus" on
> > the share. Would this be right?
> >
> > Thanks for any help
>
> Firstly, did you configure Kerberos properly?
> Next, and I could be wrong on this, but I
> think you need to change:
>
> valid users = ABC+corpus, ABC+ahu
>
> to:
>
> valid users = "@ABC+corpus" "@ABC+ahu"
>
> Dimitri
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.


Oops, sorry on the valid users piece.  What I told 
you applies to groups.  But, since you have:

winbind use default domain = Yes

perhaps you only need to specify the user names 
in "valid users".

Dimitri
