[Samba] Samba 3 & ADC problem.

Ron Smith rls at cableone.net
Wed Nov 5 09:10:01 GMT 2003


Greetings all.

I am banging my head about this one. I will try to be as specific as
possible; bear with me please.

I have a W2KDC ADC, and am trying to join a Samba 3 Linux workstation to it.

What works:

net join:  succeeded

wbinfo -t:  checking the trust secret via RPC calls succeeded

wbinfo -m: return to prompt, no output

wbinfo -u: correct list of local + AD members

wbinfo -g: correct list of local + AD groups

kinit: succeeded

klist output for root from the samba machine:
Default principal: sambasol@THIS.DOMAIN

Valid starting     Expires            Service principal
11/04/03 23:35:33  11/05/03 09:35:33  krbtgt/THIS.DOMAIN@THIS.DOMAIN
11/04/03 23:37:26  11/05/03 09:35:33  adc1$@THIS.DOMAIN
11/05/03 00:28:14  11/05/03 09:35:33  samba1$@THIS.DOMAIN


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

pam.d/login modified and working
    AD users can log into local terminal of samba
    machine, and if home dir is missing, created
    via use of pam_mkhomedir

telnet/ssh/ftp/etc. all working with local & AD accounts

No accounts in AD overlap linux system accounts

Any Windows (all WinXP Pro or Win2K) client's shares can
    be accessed from the samba/linux system, including any
    dfs from the AD system.  Example:
        smbclient -k //adc1/dfs1
    Succeeds.

Any windows client's shares can be accessed from any other
   windows client, or the AD server.

What DOESN'T work:

Cannot access any samba shares on the linux machine, from
  the samba system itself, or any windows client.

smbclient -k //samba1/tmp
session setup failed: NT_STATUS_LOGON_FAILURE

However, I can do this:
smbclient //samba1/tmp
Enter password when prompted, and access succeeds.

Of course, any windows client cannot access the samba shares at all, cannot
even browse the machine's share list, and it does not show up in Network
Places although all other systems do.

/etc/samba/smb.conf: (edited for brevity)

[global]
        workgroup = THIS
        realm = THIS.DOMAIN
        security = ADS
        netbios name = SAMBA1
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = *
        # IP of ADS
        wins server = 50.50.50.50
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes

[homes]
        comment = Home Directories
        path = %H
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

[tmp]
        comment = Temporary file space
        path = /tmp
        read only = No
        guest ok = Yes

Ron L. Smith





