[Samba] ADS users on RedHat 9 Samba 3

BWoodley at datanat.com BWoodley at datanat.com
Mon Oct 13 19:41:27 GMT 2003


I'm having the toughest time getting this to work... I have a windows 2000
domain and i'm in the process of adding a Samba fileserver... All of the
setup guides i have seen point me in the right direction, but fail to
provide assistance for my single problem...

basically i've figured out that if i have security = share. I can run the
getent passwd command and see the domain accounts in the list! thats
great!!! but if i have security = ads, then the users disappear when i run
the command. and i have to have a matching user account in linux to access
the shares at all, and thats just plain silly!!!

I do see one error in the log.winbindd but i am unable to get past it.


[2003/10/13 14:52:28, 1] nsswitch/winbindd.c:main(832)
  winbindd version 3.0.0 started.
  Copyright The Samba Team 2000-2003
[2003/10/13 14:52:29, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain DATANAT DATANAT.COM
[2003/10/13 14:52:29, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)
[2003/10/13 14:52:29, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list

I did kinit, net ads join, and can test via wbinfo & smbclient... all is
well!!! just no getent passwd or groups

I also don't see the kerberos error when winbindd starts in share mode...

Where can I look? HELP!!!

I've included my smb.conf, krb5.conf, and ldap.conf below... The nsswitch.conf is
set up and so are the PAM modules

SMB.CONF

# Samba 3.0.0 Active Directory member server, [global] section as posted.
[global]
        workgroup = DATANAT
        realm = DATANAT.COM
        server string = Linux File Server
        security = ads
        encrypt passwords = yes
        # A single DC is named here with no fallback; if it is unreachable
        # there is nowhere else to authenticate against.
        password server = 140.100.10.150
        # NOTE(review): 'domain logons' turns on NT domain-controller logon
        # services, a PDC role. On a security = ads domain member it is
        # normally left off; confirm this is intentional.
        domain logons = yes
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        netbios name = DCLINUX
        guest account = nobody
        # These two are what allow 'getent passwd' / 'getent group' to list
        # domain accounts through winbind, which is the poster's goal.
        winbind enum users = yes
        winbind enum groups = yes
        wins server = 140.100.10.150
        # Domain accounts are presented as DOMAIN+user.
        winbind separator = +
        winbind cache time = 15
        template shell = /bin/bash
        template homedir = /home/%D/%U
        # NOTE(review): two different ID ranges are given for the same
        # purpose. In Samba 3 'winbind uid/gid' is the older name for
        # 'idmap uid/gid', so only one range can take effect (most likely the
        # one read last). Keep a single range, and pick one that cannot
        # collide with locally created accounts: 500-65535 starts exactly
        # where Red Hat begins allocating UIDs/GIDs for local users, so a
        # winbind-assigned ID could alias a local account in /etc/passwd.
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        idmap uid = 500-65535
        idmap gid = 100-65535

KRB5.CONF

# Kerberos client configuration for the DATANAT.COM realm (Windows 2000 AD KDC).
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DATANAT.COM
 # Explicit kdc/admin_server entries are given under [realms] below, so DNS
 # SRV lookup only acts as a fallback here.
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 # NOTE(review): these limit the client to single-DES enctypes, the weakest
 # the Windows 2000 KDC offers. Also verify these option names are honoured by
 # the installed krb5 library; MIT's [libdefaults] names for this are
 # default_tkt_enctypes / default_tgs_enctypes.
 default_etypes = des-cbc-crc des-cbc-md5
 default_etypes_des = des-cbc-crc des-cbc-md5

[realms]
 DATANAT.COM = {
 # KDC is given by name, admin_server by address. Both should point at the
 # same DC as smb.conf's 'password server' (140.100.10.150); a mismatch is a
 # common source of ticket problems, so confirm dcpdc.datanat.com resolves to it.
 kdc = dcpdc.datanat.com:88
 # NOTE(review): Windows DCs do not run MIT kadmind, so this entry is
 # presumably unused here.
 admin_server = 140.100.10.150:749
 default_domain = datanat.com
}

[domain_realm]
 .datanat.com = DATANAT.COM
 datanat.com = DATANAT.COM
# The [kdc] section configures a local MIT KDC daemon; it is not read by a
# Kerberos client and is harmless on a member server.
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

# Settings consumed by pam_krb5.
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

LDAP.CONF

# nss_ldap / pam_ldap configuration pointing directly at the Active Directory DC.
host 140.100.10.150
base dc=datanat,dc=com
# Schema mappings so nss_ldap can read AD user/group objects; the
# msSFUHomeDirectory attribute indicates the Services for UNIX (SFU) schema
# is in use on the domain.
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uniqueMember Member
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
pam_login_attribute sAMAccountName
pam_filter objectclass=User
# SECURITY: with 'ssl no' the simple bind below, including the bind password,
# and every directory query travel in clear text to port 389. Use
# 'ssl start_tls' (or 'ssl on' together with port 636) so the session is
# encrypted; AD supports both.
ssl no
pam_password ad
ldap_version 3
# SECURITY: the bind identity is the domain Administrator account and its
# plain-text password is stored in a file that nss_ldap normally requires to be
# world-readable; it has also now been published in this public list post.
# Treat the password as compromised and change it. Bind with a dedicated
# read-only account rather than Administrator, and keep any bind password out
# of ldap.conf (nss_ldap's 'rootbinddn' reads it from /etc/ldap.secret, which
# should be mode 0600).
binddn cn=Administrator,cn=Users,dc=datanat,dc=com
bindpw dc030103
port 389

Thanks for the support!!!




