[Samba] Samba and W2K AD

[Thomas Munck Steenholdt]

FitzGerald, AJ wrote:

> Hello All,
>      Your typical problem....I am trying to configure Samba-3.0.2-6.3E
> on RedHat Linux.  I have spent days trying to get this working.  What I
> would like to do is provide the ability to connect to Samba shares from
> Windows, more specific, WinXP.  What I want to avoid is having to manage
> user accounts on both the Windows or AD side and the Unix side, thus
> having authentication handled by AD.  As I understand, to do this you
> set the security in the smb.conf to Domain.  Below I have shown my
> smb.conf file.  So far the only way I have been able to get this to work
> is by setting security=server and password server = ADservername.  I
> have been searching high and low and can't find anything, most all for
> earlier versions of Samba.  One problem is the correct usage of "net
> join"  I have seen is used so many different ways I don't know which is
> correct but I have been successful in adding the samba server to the
> domain using "net join -S ADservername -U adminuserID".  Here is my
> smb.conf...
>  
> [global]
> workgroup = domainname
> realm = domainname.com
> server string = Samba Server
> log file = /var/log/samba/%m.log
> max log size = 50
> security = domain
> password server = ADservername (have also tried *)
> encrypt passwords = yes
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> os level = 33
> wins support = no
> wins server = winsservername
> dns proxy = no
>  
> [Test]
> comment = Home Directories
> browseable = no
> writable = yes
> public = yes
> guest ok = yes
>  
>  
>      When I try to run wbinfo -u , after adding the server to the domain
> successfully, I get "Error looking up domain users."  For kicks if I
> actually try to map to the samba share from an XP desktop I have got one
> of two errors
> - no logon server available....
> or
> - no trust established....
>  
> In the winbind log I get "NT_STATUS_ACCESS_DENIED".  I have even bought
> the O'Reilly book Using Samba, followed the sample setup and still the
> same problem.  Disconcerting I can find concrete answers or examples
> from such an awesome tool once it works.  I am starting to think there
> is a problem on the AD side of things.
>  
> Any help would be greatly appreciated.
> 
>  

What you really want to do is to configure your kerberos, then use
security = ads.
do a kinit administrator at KERBDOMAIN.COM, supply the password and then do
net ads join to join the AD domain...

That should work :o)

Good luck

/Thomas