[Samba] Samba 3.0.10 joining Windows 20003 ADS

Thomas M. Skeren III tms3 at fskklaw.com
Wed Dec 29 01:38:26 GMT 2004


Andrew Zbikowski wrote:
Since smb.conf is a link..let me try.

I've experienced some strange things as well, the question is, can ADS 
users get a share properly?  I had similar probs, but the share works.  
What does net ads testjoin show?

Also in smb.conf you have a passdb backend.  DON'T.

Here's what I use, albeit it is a W2K AD:  (I know some settings are 
default that way, but I have been adjusting them)

        workgroup = (NETBIOS NAME OF AD DOMAIN)
        realm = YOURDOMAIN.COM
        server string = (Info about server)
        netbios name = (NAME YOU WANT TO GIVE YOUR SERVER)
        security = ADS
        client schannel = Auto
        server schannel = Auto
        client signing = Auto
        server signing = Auto
        client use spnego = No
        socket options = TCP_NODELAY
        dns proxy = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = _
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = No
        admin users = (AD Administrator that samba will tell Unix to treat as
                root...be careful here...but it's needed. Multiple users are
                comma separated. The user is added like this {assuming you used
                the winbindd separator I suggested} DOMAIN_user1, DOMAIN_user2)
        algorithmic rid base = 10000
        dos filetimes = Yes
        dos filemode = Yes
        acl compatibility = win2k
        inherit acls = yes
        inherit permissions = yes


>abrams:~# kinit admin@CORP.TCC.INET
>This seems to work just fine.
>
>abrams:~# net ads join "TwinCities\TTAGS\SERVERS"
>[2004/12/28 18:52:20, 0] libads/ldap.c:ads_add_machine_acct(1475)
>  Warning: ads_set_machine_sd: Unexpected information received
>Using short domain name -- CORP
>[2004/12/28 18:52:23, 0] libads/kerberos.c:get_service_ticket(335)
>  get_service_ticket: kerberos_kinit_password
>TTLNX01$@CORP.TCC.INET@CORP.TCC.INET failed: Client not found in
>Kerberos database
>Segmentation fault
>
>That doesn't work. I look in Active Directory Users & Computers and
>there is a new computer account in the correct location however.
>
>Looking at that output, it seems to be trying to create a client named
>TTLNX01$@CORP.TCC.INET@CORP.TCC.INET. That doesn't seem right, it
>should be just TTLNX01$@CORP.TCC.INET right? What would be causing
>that extra @CORP.TCC.INET to be added?  Or is it supposed to be that
>way?
>
>I have no /etc/krb5.conf, as according to the Official Samba HOWTO it
>is not required.
>"With both MIT and Heimdal Kerberos, it is unnecessary to configure
>the /etc/krb5.conf, and it may be detrimental."
>
>As kinit works, it definitely doesn't seem like I need an /etc/krb5.conf.
>
>Not sure if this list allows attachments, so my smb.conf is at
>http://www.ringworld.org/~zibby/stuff/linux/smb.txt
>
>The host system is Debian Testing (Sarge) running 2.4.27 on an Alpha
>processor, using the packages for sarge.
>
>If anyone knows how to resolve this, please please please let me know.
>If you need/want more details, just ask.
>
>  
>
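
A small checker for the two points the reply makes about smb.conf on an ADS member (no passdb backend; admin users entries are root-equivalent and have to be written with the configured winbind separator), as an added example that is not part of the original thread. The sample file, the CORP names and the function names are constructed for illustration.

```python
import re

# Constructed sample input, modelled on the settings quoted in the reply.
SAMPLE = """\
[global]
        workgroup = CORP
        security = ADS
        passdb backend = tdbsam
        winbind separator = _
        admin users = CORP_admin1, CORP\\admin2
"""

def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return "".join(name.lower().split())

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)   # only the first '=' is significant
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    p, findings = parse_global(text), []
    ads = p.get("security", "").lower() == "ads"
    if ads and "passdbbackend" in p:
        findings.append("passdb backend is set on an ADS member")
    sep = p.get("winbindseparator", "\\")     # Samba's default separator is a backslash
    prefix = (p.get("workgroup", "") + sep).upper()
    users = [u.strip() for u in p.get("adminusers", "").split(",") if u.strip()]
    for user in users:                        # comma separated, as in the reply
        findings.append(f"admin users: {user} is treated as root")
        if ads and not user.upper().startswith(prefix):
            findings.append(f"admin users: {user} does not start with {prefix}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
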


