[Samba] Winbind & idmap_ad plugin: Debian kerberos-related problems fixed

Andrew Bartlett abartlet at samba.org
Tue Feb 24 21:44:26 GMT 2004


On Wed, 2004-02-25 at 00:59, JonR wrote:
> Slowly making progress with Active Directory integration. I have Samba 3.0.2
> as an ADS member, and I can see shares, including user home directories. My
> Linux boxes run Debian unstable, and use the PAM and NSS LDAP backends,
> against an Active Directory on Windows 2000 SP4, using the MS Services For
> Unix V2.0 schema updates. PAM-authenticated login, ssh etc. all work fine,
> although I did have to enable anonymous searches of the Active Directory on
> the DC.
> 
> To get this far, I have had to build MIT Kerberos 1.3.1 from source (Debian
> only has v 1.3 packaged at the moment). This fixed problems with the RC4 hash
> that stopped anything from working. I use a completely minimal krb5.conf:
> 
> [libdefaults]
>         default_realm           = XXX.XXX.XXX.XXX
> 
> [realms]
>         XXX.XXX.XXX.XXX = {
>                 kdc = 192.168.0.2
>         }
> 
> However, my final problem is that users cannot write to files in their home
> directories. I gather the way to fix this is to use Luke's idmap_ad plugin
> from PADL, so I built that (for Debian you also need to at least configure a
> Samba source tree somewhere - I apt-get the source, and killed the build
> after the configuration). Now, I have winbindd using the idmap-ad plugin,
> and wbinfo can convert SIDs to UIDs. (wbinfo -n jonr gets the SID, and
> wbinfo -S <sid> gets the uid).
> 
> BUT: I still get permission denied trying to create new files or delete
> existing ones in user home directories from a Windows XP SP1 client:
> 
> [2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
>   change_to_user uid=(1001,1001) gid=(0,500)


Is that the right user? If so, then this is just a matter of Unix file
permissions, or possibly smb.conf settings (i.e., it looks like you have IDMAP working).

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
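
The two checks suggested in the reply above (is this the right user, and do the Unix permissions allow the write), as an added example that is not part of the original messages or of Samba. It assumes each pair in the `change_to_user` line is (real, effective); the function names, the expected uid and the directory mode/owner values passed in are constructed for illustration.

```python
import re
import stat

# Constructed sample: the level-5 smbd debug line quoted in the message above.
SAMPLE = "  change_to_user uid=(1001,1001) gid=(0,500)"
_PAT = re.compile(r"change_to_user uid=\((\d+),(\d+)\) gid=\((\d+),(\d+)\)")


def parse_change_to_user(line):
    """Return the ids from the debug line, or None.

    Assumption: each pair is (real, effective).
    """
    m = _PAT.search(line)
    if m is None:
        return None
    ruid, euid, rgid, egid = (int(g) for g in m.groups())
    return {"ruid": ruid, "euid": euid, "rgid": rgid, "egid": egid}


def dir_write_class(mode, owner_uid, owner_gid, euid, egid, groups=()):
    """Classic Unix check for creating/deleting entries in a directory.

    Needs write and search (w+x) on the directory. Exactly one class
    applies: owner, else group, else other. ACLs and the sticky bit are
    not modelled. Returns (allowed, class_used).
    """
    if euid == 0:
        return True, "root"
    if euid == owner_uid:
        cls, need = "owner", stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid == egid or owner_gid in groups:
        cls, need = "group", stat.S_IWGRP | stat.S_IXGRP
    else:
        cls, need = "other", stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need, cls


def diagnose(line, expected_uid, mode, owner_uid, owner_gid):
    """expected_uid is the uid idmap should give (e.g. from wbinfo -S)."""
    ids = parse_change_to_user(line)
    if ids is None:
        return "no change_to_user line found"
    if ids["euid"] != expected_uid:
        return "wrong user: smbd runs as uid %d, expected %d" % (ids["euid"], expected_uid)
    ok, cls = dir_write_class(mode, owner_uid, owner_gid, ids["euid"], ids["egid"])
    if ok:
        return "permissions allow writes (%s class); check smb.conf" % cls
    return "denied by %s permissions %o" % (cls, stat.S_IMODE(mode))
```

On a live system the `mode`, `owner_uid` and `owner_gid` arguments would come from `os.stat()` on the home directory.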