[Samba] Winbind & idmap_ad plugin: Debian kerberos-related problems fixed

Andrew Bartlett abartlet at samba.org
Tue Feb 24 21:44:26 GMT 2004

On Wed, 2004-02-25 at 00:59, JonR wrote:
> Slowly making progress with Active Directory integration. I have Samba 3.0.2
> as an ADS member, and I can see shares, including user home directories. My
> linux boxes run Debian unstable, and use the PAM and NSS LDAP backends,
> against an Active Directory on Windows 2000 SP4, using the MS Services For
> Unix V2.0 schema updates. PAM-authenticated login, ssh etc. all work fine,
> although I did have to enable anonymous searches of the Active Directory on
> the DC.
> To get this far, I have had to build MIT Kerberos 1.3.1 from source (Debian
> only has v 1.3 packaged at the moment). This fixed problems with the RC4 hash
> that stopped anything from working. I use a completely minimal krb5.conf:
> [libdefaults]
>         default_realm           = XXX.XXX.XXX.XXX
> [realms]
>         XXX.XXX.XXX.XXX = {
>                 kdc =
>         }
> However, my final problem is that users cannot write to files in their home
> directories. I gather the way to fix this is to use Luke's idmap_ad plugin
> from PADL, so I built that (for Debian you also need to at least configure a
> Samba source tree somewhere - I apt-get the source, and killed the build
> after the configuration). Now, I have winbindd using the idmap-ad plugin,
> and wbinfo can convert SIDs to UIDs. (wbinfo -n jonr gets the SID, and
> wbinfo -S <sid> gets the uid).
> BUT: I still get permission denied trying to create new files or delete
> existing ones in user home directories from a Windows XP SP1 client:
> [2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
>   change_to_user uid=(1001,1001) gid=(0,500)

Is that the right user?  If so, then this is just a matter of unix file
permissions, or possibly smb.conf settings.  (i.e., it looks like you have IDMAP working)

Andrew Bartlett
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
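As an added diagnostic for the check Andrew suggests (this is not code from the thread or from Samba): a small Python script that takes the quoted change_to_user debug line and the home directory path, and reports which Unix permission class the effective uid/gid smbd switched to falls into and whether that class grants write. It assumes the uid=(a,b) and gid=(c,d) fields are (real,effective) pairs, considers only the effective gid (no supplementary groups) and ignores POSIX ACLs.

```python
import os
import re
import stat
import sys

# Shape of the smbd debug line quoted in the mail; assumed to print
# getuid(),geteuid() and getgid(),getegid() in that order.
LOG_RE = re.compile(r"change_to_user uid=\((\d+),(\d+)\) gid=\((\d+),(\d+)\)")

# Constructed copy of the line from the mail, used as the default input.
SAMPLE_LOG = "  change_to_user uid=(1001,1001) gid=(0,500)"


def parse_change_to_user(line):
    """Return (effective uid, effective gid) from a change_to_user line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a change_to_user line: %r" % line)
    ruid, euid, rgid, egid = (int(x) for x in m.groups())
    return euid, egid


def explain_write_access(st_uid, st_gid, st_mode, euid, gids):
    """Classic mode-bit check: owner class if euid matches, else group class
    if the directory's gid is one of the caller's gids, else 'other'.
    Returns (writable, reason); root bypasses mode bits entirely."""
    if euid == 0:
        return True, "euid 0 bypasses mode bits"
    if euid == st_uid:
        ok = bool(st_mode & stat.S_IWUSR)
        return ok, "uid %d owns it; owner write bit %s" % (euid, "set" if ok else "clear")
    if st_gid in gids:
        ok = bool(st_mode & stat.S_IWGRP)
        return ok, "uid %d is not owner %d but gid %d matches; group write bit %s" % (
            euid, st_uid, st_gid, "set" if ok else "clear")
    ok = bool(st_mode & stat.S_IWOTH)
    return ok, "uid %d is not owner %d and gid %d not in %s; other write bit %s" % (
        euid, st_uid, st_gid, sorted(gids), "set" if ok else "clear")


def check_home(path, log_line=SAMPLE_LOG):
    """Stat the share directory and explain the verdict for the logged ids."""
    euid, egid = parse_change_to_user(log_line)
    st = os.stat(path)
    return explain_write_access(st.st_uid, st.st_gid, st.st_mode, euid, {egid})


if __name__ == "__main__":
    # usage: check_home.py /home/jonr ['  change_to_user uid=(...) gid=(...)']
    writable, why = check_home(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else SAMPLE_LOG)
    print("writable" if writable else "DENIED", "-", why)
```

If the owner uid reported here differs from the uidNumber nss_ldap hands out for the same account (compare with `getent passwd jonr`), the two id sources disagree and that, not the mode bits, is the thing to fix.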
