[Samba] security = ADS

Rashaad S. Hyndman IslandBwoy at ToughGuy.net
Fri Jul 23 13:10:13 GMT 2004


Here are my conf files

                 ----------------------------------------SMB.conf----------------------
#======================= Global Settings =======================
 
[global]
 
netbios name = smbserver_name
realm = MYREALM.NET

 
   workgroup = mydomain
 

   server string = %h server (Samba %v)
 

password server = addc01.MYREALM.NET 
security = ADS
 
 

   wins support = yes
 

   include = /etc/samba/dhcp.conf

   dns proxy = no
 

    name resolve order = lmhosts host wins bcast
 
#### Debugging/Accounting ####

   log file = /var/log/samba/log.%m
 
# Put a capping on the size of the log files (in Kb).
   max log size = 1000
 
   syslog = 0
    panic action = /usr/share/samba/panic-action %d
 
 
####### Authentication #######

   encrypt passwords = yes

   passdb backend = tdbsam guest
 
   obey pam restrictions = yes
 
   guest account = guest
   invalid users = root

   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 
 
#======================= Share Definitions =======================
 
[homes]
   comment = Home Directories
   browseable = yes
   writable = yes
   preserver case = yes
   short preserve case = yes
 
[public]
  comment = Software and tool downloads
  browseable = yes
  path = /usr/share/public
  writable = no 
  public = yes
 

   writable = no
 
   create mask = 0700

   directory mask = 0700
  
[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700
 
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

===============================

------------------------------krb5.conf--------------------------

==========================================



 [logging]
 default = FILE:/var/log/kerberos/krb5libs.log
 kdc = FILE:/var/log/kerberos/krb5kdc.log
 admin_server = FILE:/var/log/kerberos/kadmind.log
 
[libdefaults]
 default_realm = MYREALM.NET
 
[relams]
 MYREALM.NET= {
  kdc = addc01.MYREALM.NET 
}
 
[domain_realms]
 .addc01.myrealm.net  = MYREALM.NET

==========================================



These are the only files that I have edited to get to this point.  I really appreciate your help.





  ----- Original Message ----- 
  From: Tom Skeren 
  To: Rashaad S. Hyndman 
  Sent: Thursday, July 22, 2004 7:25 PM
  Subject: Re: [Samba] security = ADS


  Rashaad S. Hyndman wrote:

That seems to be an interesting concept but does work in this case for some
reason.  Here is what I did:


C:\Documents and Settings\rshyndman>net use * \\10.55.222.82\public\
System error 67 has occurred.

The network name cannot be found.

Try right clicking on My Computer and use map-network-drive function.



C:\Documents and Settings\rshyndman>ping 10.55.222.82

Pinging 10.55.222.82 with 32 bytes of data:

Reply from 10.55.222.82: bytes=32 time<10ms TTL=64
Reply from 10.55.222.82: bytes=32 time<10ms TTL=64

Interesting thing here is that it says name not found but I can ping both by
name and IP. You think mapping name to IP in the hosts file will help?  Hmmm
:-(

----- Original Message ----- 
From: "Tom Skeren" <tms3 at fskklaw.com>
To: "Rashaad S. Hyndman" <IslandBwoy at ToughGuy.net>
Cc: <samba at lists.samba.org>
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Samba] security = ADS


  Yes I've seen this behavior a LOT.  I've replied to it.  For some
reason, the Samba when joined to ads needs to be contacted for shares by IP
addy.  The XP shares then authenticate properly.

Try \\ipaddy-samba-server\share-name.  If you connect, do a netstat -an
on the samba server.  You'll see the XP box connected to port 445.  I
suspect that in an ads environment, the XP boxes default to connecting
to shares on 445.  I suspect smbd, or nmbd are mishandling this when
netbios names are used.

Rashaad S. Hyndman wrote:

Hi all,

I've been fighting with joining my samba server (debian) to my active
directory domain for 4 days now.  The problem here is that users in my
active directory domain on windows machines are not able to browse my samba
shares without being prompted for authentication.

I can:
- Join the domain from samba server using net ads
- View list of tickets when browsing window shares with klist
- list window shares without being prompted with "smbclient -k -L
  <windows_servername>"

I can NOT:
- use "net use * \\<smb_servername>\share" from window based machine.
  (this results in "The password or user name is invalid for
  \\delshare\public" (delshare being my samba server name))

I have no clue what to do from here. I've looked over my smb.conf file 20
times likewise my krb5.conf file

Any suggestions would be greatly appreciated. I've run out of tests.

R.
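
Added example, not part of the original thread: a small lint for krb5.conf section headers such as those in the file posted at the top of this message, which also checks that default_realm has an entry under [realms]. The section list is taken from the MIT krb5 documentation for krb5.conf and kdc.conf (an MIT-style parser is assumed); the sample text is constructed from the posted headers, and the names parse_sections and lint are hypothetical.

```python
import difflib
import re

# Section names from the MIT krb5 docs for krb5.conf and kdc.conf (assumed parser).
KNOWN_SECTIONS = sorted({"libdefaults", "realms", "domain_realm", "capaths",
                         "appdefaults", "plugins", "logging", "kdcdefaults",
                         "dbdefaults", "dbmodules", "otp"})

# Constructed sample built from the section headers in the posted krb5.conf.
SAMPLE = """[libdefaults]
 default_realm = MYREALM.NET
[relams]
 MYREALM.NET= {
  kdc = addc01.MYREALM.NET
}
[domain_realms]
 .addc01.myrealm.net  = MYREALM.NET
"""

def parse_sections(text):
    """Return {section: {top-level key: value}}; nested {...} bodies are skipped."""
    sections, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:
                sections[current][key] = value
            depth += (value == "{")  # an opening brace starts a nested block
    return sections

def lint(text):
    """Flag unknown section names and a default_realm missing from [realms]."""
    sections, findings = parse_sections(text), []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            hint = difflib.get_close_matches(name, KNOWN_SECTIONS, n=1) or ["none"]
            findings.append(f"unknown section [{name}]; closest known: {hint[0]}")
    realm = sections.get("libdefaults", {}).get("default_realm")
    if realm and realm not in sections.get("realms", {}):
        findings.append(f"default_realm {realm} has no entry under [realms]")
    return findings
```

Calling lint(SAMPLE) returns one finding per unrecognised header plus the missing [realms] entry; for smb.conf, Samba's own testparm reports unknown parameters in the same way.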


      
    

  

