[Samba] ADS Kerberos Authentication without winbind problem

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Mon Mar 15 15:37:55 GMT 2004

Hello list,

Due to problems with winbind on Solaris I cannot use winbind. Instead I need to get Kerberos authentication from ADS working with a Samba 
member server with local UNIX user accounts.
So to briefly describe my configuration, I have an account in AD and a duplicate account locally on my Samba server which has been initialised with
"smbpasswd -a user password". My Samba server has successfully joined my AD domain and can successfully obtain Kerberos tickets.

This does work in principle, but I have the following problem: in order to get Kerberos authentication I have to use syntax like this on the Windows client:

net use \\bbcwwp-sun24\share /user:bbcwwp-sun24\user

This works perfectly, but because my AD domain is called TESTLAN, if you try and access the Samba share by either of the following methods:

from Windows Explorer, directly accessing the URL "\\bbcwwp-sun24\share"

or from the command line, "net use \\bbcwwp-sun24\share"

They both fail, presumably because it's assuming that the user account is "TESTLAN\user" which will not work (I tried this syntax manually
and it didn't work). Although they fail I have verified that the client is still obtaining a ticket for the Samba server "HOST/bbcwwp-sun24".

Given that I don't expect my users to be using "net use" in order to access data on a Samba share I basically don't have a working solution at
present. Is there anything I can tweak in the Samba config to get round this? Any help much appreciated,

	thanks in advance,  Andy.

