[Samba] ADS Kerberos Authentication without winbind problem
pubsyssamba at bbc.co.uk
Mon Mar 15 15:37:55 GMT 2004
Due to problems with winbind on Solaris I cannot use winbind. Instead I need to get Kerberos authentication from ADS working with a Samba
member server with local UNIX user accounts.
So to briefly describe my configuration, I have an account in AD and a duplicate account locally on my Samba server which has been initialised with
"smbpasswd -a user password". My Samba server has successfully joined my AD domain and can successfully obtain Kerberos tickets.
This does work in principle, but I have the following problem: in order to get Kerberos authentication I have to use syntax like this on the Windows client:
net use \\bbcwwp-sun24\share /user:bbcwwp-sun24\user
This works perfectly, but because my AD domain is called TESTLAN, if you try and access the Samba share by either of the following methods:
from Windows Explorer directly accessing the URL "\\bbcwwp-sun24\share"
or from command line "net use \\bbcwwp-sun24\share"
They both fail, presumably because it's assuming that the user account is "TESTLAN\user", which will not work (I tried this syntax manually
and it didn't work). Although they fail, I have verified that the client is still obtaining a ticket for the Samba server "HOST/bbcwwp-sun24".
Given that I don't expect my users to be using "net use" in order to access data on a Samba share I basically don't have a working solution at
present. Is there anything I can tweak in the Samba config to get round this? Any help much appreciated,
thanks in advance, Andy.