[Samba] ADS Kerberos Authentication without winbind problem-*SOLVED*

ww m-pubsyssamba pubsyssamba at bbc.co.uk
Tue Mar 16 16:29:01 GMT 2004


Turned out the whole install was broken when not using winbind, don't know why!?!
Uninstalled Samba 3.0.1, re-compiled from scratch Samba 3.0.2a and everything works
as expected :-)



>> Further to this problem I have found it impossible to get any syntax to successfully mount a Samba 3.0.2 share
with Kerberos authentication using the BSD "mount_smbfs" (on Mac OS X), where this does work without problems 
when the local UNIX account is a Winbind account. Again I see the behaviour where a ticket is obtained by the 
client but somewhere this is not being associated with the local account on the Samba server.
So again I ask, does anyone know how to get the Samba server and client system to treat a Kerberos ticket
such as "user at TESTLAN.BBC.CO.UK" as being associated with local UNIX account "user"?
Is anyone else running Samba as an AD member server without winbind?

	thanks Andy.
<<

Hello list,

Due to problems with winbind on Solaris I cannot use winbind. Instead I need to get Kerberos authentication from 
ADS working with a Samba member server with local UNIX user accounts.
So to briefly describe my configuration, I have an account in AD and a duplicate account locally on my Samba server 
which has been initialised with "smbpasswd -a user password". My Samba server has successfully joined my AD domain
and can successfully obtain Kerberos tickets.

This does work in principle but I have the following problem: in order to get Kerberos authentication I have to use
syntax like this on the Windows client

net use \\bbcwwp-sun24\share /user:bbcwwp-sun24\user

This works perfectly, but because my AD domain is called TESTLAN if you try and access the samba share by either 
of the following methods:

from windows explorer directly accessing the URL "\\bbcwwp-sun24\share"

or from command line "net use \\bbcwwp-sun24\share"

They both fail, presumably because it's assuming that the user account is "TESTLAN\user" which will not work
(I tried this syntax manually and it didn't work). Although they fail I have verified that the client is still 
obtaining a ticket for the Samba server "HOST/bbcwwp-sun24".

Given that I don't expect my users to be using "net use" in order to access data on a Samba share I basically 
don't have a working solution at present. Is there anything I can tweak in the Samba config to get round this? 
Any help much appreciated,

	thanks in advance,  Andy.
