[Samba] User and Groups Problem with ADS (Win2003) and Solaris 10

SAMBA letz_samba at realmspace.com
Sun Dec 4 07:38:41 GMT 2005


Do you need to configure PAM to authenticate through Kerberos?

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com at lists.samba.org
[mailto:samba-bounces+letz_samba=realmspace.com at lists.samba.org] On
Behalf Of Markus.Scheffknecht at t-systems.com
Sent: Tuesday, November 22, 2005 8:12 AM
To: samba at lists.samba.org
Subject: [Samba] User and Groups Problem with ADS (Win2003) and Solaris 10

Hi,

I got samba 2.0.30b running on a Sparc machine with Solaris 10.

I installed

Kerberos 1.4.2
Openldap stable version 20051018

to compile Samba 2.0.30b with ADS.

Looks like Kerberos works:

kinit Administrator at MYDOMAIN.COM
==> works

klist ==> shows ticket

I added the server to the domain:

net join -U Administrator
Joined 'SAMBA' to realm 'MYDOMAIN.COM'

But after that it starts getting weird:

wbinfo -u

Returns the users but no domain in front like I saw in many other
examples:

user1
user2
user3
user4
PC1$
PC2$
PC3$

wbinfo -g

Returns the groups but also no domain in front:

group1
group2
group3


smb.conf:

[global]
        workgroup = MYDOMAIN
        netbios name = SAMBA
        realm = MYDOMAIN.COM
        winbind uid = 10000-15000
        winbind gid = 10000-15000
        winbind separator = +
        winbind use default domain = yes
        security = ADS
        encrypt passwords = Yes
        password server = win2003.mydomain.com
        client use spnego = yes

[test1]
        comment = test1
        path = /smbshares/test1
        public = Yes
        valid users = user1, user2, user3
        writable = YES

[test2]
        comment = test2
        path = /smbshares/test2
        public = Yes
        valid users = @group1
        writable = YES

[test3]
        comment = test3
        path = /smbshares/test3
        public = Yes
        valid users = @group2
        writable = YES


Share test1 works if the user1 exists as a unix user, otherwise ==>
NT_STATUS_LOGON_FAILURE

Share test2 works if the user1 exists as a unix user and is in the group
user1, otherwise ==> NT_STATUS_LOGON_FAILURE

If I use

net groupmap add unixgroup=group2 ntgroup="Administrators"

or

net groupmap add unixgroup=group2 ntgroup="Administratoren"

(I am working on a German Win2003 system)

and try to log on to test3 I get the following error:

tree connect failed: NT_STATUS_ACCESS_DENIED

net user info user1
Administratoren

My guess is that the samba server can't map the windows users to unix
users ==> that is the reason why I can't log on with a user which is not
a unix user.

I guess I have the same problem with the groups: they just can't be
mapped onto new unix groups or onto existing unix groups.

Has anyone any idea why there seems to be this problem? Didn't I
understand the concept, is there a configuration problem, or do I have to
RTFM another 100 times?

Greetings

Max Mustermann

 

 

Other configuration files

krb5.conf:

[libdefaults]
        default_realm = MYDOMAIN.COM

[realms]
        MYDOMAIN.COM = {
                kdc = WIN2003.MYDOMAIN.COM
                default_domain = MYDOMAIN.COM
        }

[domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        pam = {
                ticket_lifetime         = 1d
                renew_liftime           = 1d
                forwardable             = true
                proxiable               = false
                retain_after_close      = false
                minimum_uid             = 0
                debug                   = false
        }

        kinit = {
                renewable = true
                forwardable = true
        }

        gkadmin = {
                help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
        }

/etc/nsswitch.conf includes the following entries:

passwd:     files winbind nis
group:      files winbind nis
hosts:      files dns nis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
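The two symptoms in the quoted post (bare names from `wbinfo -u`, and shares only working for accounts that also exist in /etc/passwd) come down to what winbindd is told to do by smb.conf and whether the name service consults it at all. The following checker is an added example and is not code from the post or from the Samba project; it parses a constructed copy of the poster's smb.conf and nsswitch.conf, reports the name form winbindd will hand out for the configured `winbind use default domain` / `winbind separator` settings, and confirms that a uid/gid range exists and that `winbind` is listed for both `passwd` and `group`. The function names and the sample configuration text are assumptions made for this example.

```python
"""Checker for the winbind settings discussed in the post (added example).

Answers two questions from the thread:
  1. Why does `wbinfo -u` print `user1` rather than `MYDOMAIN+user1`?
     With `winbind use default domain = yes`, winbindd drops the domain
     prefix for users of the server's own domain; that output is expected.
  2. Can NSS resolve domain users without local /etc/passwd entries?
     Only if an id range is configured and `winbind` appears in the
     `passwd:` and `group:` lines of nsswitch.conf.
"""
import re

# Constructed sample, copied from the post's configuration (assumption: the
# real file contains nothing else that affects winbind).
SMB_CONF = """
[global]
        workgroup = MYDOMAIN
        netbios name = SAMBA
        realm = MYDOMAIN.COM
        winbind uid = 10000-15000
        winbind gid = 10000-15000
        winbind separator = +
        winbind use default domain = yes
        security = ADS

[test2]
        path = /smbshares/test2
        valid users = @group1
"""

NSSWITCH = """
passwd:     files winbind nis
group:      files winbind nis
hosts:      files dns nis
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Keys are lowercased with internal whitespace collapsed, which mirrors
    Samba's case- and whitespace-insensitive parameter lookup."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # full-line comments only
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def expected_user_name(conf, domain, user):
    """Name winbindd will expose for `user` of `domain` under this config.

    Only the server's own domain (the workgroup) is stripped of its prefix;
    users from other domains keep `DOMAIN<separator>user`."""
    g = conf.get("global", {})
    workgroup = g.get("workgroup", "").upper()
    sep = g.get("winbind separator", "\\")
    if is_true(g.get("winbind use default domain", "no")) and domain.upper() == workgroup:
        return user
    return f"{domain.upper()}{sep}{user}"


def check_idmap_range(conf):
    """Return problems with the uid/gid allocation range; without a usable
    range winbindd cannot turn SIDs into unix ids and NSS lookups fail."""
    g = conf.get("global", {})
    problems = []
    for kind in ("uid", "gid"):
        val = g.get(f"idmap {kind}") or g.get(f"winbind {kind}")
        if not val or not re.fullmatch(r"\s*\d+\s*-\s*\d+\s*", val):
            problems.append(f"no {kind} range (idmap {kind} / winbind {kind})")
            continue
        lo, hi = (int(x) for x in val.split("-"))
        if lo >= hi:
            problems.append(f"{kind} range {val.strip()} is empty")
    return problems


def check_nsswitch(text):
    """Return the databases among passwd/group that do not consult winbind."""
    missing = []
    for db in ("passwd", "group"):
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if line.startswith(db + ":"):
                if "winbind" not in line.split(":", 1)[1].split():
                    missing.append(db)
                break
        else:                                   # no line for this database
            missing.append(db)
    return missing


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print("own-domain user appears as:", expected_user_name(conf, "MYDOMAIN", "user1"))
    print("trusted-domain user appears as:", expected_user_name(conf, "OTHERDOM", "user1"))
    print("id range problems:", check_idmap_range(conf) or "none")
    print("nsswitch databases missing winbind:", check_nsswitch(NSSWITCH) or "none")
```

Run against the post's files the checker reports `user1` for an own-domain user (so the missing prefix is the configured behaviour, not a fault), no id-range problems, and winbind present for both databases; what it cannot see is whether winbindd is actually running and whether the Solaris nss_winbind library is installed, which `getent passwd user1` on the box would answer.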