[Samba] User and Groups Problem with ADS (Win2003) and Solaris 10

SAMBA letz_samba at realmspace.com
Sun Dec 4 07:38:41 GMT 2005

Do you need to configure PAM to authenticate through Kerberos?

-----Original Message-----
From: samba-bounces+letz_samba=realmspace.com at lists.samba.org
[mailto:samba-bounces+letz_samba=realmspace.com at lists.samba.org] On
Behalf Of Markus.Scheffknecht at t-systems.com
Sent: Tuesday, November 22, 2005 8:12 AM
To: samba at lists.samba.org
Subject: [Samba] User and Groups Problem with ADS (Win2003) and Solaris



I got samba 2.0.30b running on a Sparc machine with Solaris 10.


I installed

Kerberos 1.4.2

Openldap stable version 20051018


To compile Samba 2.0.30b with ADS


Looks like Kerberos works


kinit Administrator at MYDOMAIN.COM ==> works

klist ==> shows ticket


I added the server to the domain


net join -U Administrator

Joined 'SAMBA' to realm 'MYDOMAIN.COM'


But after that it starts getting weird:


wbinfo -u


Returns the users but no domain in front like I saw in many other










wbinfo -g


Returns the groups but also no domain in front 










        workgroup =  MYDOMAIN

        netbios name = SAMBA

        realm = MYDOMAIN.COM

        winbind uid = 10000-15000

        winbind gid = 10000-15000

        winbind separator = +

        winbind use default domain = yes

        security = ADS

        encrypt passwords = Yes

        password server = win2003.mydomain.com

        client use spnego = yes




        comment = test1

        path = /smbshares/test1

        public = Yes

       valid users = user1, user2, user3

        writable = YES



        comment = test2

        path = /smbshares/test2

        public = Yes

        valid users = @group1

        writable = YES



        comment = test3

        path = /smbshares/test3

        public = Yes

        valid users = @group2

        writable = YES



Share test1 works if the user1 exists as a unix user otherwise ==>

Share test2 works if the user1 exists as a unix user and is in the group
user1 otherwise ==> NT_STATUS_LOGON_FAILURE


If I use

net groupmap add unixgroup=group2 ntgroup="Administrators"


net groupmap add unixgroup=group2 ntgroup="Administratoren"

(I am working on a german Win2003 System)


And try to log on test3 I get the following error:

tree connect failed: NT_STATUS_ACCESS_DENIED


net user info user1



My guess is that the samba server can't map the windows user to unix
users ==> That is the reason why I can't log on with a user which is not
a unix user

I guess I have the same problem with the groups: they just can't be
mapped into new unix groups or onto existing unix groups


Has anyone any idea why there seems to be this problem? Didn't I
understand the concept, is there a configuration problem, or do I have to
RTFM another 100 times?




Max Mustermann




Other configure files





        default_realm = MYDOMAIN.COM 



        MYDOMAIN.COM = {

                kdc = WIN2003.MYDOMAIN.COM 

                default_domain = MYDOMAIN.COM




        .mydomain.com = MYDOMAIN.COM 

        mydomain.com = MYDOMAIN.COM 



        default = FILE:/var/krb5/kdc.log

        kdc = FILE:/var/krb5/kdc.log

        kdc_rotate = {

                period = 1d

                versions = 10




        pam = {

                ticket_lifetime         = 1d

                renew_lifetime          = 1d

                forwardable             = true

                proxiable               = false

                retain_after_close      = false

                minimum_uid             = 0

                debug                   = false


        kinit = {

                renewable = true

                forwardable= true


        gkadmin = {

                help_url =



/etc/nsswitch.conf includes the following entries:


passwd:     files winbind nis

group:      files winbind nis

hosts:      files dns nis
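
Added example, not part of the original message or of Samba: a small Python check that reads the winbind settings and nsswitch.conf entries quoted above and reports how winbind will present domain account names and whether NSS consults winbind. The [global] section header and the function names are assumptions made for this illustration; the sample input is constructed from the values in the post.

```python
import configparser

# Constructed input: settings quoted in the post. The [global] header is an
# assumption, since section headers are missing from the archived message.
SMB_CONF = """[global]
workgroup = MYDOMAIN
winbind uid = 10000-15000
winbind gid = 10000-15000
winbind separator = +
winbind use default domain = yes
"""
NSSWITCH = """passwd:     files winbind nis
group:      files winbind nis
hosts:      files dns nis
"""

def load_global(text):
    """Return the [global] parameters as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return dict(cp["global"])

def smb_bool(value):
    return value.strip().lower() in ("yes", "true", "1")

def winbind_name(g, account):
    """Name winbind hands to NSS and wbinfo for a domain account."""
    if smb_bool(g.get("winbind use default domain", "no")):
        return account                      # domain prefix is dropped
    return g["workgroup"] + g.get("winbind separator", "\\") + account

def nss_sources(text, database):
    for line in text.splitlines():
        name, _, rest = line.split("#", 1)[0].partition(":")
        if name.strip() == database:
            return rest.split()             # ordered lookup sources
    return []

def audit(smb_text, nss_text):
    g, findings = load_global(smb_text), []
    if smb_bool(g.get("winbind use default domain", "no")):
        findings.append("winbind use default domain: names carry no DOMAIN prefix")
    for key in ("winbind uid", "winbind gid"):
        if key not in g:
            findings.append(f"{key}: no id range, winbind cannot allocate ids")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nss_text, db):
            findings.append(f"nsswitch {db}: winbind is not consulted")
    return findings
```
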


