[Samba] Can't map group domain share from ADS

G Sly gdssly1 at yahoo.com
Fri Feb 11 18:52:28 GMT 2005

I've set up the following and can open a home share
for me (sylveg). I've created a group on W2KADS and on
OURSAMBALINUX called oadmin and added me as a member
in both. I created a samba share called o_drive (see
smb.conf below) w/ the linux dir /home/o_drive and
valid users = %D+oadmin. The /home dir is:
drwxr-xr-x  2 root   root    4096 2004-09-03 15:16
drwx------  2 root   root   16384 2005-02-03 07:55
drwxrwxrwx  2 root   oadmin  4096 2005-02-10 11:15
drwx--x--x  2 sylveg users   4096 2005-02-10 12:00

In the security tab of W2KADS OURSAMBALINUX account I
gave sylveg and oadmin full rights.

I haven't run "net groupmap" (do I need to?)

When I try to map to \\OURSAMBALINUX IP\o_drive from
my W2K workstation (joined to the domain as sylveg), I
get prompted for username and password. Log (level 3)
file shows:
user 'sylveg' (from session setup) not permitted to
access this share (o_drive)

I also would like to know how to set up automatic user
and group creation from the W2KADS to OURSAMBALINUX. I
tried what I found so far (add machine script =
/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M
%u) in smb.conf, but it doesn't work.


Slackware/Samba server = OURSAMBASERVER
HP570ML G3 w/Compaq Smart array 640
Slackware 10.1
2.4.29 kernel
Scsi.s boot kernel
Add entries to /etc/hosts
Samba machine
/etc/hosts               localhost        
(our W2KADS IP)         W2KADS           
Windows Active Directory server
(%Systemroot%\System32\drivers\etc\hosts)               localhost        
(our W2KADS IP)         W2KADS           
# etc/resolv.conf
search          OURORG.OURDOMAIN.ORG
domain          OURORG.OURDOMAIN.ORG
nameserver      OURNAMESERVER1
nameserver      OURNAMESERVER2
nameserver      OURNAMESERVER3
nameserver      OURNAMESERVER4
nameserver      (our W2KADS IP)
# date (MMDDHHMM) same time as W2KADS
(syncs OURSAMBALINUX time to W2KADS server)
Kerberos krb5-1.4
# more /etc/krb5.conf
# (the bracketed [section] headers were dropped by the list archive and are
#  restored here from the standard krb5.conf layout)
[libdefaults]
        default_realm = OURORG.OURDOMAIN.ORG

[realms]
        OURORG.OURDOMAIN.ORG = {
                kdc  = W2KADS.OURORG.OURDOMAIN.ORG:88
                admin_server =
                default_domain = OURORG.OURDOMAIN.ORG
        }

[domain_realm]
        .ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG
        ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

# /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
hosts:          files dns wins
networks:       files dns
services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files
automount:      files
aliases:        files
OpenLDAP openldap-2.2.23
(Loaded for libraries)
      #make depend
      #make test
      #make install
# kinit administrator@OURORG.OURDOMAIN.ORG
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OURORG.OURDOMAIN.ORG
Valid starting     Expires            Service
01/10/05 10:36:06  01/10/05 20:37:39  krbtgt/
        renew until 01/10/05 10:36:06
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Samba 3.0.11
(patch for clitar error: #patch -p0 < clitar.patch)
Build from source so it picks up krb5 and ldap
# ./configure --with-acl-support
      #make install
      #make installbin
      #make installman
# cp
# cp /usr/local/samba/sbin/* /usr/sbin
# cp /usr/local/samba/bin/* /usr/bin
Check w/  #smbd -b|grep KRB
And       #smbd -b|grep LDAP
Set up as a member server in smb.conf
# /usr/local/samba/lib/smb.conf
# (the bracketed [section] headers were dropped by the list archive and are
#  restored here; the post does not give the name of the /home/public share,
#  so [public] is assumed)
# Global parameters
[global]
        unix charset = LOCALE
        workgroup = OURORG
        netbios name = OURSAMBALINUX
        realm = OURORG.OURDOMAIN.ORG
        server string = OURORG Samba linux
        security = ADS
        password server = W2KADS.OURORG.OURDOMAIN.ORG
        username map = /etc/samba/smbusers
        log level = 3
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        ldap ssl = no
        idmap uid = 10000-90000
        idmap gid = 10000-90000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind separator = +

[public]
        comment = Data
        path = /home/public
        read only = No

[homes]
        comment = Home Directories
        path = /home/%U
        valid users = %S
        read only = No
        browseable = No

[o_drive]
        comment = o_drive
        path = /home/o_drive
        valid users = @%D+oadmin
        inherit permissions = Yes
        read only = no
#       force user = smbuser
#       force group = nobody
No errors
# net ads testjoin
# net ads join -Uadministrator%password
(echos back)
Using short domain name -- OURORG
Check the box on ADS for this server trust
Start the Samba SMB file/print server:
# /etc/rc.d/rc.samba start
# winbindd
# more /usr/local/samba/smbusers
root = administrator admin
nobody = guest pcguest smbguest
# smbpasswd -a root
# getent passwd
(list of linux users)
# getent group
(list of linux groups)
# wbinfo -u
(long list of ADS OURORG+users)
# wbinfo -g
(long list of ADS OURORG+groups)
# tdbdump /etc/samba/private/secrets.tdb
# net ads info
# net ads status
(Cool outputs)
On Windoze workstation PC that is joined to W2KADS
From DOS prompt:
C:\>net use * \\(OURSAMBALINUX-ip address)\share
This maps the next available drive letter to the share
without a password.
# smbclient //W2KADS/c\$ -k
comes back with:
smb: \>
dir - gives you W2KADS dir listing
q - to quit
#wbinfo -t
(echos back)
checking the trust secret via RPC calls succeeded
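The denial quoted above ("user 'sylveg' ... not permitted to access this share") is what Samba logs when a session's user fails the share's `valid users` test. With `winbind separator = +` and `workgroup = OURORG`, the entry `@%D+oadmin` expands to `@OURORG+oadmin`, a group that winbind has to present through NSS under exactly that name; the local Unix group `oadmin` that owns /home/o_drive is a different group unless it has been mapped. The script below is an added example, not part of the original post or of Samba itself: it reproduces the `%D` expansion and the group-membership test against the text that `id(1)` prints for a domain user. The `id` output it uses is constructed for the demonstration (uid/gid values in the post's idmap range are invented); on a member server you would feed it the real output of `id OURORG+sylveg`, as the comment at the end shows.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a domain user
# would pass a share's "valid users = @%D+group" line. Samba substitutes the
# workgroup for %D and then asks NSS (here: winbind) whether the user is in
# that group, so the group name it looks for is "OURORG+oadmin", not the local
# Unix group "oadmin".

# Expand the %D substitution the way smb.conf does.
# Usage: expand_valid_users '@%D+oadmin' OURORG   ->  @OURORG+oadmin
expand_valid_users() {
    printf '%s\n' "$1" | sed "s/%D/$2/g"
}

# Strip the leading '@' (or '+', '&') that marks a group entry in valid users.
group_of_entry() {
    printf '%s\n' "$1" | sed 's/^[@+&]//'
}

# Return 0 if the id(1) output in $1 lists group $2 among the user's groups.
# id prints e.g.  groups=10000(OURORG+domain users),10002(OURORG+oadmin)
id_has_group() {
    printf '%s\n' "$1" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed 's/^[0-9]*(//; s/)$//' \
      | grep -Fxq -- "$2"
}

# Return 0 if the user described by id output $1 satisfies
# "valid users = $2" for workgroup $3 (single entry: a group or a user name).
check_valid_users() {
    entry=$(expand_valid_users "$2" "$3")
    case "$entry" in
        @*|+*|\&*) id_has_group "$1" "$(group_of_entry "$entry")" ;;
        *)         printf '%s\n' "$1" | grep -Fq "($entry)" ;;
    esac
}

# Constructed sample id(1) output (uids/gids invented, in the idmap range):
# a domain user who is in the domain group, one who is not, and a user that
# only exists locally with the local "oadmin" group.
SAMPLE_ID_MEMBER='uid=10001(OURORG+sylveg) gid=10000(OURORG+domain users) groups=10000(OURORG+domain users),10002(OURORG+oadmin)'
SAMPLE_ID_NOT_MEMBER='uid=10003(OURORG+other) gid=10000(OURORG+domain users) groups=10000(OURORG+domain users)'
SAMPLE_ID_LOCAL_ONLY='uid=1000(sylveg) gid=100(users) groups=100(users),1001(oadmin)'

report() {
    if check_valid_users "$1" '@%D+oadmin' OURORG; then
        echo "PASS: $2 satisfies valid users = @%D+oadmin"
    else
        echo "DENY: $2 does not satisfy valid users = @%D+oadmin"
    fi
}
report "$SAMPLE_ID_MEMBER"     "domain member OURORG+sylveg"
report "$SAMPLE_ID_NOT_MEMBER" "domain non-member OURORG+other"
report "$SAMPLE_ID_LOCAL_ONLY" "local sylveg with local group oadmin only"

# On the member server (winbindd running, nsswitch.conf listing winbind):
#   check_valid_users "$(id OURORG+sylveg)" '@%D+oadmin' OURORG && echo ok
# If `id OURORG+sylveg` does not show OURORG+oadmin in its groups, the share
# denial is expected; `getent group OURORG+oadmin` shows whether the domain
# group resolves at all.
```

The third sample is the case the post's directory listing hints at: `/home/o_drive` is group-owned by the local `oadmin`, but a user whose only `oadmin` membership is that local group still fails `@OURORG+oadmin`, because the two names never compare equal.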
