[Samba] Problems using ADS to validate Windows Network users on a
Samba3 Member Server
James Tullett
JTULLETT at thebritishmuseum.ac.uk
Fri Feb 25 17:45:34 GMT 2005
Dear All:
I made a change to my Samba configuration to enable Solaris ACLs in my
installation of Samba 3.0.11. After that, I lost the ability to permit
domain users to browse the shares.
The server is running Solaris 8 2/04, and Samba is bound against MIT
Kerberos 1.4 and OpenLDAP 2.2.23. It authenticates to two Windows 2000
DCs. I had obtained a Kerberos ticket from the Domain Controllers, and
apparently had successfully joined the Domain and the Kerberos Realm.
When a user not registered on Unix attempts to browse Samba, I see this
sort of information appearing in the log (it is currently running at a
log level of 4).
##----------8<-----------------------------8<------------
[2005/02/25 12:58:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 13:04:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\BLMTESTDC1$ is invalid on this system
[2005/02/25 13:04:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\BLMTESTDC1$ is invalid on this system
[2005/02/25 13:04:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
When I add the user to Unix, I no longer get problems browsing the
share, but I still see log lines related to failure to validate machine
accounts (as may be seen above, below the failure to validate the Win2k
Administrator account).
For example, with my own Unix account:-
pc003533 (172.23.10.17) connect to service WebPages initially as user
jtullett (uid=1002, gid=107) (pid 10800)
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\PC003533$ is invalid on this system
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username BRITISH-MUSEUM\PC003533$ is invalid on this system
I shall spare you the rest of the spnego_kerberos... messages; there
appears to be one per item in the WebPages root directory, which is
large. Below are the global settings in my smb.conf. Could somebody
please tell me what I got wrong?
###--------------------- smb.conf [global only] ----------------------
# Settings applicable to the entire service from this server.
[global]
# workgroup=LOCAL
workgroup=BRITISH-MUSEUM
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#
# Set up template home directories and shells.
# Windows users don't get a real shell (yet)
#
template homedir = /home_area/%D/%U
template shell = /bin/true
wins server = 172.23.10.1
server string = Samba Server %v on %h
security=ADS
realm=LOCAL
encrypt passwords = yes
password server=BLMTESTDC1,BLMBMTESTDC2
### ---------------------------------------------------------
Many Thanks in advance,
--
James Tullett
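
A log-triage sketch for the symptom described in the post above, added here as an example and not part of the original message or of Samba: it tallies the reply_spnego_kerberos "is invalid on this system" entries per account and separates machine accounts (trailing $) from user accounts. The sample lines are constructed in the format quoted in the post, and the names summarize, HEADER, INVALID and SAMPLE are assumptions of this example.

```python
import re
from collections import Counter

# A Samba log entry is two lines: a bracketed header, then the message.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
INVALID = re.compile(r"^Username ([^\\\s]+)\\(\S+) is invalid on this system$")

# Constructed sample in the format quoted in the post; the last header has
# no message line, as in an excerpt that was cut short.
SAMPLE = r"""
[2005/02/25 12:58:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 13:04:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\BLMTESTDC1$ is invalid on this system
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\PC003533$ is invalid on this system
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
"""


def summarize(text):
    """Tally 'is invalid on this system' entries per account, split by kind."""
    counts = {"user": Counter(), "machine": Counter()}
    orphans = 0        # headers that were never followed by a message line
    pending = None     # header match waiting for its message
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            orphans += pending is not None
            pending = header
            continue
        hit = INVALID.match(line)
        if hit and pending and pending.group(4) == "reply_spnego_kerberos":
            domain, account = hit.groups()
            # Machine (computer) accounts carry a trailing "$".
            kind = "machine" if account.endswith("$") else "user"
            counts[kind][domain + "\\" + account] += 1
        pending = None
    return counts, orphans + (pending is not None)


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run against a full log.smbd, the per-account totals show whether the volume comes from a few machine accounts repeating or from many distinct users failing to map.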