[Samba] Problems using ADS to validate Windows Network users on a Samba3 Member Server

James Tullett JTULLETT at thebritishmuseum.ac.uk
Fri Feb 25 17:45:34 GMT 2005


Dear All:

I made a change to my Samba configuration to enable Solaris ACLs in my
installation of Samba 3.0.11.  After that, I lost the ability to permit
domain users to browse the shares.

The server is running Solaris 8 2/04, and Samba is bound against MIT
Kerberos 1.4 and OpenLDAP 2.2.23. It authenticates to two Windows 2000
DCs.  I had obtained a Kerberos ticket from the Domain Controllers, and
apparently had successfully joined the Domain and the Kerberos Realm.

When a user not registered on Unix attempts to browse Samba, I see this
sort of information appearing in the log (it is currently running at a
log level of 4).

##----------8<-----------------------------8<------------
[2005/02/25 12:58:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 13:04:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\BLMTESTDC1$ is invalid on this system
[2005/02/25 13:04:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\BLMTESTDC1$ is invalid on this system
[2005/02/25 13:04:44, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)

When I add the user to Unix, I no longer get problems browsing the
share, but I still see log lines related to failure to validate machine
accounts (as may be seen above, below the failure to validate the Win2k
Administrator account).
For example, with my own Unix account:-

  pc003533 (172.23.10.17) connect to service WebPages initially as user
jtullett (uid=1002, gid=107) (pid 10800)
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\PC003533$ is invalid on this system
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\PC003533$ is invalid on this system

I shall spare you the rest of the spnego_kerberos... messages; there
appears to be one per item in the WebPages root directory, which is
large.  Below are the global settings in my smb.conf.  Could somebody
please tell me what I got wrong?

###--------------------- smb.conf [global only] ----------------------
# Settings applicable to the entire service from this server.
[global]
#	workgroup=LOCAL
	workgroup=BRITISH-MUSEUM
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes
	#
	# Set up template home directories and shells.
	# Windows users don't get a real shell (yet)
	#
	template homedir = /home_area/%D/%U
	template shell = /bin/true
	wins server = 172.23.10.1
	server string = Samba Server %v on %h
	security=ADS
	realm=LOCAL
	encrypt passwords = yes
	password server=BLMTESTDC1,BLMBMTESTDC2
### ---------------------------------------------------------
Many Thanks in advance,
--
James Tullett
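
The log excerpts in the message above mix rejected user accounts with rejected machine accounts (names ending in `$`). The following is an added example, not part of the original post: it parses the two-line smbd log layout shown there and counts the `reply_spnego_kerberos` rejections per account, split by account type. The sample log is constructed from lines quoted in the post, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the two-line smbd layout quoted in the post:
# a header line, then an indented message line. The last header has no
# message, mimicking a log that was cut off mid-entry.
SAMPLE_LOG = r"""
[2005/02/25 12:58:40, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 12:58:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\Administrator is invalid on this system
[2005/02/25 13:04:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\BLMTESTDC1$ is invalid on this system
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username BRITISH-MUSEUM\PC003533$ is invalid on this system
[2005/02/25 14:54:21, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)"
)
INVALID = re.compile(
    r"^\s+Username (?P<domain>[^\\]+)\\(?P<account>\S+) "
    r"is invalid on this system"
)

def summarize(log_text):
    """Count 'invalid on this system' rejections per account and type."""
    counts = {"user": Counter(), "machine": Counter()}
    pending = None  # most recent header still waiting for its message line
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            pending = header
            continue
        msg = INVALID.match(line)
        # Count only messages that directly follow a reply_spnego_kerberos
        # header; a header without a message line is ignored.
        if msg and pending and pending["func"] == "reply_spnego_kerberos":
            kind = "machine" if msg["account"].endswith("$") else "user"
            counts[kind][msg["domain"] + "\\" + msg["account"]] += 1
        pending = None
    return counts

if __name__ == "__main__":
    for kind, accounts in summarize(SAMPLE_LOG).items():
        for name, n in accounts.most_common():
            print(f"{kind:8} {n:4} {name}")
```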

