[Samba] ADS member server w/ winbind on debian sarge

Noah Dain noahdain at gmail.com
Sun Jun 19 22:21:57 GMT 2005

ok, i've been buggering on and off with this for way too long now. 
I'm just plain stuck.

The objective is to get full authentication working for a samba
machine by integrating it into and existing AD system as a member

The domain is windows 2003, in native mode.  There are two domain controllers.

The samba box is running debian sarge, using only the official sarge
packages.  (samba 3.0.14a-3, MIT kerberos 1.3.6-2)

I followed the Samba3 By Example, chapter 7.  I can join the domain
via 'net ads join' and all the tests seem to work, meaning:

  getent passwd|group
  wbinfo u|g
  wbinfo --sequence
  wbinfo -a username%passwd
  wbinfo -t
  kinit & klist
  net ads status|user|group|info|testjoin

all succeed.

dns is working properly.  I've even tried with/without hosts files.

The samba machine syncs time to one of the domain controllers.

I can create files and chown/chgrp them to domain user and group accounts.

I can create a share made writeable for the 'domain users' group and
have various 'domain users' create files in there.

However, I cannot log onto the samba machine using a domain account,
and when i attempt to access home directories of domain accounts
hosted on the samba machine, i keep getting prompted for a password
(and no passwords work).

I created the home directories and then chown'd them to the
DOMAIN+user and chgrp'd them to the domain user's primary group.

so, without further delay, the /etc/samba/smb.conf:

    unix charset = LOCALE
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    security = ADS
;    auth methods = winbind guest sam
    password server = dc1.domain.local
    username map = /etc/samba/smbusers
    log level = 3 passdb:2 auth:2 winbind:2
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 0
    printcap name = CUPS
    printing = cups
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind trusted domains only = no
    winbind use default domain = no
    winbind enum users = yes
    winbind enum groups = yes
    template primary group = "Domain Users"
    template shell = /bin/bash
    template homedir = /home/%D/%U
    domain master = no
    local master = yes
    preferred master = no
    os level = 255
    interfaces =
    bind interfaces only = yes

    comment = Home Dirs
    valid users = %S
    read only = No
    browseable = No
;    root preexec = /etc/samba/scripts/mk_sambadir "/home/%D/%U" "%U" "%G"

    path = /test
    comment = samba ads test share
    read only = no
    browseable = yes
    writelist = @"Domain Users"

    comment = SMB Print Spool
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

    comment = Printer Drivers
    path = /var/lib/samba/drivers
    admin users = root, Administrator
    write list = root


    default_realm = DOMAIN.LOCAL
    dns_lookup_kdc = true
    dns_lookup_realm = true

    default_domain = domain.local
    kdc = dc1.domain.local

    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL


passwd:     files winbind
shadow:     files winbind
group:      files winbind

hosts:      files dns wins
networks:   files

services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files
publickey:  files

bootparams: files
automount:  files
aliases:    files

debian uses /etc/pam.d/common-* files to hold pam settings which are
@included into all other pam.d files.


account required    pam_unix.so
account sufficient  pam_winbind.so use_first_pass


auth    required    pam_unix.so nullok_secure
auth    sufficient  pam_winbind.so use_first_pass


password    required    pam_unix.so nullok obscure min=4 max=8 md5
password    sufficient  pam_winbind.so use_first_pass


session required    pam_unix.so
session sufficient  pam_winbind.so use_first_pass

there are security audit entries of the samba machine logging on and
off, using kerberos.


Noah Dain  
noahdain at gmail.com

More information about the samba mailing list