[Samba] User and Groups Problem with ADS (Win2003) and Solaris 10
Markus.Scheffknecht at t-systems.com
Tue Nov 22 16:11:59 GMT 2005
Hi,
I got samba 2.0.30b running on a Sparc machine with Solaris 10.
I installed
    Kerberos 1.4.2
    Openldap stable version 20051018
to compile Samba 2.0.30b with ADS.
Looks like Kerberos works
kinit Administrator@MYDOMAIN.COM ==> works
klist ==> shows ticket
I added the server to the domain
net join -U Administrator
Joined 'SAMBA' to realm 'MYDOMAIN.COM'
But after that it starts getting weird:
wbinfo -u
Returns the users, but with no domain in front like I saw in many other examples:
user1
user2
user3
user4
PC1$
PC2$
PC3$
wbinfo -g
Returns the groups, but also with no domain in front:
group1
group2
group3
smb.conf:
[global]
    workgroup = MYDOMAIN
    netbios name = SAMBA
    realm = MYDOMAIN.COM
    winbind uid = 10000-15000
    winbind gid = 10000-15000
    winbind separator = +
    winbind use default domain = yes
    security = ADS
    encrypt passwords = Yes
    password server = win2003.mydomain.com
    client use spnego = yes
[test1]
    comment = test1
    path = /smbshares/test1
    public = Yes
    valid users = user1, user2, user3
    writable = YES
[test2]
    comment = test2
    path = /smbshares/test2
    public = Yes
    valid users = @group1
    writable = YES
[test3]
    comment = test3
    path = /smbshares/test3
    public = Yes
    valid users = @group2
    writable = YES
Share test1 works if user1 exists as a unix user, otherwise ==> NT_STATUS_LOGON_FAILURE
Share test2 works if user1 exists as a unix user and is in the group user1, otherwise ==> NT_STATUS_LOGON_FAILURE
If I use
net groupmap add unixgroup=group2 ntgroup="Administrators"
or
net groupmap add unixgroup=group2 ntgroup="Administratoren"
(I am working on a german Win2003 System)
and try to log on to test3, I get the following error:
tree connect failed: NT_STATUS_ACCESS_DENIED
net user info user1
Administratoren
My guess is that the samba server can't map the windows users to unix users ==> that is the reason why I can't log on with a user which is not a unix user.
I guess I have the same problem with the groups: they just can't be mapped onto new unix groups or onto existing unix groups.
Has anyone any idea why there seems to be this problem? Didn't I understand the concept, is there a configuration problem, or do I have to RTFM another 100 times?
Greetings
Max Mustermann
Other configuration files:
krb5.conf:
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = WIN2003.MYDOMAIN.COM
        default_domain = MYDOMAIN.COM
    }
[domain_realm]
    .mydomain.com = MYDOMAIN.COM
    mydomain.com = MYDOMAIN.COM
[logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    kdc_rotate = {
        period = 1d
        versions = 10
    }
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        # was misspelled "renew_liftime"; an unknown key is silently ignored
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 0
        debug = false
    }
    kinit = {
        renewable = true
        forwardable = true
    }
    gkadmin = {
        help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
    }
/etc/nsswitch.conf includes the following entries:
passwd: files winbind nis
group: files winbind nis
hosts: files dns nis
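An added diagnostic for the symptom described in this post (it is not part of the post and not Samba's own code): it parses a constructed smb.conf fragment modelled on the one above and reports, per share, which 'valid users' entries do not resolve through NSS, honouring 'winbind separator' and 'winbind use default domain'. The user and group resolvers can be injected for testing; by default it queries the host's real NSS (files, winbind, nis), i.e. the same view smbd gets.

```python
import configparser
import grp
import pwd

# Constructed smb.conf fragment modelled on the post (not the poster's real file).
SMB_CONF = """
[global]
winbind separator = +
winbind use default domain = yes
[test1]
valid users = user1, user2, user3
[test2]
valid users = @group1
"""


def _nss_has(lookup, name):
    """True if an NSS lookup (pwd.getpwnam or grp.getgrnam) knows the name."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def check_valid_users(text, user_exists=None, group_exists=None):
    """Return {share: [entries of 'valid users' that NSS cannot resolve]}.
    smbd checks 'valid users' via NSS (files, winbind, nis...), so an unresolved
    entry never grants access: the NT_STATUS_LOGON_FAILURE case in the post."""
    user_exists = user_exists or (lambda n: _nss_has(pwd.getpwnam, n))
    group_exists = group_exists or (lambda n: _nss_has(grp.getgrnam, n))
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    sep = g.get("winbind separator", "\\")
    use_default = g.get("winbind use default domain", "no").lower() in ("yes", "true")
    problems = {}
    for share in cp.sections():
        if share == "global":
            continue
        unresolved = []
        for entry in filter(None, (e.strip() for e in cp[share].get("valid users", "").split(","))):
            is_group = entry[0] in "@+&"  # unix-group lookup; NIS netgroups not emulated
            name = entry[1:] if is_group else entry
            # 'winbind use default domain = yes' makes winbind publish bare names (as the
            # wbinfo -u output above shows), so drop any DOMAIN<sep> prefix before lookup.
            if use_default and sep in name:
                name = name.split(sep, 1)[1]
            if not (group_exists(name) if is_group else user_exists(name)):
                unresolved.append(entry)
        if unresolved:
            problems[share] = unresolved
    return problems
```

Run it on the real smb.conf of the Solaris box (open the file and pass its text) to see which entries winbind is actually failing to deliver through nsswitch.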