[Samba] Logging into linux machine using AD account?
Brian Atkins
batkins at tlcdelivers.com
Fri Oct 14 18:02:18 GMT 2005
Greetings. I have just started scratching the surface of using Samba to
create a SSO environment for my network. I have been playing a bit with
both SuSE 9.3 and CentOS 4.1 to authenticate to an AD PDM (W2K).
I've made it the farthest with the CentOS server. I have joined it to
the domain and been able to verify AD users and groups using wbinfo
[-u|-g] and getent [passwd|group]. I have even been able to `su` to an
AD user on the CentOS server, but only with errors:
# su - DOMAIN\+testuser
id: cannot find name for user ID 16777216
-bash-3.00$
It seems to pass, but with errors. (I had to manually create the homedir
for the user: /home/DOMAIN/testuser to get `su` to work.)
I can't seem to login to the server using the account, though. I've been
using a number of documents from Samba, O'Reilly, and other sources I
googled up, but they are all pretty much the same. Am I missing
something? Do I have to do something else to allow an existing AD
account to log into the machine?
Here's my config:
smb.conf:
---------
[global]
workgroup = DOMAIN
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ADS
winbind separator = +
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
password server = pdc.addomain.mydomain.com
realm = ADDOMAIN.MYDOMAIN.COM
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
krb5.conf:
----------
[libdefaults]
ticket_lifetime = 600
default_realm = ADDOMAIN.MYDOMAIN.COM
dns_lookup_kdc=0
dns_lookup_realm=0
dns_fallback=0
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 rc4-hmac
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 rc4-hmac
permitted_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc des-cbc-md5 arcfour-hmac-md5 arcfour-hmac-md
[realms]
ADDOMAIN.MYDOMAIN.COM = {
kdc = 10.10.10.10
kdc = 10.10.10.12
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
nsswitch.conf:
--------------
passwd: compat winbind
shadow: files winbind
group: compat winbind
hosts: files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
--
Brian
"An adventure is never an adventure
when it’s happening. Challenging
experiences need time to ferment,
and adventure is simply physical
and emotional comfort recollected
in tranquility." - Tim Cahill
(Hold the Enlightenment - 2002)
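Added editor's example, not part of Brian's post: an offline checker that reads the three pieces that decide whether an AD user can reach a shell on the box. `su` from root only needs NSS (winbind in nsswitch.conf and a UID inside the idmap range), while an interactive login also needs pam_winbind in the PAM auth/account stacks and pam_mkhomedir in the session stack if home directories are not pre-created. The smb.conf and nsswitch.conf samples are trimmed from the post; the PAM file is a hypothetical stock system-auth with no winbind entries, since the post does not include one.

```python
"""Sanity-check a winbind login setup from pasted config text (added example)."""
import re

# Constructed inputs, cut down from the post's smb.conf and nsswitch.conf.
SMB_CONF = """[global]
security = ADS
winbind separator = +
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
"""
NSSWITCH = "passwd: compat winbind\nshadow: files winbind\ngroup: compat winbind\n"
# Hypothetical stock /etc/pam.d/system-auth: only pam_unix, no winbind, no mkhomedir.
PAM_SYSTEM_AUTH = """auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
session required pam_limits.so
session required pam_unix.so
"""

def idmap_range(smb_conf, key="idmap uid"):
    """Return (low, high) parsed from 'key = low-high', or None if the key is absent."""
    m = re.search(r"^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(key), smb_conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def nss_sources(nsswitch, db):
    """Return the source list for one nsswitch database, e.g. ['compat', 'winbind']."""
    m = re.search(r"^\s*%s:\s*(.*)$" % db, nsswitch, re.M)
    return m.group(1).split() if m else []

def pam_modules(pam_conf, mtype):
    """Return module names in one PAM stack; handles 'type control module' lines."""
    pat = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
    return [m.group(3) for m in map(pat.match, pam_conf.splitlines()) if m and m.group(1) == mtype]

def check_login_setup(smb_conf, nsswitch, pam_conf, uid):
    """List the reasons an AD user with this UID might resolve via NSS yet fail to log in."""
    findings = []
    low, high = idmap_range(smb_conf) or (0, -1)
    if not low <= uid <= high:
        findings.append("uid %d outside idmap uid range %d-%d" % (uid, low, high))
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append("nsswitch %s lacks winbind" % db)
    for mtype in ("auth", "account"):
        if "pam_winbind.so" not in pam_modules(pam_conf, mtype):
            findings.append("PAM %s stack lacks pam_winbind.so" % mtype)
    if "pam_mkhomedir.so" not in pam_modules(pam_conf, "session"):
        findings.append("PAM session stack lacks pam_mkhomedir.so (home dir must pre-exist)")
    return findings

if __name__ == "__main__":
    for line in check_login_setup(SMB_CONF, NSSWITCH, PAM_SYSTEM_AUTH, 16777216):
        print(line)
```

Run against real files by reading /etc/samba/smb.conf, /etc/nsswitch.conf and the distribution's PAM login stack in place of the constructed strings.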