[Samba] SSO Samba/AD integration

Brian Atkins batkins at tlcdelivers.com
Thu Sep 15 13:03:33 GMT 2005

OK, I'm certain that this topic has been beaten to death, but I need some
assistance.  I am trying to migrate to SSO for the majority of our
workstations and servers within our organization.  I am currently trying
to integrate a Gentoo Linux workstation to authenticate to the AD
server.  Once I get the process nailed down, I'll be moving on to bigger
and better things...

Prior to starting, I already had Samba installed and was able to share
files with Windows-based boxes, though only through a guest account.
Since yesterday, I have installed OpenLDAP with MIT krb5 and Samba
support enabled.  I modified smb.conf, nsswitch.conf, and /etc/hosts in
accordance with a document I located on the Gentoo site.  It was pretty
straightforward, nothing earth-shattering.  Once Samba was restarted
(with winbind), I was able to use kinit to join the domain
successfully, and can now get user and group listings using the 'getent
[passwd|group]' commands.  However, when I try signing into the
workstation using an AD account, the login is denied.  What gives?

Here are my basics:

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns winbind
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

...    tlcdcm.UNICITY.TLCDELIVERS.COM  tlcdcm UNICITY    tlcdcm2.UNICITY.TLCDELIVERS.COM tlcdcm2    web-backupws.UNICITY.TLCDELIVERS.COM    web-backupws

   netbios name = briansrapier
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind gid = 10000-20000
   workgroup = UNICITY
   os level = 20
   winbind enum groups = yes
   password server = *
   preferred master = no
   winbind separator = +
   max log size = 50
   log file = /var/log/samba3/log.%m
   encrypt passwords = yes
   dns proxy = no
   security = ADS
   wins server =
   wins proxy = no

Doing a 'getent passwd' returns users similar to:

But also lists computer accounts as well:

However, 'getent group' works just fine:
UNICITY+Exchange Domain Servers:x:10025:
UNICITY+Exchange Enterprise Servers:x:10026:

The '/bin/false' login shell in the passwd schema leads me to believe that is where the problem lies, but I am not sure what to do to fix it.

Thanks for the input.

Brian Atkins

"An adventure is never an adventure
when it's happening.  Challenging
experiences need time to ferment,
and an adventure is simply physical
and emotional discomfort recollected
in tranquility." -- Tim Cahill
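A small checker for the two files quoted in the post, added here as an example and not part of the post or of Samba itself. It takes smb.conf and nsswitch.conf as strings (constructed samples are embedded) and reports the usual reasons an AD account appears in getent but is refused at login: winbind absent from passwd/group, no template homedir, and a template shell of /bin/false, which is Samba 3's default and is where the /bin/false in the passwd entries comes from. The PAM stack (pam_winbind in the login service) is the other common cause and is not covered here.

```python
# Constructed samples in the shape of the files posted above (not the exact files)
SAMPLE_SMB_CONF = """
[global]
   workgroup = UNICITY
   security = ADS
   idmap uid = 10000-20000
   winbind separator = +
"""
SAMPLE_NSSWITCH = "passwd: compat winbind\nshadow: compat\ngroup: compat winbind\n"
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def parse_smb_global(text):
    """Return {name: value} for [global]; Samba ignores case/whitespace in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params["".join(key.split()).lower()] = val.strip()
    return params

def nss_sources(text):
    # Map each nsswitch.conf database to its ordered list of sources
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def winbind_login_findings(smb_conf, nsswitch):
    """List reasons an AD account can be enumerated but still refused a login."""
    g, nss, findings = parse_smb_global(smb_conf), nss_sources(nsswitch), []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS: AD domain membership is not used for auth")
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf {db}: winbind missing, AD accounts invisible to NSS")
    shell = g.get("templateshell", "/bin/false")  # Samba 3 default is /bin/false
    if shell in NOLOGIN_SHELLS:
        findings.append(f"template shell = {shell}: logins refused even with a valid password")
    if "templatehomedir" not in g:
        findings.append("template homedir unset: default /home/%D/%U must exist or pam_mkhomedir create it")
    return findings
```

Adding `template shell = /bin/bash` and `template homedir = /home/%D/%U` to [global] clears both findings for the sample; winbind must then be restarted so the new passwd entries are served.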
