[Samba] Trouble getting samba AD integration to work

Jason Haar Jason.Haar at trimble.co.nz
Fri Dec 8 02:18:03 GMT 2006

soleblazer wrote:
> So I think alot of this is setup.  My problem is I cannot get Samba to
> authenticate to AD.  When I am logged into a windoze box and try and
> get to
> a share, the password dialogue comes up.  I enter my AD username/password
> and it never works.  For the share I made the AD group that I belong
> to in
> the write list.  Do I need to do anything else?

I have just been through this myself. Hopefully my experience can help

First off - shouldn't it be "workgroup = MYDOMAIN", and I see no mention
of winbind - if you expect to control  access via AD groups, you'll need

Secondly, get rid of the "guest ok" thing. It confuses things during
such debugging. You can always re-enable it after getting the core stuff

Thirdly, stop the winbind and smb services, rejoin the domain and TEST
THE JOIN. I have  had several occurrences of joins that appears to
succeed - but didn't. This produced the symptoms you've been seeing.


#stop winbind and smb services
kinit administrator at MYDOMAIN.COM
net join
sleep 10
net ads testjoin
#start winbind and smb services

Any errors in the above commands must be fixed before anything works

Finally, if you have trusted domains you also want to support (e.g.
allow OTHER\user to connect to your MYDOMAIN Samba shares), make sure
they are all explicitly mentioned within the [realms] section in 
/etc/krb5.conf. My thanks to Rashid for that trick.

Good luck. Hope that helps. I just love being able to "chown
domain\\username filename" - freaks the hell out of the Windows Admins ;-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the samba mailing list