[Samba] Need a tiny bit of help with ADS integration

Bill Long segfahlt at longboys.net
Wed Jul 26 06:00:23 GMT 2006

Hey List,

I need just a bit of help. I'm stuck on my integration of a samba server 
into an ADS domain. I've read (and re-read) the entire Samba How-To as 
well as several other articles on the net.

Here is what I need to do: Have a share set up so that windows users can 
browse to it via Win Explorer/Network Neighborhood and not have to 
provide credentials a 2nd time (SSO type stuff)

Here are the nitty gritties
SMB 3.0.9-1.3E.10 (latest from up2date)
KRB5 3.1 (latest from up2date)

proper entry in /etc/hosts
winbind set up in smb.conf and nsswitch.conf files
krb5.conf setup

I can successfully authenticate against the ADS server using kinit. I've 
done this using a default domain with the krb5.conf file and explicitly 
giving the realm and not having a krb5.conf file.

I can successfully add my linux box to the domain using net ads. Once 
done, I can see it okay in my ADS in MMC on Windows.

I can see the machine in my network neighborhood no problem. However, 
when I click on it, it prompts me for a password. No matter what I 
supply, I can't get authenticated.

If I add the username that my windows account has to the linux box, I 
get right in, no prompting or anything.

I'm thinking this has to be something I'm missing in the smb.conf file, 
but can't for the life of me figure it out.

Can anybody see if I'm missing something important? 
Here is an excerpt of my smb.conf file
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        netbios name = LINUXSHARE
        password server = PDC.MYDOMAIN.COM
        preferred master = no
        security = ADS
        encrypt passwords = yes
        log level = 3
        server string = A RHEL3 Samba Server
        log file = /var/log/samba/%m.log
        max log size = 50
        name resolve order = host wins bcast
        winbind separator = /
        idmap uid = 10000 - 20000
        idmap gid = 10000 - 20000
        winbind enum users = yes
        winbind enum groups = yes
        ; "winbind user default domain" is not a Samba parameter (testparm flags it as unknown and smbd ignores it);
        ; the option is "winbind use default domain"
        winbind user default domain = yes

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        wins server =
        ; in [global] this becomes the default for every share; it grants nothing with security = ADS
        ; while "map to guest" stays at its default (Never), but it belongs in the shares that need it
        guest ok = Yes
        cups options = raw

here is my share config
        path = /data/share1
        read only = No

Here is a snapshot of my smbd.log, which shows some weirdness
[2006/07/25 21:40:58, 3] libads/ldap.c:ads_server_info(2432)
  got ldap server name pdc at MYDOMAIN.COM, using bind path: dc=MYDOMAIN,dc=COM
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(204)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2006/07/25 21:40:58, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name =pdc$@MYDOMAIN.COM
[2006/07/25 21:40:58, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2006/07/25 21:40:59, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)

Any help is greatly appreciated.
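
An added example for this thread, not part of the original post or of Samba's own tooling: a POSIX shell script that lints the posted smb.conf pattern (the misspelled winbind parameter, a global `guest ok`, `security = ads` without a realm) and, when invoked with `--live`, runs the checks a practitioner would do next on the joined box (testparm, net ads info/testjoin, wbinfo, getent, smbclient -k). The sample config is a constructed copy of the excerpt above; the `[share1]` section name and the use of `hostname` for the server name are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the poster's own files: lint the
# "security = ADS" + winbind smb.conf pattern, then list the live checks.
# The sample config below is constructed from the posted excerpt; the
# [share1] section name is assumed (the post does not name the share).

# Normalise a parameter name or value: lowercase, trimmed, single spaces.
norm_key() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]][[:space:]]*/ /g'
}

# Write the constructed sample smb.conf to the path given in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        netbios name = LINUXSHARE
        password server = PDC.MYDOMAIN.COM
        security = ADS
        encrypt passwords = yes
        winbind separator = /
        idmap uid = 10000 - 20000
        idmap gid = 10000 - 20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind user default domain = yes
        guest ok = Yes
[share1]
        path = /data/share1
        read only = No
EOF
}

# Print one finding per line; return 0 when the file is clean, 1 otherwise.
lint_smbconf() {
    conf=$1 section=global security='' realm='' findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        t=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case "$t" in
            ''|'#'*|';'*) continue ;;                       # blank or comment
            \[*\]) section=$(printf '%s' "$t" | sed 's/^\[//; s/\]$//' | tr 'A-Z' 'a-z'); continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=$(norm_key "${t%%=*}")
        val=$(norm_key "${t#*=}")
        case "$key" in
            'winbind user default domain')
                echo "[$section] '$key' is not a Samba parameter (testparm: unknown parameter); the option is 'winbind use default domain', so domain users still need the DOMAIN/user form"
                findings=$((findings + 1)) ;;
            'guest ok')
                if [ "$section" = global ] && [ "$val" = yes ]; then
                    echo "[global] 'guest ok = yes' is the default for every share; with security = ads and the default 'map to guest = never' it grants nothing, but it belongs in the shares that need it"
                    findings=$((findings + 1))
                fi ;;
            security) security=$val ;;
            realm) realm=$val ;;
        esac
    done < "$conf"
    if [ "$security" = ads ] && [ -z "$realm" ]; then
        echo "[global] security = ads requires 'realm = <KERBEROS.REALM>'"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Live checks for the joined box (run as root, with winbindd started and
# network access to a DC). $1 is the winbind form of the Windows account.
ads_live_checks() {
    user=$1
    testparm -s >/dev/null           # "Unknown parameter" warnings land on stderr
    net ads info                     # KDC, LDAP server and server time (Kerberos fails past 5 min skew)
    net ads testjoin                 # machine account and its stored secret are still valid
    wbinfo -t                        # winbindd can use that secret against a DC
    wbinfo -u | head -n 5            # user enumeration through winbindd
    getent passwd "$user"            # the NSS lookup smbd needs to map the user to a uid
    smbclient -k -L "$(hostname)"    # Kerberos (not NTLM) session to smbd; run kinit user@REALM first
}

case "${1:-}" in
    --live) ads_live_checks "${2:?usage: $0 --live DOMAIN/user}" ;;
    *)  sample=$(mktemp)
        write_sample_conf "$sample"
        lint_smbconf "$sample" || echo "fix the findings above, then run: $0 --live MYDOMAIN/user"
        rm -f "$sample" ;;
esac
```

Run it without arguments to lint the embedded sample (or point `lint_smbconf` at `/etc/samba/smb.conf`), then `sh ads-check.sh --live MYDOMAIN/user` on the joined server. If `getent passwd MYDOMAIN/user` returns nothing while `wbinfo -u` lists the user, the gap is in nsswitch.conf or winbindd, not in the share definition.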
