[Samba] Unable to use 'valid users' from Active Directory

Reese,Richard Stephen rsreese at ufl.edu
Fri Jun 2 14:29:54 GMT 2006

It would act as if it's not seeing the credentials for the share that is
using the group specification.

So to summarize what's going on:

The public share prompts for a username and password but does not take

   comment = Public Stuff
   path = /home/
   public = yes
   read only = no
   valid users = @"_IFAS-FRE-USERS_autoGS"

A share that does not have the user requirement allows an Active
Directory user to log in just fine.

   comment = %U Home Directory
   browseable = no
   path = %H
   valid users = %U
   writable = yes
   create mode = 0664
   directory mode = 0775

-----Original Message-----
From: Adam Nielsen [mailto:adam.nielsen at uq.edu.au] 
Sent: Thursday, June 01, 2006 6:45 PM
To: Reese,Richard Stephen
Cc: samba at lists.samba.org
Subject: Re: [Samba] Unable to use 'valid users' from Active Directory

> I tried that but the results are the same, I am still prompted to 
> enter a username and password, and it doesn't take. IMO it shouldn't 
> even prompt for a username/password because I am already logged in and
> therefore authenticated against the domain.

OH, okay, I thought you *wanted* it to prompt for a username.  In that
case you'll only get a prompt if the credentials you're already using
are incorrect, i.e. you correctly logged into the domain, then you
connect to Samba and pass those same credentials on, Samba rejects the
credentials for whatever reason and then you get a prompt asking for a
valid username and password.

> I am getting an error when trying to access the share:
> [2006/06/01 16:13:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
>   Username UFAD\IF-FRE-CETUS$ is invalid on this system
> The username that it mentions is my computer name... 

Which computer name is that?  If it's the Samba machine, it would
indicate that it hasn't correctly joined the domain.  Part of the
process of joining a domain involves creating a computer account in
Active Directory, which is the account Samba uses when it connects to
the directory to retrieve a list of users/groups.

> I've attached my smb.conf in hopes that I am just missing something in
> the configuration.

Almost none of the domain config is stored in smb.conf, it's all updated
dynamically in the binary data files when you run commands like 'net
join'.  You'll need to run things like "net testjoin" etc. to try to
figure out why wbinfo is working but smbd isn't.
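
Added example, not part of the original thread: a small Python triage of smbd log entries in the two-line layout quoted above, separating rejected machine accounts (names ending in `$`) from rejected user accounts. The sample log is constructed around the one entry quoted in the thread; the second and third entries and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the two-line smbd layout quoted in the thread: a
# "[timestamp, level] file:function(line)" header, then an indented message.
SAMPLE_LOG = """\
[2006/06/01 16:13:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username UFAD\\IF-FRE-CETUS$ is invalid on this system
[2006/06/01 16:14:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username UFAD\\exampleuser is invalid on this system
[2006/06/01 16:14:10, 1] smbd/service.c:make_connection_snum(693)
  examplehost (192.0.2.10) connect to service public as user exampleuser
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
INVALID = re.compile(r"^Username (?P<account>.+) is invalid on this system$")

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif entries and raw[:1].isspace():
            entries[-1]["message"] = (entries[-1]["message"] + " " + raw.strip()).strip()
    return entries

def rejected_accounts(text):
    """Return (timestamp, domain, name, is_machine) per rejected session setup."""
    out = []
    for e in parse_entries(text):
        m = INVALID.match(e["message"])
        if m:
            domain, _, name = m.group("account").rpartition("\\")
            out.append((e["ts"], domain, name, name.endswith("$")))
    return out

def summarize(text):
    """Count rejections by account kind; machine accounts end in '$'."""
    return Counter("machine" if r[3] else "user" for r in rejected_accounts(text))

if __name__ == "__main__":
    for ts, domain, name, is_machine in rejected_accounts(SAMPLE_LOG):
        print(ts, domain, name, "machine account" if is_machine else "user account")
```
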

