[Samba] ADS authentication issues.

Jeff Honey jhoney at psmanagement.net
Fri Oct 6 03:05:10 GMT 2006

[2006/10/05 17:14:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
  Username MYDOMAIN\MYCOMPUTER$ is invalid on this system

I get the above-listed entry in my winbindd log and my smbd log when attempting to access a simple network share I've created.

        workgroup = MYDOMAIN
        realm = MYDOMAIN.NET
        security = ADS
        auth methods = guest, sam, winbind
        password server = kds.mydomain.net
        wins server =
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        guest ok = Yes
        path = /home/me
        valid users = me
        admin users = me, root
        read list = @users
        read only = No
        guest ok = No

This is my, seemingly simple, smb.conf setup. I've done all of the other requisite setup with Kerberos and have joined successfully to the domain as a member. I can also perform all of the tests (wbinfo, getent, etc.) successfully against the local machine and against the domain. I can browse to the share but I get a logon box when I attempt to access its contents, which won't go away. Oh, I've also done net ads groupmap for the local users group to the domain's "Domain Users" group.

My goal is to set up ubiquitous SMB shares for my Windows domain users to a simple domain member server and compartmentalize that access based upon group membership.

I've steeled myself against the inevitable lambasting I'm sure to get for whatever boneheaded mistake I've made, so I'm asking for help from the group on this one. After doing my RTFM research I'm stumped.

¤ Jeff Honey, Network Administrator
¤ PS America, Inc.
¤ 4426 N. Orange Blossom Trl
¤ Orlando, FL  32804
¤ 407-521-1011 voice
¤ 407-521-1007 fax
