Neuwald, Björn Neuwald at medianet.freinet.de
Thu Feb 15 07:50:55 GMT 2007


I have problems with my Samba 3.0.24 on my Solaris 10 machine.
I hope you can help me.
I "googled" a lot and asked many people, but nobody can help me.

So... I have...
Solaris 10 with Samba 3.0.24
Kerberos installed
OpenLDAP installed
OpenSSL installed

I configured and compiled Samba 3.0.24 (Options: ./configure --prefix=/usr/local/samba --with-winbind --with-ads --with-ldap --with-krb5=/usr/local --with-acl-support )

Now I want Samba to be a member of the ADS domain.
I made a keytab file with the following command on the Windows 2003 domain controller:
C:\>ktpass -princ host/FQDN@XXX.XXXX.DE -mapuser XXX\user1  -pass ***** -out c:\user1.keytab

After this I configured SWAT... and SWAT was working well.

Then I registered the keytab file with the following commands:
#ktutil: rkt /usr/local/krb5/usr1.keytab
#ktutil: wkt /usr/local/krb5/krb5.keytab

I copied "libnss_winbind.so" and set the symbolic links.
#cp .../samba-3.0.24/source/nsswitch/libnss_winbind.so  /usr/lib
#ln -s libnss_winbind.so libnss_winbind.so.1
#ln -s libnss_winbind.so nss_winbind.so.1
#ln -s libnss_winbind.so nss_winbind.so.2

After this I configured Kerberos... I edited "krb5.conf" like this:

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
[libdefaults]
        ticket_lifetime = 24000
        default_realm = XXX.XXXX.DE
        default_tgs_enctypes = des-cbc-crc des-cbc-md5
        default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
        XXX.XXXX.DE = {
                kdc = server1.xx.xxxx.de
                kdc = server2.xx.xxxx.de
                admin_server = server1.xx.xxxx.de
                default_domain = xx.xxxx.de
        }

[domain_realm]
        .mn.freinet.de = XXX.XXXX.DE
        mn.freinet.de = XXX.XXXX.DE

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

Then I edited "/etc/nscd.conf" and added the following:
#       logfile                 /var/adm/nscd.log
        enable-cache            hosts           no
        enable-cache            passwd        no
        enable-cache            group           no

And I edited "/etc/nsswitch.conf" too:
passwd:     files winbind
group:      files winbind

Via SWAT, I configured Samba like this:

# Samba config file created using SWAT
# from (
# Date: 2006/09/11 15:14:18
[global]
	workgroup = XX
	realm = XX.XXXX.DE
	netbios name = test1
	server string = SambaTest
	interfaces =
	bind interfaces only = Yes
	security = ADS
	password server = server1.xx.xxx.de
	log file = /user/local/samba/log/log.%m
	ldap ssl = No
	idmap uid = 5000-100000000
	idmap gid = 5000-100000000
	template homedir = /usr/local/samba/%D/%U
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	force create mode = 0775
	force directory mode = 06775

# share section; its header did not survive in the posting, so the name below is assumed
[TestShare]
	comment = TestShare
	path = /shared
	valid users = @XX\group1, @XX\group4
	read only = No

Then I registered the server in the Active Directory:
#kinit domainadmin
Password for domainadmin@XX.XXXX.DE: 
#./net ads join
Using short domain name - XX
Joined 'test1' to realm 'XX.XXXXX.DE'#

Then I tested the following:

#/usr/local/samba/bin/wbinfo -u

# /usr/local/samba/bin/wbinfo -g

#/usr/local/samba/bin/net ads info
LDAP server:
LDAP server name: server1.XX.XXXX.de
Bind Path: dc=XX,dc=XXXX,dc=DE
LDAP port: 389
Server time: Tue, 12 Sep 2006 14:10:57 MEST
KDC server:
Server time offset: 0

# id "XX\user1"
uid=5000(XX\user1) gid=5000(XX\group4)
# ./wbinfo -r "XX\user1"

I created a test share, as in the Samba config.
The valid users/groups for the share were group1 ("@XX\group1") and group4 ("@XX\group2"), as configured in smb.conf.
The user user1, whose primary group is group4 ("XX\group4") and who is also a member of group3 ("XX\group3"),
must enter this share and should be allowed to enter it. OK, this works.

But when I want to enter a folder in this share which I created in Solaris (for example "/shared/testfolder") and to which I added the ACL with #setfacl -m g:"XX\group3":rwx /shared/testfolder, a window appears on my Windows machine saying that I do not have permission to enter it.

But user1 has the primary group group4 and the secondary group group3. The share has rights in Samba (valid users) for group4 and group1. The folder in the share has permissions (rwx) set via ACL for group3, and user1 is a member of group3.

So, I think nested groups or secondary groups are completely ignored.

I hope you can help me.

Best Regards, Björn
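Two things a practitioner would check before concluding that secondary groups are ignored: the `id "XX\user1"` output quoted above shows only `uid=` and `gid=` and no `groups=` list, so the OS never sees group3 for that user regardless of the ACL; and a POSIX ACL caps every named-group entry with the `mask` entry, so `g:XX\group3:rwx` can be effectively `r-x`. The script below is an added example (not part of the original post or of Samba) that makes both checks mechanical. The `id` and `getfacl` outputs it contains are constructed samples that mirror the post; on the real box replace them with the output of `id "XX\user1"` and `getfacl /shared/testfolder`.

```shell
#!/bin/sh
# Added example: does a winbind user's group set, as the OS sees it, satisfy
# a POSIX ACL on a directory? Not from the original post; sample data is
# constructed to mirror it.

# Constructed: what `id "XX\user1"` prints when winbind resolves
# supplementary groups (a groups= list is present).
ID_WITH_GROUPS='uid=5000(XX\user1) gid=5000(XX\group4) groups=5000(XX\group4),5003(XX\group3)'
# Constructed: the shape actually quoted in the post, no groups= list at all.
ID_NO_GROUPS='uid=5000(XX\user1) gid=5000(XX\group4)'

# Constructed: `getfacl /shared/testfolder` after
#   setfacl -m g:"XX\group3":rwx /shared/testfolder
# with a mask of r-x left in place; the trailing "#effective:" comment is the
# form getfacl uses to show the entry after masking.
ACL_TESTFOLDER='# file: /shared/testfolder
# owner: root
# group: root
user::rwx
group::r-x
group:XX\group3:rwx             #effective:r-x
mask:r-x
other:r-x'

# Print every group the id(1) output says the user belongs to, one per line:
# the primary gid plus each entry of the groups= list (duplicates included).
user_groups() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, parts, ",")
            for (j = 1; j <= n; j++) {
                tok = parts[j]
                if (tok ~ /^uid=/) continue
                sub(/^(gid|groups)=/, "", tok)
                if (match(tok, /\(.*\)$/))
                    print substr(tok, RSTART + 1, RLENGTH - 2)
            }
        }
    }'
}

# Print the effective permission an ACL grants a named group: the group entry
# ANDed with the mask entry, or "---" if the group has no entry at all.
# The group name goes through the environment, not awk -v, because -v would
# interpret the backslash in "XX\group3" as an escape sequence.
acl_group_perm() {   # $1 = getfacl output, $2 = group name
    printf '%s\n' "$1" | GRP="$2" awk '
        BEGIN { grp = ENVIRON["GRP"] }
        /^#/ { next }
        { sub(/[ \t]*#.*$/, "") }          # drop trailing "#effective:..." notes
        /^mask:/ { split($0, f, ":"); mask = f[2] }
        /^group:[^:]/ {
            name = $0; sub(/^group:/, "", name); sub(/:[^:]*$/, "", name)
            perm = $0; sub(/^.*:/, "", perm)
            if (name == grp) entry = perm
        }
        END {
            if (entry == "") { print "---"; exit }
            if (mask == "") mask = "rwx"
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

# Succeed (and print the matching group) if any of the user's groups gets
# every bit asked for in $3, e.g. "r-x" to traverse a directory; fail otherwise.
acl_allows() {   # $1 = id output, $2 = getfacl output, $3 = wanted bits
    matched=$(
        user_groups "$1" | sort -u | while IFS= read -r g; do
            eff=$(acl_group_perm "$2" "$g")
            ok=1
            for i in 1 2 3; do
                w=$(printf '%s' "$3" | cut -c"$i")
                e=$(printf '%s' "$eff" | cut -c"$i")
                [ "$w" = "-" ] || [ "$w" = "$e" ] || ok=0
            done
            if [ "$ok" = 1 ]; then
                printf '%s\n' "$g"
                break
            fi
        done
    )
    [ -n "$matched" ] && printf '%s\n' "$matched"
}

# Stand-alone run: the id(1) shape from the post versus a working one.
for sample in "$ID_NO_GROUPS" "$ID_WITH_GROUPS"; do
    printf 'id output : %s\n' "$sample"
    if g=$(acl_allows "$sample" "$ACL_TESTFOLDER" r-x); then
        printf '  traverse /shared/testfolder: allowed via %s\n' "$g"
    else
        printf '  traverse /shared/testfolder: denied (no group of the user matches)\n'
    fi
    if acl_allows "$sample" "$ACL_TESTFOLDER" rwx >/dev/null; then
        printf '  write   /shared/testfolder: allowed\n'
    else
        printf '  write   /shared/testfolder: denied (check the mask entry)\n'
    fi
done
```

With the post's own `id` output the user has no group that matches, so the denial is explained by name-service resolution (winbind not supplying supplementary groups to `id`/`getgrouplist`) before the ACL is even consulted; with a `groups=` list present, traversal succeeds through group3 but writes still fail while the mask stays at `r-x`, which `getfacl` makes visible in the `#effective:` column.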


