[Samba] Samba and ADS authentication problems

Ross Smith Ross.Smith at robinsons.com
Fri Feb 22 09:51:07 GMT 2008

Hey folks,
I'm having trouble with AD integration with the version of Samba
included in Solaris build 78 (Samba version 3.0.25a). I think it's
almost working, but I get an authentication prompt every time I try to
connect to Samba from a Windows client, and no matter what I enter I
can't authenticate to see the shares.

The main documentation I've been using is Sun's guide to setting up
Samba: http://dlc.sun.com/pdf/819-3063/819-3063.pdf, but I've also been
referring to the official How-To.

I'm trying to join Samba to my Windows domain as a member server using
ADS. I've read and re-read all the documentation I can find over the
last couple of days but I've no idea now where I've gone wrong. What
*is* working is the following:

- Kerberos seems fine. "klist" shows a valid ticket, and "kinit
user@REALM.COM" authenticates ok.
- The samba machine account in Active Directory created fine when I used
the "net ... ADS JOIN ..." command.
- From Solaris I can list Active Directory users and groups with "wbinfo
-u" and "wbinfo -g".
- From Solaris, smbclient works anonymously and can list the shares on
both Samba and our Windows servers with "smbclient -N -L computer".

However, any attempt by a Windows client to view shares on the Solaris
server returns Access denied, followed by a password prompt, and on
Solaris, smbclient returns NT_STATUS_LOGON_FAILURE if I try to
authenticate with any username. I suspect the problem is linked to the
fact that "getent passwd" and "getent group" just return the Solaris
users and groups, whereas the documentation states that they should
include the Active Directory accounts too.

One other thing that might be wrong is that in all the examples I've
seen online, "wbinfo -u" returns users in the form DOMAIN\user. However,
in our case it simply lists the usernames; no domain is included.

Searching on Google, I've found a few people reporting identical
problems, so I'm guessing whatever I've done it's a fairly basic
mistake, but I haven't found any solution to this. Can anybody help out?

This is my first time posting, I've attached the smb.conf and krb5.conf
files but I'm not sure if they will be visible, please let me know if I
need to copy/paste them into a message instead.
Ross Smith 
Network Manager 
Robinson Construction
http://www.robinsons.com
