Jelmer Jaarsma jelmer.jaarsma at sara.nl
Thu Jul 24 14:30:03 GMT 2008

I've been trying to get Samba 3.2 to work in the past few days, and I'm
running into a few problems which I have been unable to solve myself.

My first problem isn't blocking for me, but it seems not consistent with
documentation. I can't join my server using a domain admin's Kerberos
ticket. I need to specify "-U <username>" and then type in the password
to join.

The second problem is weird, and I'm not sure if it's a problem, but
when I join the domain (with specifying -U <username>) I get an error
telling me that it failed to create the Kerberos keytab. If I run a
testjoin after that it tells me everything is okay :-)
Output of a "net ads join -d3" and a listing of the created keytab over
here: http://pastebin.org/56716

So far I've assumed that the error about not being able to join the
domain is bogus, since everything appears to be working. A "wbinfo -u"
returns all users it ought to report.
However, I can't get the nss details from the trusted domain. It's
working awesome for the primary domain though (where the Samba machine
is in itself). What am I doing wrong here? Please see my smb.conf linked
at the bottom.

I hope I'm providing enough information, if not, please let me know and
I'll provide whatever is needed.

Thanks in advance,

Jelmer Jaarsma

== Configuration details ==

I'm using Ubuntu Hardy 8.04 with the package from the Intrepid
repository (which is synched with Debian), currently at version
3.2.0-4ubuntu1. I also build the package for libtalloc1 from Intrepid
(version 1.2.0~git20080616-1), which is Jelmer Vernooij's package.

My smb.conf: http://pastebin.org/56705
My krb5.conf: http://pastebin.org/56707

Our Windows environment consists of w2k8 servers, running in w2k3 native
mode. We have 4 domains in total with some trusts in between them, the

KA and VANCIS trust each other
KA and PROJECTS trust each other
VANCIS and VPROJECTS trust each other

All trusts are 2-way, non-transitive

The schema for the KA and VANCIS domains has been extended with the
rfc2307 schema and for the relevant users and groups the details have
been filled in.
