[Samba] SAMBA + KERBEROS + AD

Sadique Puthen sputhenp at redhat.com
Thu Mar 6 12:33:08 GMT 2008


Helio Calaça Filho wrote:
> SMB.CONF
>
> # Samba config file created using SWAT
> # from 10.10.15.33 (10.10.15.33)
> # Date: 2008/03/04 13:39:37
>
> [global]
>         workgroup = SAMBA
>         realm = SAMBA.COM
>         server string = Test Server
>         security = ADS
>         log level = 4
>         log file = /local/samba/var/%m.log
>         ldap ssl = no
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         veto files = /.exe/*mp3*/
>
> #[homes]
> #       comment = Personal Directory
> #       read only = No
> #       browseable = No
> [teste]
>         comment = Test Directory
>         path = /teste
>         valid users = SAMBA #Ps.: the SAMBA string here is the domain, so that all domain users are accepted
>   

I doubt whether this is valid. As per "man smb.conf", "If this is empty (the default) then any user can login." So you should either leave it empty or specify valid users or groups. Specifying the domain name to allow all users/groups may not be valid.

>         read only = No
>         veto files = /*.exe/*mp3*/
>
> [commom_ad]
>         comment = Common Directory
>         path = /comum_ad
>         force user = smbtest
>         read only = No
>         guest ok = Yes
>
> --------------------------------------------------------------------------------------------------------------
>
> NSSWITCH.CONF
>
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> #       nisplus or nis+         Use NIS+ (NIS version 3)
> #       nis or yp               Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       db                      Use the local database (.db) files
> #       compat                  Use NIS on compat mode
> #       hesiod                  Use Hesiod for user lookups
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
>
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> #hosts:     db files nisplus nis dns
> hosts:      files dns winbind
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   nisplus
>
> publickey:  nisplus
>
> automount:  files nisplus
> aliases:    files nisplus
> -------------------------------------------------------------------------------------------------------------------------------------
> [root at redh lib]# ll libnss_winb*
>
> -rwxr-xr-x 1 root root   18588 Fev 26 12:51 libnss_winbind.so
> lrwxrwxrwx 1 root root      22 Fev 27 17:25 libnss_winbind.so.2 ->
> /lib/libnss_winbind.so
> -rwxr-xr-x 1 root root  892632 Set  1  2006 libnss_wins.so.2
>
> --------------------------------------------------------------------------------------------------------------------
> [root at redh lib]# ps -A
>   PID TTY          TIME CMD
>
> 28736 ?        00:00:10 nmbd
> 28737 ?        00:00:00 winbindd
> 28738 ?        00:00:00 winbindd
> 28739 ?        00:00:00 smbd
> 28742 ?        00:00:00 smbd
> 28758 ?        00:00:00 winbindd
> 29019 ?        00:00:00 winbindd
> 31715 ?        00:00:00 smbd
> ----------------------------------------------------------------------------------------------------------------------
> [root at redh lib]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[teste]"
> Processing section "[comum_ad]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> -------------------------------------------------------------------------------------------------------------
>
> [root at redh lib]# net ads join -U Administrator
> suporte's password:
> Using short domain name -- SAMBA
> Joined 'REDH' to realm 'SAMBA.COM'
>
> --------------------------------------------------------------------------------------------------------------------------
> All correct apparently. But when I try to access my Samba shares from my
> WinXP station (logged in to the ADS domain), the Samba server asks for a user
> and password. I enter any ADS user and I can't get in.
>
> Where am I wrong?
>
> See Ya!
>
> Atte,
> Hélio Calaça Filho
>   

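As an added example, not part of the thread: a small Python checker for the "valid users" point raised in the reply, run over a constructed smb.conf modelled on the quoted one. It relies only on the documented smb.conf rules (an empty "valid users" admits any user; names prefixed with @, + or & are groups; only whole-line # or ; comments are ignored); the sample config, function names and warning text are assumptions of this example.

```python
# Added example (not from the thread); the config below is constructed.
SAMPLE_SMB_CONF = """
[global]
        workgroup = SAMBA
        security = ADS
[teste]
        path = /teste
        valid users = SAMBA #Ps.: SAMBA here is the domain
        read only = No
[comum_ad]
        path = /comum_ad
        force user = smbtest
        guest ok = Yes
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased.
    Only whole-line '#'/';' comments are dropped; trailing text stays in the value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif '=' in line and section is not None:
            key, _, value = line.partition('=')
            conf[section][' '.join(key.split()).lower()] = value.strip()
    return conf

def check_valid_users(conf):
    """Warn per share: empty list (anyone may connect), the workgroup used as a
    user name, or an inline '#' comment that became part of the value."""
    workgroup = conf.get('global', {}).get('workgroup', '').lower()
    warnings = []
    for share, params in conf.items():
        if share == 'global':
            continue
        tokens = params.get('valid users', '').replace(',', ' ').split()
        if not tokens:
            warnings.append(f"[{share}]: 'valid users' empty, any authenticated user can connect")
            continue
        for tok in tokens:
            if tok.startswith('#'):
                warnings.append(f"[{share}]: '{tok}' is part of the value; smb.conf has no inline comments")
                break
            if tok[0] not in '@+&' and tok.lower() == workgroup:
                warnings.append(f"[{share}]: 'valid users = {tok}' names the workgroup, not a user or @group")
    return warnings
```

Running `check_valid_users(parse_smb_conf(SAMPLE_SMB_CONF))` flags both shares: [teste] for the workgroup name and the inline comment, [comum_ad] for the empty list.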