[Samba] winbind,ads, win2k3, trusted domains, user mapping

Jason Gerfen jason.gerfen at scl.utah.edu
Thu May 22 16:39:49 GMT 2008


I have been reading everything I can regarding this setup but am having a 
problem that I am unsure of.

I am unable to authenticate any user despite the following commands working:
%> getent passwd <username>
%> wbinfo -u
%> wbinfo -g

With the getent passwd I am able to see all of my UID/GID being mapped 
via winbind to the rid of the domain user account.

This command fails:
%> wbinfo -i <username>

And when attempting to authenticate against this machine by mapping a 
share, the following is seen in the log files:
check_ntlm_password:  Checking password for unmapped user 
[server.domain.edu]\[username]@[DC] with the new password interface

This is inaccurate, as with a krb5 tgt the correct line should look like:
check_ntlm_password:  Checking password for unmapped user 
[server.domain.edu]\[username]@[REALM.EDU] with the new password interface

Unless I am missing something I believe my configuration shown below is 
accurate and as of yet I have not received any real answer to this problem.

Any help is appreciated.

Here is my smb.conf
[global]
         workgroup = scl
         realm = SCL.DOMAIN.EDU
         server string = valhalla.scl.domain.edu
         netbios name = valhalla

         password server = *
         encrypt passwords = true
         security = ads

         os level = 20

         allow trusted domains = no

         ldap ssl = no

         idmap uid = 5000-2000000
         idmap gid = 5000-2000000
         idmap domains = SCL

         interfaces = eth0, lo
         bind interfaces only = yes

         log level = 20
         log file = /var/log/samba3/log.%m
         max log size = 50

         client signing = yes
         client schannel = no
         client use spnego = yes

         preferred master = no
         local master = no
         domain master = no
         wins proxy = no
         dns proxy = No

         template shell = /bin/bash
         nt acl support = yes
         create mask = 0775
         template homedir = /home/%U

         winbind uid = 500-2000000
         winbind gid = 500-2000000
         winbind separator = +
         winbind enum users = yes
         winbind enum groups = yes
         winbind nested groups = yes
         winbind use default domain = yes
         winbind offline logon = true

         printcap name = cups
         printing = cups
         load printers = yes
         cups options = raw
         print command =
         lpq command = %p
         lprm command =

[test]
         comment = testing
         browsable = yes
         read only = yes
         create mode = 0644
         path = /home/jason

Here is my krb5.conf
[libdefaults]
         default_realm = UTAH.EDU

[realms]
         UTAH.EDU = {
                 kdc = 155.99.1.95
         }

[domain_realm]
         .utah.edu = DOMAIN.EDU
         DOMAIN.EDU = DOMAIN.EDU
         scl.DOMAIN.EDU = DOMAIN.EDU

[loggin]
         default = FILE:/var/log/krb5.log

[appdefaults]
         pam = {
                 ticket_lifetime = 365d
                 renew_lifetime = 365d
                 forwardable = true
                 proxiable = false
                 retain_after_close = true
                 minimum_uid = 0
         }

The nsswitch.conf file:
passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


-- 
Jas
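The post above quotes three files that all have to agree before winbind can map a domain user and Kerberos can authenticate it. As an added example that is not part of the original message or of Samba itself, the following Python script parses smb.conf, krb5.conf and nsswitch.conf text and reports the inconsistencies a reviewer would look for first: the smb.conf `realm` versus the krb5 `default_realm`, the older `winbind uid`/`winbind gid` ranges versus `idmap uid`/`idmap gid`, krb5.conf section names that libkrb5 would not recognise, and whether NSS actually consults winbind for passwd and group. The sample inputs are constructed by trimming the configs quoted in the post (including the `[loggin]` section name exactly as written there); `check_config`, the finding codes and `KNOWN_KRB5_SECTIONS` are this example's own names, not Samba or MIT Kerberos APIs, and the checks are heuristics, not an authoritative validator.

```python
"""Consistency checks for a winbind/ADS member's configs (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample inputs, trimmed from the configs quoted in the post.
SMB_CONF = """
[global]
    workgroup = scl
    realm = SCL.DOMAIN.EDU
    security = ads
    idmap uid = 5000-2000000
    idmap gid = 5000-2000000
    winbind uid = 500-2000000
    winbind gid = 500-2000000
    winbind use default domain = yes
"""
KRB5_CONF = """
[libdefaults]
    default_realm = UTAH.EDU
[realms]
    UTAH.EDU = {
        kdc = 155.99.1.95
    }
[loggin]
    default = FILE:/var/log/krb5.log
"""
NSSWITCH_CONF = """
passwd:      compat winbind
shadow:      compat
group:       compat winbind
"""

# Section names libkrb5 reads from krb5.conf (assumption of this example).
KNOWN_KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                       "appdefaults", "logging", "plugins", "dbdefaults", "dbmodules"}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf / krb5.conf style text into {section: {key: value}}.
    Keys are lower-cased; krb5 brace sub-blocks are skipped so a line like
    'UTAH.EDU = {' is not mistaken for a top-level key."""
    sections: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header and depth == 0:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "{" in line:
            depth += 1
        elif "}" in line:
            depth = max(0, depth - 1)
        elif depth == 0 and current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Parse nsswitch.conf into {database: [sources...]}."""
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            result[db.strip()] = sources.split()
    return result


def parse_range(value: str) -> Tuple[int, int]:
    """'5000-2000000' -> (5000, 2000000); ValueError on malformed input."""
    low, high = value.split("-", 1)
    return int(low.strip()), int(high.strip())


def check_config(smb: str, krb5: str, nss: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings for mismatches that commonly break
    winbind user mapping or Kerberos authentication on a domain member."""
    findings: List[Tuple[str, str]] = []
    g = parse_ini(smb).get("global", {})
    k = parse_ini(krb5)
    n = parse_nsswitch(nss)

    # 1. security = ads needs a realm, and it should match krb5's default realm.
    realm = g.get("realm", "")
    if g.get("security", "").lower() == "ads" and not realm:
        findings.append(("NO_REALM", "security = ads but no realm in smb.conf"))
    default_realm = k.get("libdefaults", {}).get("default_realm", "")
    if realm and default_realm and realm.upper() != default_realm.upper():
        findings.append(("REALM_MISMATCH",
                         f"smb.conf realm {realm} != krb5 default_realm {default_realm}"))

    # 2. The older 'winbind uid/gid' spelling must not disagree with 'idmap uid/gid'.
    for kind in ("uid", "gid"):
        old, new = g.get(f"winbind {kind}"), g.get(f"idmap {kind}")
        if old and new and parse_range(old) != parse_range(new):
            findings.append((f"IDMAP_{kind.upper()}_RANGE_MISMATCH",
                             f"idmap {kind} = {new} but winbind {kind} = {old}"))

    # 3. A misspelled krb5.conf section is silently ignored, so flag it.
    for section in k:
        if section not in KNOWN_KRB5_SECTIONS:
            findings.append(("UNKNOWN_KRB5_SECTION", f"unrecognised section [{section}]"))

    # 4. getent/wbinfo only resolve domain users if NSS consults winbind.
    for db in ("passwd", "group"):
        if "winbind" not in n.get(db, []):
            findings.append(("NSS_MISSING_WINBIND", f"nsswitch {db} lacks winbind"))
    return findings


if __name__ == "__main__":
    for code, msg in check_config(SMB_CONF, KRB5_CONF, NSSWITCH_CONF):
        print(f"{code}: {msg}")
```

Run against the quoted configs it reports the realm mismatch, both uid/gid range mismatches and the unrecognised `[loggin]` section, while the nsswitch check passes; on a set of files whose realm, ranges and sections agree it returns an empty list. A mismatch between the two range settings is worth resolving even when one spelling is only a legacy alias, because which range winbind actually uses decides whether the UIDs shown by `getent passwd` are the ones a share's ACLs were written for.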

