[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]

Jason Gerfen jason.gerfen at scl.utah.edu
Thu May 22 18:03:31 GMT 2008


UPDATE
Jason Gerfen wrote:
> I have been reading everything I can regarding this setup but am having a 
> problem that I am unsure of.
> 
> I am unable to authenticate any user despite the following commands 
> working:
> %> getent passwd <username>
> %> wbinfo -u
> %> wbinfo -g
> 
> With the getent passwd I am able to see all of my UID/GID being mapped 
> via winbind to the rid of the domain user account.
> 
> This command fails:
> %> wbinfo -i <username>

This command works
%> wbinfo --krb5auth=smb%password

From a Windows machine this fails
%> net use x: \\server.domain.com\share /user:smb

> 
> And in the log files when attempting to authenticate against this 
> machine by mapping a share the following is seen in the log files:
> check_ntlm_password:  Checking password for unmapped user 
> [server.domain.edu]\[username]@[DC] with the new password interface
> 
> This is inaccurate as with a krb5 TGT the correct line should look like:
> check_ntlm_password:  Checking password for unmapped user 
> [server.domain.edu]\[username]@[REALM.EDU] with the new password interface
> 
> Unless I am missing something I believe my configuration shown below is 
> accurate and as of yet I have not received any real answer to this problem.
> 
> Any help is appreciated.
> 
> Here is my smb.conf
> [global]
>         workgroup = scl
>         realm = SCL.DOMAIN.EDU
>         server string = valhalla.scl.domain.edu
>         netbios name = valhalla
> 
>         password server = *
>         encrypt passwords = true
>         security = ads
> 
>         os level = 20
> 
>         allow trusted domains = no
> 
>         ldap ssl = no
> 
>         idmap uid = 5000-2000000
>         idmap gid = 5000-2000000
>         idmap domains = SCL
> 
>         interfaces = eth0, lo
>         bind interfaces only = yes
> 
>         log level = 20
>         log file = /var/log/samba3/log.%m
>         max log size = 50
> 
>         client signing = yes
>         client schannel = no
>         client use spnego = yes
> 
>         preferred master = no
>         local master = no
>         domain master = no
>         wins proxy = no
>         dns proxy = No
> 
>         template shell = /bin/bash
>         nt acl support = yes
>         create mask = 0775
>         template homedir = /home/%U
> 
>         winbind uid = 500-2000000
>         winbind gid = 500-2000000
>         winbind separator = +
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind nested groups = yes
>         winbind use default domain = yes
>         winbind offline logon = true
> 
>         printcap name = cups
>         printing = cups
>         load printers = yes
>         cups options = raw
>         print command =
>         lpq command = %p
>         lprm command =
> 
> [test]
>         comment = testing
>         browsable = yes
>         read only = yes
>         create mode = 0644
>         path = /home/jason
> 
> Here is my krb5.conf
> [libdefaults]
>         default_realm = UTAH.EDU
> 
> [realms]
>         UTAH.EDU = {
>                 kdc = 155.99.1.95
>         }
> 
> [domain_realm]
>         .utah.edu = DOMAIN.EDU
>         DOMAIN.EDU = DOMAIN.EDU
>         scl.DOMAIN.EDU = DOMAIN.EDU
> 
> [loggin]
>         default = FILE:/var/log/krb5.log
> 
> [appdefaults]
>         pam = {
>                 ticket_lifetime = 365d
>                 renew_lifetime = 365d
>                 forwardable = true
>                 proxiable = false
>                 retain_after_close = true
>                 minimum_uid = 0
>         }
> 
> The nsswitch.conf file:
> passwd:      compat winbind
> shadow:      compat
> group:       compat winbind
> 
> # passwd:    db files nis
> # shadow:    db files nis
> # group:     db files nis
> 
> hosts:       files dns wins
> networks:    files
> 
> services:    db files
> protocols:   db files
> rpc:         db files
> ethers:      db files
> netmasks:    files
> netgroup:    files
> bootparams:  files
> 
> automount:   files
> aliases:     files
> 
> 


-- 
Jas
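
The post above is mostly configuration, and several of the problems a list reader would point at are visible in the files themselves: the same idmap range is set twice under two names with different values, the smb.conf realm is not the krb5.conf default realm and has no [realms] entry, the secure channel to the DC is switched off, and one krb5.conf section header is misspelled so its contents are silently ignored. The following is an added example (my own code, not part of the original post and not Samba or MIT Kerberos code) that lints an smb.conf / krb5.conf pair for exactly those mismatches. The embedded configs are constructed samples modelled on the posted ones; the realm names and the 192.0.2.10 KDC address are placeholders, and the list of recognised krb5.conf section names is the set this example knows about, not an exhaustive one.

```python
"""Lint an smb.conf / krb5.conf pair for mismatches that commonly break
'security = ads' + winbind logons.  Added example, not Samba code."""
import configparser
import re

# Constructed samples modelled on the configs in the post (placeholders only).
SMB_CONF = """\
[global]
        workgroup = scl
        realm = SCL.DOMAIN.EDU
        security = ads
        allow trusted domains = no
        idmap uid = 5000-2000000
        idmap gid = 5000-2000000
        winbind uid = 500-2000000
        winbind gid = 500-2000000
        client signing = yes
        client schannel = no
        log level = 20
        lpq command = %p
        print command =
"""
KRB5_CONF = """\
[libdefaults]
        default_realm = UTAH.EDU

[realms]
        UTAH.EDU = {
                kdc = 192.0.2.10
        }

[loggin]
        default = FILE:/var/log/krb5.log
"""

# krb5.conf section names this example recognises (from krb5.conf(5)).
KNOWN_KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                       "appdefaults", "plugins", "logging", "login",
                       "kdcdefaults", "dbmodules", "dbdefaults"}
SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
REALM_RE = re.compile(r"^\s*([A-Za-z0-9.\-]+)\s*=\s*\{")


def parse_smb_conf(text):
    """Return the [global] section as a dict of lower-cased keys."""
    # smb.conf values are single-line, so stripping indentation is safe and
    # stops configparser treating indented lines as value continuations.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   strict=False)   # '%p' must not interpolate
    cp.read_string(flat)
    return {k.strip(): (v or "").strip() for k, v in cp.items("global")}


def parse_krb5_conf(text):
    """Extract default_realm, the realms with [realms] entries, and section names."""
    out = {"default_realm": "", "realms": [], "sections": set()}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            out["sections"].add(section)
            continue
        if section is None or not line.strip():
            continue
        if section == "realms" and REALM_RE.match(line):
            out["realms"].append(REALM_RE.match(line).group(1).upper())
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "default_realm":
                out["default_realm"] = val.strip().upper()
    return out


def parse_range(value):
    lo, hi = value.split("-")
    return int(lo), int(hi)


def lint(smb, krb):
    """Return a list of 'LEVEL: message' findings; empty means nothing flagged."""
    f = []
    realm = smb.get("realm", "").upper()
    for kind in ("uid", "gid"):       # 'winbind uid' is the old name for 'idmap uid'
        old, new = smb.get(f"winbind {kind}"), smb.get(f"idmap {kind}")
        if old and new and parse_range(old) != parse_range(new):
            f.append(f"ERROR: 'winbind {kind}' ({old}) and 'idmap {kind}' ({new}) "
                     f"are one setting under two names but disagree; keep only 'idmap {kind}'")
    if smb.get("security", "").lower() == "ads":
        if not realm:
            f.append("ERROR: security = ads requires 'realm'")
        if realm and krb["default_realm"] and krb["default_realm"] != realm:
            f.append(f"WARN: krb5.conf default_realm {krb['default_realm']} differs from "
                     f"smb.conf realm {realm}; kinit and net ads will use different realms")
        if realm and realm not in krb["realms"]:
            f.append(f"WARN: realm {realm} has no [realms] entry in krb5.conf; "
                     "KDC lookup will depend on DNS SRV records")
    if smb.get("client schannel", "auto").lower() in ("no", "false", "0"):
        f.append("WARN: 'client schannel = no' disables the secure channel to the DC; "
                 "leave it at the default (auto) unless the DC cannot do schannel")
    for s in sorted(krb["sections"] - KNOWN_KRB5_SECTIONS):
        f.append(f"WARN: krb5.conf section [{s}] is not a known section name (typo?); "
                 "its contents are ignored")
    if smb.get("allow trusted domains", "yes").lower() == "no":
        f.append("INFO: 'allow trusted domains = no' limits winbind to the joined domain")
    level = smb.get("log level", "").split()
    if level and level[0].isdigit() and int(level[0]) >= 10:
        f.append(f"INFO: log level {level[0]} is a debug level; reduce it after troubleshooting")
    return f


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SMB_CONF), parse_krb5_conf(KRB5_CONF)):
        print(finding)
```

Run against the sample above it reports two ERROR lines (the uid and gid range clashes), four WARN lines (realm mismatch, missing [realms] entry, schannel off, the [loggin] typo) and two INFO lines; point it at real files by reading them into the two strings. The checks are static, so they say nothing about whether the machine account or the KDC actually answer; use them before `net ads testjoin` and `wbinfo -t`, not instead of them.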

