[Samba] winbind, ads, win2k3, trusted domains, user mapping [UPDATED]
Jason Gerfen
jason.gerfen at scl.utah.edu
Thu May 22 18:03:31 GMT 2008
UPDATE
Jason Gerfen wrote:
> I have been reading everything I can regarding this setup but am having a
> problem that I am unsure of.
>
> I am unable to authenticate any user despite the following commands
> working:
> %> getent passwd <username>
> %> wbinfo -u
> %> wbinfo -g
>
> With the getent passwd I am able to see all of my UID/GID being mapped
> via winbdind to the rid of the domain user account.
>
> This command fails:
> %> wbinfo -i <username>
This command works:
%> wbinfo --krb5auth=smb%password
From a Windows machine this fails:
%> net use x: \\server.domain.com\share /user:smb
>
> And in the log files when attempting to authenticate against this
> machine by mapping a share the following is seen in the log files:
> check_ntlm_password: Checking password for unmapped user
> [server.domain.edu]\[username]@[DC] with the new password interface
>
> This is inaccurate as with a krb5 tgt the correct line should look like:
> check_ntlm_password: Checking password for unmapped user
> [server.domain.edu]\[username]@[REALM.EDU] with the new password interface
>
> Unless I am missing something I believe my configuration shown below is
> accurate and as of yet I have not received any real answer to this problem.
>
> Any help is appreciated.
>
> Here is my smb.conf
> [global]
> workgroup = scl
> realm = SCL.DOMAIN.EDU
> server string = valhalla.scl.domain.edu
> netbios name = valhalla
>
> password server = *
> encrypt passwords = true
> security = ads
>
> os level = 20
>
> allow trusted domains = no
>
> ldap ssl = no
>
> idmap uid = 5000-2000000
> idmap gid = 5000-2000000
> idmap domains = SCL
>
> interfaces = eth0, lo
> bind interfaces only = yes
>
> log level = 20
> log file = /var/log/samba3/log.%m
> max log size = 50
>
> client signing = yes
> client schannel = no
> client use spnego = yes
>
> preferred master = no
> local master = no
> domain master = no
> wins proxy = no
> dns proxy = No
>
> template shell = /bin/bash
> nt acl support = yes
> create mask = 0775
> template homedir = /home/%U
>
> winbind uid = 500-2000000
> winbind gid = 500-2000000
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> winbind offline logon = true
>
> printcap name = cups
> printing = cups
> load printers = yes
> cups options = raw
> print command =
> lpq command = %p
> lprm command =
>
> [test]
> comment = testing
> browsable = yes
> read only = yes
> create mode = 0644
> path = /home/jason
>
> Here is my krb5.conf
> [libdefaults]
> default_realm = UTAH.EDU
>
> [realms]
> UTAH.EDU = {
> kdc = 155.99.1.95
> }
>
> [domain_realm]
> .utah.edu = DOMAIN.EDU
> DOMAIN.EDU = DOMAIN.EDU
> scl.DOMAIN.EDU = DOMAIN.EDU
>
> [logging]
> default = FILE:/var/log/krb5.log
>
> [appdefaults]
> pam = {
> ticket_lifetime = 365d
> renew_lifetime = 365d
> forwardable = true
> proxiable = false
> retain_after_close = true
> minimum_uid = 0
> }
>
> The nsswitch.conf file:
> passwd: compat winbind
> shadow: compat
> group: compat winbind
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns wins
> networks: files
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files
> bootparams: files
>
> automount: files
> aliases: files
>
>
--
Jas
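Added example, not part of the original thread: a small checker that parses an smb.conf and a krb5.conf and cross-checks the Samba `realm` against krb5.conf's `[realms]`, `default_realm` and `[domain_realm]` mapping, and flags section names libkrb5 would silently ignore. `parse_conf`, `check_realm_consistency` and the sample configs are constructed for this example and are not the poster's files.

```python
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging", "appdefaults", "capaths"}

def parse_conf(text):
    """Minimal krb5.conf/smb.conf parser -> {section: {key: value}}; 'NAME = {' blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):                  # new section; section/key names lower-cased
            section, block = line.strip("[] ").lower(), None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):                  # realm block names keep their case
            block = line[:-1].strip(" =")
            conf[section][block] = {}
        else:
            key, _, val = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip().lower()] = val.strip()
    return conf

def check_realm_consistency(smb, krb5):
    """Cross-check the Samba 'realm' against krb5.conf; returns a list of findings."""
    findings = [f"krb5.conf: unknown section [{s}] (typo? libkrb5 ignores it)"
                for s in krb5 if s not in KRB5_SECTIONS]
    realm = smb.get("global", {}).get("realm", "").upper()
    if not realm:
        return findings + ["smb.conf: 'realm' is not set in [global]"]
    if realm not in krb5.get("realms", {}):
        findings.append(f"krb5.conf: no [realms] entry for {realm}")
    default = krb5.get("libdefaults", {}).get("default_realm", "")
    if default.upper() != realm:
        findings.append(f"krb5.conf: default_realm {default!r} != smb.conf realm {realm}")
    dns = realm.lower()                           # DNS domain that should map to this realm
    labels = dns.split(".")                       # longest-suffix lookup, as libkrb5 does
    candidates = [dns] + ["." + ".".join(labels[i:]) for i in range(len(labels))]
    mapping = krb5.get("domain_realm", {})
    mapped = next((mapping[c] for c in candidates if c in mapping), "")
    if mapped.upper() != realm:
        findings.append(f"krb5.conf: [domain_realm] maps {dns} to {mapped or 'nothing'}, not {realm}")
    return findings

# Constructed sample configs (not the original poster's): smb.conf names a sub-domain
# realm that krb5.conf never defines, and krb5.conf carries a mistyped section name.
SMB_CONF = "[global]\n  workgroup = EXAMPLE\n  realm = AD.EXAMPLE.ORG\n  security = ads\n"
KRB5_CONF = ("[libdefaults]\n  default_realm = EXAMPLE.ORG\n[realms]\n  EXAMPLE.ORG = {\n    kdc = kdc.example.org\n  }\n"
             "[domain_realm]\n  .example.org = EXAMPLE.ORG\n[loggin]\n  default = FILE:/var/log/krb5.log\n")
FINDINGS = check_realm_consistency(parse_conf(SMB_CONF), parse_conf(KRB5_CONF))
```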