[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

Jonathan Petersson jpetersson at garnser.se
Thu Sep 24 00:13:41 MDT 2009

Thanks for the input Adam,

In my case I've full control of the AD domain and just run net ads
join which is successful, shows up in AD.

Here's my current config, can you see anything in it that I should
consider adding or removing?

   workgroup = PRESIDIO
   password server = pdc.garnser.se
   realm = garnser.se
   security = ads
   winbind use default domain = yes
   winbind trusted domains only = yes
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind separator = +
   idmap uid = 8000-33554431
   idmap gid = 8000-33554431
   template shell = /bin/bash
   server string = Samba Server Version %v
   netbios name = presidio3
   log file = /var/log/samba/log.%m
   max log size = 1000
   passdb backend = tdbsam
   use kerberos keytab = yes
   encrypt passwords = yes
   preferred master = no
   idmap backend = ad
   client use spnego = yes	
   load printers = yes
   cups options = raw
   auth methods = winbind
	comment = Home Directories
	browseable = no
	writable = yes
	valid users = %S
	read only = no
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

Thanks again


On Wed, Sep 23, 2009 at 10:41 PM, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
>> The kerberos stuff is for the PAM auth although I though this was
>> necessary for the Samba stuff too.
> Winbind is also an alternative for this, by making all the AD users
> visible as if they were accounts on the local machine.  Having winbind
> working is also crucial to being able to grant AD groups access to
> certain areas of your filesystem.
>> Also, as far as the workgroup-name goes it's true it's the shorter
>> name but in my case the short name is PRESIDIO.
>> Could you send me a copy of your config? I'm obviously a bit off
>> hacking kerberos.
> Here's the relevant bit from a server I put into production last night.
>  The machine name is sambaserver.mydomain.com:
> workgroup = MYDOMAIN
> netbios name = sambaserver
> security = ads
> realm = MYDOMAIN.COM
> Once that's done I precreated the account in AD (otherwise the machine
> account will be created somewhere I haven't been delegated access to)
> then I ran "net ads join -U <username>" where <username> is an account
> with access to join the machine to the domain (which you choose when
> adding the account to the domain - don't prefix it with MYDOMAIN\\ or
> @MYDOMAIN.COM) and then it may come up with some errors, but running
> "net ads testjoin" will hopefully return "OK".
> All the other options in my Samba config are related to shares, winbind,
> etc. but nothing to do with the domain.
> Cheers,
> Adam.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list