[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

Adam Nielsen adam.nielsen at uq.edu.au
Thu Sep 24 00:37:43 MDT 2009


> Thanks for the input Adam,
> 
> In my case I've full control of the AD domain and just run net ads
> join which is successful, shows up in AD.
> 
> Here's my current config, can you see anything in it that I should
> consider adding or removing?
> 
> [global]
>    workgroup = PRESIDIO
>    password server = pdc.garnser.se
>    realm = garnser.se

I would remove the password server, and (not being that familiar with
the setup side of AD) shouldn't the workgroup be GARNSER?  Or the realm
be presidio.garnser.se?  Mind you if you can join the domain it would
seem these values are correct.

Just to confirm these values are correct, on a Windows PC, go Control
Panel, System, Computer Name (where you can rename the PC) and on that
page it should list the domain - is that garnser.se?  That domain should
be what is put in the realm.

Likewise when you log in to a Windows PC, you can choose the domain you
want to log in to from a drop-down list.  Is that PRESIDIO?  The value
there should be the same as what you put in workgroup.

>    template shell = /bin/bash

This will allow your AD users to SSH into your machine (just checking!)

>    netbios name = presidio3

Is presidio3.garnser.se the full DNS name of your machine?  Not sure if
it makes a difference but it can't hurt to make the NetBIOS and DNS
names match.

>    use kerberos keytab = yes
>    client use spnego = yes

I don't have either of these two options set.

>    auth methods = winbind

I don't have "auth methods" set, and the manpage recommends against
setting it.

Otherwise it looks fine.  After updating these options you could try
erasing all Samba's .tdb files to make it forget it belongs to a domain,
then add it again fresh.  I would be very surprised if that didn't work.

Cheers,
Adam.
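
The review in the message above can be run as an offline check before rejoining the domain. The following is an added example, not part of the original message or of Samba: a small Python linter that parses the `[global]` section and flags the settings questioned in the reply. The function names and the `dns_hostname` argument are assumptions, and the sample input is the set of lines quoted in the message.

```python
import re

# The [global] lines quoted in the message above, used as sample input.
SAMPLE_CONF = """\
[global]
   workgroup = PRESIDIO
   password server = pdc.garnser.se
   realm = garnser.se
   template shell = /bin/bash
   netbios name = presidio3
   use kerberos keytab = yes
   client use spnego = yes
   auth methods = winbind
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def review(text, dns_hostname):
    """List findings for the settings questioned in the reply."""
    p, findings = parse_global(text), []
    if "passwordserver" in p:
        findings.append("password server is pinned to " + p["passwordserver"])
    if "authmethods" in p:
        findings.append("auth methods is set explicitly")
    shell = p.get("templateshell")
    if shell and shell not in NOLOGIN_SHELLS:
        findings.append("template shell " + shell + " gives domain users a login shell")
    short = dns_hostname.split(".")[0].lower()
    if "netbiosname" in p and p["netbiosname"].lower() != short:
        findings.append("netbios name differs from DNS host name " + short)
    return findings
```

Calling `review(SAMPLE_CONF, "presidio3.garnser.se")` reports the pinned password server, the explicit `auth methods`, and the login shell; the host name passed in is the one the reply asks about and is assumed here to be correct.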

