[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS

Jonathan Petersson jpetersson at garnser.se
Thu Sep 24 00:53:55 MDT 2009

Going to try this a bit more tomorrow with a fresh install, please see
inline responses.

I'm thinking that I may have some kerberos stuff hanging around, I
noticed that there's a smb_krb5 directory with kdc data in

On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
>> Thanks for the input Adam,
>> In my case I've full control of the AD domain and just run net ads
>> join which is successful, shows up in AD.
>> Here's my current config, can you see anything in it that I should
>> consider adding or removing?
>> [global]
>>    workgroup = PRESIDIO
>>    password server = pdc.garnser.se
>>    realm = garnser.se
> I would remove the password server, and (not being that familiar with
> the set up side of AD) shouldn't the workgroup be GARNSER?  Or the realm
> be presidio.garnser.se?  Mind you if you can join the domain it would
> seem these values are correct.

I named my workgroup differently from the domain/realm, I can
successfully join the domain.

> Just to confirm these values are correct, on a Windows PC, go Control
> Panel, System, Computer Name (where you can rename the PC) and on that
> page it should list the domain - is that garnser.se?  That domain should
> be what is put in the realm.

The domain is equal to the realm.

> Likewise when you log in to a Windows PC, you can choose the domain you
> want to log in to from a drop-down list.  Is that PRESIDIO?  The value
> there should be the same as what you put in workgroup.

This is the same.

>>    template shell = /bin/bash
> This will allow your AD users to SSH into your machine (just checking!)

Yes that's intentional.

>>    netbios name = presidio3
> Is presidio3.garnser.se the full DNS name of your machine?  Not sure if
> it makes a difference but it can't hurt to make the NetBIOS and DNS
> names match.

It's identical.

>>    use kerberos keytab = yes
>>    client use spnego = yes
> I don't have either of these two options set.
>>    auth methods = winbind
> I don't have "auth methods" set, and the manpage recommends against
> setting it.
> Otherwise it looks fine.  After updating these options you could try
> erasing all Samba's .tdb files to make it forget it belongs to a domain,
> then add it again fresh.  I would be very surprised if that didn't work.

Thanks again!


More information about the samba mailing list