[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
jpetersson at garnser.se
Thu Sep 24 00:53:55 MDT 2009
Going to try this a bit more tomorrow with a fresh install, please see
I'm thinking that I may have some Kerberos stuff hanging around, I
noticed that there's a smb_krb5 directory with kdc data in
On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
>> Thanks for the input Adam,
>> In my case I've full control of the AD domain and just run net ads
>> join which is successful, shows up in AD.
>> Here's my current config, can you see anything in it that I should
>> consider adding or removing?
>> workgroup = PRESIDIO
>> password server = pdc.garnser.se
>> realm = garnser.se
> I would remove the password server, and (not being that familiar with
> the setup side of AD) shouldn't the workgroup be GARNSER? Or the realm
> be presidio.garnser.se? Mind you if you can join the domain it would
> seem these values are correct.
I named my workgroup differently from the domain/realm, I can
successfully join the domain.
> Just to confirm these values are correct, on a Windows PC, go Control
> Panel, System, Computer Name (where you can rename the PC) and on that
> page it should list the domain - is that garnser.se? That domain should
> be what is put in the realm.
The domain is equal to the realm.
> Likewise when you log in to a Windows PC, you can choose the domain you
> want to log in to from a drop-down list. Is that PRESIDIO? The value
> there should be the same as what you put in workgroup.
This is the same.
>> template shell = /bin/bash
> This will allow your AD users to SSH into your machine (just checking!)
Yes that's intentional.
>> netbios name = presidio3
> Is presidio3.garnser.se the full DNS name of your machine? Not sure if
> it makes a difference but it can't hurt to make the NetBIOS and DNS
> names match.
>> use kerberos keytab = yes
>> client use spnego = yes
> I don't have either of these two options set.
>> auth methods = winbind
> I don't have "auth methods" set, and the manpage recommends against
> setting it.
> Otherwise it looks fine. After updating these options you could try
> erasing all Samba's .tdb files to make it forget it belongs to a domain,
> then add it again fresh. I would be very surprised if that didn't work.