[Samba] winbind and smb tries to auth as pdc$ rather than local name when using ADS
Jonathan Petersson
jpetersson at garnser.se
Thu Sep 24 00:53:55 MDT 2009
Going to try this a bit more tomorrow with a fresh install; please see
inline responses.

I'm thinking that I may have some Kerberos stuff hanging around; I
noticed that there's a smb_krb5 directory with kdc data in
/var/lib/samba.
On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <adam.nielsen at uq.edu.au> wrote:
>> Thanks for the input Adam,
>>
>> In my case I've full control of the AD domain and just run net ads
>> join which is successful, shows up in AD.
>>
>> Here's my current config, can you see anything in it that I should
>> consider adding or removing?
>>
>> [global]
>> workgroup = PRESIDIO
>> password server = pdc.garnser.se
>> realm = garnser.se
>
> I would remove the password server, and (not being that familiar with
> the set up side of AD) shouldn't the workgroup be GARNSER? Or the realm
> be presidio.garnser.se? Mind you if you can join the domain it would
> seem these values are correct.
I named my workgroup differently from the domain/realm; I can
successfully join the domain.
>
> Just to confirm these values are correct, on a Windows PC, go Control
> Panel, System, Computer Name (where you can rename the PC) and on that
> page it should list the domain - is that garnser.se? That domain should
> be what is put in the realm.
The domain is equal to the realm.
>
> Likewise when you log in to a Windows PC, you can choose the domain you
> want to log in to from a drop-down list. Is that PRESIDIO? The value
> there should be the same as what you put in workgroup.
This is the same.
>
>> template shell = /bin/bash
>
> This will allow your AD users to SSH into your machine (just checking!)
Yes that's intentional.
>
>> netbios name = presidio3
>
> Is presidio3.garnser.se the full DNS name of your machine? Not sure if
> it makes a difference but it can't hurt to make the NetBIOS and DNS
> names match.
It's identical.
>
>> use kerberos keytab = yes
>> client use spnego = yes
>
> I don't have either of these two options set.
>
>> auth methods = winbind
>
> I don't have "auth methods" set, and the manpage recommends against
> setting it.
>
> Otherwise it looks fine. After updating these options you could try
> erasing all Samba's .tdb files to make it forget it belongs to a domain,
> then add it again fresh. I would be very surprised if that didn't work.
Thanks again!
/Jonathan
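
The points raised in the quoted reply can be collected into a small smb.conf checker. This is an added example, not code from the thread or from the Samba project; `review_global`, `SAMPLE_CONF` and the host name and AD domain arguments are names assumed for illustration.

```python
import configparser

# Constructed sample: the [global] options quoted in the thread above.
SAMPLE_CONF = """[global]
workgroup = PRESIDIO
password server = pdc.garnser.se
realm = garnser.se
template shell = /bin/bash
netbios name = presidio3
use kerberos keytab = yes
client use spnego = yes
auth methods = winbind
"""

def review_global(conf_text, host_fqdn, ad_dns_domain):
    """Hypothetical helper: (option, note) pairs for the points raised in the reply."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Samba ignores case and spaces in parameter names, so normalise the keys.
    g = {"".join(k.lower().split()): v.strip() for k, v in cp["global"].items()}
    out = []
    if "passwordserver" in g:
        out.append(("password server",
                    "pinned to " + g["passwordserver"] + "; the reply suggests removing it"))
    if "authmethods" in g:
        out.append(("auth methods", "set explicitly; the reply says the manpage advises against it"))
    for key, name in (("usekerberoskeytab", "use kerberos keytab"),
                      ("clientusespnego", "client use spnego")):
        if key in g:
            out.append((name, "not set in the reply author's own configuration"))
    # The reply: the domain shown on a Windows PC is what belongs in realm.
    if g.get("realm", "").lower() != ad_dns_domain.lower():
        out.append(("realm", "does not match AD DNS domain " + ad_dns_domain))
    # The reply: keep the NetBIOS name and the DNS host name the same.
    short = host_fqdn.split(".")[0].lower()
    if g.get("netbiosname", short).lower() != short:
        out.append(("netbios name", "differs from DNS host name " + short))
    # Samba's default template shell is /bin/false (no interactive login).
    shell = g.get("templateshell", "/bin/false")
    if not shell.endswith(("/false", "/nologin")):
        out.append(("template shell", shell + " gives AD users an interactive login"))
    return out

if __name__ == "__main__":
    for option, note in review_global(SAMPLE_CONF, "presidio3.garnser.se", "garnser.se"):
        print(option + ": " + note)
```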