[Samba] Help with ADS authentication and Samba

Geoff Winkless samba at geoff.dj
Fri Mar 11 04:49:04 MST 2011

2011/3/11 Brian O'Mahony <brian.omahony at curamsoftware.com>:
> Hi there, just recently joined this list as I seem to be having a little trouble that I am hoping someone can help with.
> I recently installed a RHEL5.5 server and updated samba to samba3-3.4.11-42.el5.x86_64.rpm. I had never set up samba to authenticate with ADS so I read a little bit and dove right in. The server now works fine, so when I browse to \\machinename no login box pops up, and I see the shares, and every user in the domain can write to them.
> So far so good. I then try to replicate this on another server and then the problems started. Here is the procedure I followed:
> I copied smb.conf, krb5.conf over to the new server from the working copy. Edited nsswitch.conf to add winbind to the end of passwd, group and shadow.
> I then ran "kinit admin". This worked. I then ran kdestroy to destroy the token.
> [root at rhel5u5live ~]# net ads join -U ictadmin
> Enter ictadmin's password:
> Using short domain name -- XXX
> Joined 'RHEL5U5LIVE' to realm 'xxx.com'
> [root at rhel5u5live ~]# net ads testjoin
> Join is OK
> [root at rhel5u5live ~]# wbinfo -u | grep brian.om
> XXX/brian.omahony
> So it seems to be able to look up users etc on the Domain controller. However when I browse to \\machinename a login box pops up. I *know* I must have forgotten something, but can't figure out what.

Welcome to my world. I have exactly the same issue - one server works
fine, the other doesn't, even though all the wb tests seem to be fine.

Is it an XP client, by any chance?

I've narrowed it down to a kerberos issue, I believe. If you run

    net use \\servername\share /user:XXX/brian.omahony

does it work correctly without asking for a password? This seems to be
NTLM vs Kerberos auth, but I can't get any further than that.

One thing to check, make sure that you have FQDN entries in the
server's /etc/hosts (or as reverse entries in DNS) for your dc and the
server itself. i.e. when you do

  dig -x

(the IP address of the server, obviously) from the server, do you get
the full domain name or just the hostname? Various pages suggest that
might be the cause of the problem, although it doesn't help me.


More information about the samba mailing list
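The FQDN check Geoff describes (reverse lookup of the server and the DC, either from /etc/hosts or from DNS PTR records), written up as a small POSIX shell diagnostic. This is an added example, not a script from the thread or from Samba: it assumes `dig` is installed for the reverse lookup, uses the realm name xxx.com from the thread as a sample domain, and the embedded hosts entries with 192.0.2.x addresses are constructed (RFC 5737 documentation range), not a real network.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report whether each host name
# resolves to a fully qualified name, since Kerberos service tickets are
# requested for host/<fqdn>@REALM and a short name breaks that.

# Constructed sample hosts file, not a real network.
SAMPLE_HOSTS='# constructed sample
127.0.0.1   localhost
192.0.2.10  rhel5u5live.xxx.com rhel5u5live
192.0.2.20  dc1'

# Return 0 if the name contains a dot (looks fully qualified), 1 otherwise.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read hosts-file text on stdin and print the first name listed for IP $1
# (empty if none). Comment lines and lines without a name are skipped.
hosts_name_for_ip() {
    awk -v ip="$1" '
        $1 ~ /^#/ || NF < 2 { next }
        $1 == ip { print $2; exit }
    '
}

# Reverse-resolve IP $1 with dig (assumed installed); print the PTR target
# without its trailing dot, or nothing if there is no PTR record.
reverse_dns() {
    dig +short -x "$1" 2>/dev/null | head -n 1 | sed 's/\.$//'
}

# Check one IP: hosts file first (default /etc/hosts), then reverse DNS.
# Prints "OK ..." and returns 0, or prints "WARN ..." and returns 1.
check_ip() {
    ip="$1"
    hosts_file="${2:-/etc/hosts}"
    name=$(hosts_name_for_ip "$ip" < "$hosts_file")
    [ -z "$name" ] && name=$(reverse_dns "$ip")
    if [ -z "$name" ]; then
        echo "WARN $ip: no entry in $hosts_file and no PTR record"
        return 1
    fi
    if is_fqdn "$name"; then
        echo "OK $ip -> $name"
        return 0
    fi
    echo "WARN $ip -> $name is a short name; Kerberos needs the FQDN"
    return 1
}

# Usage: sh fqdn-check.sh <server-ip> <dc-ip> ...  (checks the live /etc/hosts)
for ip in "$@"; do
    check_ip "$ip"
done
```

Run it on the Samba server with its own address and the DC's address; any WARN line means the host/ SPN that mod_auth or the client will ask the KDC for does not match what the name resolves to, which is exactly the symptom of a login box appearing while `wbinfo` and `net ads testjoin` both look healthy.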