[Samba] Samba and AD integration

Robert Freeman-Day presgas at gmail.com
Mon Sep 19 09:23:36 MDT 2011



On 09/19/2011 10:16 AM, Bruno Martins wrote:
> Hello everyone.
> 
> I am running Samba on a Debian system, and I'm currently getting the following error on the logs:
> 
> [2011/09/19 15:06:36.708281,  1] smbd/sesssetup.c:454(reply_spnego_kerberos)
>   Username GALILEU-F\bmartins is invalid on this system
> 
> GALILEU-F being my Windows domain and bmartins my username.
> 
> However, both 'wbinfo -g' and 'wbinfo -u' are working fine. Also, 'kinit (...)' works.
> 
> My smb.conf:
> [global]
>         workgroup = GALILEU-F
>         realm = GALILEU-F.GALILEU.PT
>         server string = Samba Server
>         security = ADS
>         auth methods = winbind
>         password server = 192.168.0.2
>         username map = /etc/samba/smbusers
>         client NTLMv2 auth = Yes
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>         printcap name = cups
>         dns proxy = No
>         wins server = 192.168.0.2
>         idmap uid = 200000-300000
>         idmap gid = 200000-300000
>         winbind use default domain = Yes
>         winbind trusted domains only = Yes
>         cups options = raw
> 
> My krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = GALILEU-F.GALILEU.PT
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> GALILEU-F.GALILEU.PT = {
>    kdc = jupiter.galileu-f.galileu.pt
>    admin_server = jupiter.galileu-f.galileu.pt
>    default_domain = galileu-f.galileu.pt
> }
> 
> [domain_realm]
> .jupiter.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
> .galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
> }
> 
> And... /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat  winbind
> group:          compat  winbind
> shadow:         compat
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> Can someone please shed some light on this?
> 
> Best regards,
> 
> Bruno Martins

Bruno,

You are using the option "winbind use default domain = Yes", so AD users
should be able to access with just their username, and there should be no
need to prepend the domain and backslash.

Robert

-- 
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
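As an added example (not code from the thread), a small Python helper that reads the posted [global] section and works out which account name winbind presents to the passwd lookup for a given login, which is Robert's point: with "winbind use default domain = Yes", a user from the server's own domain is looked up as the bare username, while a user from another domain keeps the DOMAIN\user form. The smb.conf text is a constructed copy of the poster's section, and treating the configured workgroup as the primary domain is an assumption of the example.

```python
# Constructed copy of the [global] section posted in the thread, trimmed to the
# parameters that matter for how a login name becomes a Unix account name.
SMB_CONF = r"""
[global]
        workgroup = GALILEU-F
        realm = GALILEU-F.GALILEU.PT
        security = ADS
        auth methods = winbind
        username map = /etc/samba/smbusers
        idmap uid = 200000-300000
        idmap gid = 200000-300000
        winbind use default domain = Yes
        winbind trusted domains only = Yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {parameter: value}}.
    Parameter names are lower-cased with whitespace collapsed, because Samba
    matches them case- and whitespace-insensitively."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def smb_bool(value):
    """Samba accepts yes/true/1/on (any case) as a true boolean."""
    return value.strip().lower() in ("yes", "true", "1", "on")

def expected_unix_name(nt_name, conf):
    """Account name winbind hands to the passwd lookup for a login.
    Assumption: the primary domain is the configured workgroup."""
    g = conf["global"]
    sep = g.get("winbind separator", "\\")      # Samba's default separator
    workgroup = g["workgroup"].upper()
    domain, found, user = nt_name.partition(sep)
    if not found:                               # bare name: own domain implied
        domain, user = workgroup, nt_name
    if smb_bool(g.get("winbind use default domain", "no")) and domain.upper() == workgroup:
        return user                             # own-domain users: username only
    return f"{domain}{sep}{user}"               # other domains keep DOMAIN\user

CONF = parse_smb_conf(SMB_CONF)
```

Running expected_unix_name(r"GALILEU-F\bmartins", CONF) returns "bmartins", so the account that must resolve through nsswitch for this configuration is the bare username, not the GALILEU-F\bmartins shown in the log line.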

