[Samba] [SOLVED] RE: Samba and AD integration

Bruno Martins bmartins at galileu.pt
Sun Sep 25 07:26:02 MDT 2011


Problem solved.

As far as I know, it is related to the fact that I was using the same range of IDs (both GID and UID) in my smb.conf.

I changed these values to different ranges and I am now able to authenticate properly.

Best regards,

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Bruno Martins
Sent: Monday, 19 September 2011 16:35
To: Robert Freeman-Day
Cc: samba at lists.samba.org; António Moreira
Subject: Re: [Samba] Samba and AD integration

-----Original Message-----
From: Robert Freeman-Day [mailto:presgas at gmail.com]
Sent: Monday, 19 September 2011 16:24
To: Bruno Martins
Cc: samba at lists.samba.org; António Moreira
Subject: Re: [Samba] Samba and AD integration

On 09/19/2011 10:16 AM, Bruno Martins wrote:
> Hello everyone.
> 
> I am running Samba on a Debian system, and I'm currently getting the following error on the logs:
> 
> [2011/09/19 15:06:36.708281,  1] smbd/sesssetup.c:454(reply_spnego_kerberos)
>   Username GALILEU-F\bmartins is invalid on this system
> 
> Being GALILEU-F my Windows domain and bmartins my username.
> 
> However, both 'wbinfo -g' and 'wbinfo -u' are working fine. Also, 'kinit (...)' works.
> 
> My smb.conf:
> [global]
>         workgroup = GALILEU-F
>         realm = GALILEU-F.GALILEU.PT
>         server string = Samba Server
>         security = ADS
>         auth methods = winbind
>         password server = 192.168.0.2
>         username map = /etc/samba/smbusers
>         client NTLMv2 auth = Yes
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>         printcap name = cups
>         dns proxy = No
>         wins server = 192.168.0.2
>         idmap uid = 200000-300000
>         idmap gid = 200000-300000
>         winbind use default domain = Yes
>         winbind trusted domains only = Yes
>         cups options = raw
> 
> My krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = GALILEU-F.GALILEU.PT
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> GALILEU-F.GALILEU.PT = {
>    kdc = jupiter.galileu-f.galileu.pt
>    admin_server = jupiter.galileu-f.galileu.pt
>    default_domain = galileu-f.galileu.pt
> }
> 
> [domain_realm]
> .jupiter.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT 
> .galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
> }
> 
> And... /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         compat  winbind
> group:          compat  winbind
> shadow:         compat
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> Can someone please give me a light on this?
> 
> Best regards,
> 
> Bruno Martins

Bruno,

You are using the option "winbind use default domain = Yes", so AD users should be able to access with just their username and there should be no need to pre-pend the domain and backslash.

Robert

--
________

Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36

Hi there, mate.

I've commented that line out, but I'm getting the same result. I have also set it to "no" but, again, without success.

By the way, when I do a "getent passwd" it just shows me local users, no AD users. Is this normal behavior?

Best regards,

Bruno Martins
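Editor's note on the resolution at the top of the thread: the fix reported there was a change to the winbind idmap ranges. Whatever the exact cause in this case, the check a practitioner wants before trusting winbind-assigned IDs is that the configured ranges can never hand an AD user or group a UID/GID that a local account already owns, because a collision there means an AD principal silently inherits the local account's file ownership and group rights. The script below is an added example, not something posted in the thread. It parses only the old-style `idmap uid` / `idmap gid` keys used in the posted smb.conf (not the later `idmap config ... : range` syntax), and the smb.conf fragments and the /etc/passwd and /etc/group excerpts are constructed sample data, not the poster's real files.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check the idmap
# ranges in an smb.conf against the local account database so that a
# winbind-mapped AD user or group can never land on a UID/GID that a
# local account already owns.  All inputs below are constructed.

# Constructed smb.conf fragment modelled on the one posted in the thread.
SMB_CONF_OK='[global]
        workgroup = GALILEU-F
        security = ADS
        idmap uid = 200000-300000
        idmap gid = 200000-300000
'

# Constructed "bad" variant: the uid range starts inside the system-account
# space and swallows local accounts; the gid range is inverted.
SMB_CONF_BAD='[global]
        idmap uid = 500-70000
        idmap gid = 70000-60000
'

# Constructed /etc/passwd and /etc/group excerpts.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
svc-backup:x:60001:60001::/var/backup:/usr/sbin/nologin
bmartins:x:1000:1000::/home/bmartins:/bin/bash
'
GROUP_SAMPLE='root:x:0:
backup:x:60001:
bmartins:x:1000:
'

# idmap_range KEY CONF: print "LOW HIGH" for the line "idmap KEY = LOW-HIGH",
# or nothing if the key is absent.
idmap_range() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*idmap $1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" |
        head -n 1
}

# ids_in_range LOW HIGH DB_CONTENT: names (field 1) whose numeric id (field 3)
# falls inside [LOW, HIGH].  Field 3 is the uid in passwd and the gid in group.
ids_in_range() {
    printf '%s\n' "$3" |
        awk -F: -v lo="$1" -v hi="$2" 'NF >= 3 && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 }'
}

# check_idmap CONF PASSWD GROUP: print one line per problem, or "ok".
# Exit status 0 when clean, 1 when any problem was found.
check_idmap() {
    conf=$1; passwd=$2; group=$3; problems=0
    for key in uid gid; do
        if [ "$key" = uid ]; then db=$passwd; else db=$group; fi
        range=$(idmap_range "$key" "$conf")
        if [ -z "$range" ]; then
            echo "idmap $key: not set"; problems=1; continue
        fi
        lo=${range% *}; hi=${range#* }
        if [ "$lo" -ge "$hi" ]; then
            echo "idmap $key: range $lo-$hi is empty or inverted"; problems=1; continue
        fi
        # IDs below 1000 are conventionally reserved for system accounts.
        if [ "$lo" -lt 1000 ]; then
            echo "idmap $key: range starts at $lo, inside the system-account space"; problems=1
        fi
        for name in $(ids_in_range "$lo" "$hi" "$db"); do
            echo "idmap $key: local $key owner '$name' lies inside $lo-$hi"; problems=1
        done
    done
    [ "$problems" -eq 0 ] && echo ok
    return "$problems"
}

# Stand-alone demonstration: the first call prints "ok", the second lists
# four problems and returns 1 (the "|| :" keeps the script going under set -e).
check_idmap "$SMB_CONF_OK"  "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
check_idmap "$SMB_CONF_BAD" "$PASSWD_SAMPLE" "$GROUP_SAMPLE" || :
```

On a live host you would feed it `"$(cat /etc/samba/smb.conf)" "$(getent passwd)" "$(getent group)"` instead of the samples. Two related caveats for anyone debugging the same symptoms: a plain `getent passwd` with no argument only lists AD users when `winbind enum users = yes` is set (enumeration is off by default because it is expensive against a large domain), so `getent passwd bmartins` is the lookup that actually tells you whether the NSS winbind path works; and once a user resolves, `id bmartins` should show a UID inside the configured idmap range and nothing below it.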