[Samba] Samba 3.0.33 works, 3.5.4 doesn't

Jonathan Buzzard jonathan at buzzard.me.uk
Thu Apr 19 09:47:56 MDT 2012

On Thu, 2012-04-19 at 10:20 -0400, John Oliver wrote:
> I'm trying to get AD authentication working on a RHEL 5.4 base system.
> I can wbinfo -[ug] and getent {passwd|group} with 3.0.33. Everything
> appears to work just fine, except I could not actually authenticate...
> I'd always get failed password.  A lot of Googling turned up a bug that
> indicated that it was impossible to get 3.0.33 to authenticate against a
> W2K8 AD, so I installed 3.5.4. Same smb.conf, same krb5.conf... but I
> cannot join the domain.  net ads status works, but net ads join tells
> me:

Your smb.conf is wrong; it needs to look something like the following. This
is covered in the man pages these days.

# deal with NSS and the whole UID/SID id mapping stuff
        idmap backend = tdb
        idmap uid = 2000000 - 2999999 
        idmap gid = 2000000 - 2999999
        idmap config MYDOMAIN : backend = ad
        idmap config MYDOMAIN : schema_mode = rfc2307
        idmap config MYDOMAIN : readonly = yes
        idmap config MYDOMAIN : range = 500 - 1999999
        idmap cache time = 604800
        idmap negative cache time = 20
        winbind cache time = 600
        winbind nss info = rfc2307
        winbind expand groups = 2
        winbind nested groups = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind offline logon = false

You of course need to have the RFC2307 attributes populated in the AD
for this to work, and a winbind entry in /etc/nsswitch and winbind

Note that you should upgrade to RHEL5.8 immediately and make sure that
you have samba3x-3.5.10-0.108.el5_8 installed unless you want your box
to be rooted by the first passer-by.


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
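
The range lines in the configuration above decide which uidNumber/gidNumber values stored in AD winbind will map: smb.conf requires the per-domain range to be disjoint from the default range, and the idmap_ad backend treats its range as a filter, ignoring IDs outside it. The following Python check is an added example, not part of the original post; it parses the post's idmap settings (MYDOMAIN is the post's placeholder), reports overlapping ranges, and lists which of a set of IDs would be ignored.

```python
import re

# Settings copied from the post's smb.conf fragment (MYDOMAIN is its placeholder).
SMB_CONF = """
idmap backend = tdb
idmap uid = 2000000 - 2999999
idmap gid = 2000000 - 2999999
idmap config MYDOMAIN : backend = ad
idmap config MYDOMAIN : schema_mode = rfc2307
idmap config MYDOMAIN : readonly = yes
idmap config MYDOMAIN : range = 500 - 1999999
"""

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
DOMAIN_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*range$", re.I)

def parse_ranges(text):
    """Return {name: (low, high)} for the default and per-domain idmap ranges."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue  # smb.conf comment lines and non-settings
        key, value = (part.strip() for part in line.split("=", 1))
        m = RANGE_RE.match(value)
        if not m:
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low > high:
            raise ValueError(f"{key}: low bound is above high bound")
        dom = DOMAIN_RE.match(key)
        if dom:
            ranges[dom.group(1)] = (low, high)
        elif key.lower() in ("idmap uid", "idmap gid"):
            ranges["default " + key.lower().split()[-1]] = (low, high)
    return ranges

def overlaps(ranges):
    """Pairs of ranges that share IDs; default uid and gid may coincide."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not (a.startswith("default") and b.startswith("default"))
            and ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def ignored_ids(ids, rng):
    """IDs outside the domain range, which idmap_ad filters out instead of mapping."""
    return [i for i in ids if not rng[0] <= i <= rng[1]]
```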
