[Samba] Samba 3.5 w/ Active Directory Share Authentication
Baird, Josh
jbaird at follett.com
Tue Oct 16 14:13:48 MDT 2012
Hi,
I'm attempting to configure Samba 3.5 to authenticate share access via Active Directory. I do not wish to authenticate system users against AD, only Samba shares. I have successfully joined the server to the AD domain, with a few errors:

    $ net join -W buildel664 -U jbadmin
    Enter jbadmin's password:
    Using short domain name -- NA
    Joined 'BUILDEL664' to realm 'na.blah.lan'
    [2012/10/16 14:50:36.636201, 0] libads/kerberos.c:333(ads_kinit_password)
      kerberos_kinit_password BUILDEL664$@NA.FOLLETT.LAN failed: Client not found in Kerberos database
    DNS Update for buildel664.corp.xxx.com failed: ERROR_DNS_GSS_ERROR
    DNS update failed!

I can't seem to figure out what is causing these errors, but the domain join is successful. I am able to successfully enumerate groups and users using "wbinfo -g" and "wbinfo -u," although "getent passwd" only returns local users. I am not sure if this is a problem or not. While "wbinfo -g" does work, it does not return a listing that includes smb.conf's "winbind separator." According to docs that I have found, wbinfo should output this separator.
When I try to assign domain users/groups to a Samba share, I get an error in Samba's logs that the user is not valid.
My smb.conf:

    workgroup = NA
    realm = NA.XXX.LAN
    security = ads
    template shell = /bin/false
    winbind use default domain = yes
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    idmap uid = 10000000-50000000 # increased for larger AD environments
    idmap gid = 10000000-50000000 # increased for larger AD environments
    encrypt passwords = yes
    server string = Samba Server Version %v
    # logs split per machine
    log file = /var/log/samba/%m.log
    # max 50KB per log file, then rotate
    max log size = 500
    os level = 20
    preferred master = no
    dns proxy = no
    load printers = no
    cups options = raw

    [adauth]
    comment = Testing
    path=/adauth
    create mask = 0660
    directory mask = 770
    writeable = yes
    browseable = yes
    valid users = +"NA+jbadmin"
    guest ok = no

Any ideas how to further troubleshoot?
Thanks,
Josh