Looks like I'm stuck w/ a Win2K domain using ADS & the higher-ups want Linux file/web/mail servers. Looked through ALL the books by Terpstra (informative) but still cannot map drives from Windows 2K clients to the Linux server. Keeps coming back with a dialogue box saying "incorrect password or username". Need some guidance here if you can.
Conf files:

smb.conf:

[global]
unix charset = LOCALE
workgroup = HOME
realm = CULLUM.COM
security = ADS
netbios name = WEBMAIL
encrypt passwords = yes
printcap name = /etc/printcap
load printers = no
domain master = No
log level = 5
log file = /var/log/samba/%m.log
max log size = 50
interfaces = 172.19.220.3/24
local master = no
dns proxy = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
template shell = /bin/false
winbind separator = +
winbind use default domain = yes
password server = *
guest ok = yes
ldap ssl = no

[homes]
comment = Home Directories
preserve case = yes
browseable = yes
writeable = yes
short preserve case = yes

****************************************************************************

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = CULLUM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true

[realms]
CULLUM.COM = {
  kdc = pdc-a.cullum.com:88
  kdc = pdc-b.cullum.com:88
  admin_server = pdc-b.cullum.com:644
  default_domain = cullum.com
}

[domain_realm]
.cullum.com = CULLUM.COM
cullum.com = CULLUM.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

****************************************************************************

nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparms: nisplus [NOTFOUND=return] FILES
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus

****************************************************************************
Tests:

[root@webmail samba]# wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
Domain Computers
Domain Users
Domain Guests
Group Policy Creator Owners
Cert Publishers
Domain Controllers
Enterprise Admins
Domain Admins
Schema Admins
DnsUpdateProxy
linux

****************************************************************************

[root@webmail samba]# wbinfo -u
bcullum
IWAM_PDC-B
IUSR_PDC-B
root
webmail/webmail
Guest
TsInternetUser
Administrator
krbtgt
dbcullum
dhcpuser
dacul
BILL-P4$
NS2$
HOST/webmail
WKSTN2K$
NS1$
PDC-B$
PDC-A$

****************************************************************************

Group mappings:

[root@webmail samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> nobody
Domain Users (S-1-5-21-3378732851-2348953953-3721217398-513) -> users
Power Users (S-1-5-32-547) -> root
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-3378732851-2348953953-3721217398-512) -> root
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-3378732851-2348953953-3721217398-514) -> nobody
SambaUsers (S-1-5-21-3378732851-2348953953-3721217398-2001) -> sambausers
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users

****************************************************************************

The only problems I encountered when I set this up were that I had to use the -a switch in the smbpasswd command to match the Win2K administrator password, and when I ran testparm on the smb.conf file it came back with "'winbind separator = +' might cause problems with group membership". On the PDCs the group "SambaUsers" has all the domain users & computers as members.
I've been working on this for a month now with RedHat 9 w/ the latest versions of Kerberos & Samba, and now w/ Fedora Core 2 using the default versions. The current versions:

samba-client-3.0.3-5
system-config-samba-1.2.9-2
samba-3.0.3-5
samba-swat-3.0.3-5
samba-common-3.0.3-5
pam_krb5-2.0.10-1
krb5-libs-1.3.3-1
krb5-workstation-1.3.3-1
krb5-devel-1.3.3-1
krb5-server-1.3.3-1

By the way, the PAM config file has not been touched (messed up on RedHat 9 & could not log back in. Not even locally as root!). Any help you or anybody can give me would be appreciated.
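As an added example (not from this thread or from the Samba project), the following Python review script parses a constructed excerpt of the smb.conf and krb5.conf posted above and flags the settings a defender would want to look at before exposing the box: the global `guest ok = yes`, the `winbind separator = +` that testparm already warns about, and the single-DES Kerberos encryption types. The excerpt, the check list and the messages are this example's own choices.

```python
import re

# Constructed excerpt of the smb.conf and krb5.conf posted in this thread.
SMB_CONF = """
[global]
   workgroup = HOME
   realm = CULLUM.COM
   security = ADS
   winbind separator = +
   guest ok = yes
"""
KRB5_CONF = """
[libdefaults]
   default_realm = CULLUM.COM
   default_tkt_enctypes = des-cbc-crc des-cbc-md5
   default_tgs_enctypes = des-cbc-crc des-cbc-md5
"""

def parse_ini(text):
    """Parse '[section]' / 'key = value' lines; keys are lower-cased, later values win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1).lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip()
    return sections

def review(smb_text, krb5_text):
    """Return the findings a defender would raise about the posted settings."""
    g = parse_ini(smb_text).get("global", {})
    k = parse_ini(krb5_text).get("libdefaults", {})
    findings = []
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("security = ADS needs a realm")
    if g.get("guest ok", "no").lower() == "yes":
        findings.append("guest ok = yes in [global] makes guest access the default for every share")
    if g.get("winbind separator") == "+":
        findings.append("winbind separator = +: testparm warns about group membership")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        if "des-cbc" in k.get(key, ""):
            findings.append(f"{key} allows single-DES Kerberos encryption types")
    return findings
```

Run `review(SMB_CONF, KRB5_CONF)` to get the list of findings for the constructed excerpt; point it at the real files' contents to review a live host.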
hi.
I want to add something about the smbusers file when using Samba 3 with security = ADS. I use SuSE 9.1 with Samba 3 and have managed to use security = ADS to validate user access to shares against a Win2003 server Active Directory domain. With Samba 3 and security = Domain everything works well. However, with security = ADS, I now seem to have a problem with mapping the Windows administrator user to my user (jgm) on the Samba box.

Details:

--- jgm exists on both the Linux and Windows 2003 boxes.
--- On the Samba box, I have "jgm = administrator" in /etc/samba/smbusers.
--- smbusers is included in smb.conf as "username map = /etc/samba/smbusers".

All this worked with security = Domain, but now, with ADS, when I log on to WinXP as administrator and access a Samba share, I'm prompted for username & password. If I enter "jgm" and password I'm granted access to the share as jgm (I see my jgm home folder, so trust me here). This is a minor inconvenience, I know, but it troubles me because it's as if Samba 3 with ADS has forgotten to use the "username map = /etc/samba/smbusers" parameter of smb.conf and, although it authenticates "administrator" against Active Directory, it doesn't know what to do next with this user called "administrator" who isn't a Linux user. The rest of the users, who have the same names on Linux and Windows, don't have this problem; they log onto all Samba shares transparently. Does anyone use smbusers successfully with Samba 3 and security = ADS?
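To make the username map behaviour concrete, here is an added Python resolver (not Samba's code and not from this thread) that applies a constructed smbusers file containing the post's "jgm = administrator" line plus the "!" (stop after match) and "@group" forms the file format allows. It assumes case-insensitive name matching and a constructed group table in place of the OS group database; quoted names containing spaces are not handled.

```python
# Constructed stand-in for /etc/samba/smbusers: the "jgm = administrator" line from
# the post plus the '!' and '@group' forms the username map file format allows.
SMBUSERS = """
# unix_name = windows_name1 windows_name2 ...
!jgm = administrator
nobody = guest pcguest smbguest
shared = @staff
"""
UNIX_GROUPS = {"staff": {"alice", "bob"}}  # constructed; real Samba asks the OS

def parse_username_map(text):
    """Return [(unix_name, [windows patterns], stop_after_match), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")
        unix_name, _, rhs = line.lstrip("!").partition("=")
        rules.append((unix_name.strip(), rhs.split(), stop))
    return rules

def map_username(windows_name, rules, groups=UNIX_GROUPS):
    """Apply the map as the smb.conf manual describes it: every line is tried in
    order against the (possibly already remapped) name, '*' matches anyone,
    '@grp' matches members of that unix group, and a '!' line ends the search
    on a hit. Name comparison is case-insensitive (an assumption here)."""
    name = windows_name
    for unix_name, patterns, stop in rules:
        for pat in patterns:
            if pat == "*" or pat.lower() == name.lower() or (
                    pat.startswith("@") and name in groups.get(pat[1:], ())):
                name = unix_name
                if stop:
                    return name
                break
    return name
```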
Ok,
I've used the configurations found in this thread, and I'm able to join the domain, which is great, and I can also use Windows machines logged on to the AD to access shares on the Samba machine without having to type passwords or anything. Great! But! I would like to manage the computer from the AD server using Computer Management. Does anyone know if this is possible? I can see the computer in the AD server and I can click Manage, but when I try to change anything or view the shares, etc., I get a message that says: "Access is denied". I can't stop shares or add groups or users for access to the shares. I would also prefer to be able to add shares, but I understand if that ain't possible. Anyone else who had a problem with this? Or has someone even looked into it? /Mattias
First off,
Cheers to everyone contributing to this post. I spent the better part of 3-4 days working on setting up a fileserver and this thread has kept me sane. I pretty much followed this to the T: Quote:
Right-clicking on a share on a Win machine and going to the Security tab, I try to remove "Everyone" from the list. As soon as I hit Apply, "Everyone" comes right back. If I try to add a user or group I get "Unable to change permission changes on ***** Access Denied." The share is owned by the user and I've chmod'ed 755 that dir. Can anyone point me in the direction of where I may have gone wrong? Here's my Samba config: Quote:
I modified nsswitch.conf as follows: Quote:
and krb5.conf as follows: Quote:
One last thing... is an LDAP server necessary for this to work properly? Any help is greatly appreciated ..... thanks again!
For those of you with Fedora Core 2, did winbind install? It's not showing up under my services like it did on Enterprise 3.
Also, has anyone been able to create a fileserver joined to an NT4 domain and set up shares using NT4 domain users? I have a mixed network and I can list all the users from every domain (ADS based), but that's about it. Also wbinfo -u / -g will not work in ADS mode... only in Domain. Any ideas as to what is up would be greatly appreciated.
Do you use Samba to configure shares? If so, if you click on the "Properties" button and then click "Access", are you supposed to see a list of all the domain users in there? The only place I see a list of domain users is under "Samba Users" under the "Unix Username" drop-down. But I don't know what to do with it. Any insight would be helpful!
FYI: The book hlslaughter was talking about, "Samba-3 by Example" by John H. Terpstra, is available for download from the Samba.org website here. Also (as posted earlier in this topic), the book "The Official Samba-3 HOWTO and Reference Guide" is also available for download.