tlug.jp Mailing List Archive
Re: [tlug] Authenticating to Samba with AD account
- Date: Thu, 19 Oct 2006 14:59:29 +0900
- From: "Patrick Niessen" <tlug.niessen@example.com>
- Subject: Re: [tlug] Authenticating to Samba with AD account
- References: <20061017004300.GA14839@example.com>
Nik,
First of all, ensure your samba machine is properly registered in the domain. If necessary delete from Windows, and then add it again, following correct procedure as specified by Samba manual. Ensure your time is synced! You may need to use NTP using AD controller as a timesource. Kerberos is very time sensitive!
    [global]
    workgroup = FOO
old style windows domain name, eg: domain
    realm = FOO.LOCAL
this must be the full AD domain name, ie. FOO.LOCAL.COM
    netbios name = BAR
    security = ADS
    password server = BAR.FOO.LOCAL
this must be your domain controller's beautifully long name
    winbind uid = 100000-120000
    winbind gid = 100000-120000
    winbind separator = +
    winbind use default domain = yes
Is your winbindd backend working? Look inside to see whether users are all in. I actually use LDAP for backend.
Increase log level to get more output from samba, any problem with resolution?
obey pam restrictions = yes
I don't use this, so not sure whether it affects the system. If you only need to provide Samba access there is no need to involve PAM! Authent will be handled only by samba. Use PAM if you need to access other services like ssh or ftp with AD username & password. To have unified login from other services, it may be an option to use ldap instead of PAM (I use ldap from php to check password and username are correct).
You forgot to include the share section.
Make sure it looks something like this:
    [Main]
    comment = Basic Share for Main users
    path = /srv/samba/Main
    read only = No
    inherit permissions = Yes
    nt acl support = No
    hide unreadable = Yes
    map archive = No
    mangled names = No
Secondly set permission on dir. Try "chmod -R a+rwx /srv/samba/Main" for a start, and check whether problems persist. Also please remember that user and group are now domain users, eg: NOT "chown patrick /srv/samba/Main/Patrick" BUT "chown foo+patrick /srv/samba/Main/Patrick".
I had similar problems before with the backend. Is it really stable in operation, is winbind really running? One way to check is to delete winbind.tdb and winbind cache files while daemons are down, then start them up and check what happens. If backend doesn't work, winbindd falls back to tdb. So maybe no matter what you change in LDAP, it doesn't have effect. In case of LDAP, samba may have trouble connecting to LDAP server.
Check logfiles, also system logfiles to narrow down problem.
Good Luck
-- Patrick Niessen
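
An offline check of the smb.conf points raised in the message above, as an added example that is not part of the original post or of Samba itself. The function names, the constructed sample config and the simple "contains a dot" heuristics for full names are assumptions of this example.

```python
import re

# Constructed sample input (not from the thread): a config showing several of
# the problems the message warns about.
SAMPLE = """\
[global]
    workgroup = FOO
    realm = FOO
    security = user
    winbind uid = 100000-120000
    ; winbind gid is missing
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}}, names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_ads_member(conf):
    """Return findings for the settings the message above asks to verify."""
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS")
    if "." not in g.get("realm", ""):            # heuristic: full name has a dot
        findings.append("realm is not a full AD DNS domain name")
    if "." in g.get("workgroup", "") or not g.get("workgroup"):
        findings.append("workgroup is not the short (old-style) domain name")
    if "." not in g.get("password server", ""):
        findings.append("password server is not the DC's full name")
    for param in ("winbind uid", "winbind gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", g.get(param, ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{param} range missing or invalid")
    if not any("path" in p for name, p in conf.items() if name != "global"):
        findings.append("no share section with a path")
    return findings

if __name__ == "__main__":
    for finding in check_ads_member(parse_smb_conf(SAMPLE)):
        print("WARN:", finding)
```

This only inspects the file; whether the machine is actually joined, time is in sync and winbind is answering still has to be checked on the host and in the logs as the message describes.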