LinuxQuestions.org > Forums > Linux Forums > Linux - Server
03-12-2008, 08:56 AM   #1
epoh (Member, registered Jan 2008, 75 posts)
Question getent passwd only pulls local info - getent group works?


I have two brand new boxes loaded up with RHEL4AS (2.6.9-67.ELsmp) and Samba 3.0.28a. I am trying to configure them to authenticate via Active Directory.

(I've marked out some info to not expose client info.)

My [smb.conf]
=============================
# Global Parameters
[global]
workgroup = D***
realm = d***.***.atosorigin-asp.com
preferred master = no
server string = Samba file servers
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind use default domain = No
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
#give winbind users a real shell
template homedir = /home/%U
template shell = /bin/bash
password server = 1**.*.***.**
===========================
[nsswitch.conf] has the following entries:
passwd: files winbind
shadow: files winbind
group: files winbind
==========================
[krb5.conf]
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = D***.***.ATOSORIGIN-ASP.COM
# enctype names are des-cbc-crc / des-cbc-md5; the keytab key is default_keytab_name
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab_name = FILE:/etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
D***.***.ATOSORIGIN-ASP.COM = {
kdc = 1##.#.##.##
admin_server = 1##.#.##.##
default_domain = D**.***.ATOSORIGIN-ASP.COM
}

[domain_realm]
.d***.***.atosorigin-asp.com = D***.***.ATOSORIGIN-ASP.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
=============================
[/etc/pam.d/system-auth]
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
===========================

Now, wbinfo -u and wbinfo -g print out Active Directory users and groups as they should. getent group shows me Active Directory groups. But getent passwd only returns local users. And unfortunately, the port for Samba isn't opened on the firewall yet, so I can't test to see how Samba is working. Did I make a typo somewhere? Can you see something I've done wrong?
03-13-2008, 01:48 AM   #2
leebrent (Member, registered Oct 2007, Nanaimo, Red Hat 5, 39 posts)
This might help you, my students had to join samba to AD in a project last year. This is one of my top student's documentation:

http://www.bryntassell.ca/zambra/samba.php

You will also note that any delay in time will give you issues; ensure that the times are not out of sync by more than 4.59 seconds.

Cheers,

Brent.
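The two posts above point at three separate places the chain can break: nsswitch.conf not handing the passwd database to winbind, idmap not allocating uids from the configured range, and clock skew between the box and the domain controller. The script below is an added diagnostic for those checks; it is not code from the thread or from Samba. Function names and the sample data are assumptions: the samples are constructed copies of what `wbinfo -u`, `getent passwd` and /etc/nsswitch.conf would return, embedded inline so the script runs offline. In real use feed the functions the live output named in each comment.

```shell
#!/bin/sh
# Added diagnostic helpers for the winbind/NSS chain discussed in this thread.
# Not code from the thread; function names and sample data are assumptions.

# Constructed sample: output of `wbinfo -u` (winbind separator "+").
SAMPLE_WBINFO_USERS='DOMAIN+alice
DOMAIN+bob
DOMAIN+carol'

# Constructed sample: output of `getent passwd` on a box where NSS
# resolves only one of the three domain users.
SAMPLE_GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
epoh:x:500:500::/home/epoh:/bin/bash
DOMAIN+alice:*:10000:10000:Alice:/home/alice:/bin/bash'

# Constructed sample: the relevant /etc/nsswitch.conf lines.
SAMPLE_NSSWITCH='passwd: files winbind
shadow: files winbind
group: files winbind'

# missing_from_nss WBINFO_TEXT GETENT_TEXT
# Prints every winbind user that `getent passwd` does not resolve. A non-empty
# list while `wbinfo -u` works means the break is between winbind and NSS
# (nsswitch.conf, libnss_winbind, idmap), not in the AD join itself.
missing_from_nss() {
    wb=$1; ge=$2
    printf '%s\n' "$wb" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        printf '%s\n' "$ge" | cut -d: -f1 | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# nss_has_winbind NSSWITCH_TEXT DATABASE
# Succeeds when the "DATABASE:" line lists winbind as a source.
nss_has_winbind() {
    printf '%s\n' "$1" | awk -v db="$2" '
        BEGIN { key = db ":" }
        $1 == key { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# uids_outside_idmap GETENT_TEXT SEPARATOR LOW HIGH
# Prints domain users (names containing SEPARATOR) whose uid lies outside the
# "idmap uid" range from smb.conf; such entries were not allocated by idmap.
uids_outside_idmap() {
    printf '%s\n' "$1" | awk -F: -v sep="$2" -v lo="$3" -v hi="$4" '
        index($1, sep) && ($3 + 0 < lo + 0 || $3 + 0 > hi + 0) { print $1 ":" $3 }'
}

# skew_ok LOCAL_EPOCH DC_EPOCH MAX_SECONDS
# Succeeds when the clock difference is within MAX_SECONDS. Kerberos rejects
# requests outside the KDC's permitted skew, so check this before chasing PAM
# or winbind settings. Live values: LOCAL=$(date +%s) and, with GNU date,
# DC=$(date -d "$(net time -S "$dc")" +%s).
skew_ok() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$3" ]
}

# report WBINFO_TEXT GETENT_TEXT NSSWITCH_TEXT
# Runs the checks above and prints one line per finding.
report() {
    for db in passwd group; do
        nss_has_winbind "$3" "$db" || echo "nsswitch: $db does not list winbind"
    done
    missing_from_nss "$1" "$2" | sed 's/^/nss: unresolved winbind user /'
    uids_outside_idmap "$2" '+' 10000 20000 | sed 's/^/idmap: uid outside range /'
    return 0
}

report "$SAMPLE_WBINFO_USERS" "$SAMPLE_GETENT_PASSWD" "$SAMPLE_NSSWITCH"
```

On the constructed sample the report lists bob and carol as unresolved, which is the symptom from post #1 (wbinfo sees the domain, getent passwd does not). For the skew check, MIT Kerberos's default permitted skew (the `clockskew` setting) is 300 seconds; pass that as MAX_SECONDS unless the KDC has been tuned tighter.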
03-14-2008, 07:56 AM   #3
epoh (Original Poster)
Thank you. The time may be an issue. Everything else appears to be working properly and the users are able to log into the box with their AD credentials. I am going to try and find out today if the AD DCs are using the time servers.