CentOS 5.5
[root@osra ~]# rpm -q samba3x
samba3x-3.3.8-0.52.el5_5.2
[root@osra ~]# rpm -q krb5-workstation
krb5-workstation-1.6.1-36.el5_5.5
Domain controller: Windows 2003 SP3
I followed these guides:
http://wiki.samba.org/index.php/Samb...tive_Directory
http://www.samba.org/samba/docs/man/...html#ch9-adsdc
I joined the domain and can authenticate the user:
[root@osra ~]# wbinfo -a mbottalico%#########
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@osra ~]# wbinfo -u
administrator
guest
krbtgt
[root@osra ~]# wbinfo -g
utenti wins
dhcp users
dhcp administrators
computer del dominio
controller di dominio
getent passwd and getent group work (entries appear without the "DOMAIN+" prefix).
kinit and klist work.
I can browse the Samba server and can enter the "tmp" share, but not "test" (access denied):
[root@osra ~]# smbclient \\\\osra\\test -U administrator
Enter administrator's password:
Domain=[DOMAINSHORT] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED
listing \* (I only noticed this while writing this message)
[root@osra ~]# smbclient \\\\osra\\tmp -U administrator
Enter administrator's password:
Domain=[DOMAINSHORT] OS=[Unix] Server=[Samba 3.3.8-0.52.el5_5.2]
smb: \> dir
. D 0 Wed Oct 20 15:15:23 2010
.. D 0 Wed Oct 20 11:42:23 2010
T0100000160 D 0 Wed Oct 20 12:33:32 2010
t01tty90 D 0 Wed Oct 20 11:42:23 2010
T01port-mb1 D 0 Thu Oct 21 15:21:51 2010
impexp D 0 Wed Jul 14 12:11:44 2010
T0100000140 D 0 Wed Oct 20 12:05:00 2010
dirvuota.txt A 0 Wed Nov 6 08:15:20 1991
t01tty01 D 0 Wed Oct 20 11:42:23 2010
aggiofix A 5237760 Thu Nov 17 20:27:58 2005
t01tty02 D 0 Wed Oct 20 11:42:23 2010
T0100000150 D 0 Wed Oct 20 12:16:10 2010
53488 blocks of size 2097152. 49908 blocks available
smb: \> q
0 blocks of size 0. 511 blocks available
Any help?
Config files:
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
# NOTE(review): the two enctype lists below pin the client to single-DES only.
# DES is a weak, deprecated cipher; a Windows 2003 DC also supports rc4-hmac,
# so these lines can normally be removed to let a stronger enctype be
# negotiated - confirm the machine account is not flagged as DES-only first.
default_tkt_enctypes = des-cbc-crc; des-cbc-md5
default_tgs_enctypes = des-cbc-crc; des-cbc-md5
[realms]
DOMAIN.COM = {
# NOTE(review): the KDC host is written mixed-case here and lower-case on the
# next line; DNS is case-insensitive so this is cosmetic, but keep them alike.
kdc = alpha.DOMAIN.com
admin_server = alpha.domain.com
default_domain = domain.com
}
[domain_realm]
# NOTE(review): "shortdomain" is not a DNS name; presumably meant to map the
# NetBIOS domain name onto the realm - verify this entry is actually needed.
shortdomain = DOMAIN.COM
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
[appdefaults]
pam = {
debug = false
# presumably plain seconds here (36000 = 10h), unlike the "24h" form above - confirm
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/smb.conf
[global]
workgroup = SHORTDOMAIN
realm = DOMAIN.COM
preferred master = no
server string = Linux Machine
security = ads
encrypt passwords = yes
# NOTE(review): level 5 is a debugging setting; the per-client logs written
# under /var/log/samba/%m grow quickly and record user names and paths.
# Lower it again once the share problem is resolved.
log level = 5
log file = /var/log/samba/%m
client use spnego = yes
client ntlmv2 auth = yes
max log size = 50
printcap name = cups
printing = cups
username map = /etc/samba/smbusers
winbind enum users = Yes
winbind enum groups = Yes
# With "use default domain" on, winbind presents domain accounts without a
# domain prefix (matching the unprefixed getent/wbinfo output above).
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
# NOTE(review): the range starts at 100 and so overlaps IDs used by local
# system accounts (RHEL-family reserves IDs below 500); starting the range
# higher avoids collisions with /etc/passwd entries - verify.
idmap uid = 100-20000
idmap gid = 100-20000
; template primary group = "Domain Users"
template shell = /bin/bash
[printers]
comment = All Printers
path = /var/spool/cups
browseable = no
printable = yes
guest ok = yes
[test]
comment = test
path = /u/test
# NOTE(review): probable cause of NT_STATUS_NETWORK_ACCESS_DENIED on this
# share. The prefix used here is the Kerberos realm (DOMAIN.COM), but winbind
# qualifies names with the workgroup (SHORTDOMAIN) and the "+" separator, and
# with "winbind use default domain = Yes" they carry no prefix at all, so
# "DOMAIN.COM+user" can never match. "user" and "group" also look like
# placeholders. Try unprefixed names, e.g. "valid users = mbottalico
# @GROUP-PLACEHOLDER" (quote group names that contain spaces), validate with
# testparm, and check the Unix permissions on /u/test for the mapped
# UID/GID as well - confirm.
Valid Users = DOMAIN.COM+user @DOMAIN.COM+group
writable = yes
browseable = yes
[tmp]
# NOTE(review): this share exposes the system /tmp to unauthenticated (guest)
# read/write access with world-writable create masks; the comment marks it as
# a test share - remove it once testing is finished.
comment = test-no-security-ads
path = /tmp
guest ok = yes
public = yes
browseable = yes
read only = no
create mask = 0777
directory mask = 0777
/etc/nsswitch.conf
# NOTE(review): winbind supplies passwd and group entries; it does not serve
# shadow data, so "shadow: files winbind" is harmless but ineffective - verify.
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
protocols: files
rpc: files
services: files
/etc/pam.d/system-auth
# PAM evaluates each stack top to bottom: "sufficient" ends the stack with
# success as soon as that module succeeds; a failing "required" module is
# remembered but later modules still run.
auth required pam_env.so
# Local accounts are tried first; domain accounts fall through to winbind,
# which reuses the password already entered (use_first_pass).
# NOTE(review): nullok lets local accounts with an empty password field log in;
# reconsider on a domain-joined file server.
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
# System accounts (UID < 100) skip the winbind account check.
account sufficient pam_succeed_if.so uid < 100 quiet
account sufficient pam_winbind.so use_first_pass
account required pam_permit.so
password requisite pam_cracklib.so retry=3 type=
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_winbind.so use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
# NOTE(review): use_first_pass has no meaning for the session type; presumably
# copied from the auth line - harmless, but can be dropped.
session required pam_winbind.so use_first_pass