LinuxQuestions.org
View Poll Results: How difficult do you find Samba to configure?
One of the most complicated servers to configure 17 29.31%
Somewhat complex to configure 20 34.48%
About average 13 22.41%
Not difficult at all 4 6.90%
I have no clue, never configured Samba 4 6.90%
Voters: 58. You may not vote on this poll

Old 05-29-2004, 10:47 PM   #31
dacul-n-ny
LQ Newbie
 
Registered: May 2004
Posts: 1



Looks like I'm stuck w/ a Win2K domain using ADS & the higher-ups want Linux file/web/mail servers. I've looked through ALL the books by Terpstra, which are informative, but I still cannot map drives from Windows 2K clients to the Linux server. It keeps coming back with a dialogue box saying "incorrect password or username". Need some guidance here if you can.

Conf files:

smb.conf :

[global]
unix charset = LOCALE
workgroup = HOME
realm = CULLUM.COM
security = ADS
netbios name = WEBMAIL
encrypt passwords = yes
printcap name = /etc/printcap
load printers = no
domain master = No
log level = 5
log file = /var/log/samba/%m.log
max log size = 50
interfaces = 172.19.220.3/24
local master = no
dns proxy = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
template shell = /bin/false
winbind separator = +
winbind use default domain = yes
password server = *
guest ok = yes
ldap ssl = no


[homes]
comment = Home Directories
preserve case = yes
browseable = yes
writeable = yes
short preserve case = yes
****************************************************************************
krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = CULLUM.COM
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true

[realms]
CULLUM.COM = {
kdc = pdc-a.cullum.com:88
kdc = pdc-b.cullum.com:88
admin_server = pdc-b.cullum.com:644
default_domain = cullum.com
}

[domain_realm]
.cullum.com = CULLUM.COM
cullum.com = CULLUM.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
****************************************************************************
nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparms: nisplus [NOTFOUND=return] FILES
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files
services: files winbind
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
****************************************************************************
Tests:

[root@webmail samba]# wbinfo -g
BUILTIN\System Operators
BUILTIN\Replicators
BUILTIN\Guests
BUILTIN\Power Users
BUILTIN\Print Operators
BUILTIN\Administrators
BUILTIN\Account Operators
BUILTIN\Backup Operators
BUILTIN\Users
Domain Computers
Domain Users
Domain Guests
Group Policy Creator Owners
Cert Publishers
Domain Controllers
Enterprise Admins
Domain Admins
Schema Admins
DnsUpdateProxy
linux
****************************************************************************
[root@webmail samba]# wbinfo -u
bcullum
IWAM_PDC-B
IUSR_PDC-B
root
webmail/webmail
Guest
TsInternetUser
Administrator
krbtgt
dbcullum
dhcpuser
dacul
BILL-P4$
NS2$
HOST/webmail
WKSTN2K$
NS1$
PDC-B$
PDC-A$
****************************************************************************
group mappings:

[root@webmail samba]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> nobody
Domain Users (S-1-5-21-3378732851-2348953953-3721217398-513) -> users
Power Users (S-1-5-32-547) -> root
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> root
Domain Admins (S-1-5-21-3378732851-2348953953-3721217398-512) -> root
Account Operators (S-1-5-32-548) -> -1
Domain Guests (S-1-5-21-3378732851-2348953953-3721217398-514) -> nobody
SambaUsers (S-1-5-21-3378732851-2348953953-3721217398-2001) -> sambausers
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
****************************************************************************

The only problems I encountered when I set this up were that I had to use the -a switch in the smbpasswd command to match the Win2K administrator password, and that when I ran testparm on the smb.conf file it came back with "'winbind separator = +' might cause problems with group membership".

On the PDCs the group "SambaUsers" has all the domain users & computers as members. I've been working on this for a month now, first with RedHat 9 w/ the latest versions of Kerberos & Samba and now w/ Fedora Core 2 using the default versions. The current versions:

samba-client-3.0.3-5
system-config-samba-1.2.9-2
samba-3.0.3-5
samba-swat-3.0.3-5
samba-common-3.0.3-5

pam_krb5-2.0.10-1
krb5-libs-1.3.3-1
krb5-workstation-1.3.3-1
krb5-devel-1.3.3-1
krb5-server-1.3.3-1

By the way, the PAM config file has not been touched (I messed it up on RedHat 9 & could not log back in, not even locally as root!)

Any help you or anybody can give me would be appreciated.
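Before blaming the clients for the "incorrect password or username" dialog, it is worth running the posted smb.conf and krb5.conf through a few mechanical checks. The script below is an added example, not code from the thread or from the Samba project: the two strings are trimmed copies of the poster's configuration, and the checks flag the settings in them that weaken security (global `guest ok`, single-DES enctypes, debug-level logging) or that are easy to get wrong in an ADS join (realm spelling, the kadmin port, the `winbind separator` warning testparm already printed).

```python
"""Offline audit of the smb.conf / krb5.conf pair posted above (added example).

SMB_CONF and KRB5_CONF are trimmed copies of the poster's files; the checks are
ones a reviewer would run before touching the Windows clients.
"""
import re

SMB_CONF = """\
[global]
workgroup = HOME
realm = CULLUM.COM
security = ADS
encrypt passwords = yes
log level = 5
log file = /var/log/samba/%m.log
winbind separator = +
winbind use default domain = yes
password server = *
guest ok = yes

[homes]
comment = Home Directories
writeable = yes
"""

KRB5_CONF = """\
[libdefaults]
default_realm = CULLUM.COM
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
CULLUM.COM = {
kdc = pdc-a.cullum.com:88
admin_server = pdc-b.cullum.com:644
}
"""

# Single-DES Kerberos enctypes, deprecated by RFC 6649 and off by default in current KDCs.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}


def parse_conf(text, fold_keys=True):
    """Parse the INI-style syntax shared by smb.conf and krb5.conf into
    {section: {key: value}}; krb5's 'NAME = { ... }' blocks become nested dicts.
    With fold_keys, keys are lower-cased with inner whitespace collapsed, which is
    how Samba treats them.  Repeated keys keep the last value."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header and not stack:
            section = conf.setdefault(header.group(1).strip().lower(), {})
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower() if fold_keys else key.strip()
        value = value.strip()
        target = stack[-1] if stack else section
        if value == "{":
            stack.append(target.setdefault(key, {}))
        else:
            target[key] = value
    return conf


def audit(smb, krb5):
    """Return a list of (code, message) findings for a parsed smb.conf / krb5.conf pair."""
    findings = []
    g = smb.get("global", {})

    def truthy(v):
        return v.strip().lower() in ("yes", "true", "1")

    if truthy(g.get("guest ok", "no")):
        findings.append(("guest-ok", "'guest ok = yes' in [global] makes every share guest-accessible unless the share overrides it"))
    level = int((g.get("log level", "0").split() or ["0"])[0])
    if level >= 3:
        findings.append(("log-level", f"log level {level} is a debugging setting; full authentication traces go to {g.get('log file', '?')}"))
    if g.get("winbind separator") == "+":
        findings.append(("winbind-separator", "testparm warns that 'winbind separator = +' might cause problems with group membership"))
    realm = g.get("realm", "")
    if g.get("security", "").lower() == "ads" and realm != realm.upper():
        findings.append(("realm-case", "with security = ADS the realm must be the upper-case Kerberos realm name"))
    ld = krb5.get("libdefaults", {})
    if ld.get("default_realm") != realm:
        findings.append(("realm-mismatch", f"smb.conf realm {realm!r} differs from krb5 default_realm {ld.get('default_realm')!r}"))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = ld.get(key, "").split()
        if enctypes and all(e in WEAK_ENCTYPES for e in enctypes):
            findings.append((f"weak-enctypes:{key}", f"{key} allows only single DES ({' '.join(enctypes)})"))
    admin = krb5.get("realms", {}).get(realm, {}).get("admin_server", "")
    host, _, port = admin.rpartition(":")
    if host and port != "749":
        findings.append(("kadmin-port", f"admin_server {admin} uses port {port}; kadmin's registered port is 749/tcp"))
    return findings


def audit_posted_configs():
    """Finding codes for the configuration quoted from the post."""
    return [code for code, _ in audit(parse_conf(SMB_CONF), parse_conf(KRB5_CONF, fold_keys=False))]


if __name__ == "__main__":
    for code, msg in audit(parse_conf(SMB_CONF), parse_conf(KRB5_CONF, fold_keys=False)):
        print(f"[{code}] {msg}")
```

Run against the posted pair it reports six findings; the realm itself is consistent between the two files, so a Kerberos ticket should be obtainable, and the remaining findings are the places to look (or to tighten) before the next `net ads join` attempt.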
 
Old 05-31-2004, 06:43 AM   #32
Goma_2
LQ Newbie
 
Registered: Sep 2003
Posts: 24

hi.

I want to add something about the smbusers file when using Samba 3 with security = ADS.

I use SuSE 9.1 with samba 3 and have managed to use Security = ADS to validate user access to shares
against a win2003 server active domain.
With samba 3 and Security = Domain everything works well.
However, with Security = ADS, I now seem to have a problem with mapping the Windows administrator user to
my user (jgm) on the samba box.
Details:
--- jgm exists on both linux and windows2003 boxes.
--- on the samba box, i have "jgm = administrator" in /etc/samba/smbusers.
--- smbusers is included in smb.conf as "username map = /etc/samba/smbusers"

All this worked with security = Domain, but now, with ADS when I log on to winxp as administrator and access a
samba share, I'm prompted for username & password. If I enter "jgm" and password I'm granted access to the
share as jgm (I see my jgm home folder, so trust me here).

This is a minor inconvenience, I know, but it troubles me because it's as if samba 3 with ads has forgotten to
use the "username map = /etc/samba/smbusers" parameter of smb.conf and although it authenticates
"administrator" against active directory, it doesn't know what to do next with this user called "administrator"
who isn't a linux user.

The rest of the users which have the same names on linux and windows don't have this problem, they log onto
all samba shares transparently.

Does anyone use smbusers successfully with samba 3 and security = ADS?
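The behaviour the poster sees depends on when Samba applies the map in a given security mode, which the thread does not settle. What the file itself expresses is well defined, and the resolver below is an added example (not Samba's code) that walks an smbusers-style map the way the `username map` format is documented: SMB name on the right, UNIX account on the left, case-insensitive matching, `@group` for members of a UNIX group, `*`/`?` wildcards, every matching line rewriting the name so later lines see the new one, and a leading `!` stopping the walk once that line matches. The SMBUSERS text is constructed around the poster's `jgm = administrator` line; the `unix_groups` argument stands in for the system group database.

```python
"""Resolver for Samba's 'username map' file format (added example, not Samba code).

Models what an smbusers file expresses, independently of the point at which a
given Samba security mode applies it.
"""
from fnmatch import fnmatchcase

# Constructed map: the poster's line plus the other line shapes the format allows.
SMBUSERS = """\
# UNIX name = SMB name(s); lines starting with '!' stop processing when they match
jgm = administrator
nobody = guest pcguest smbguest
!backup = @backupops
root = backup
"""


def parse_username_map(text):
    """Return [(stop, unix_name, [smb_patterns])] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        unix_name, _, rhs = line.lstrip("!").partition("=")
        entries.append((stop, unix_name.strip(), rhs.split()))
    return entries


def map_username(smb_name, entries, unix_groups=None):
    """Resolve an SMB user name through the map.

    Every matching line rewrites the name and later lines see the rewritten
    name, so without '!' a name can be remapped more than once.  SMB names are
    case-insensitive; '@group' matches members of unix_groups[group]; '*' and
    '?' are wildcards."""
    unix_groups = unix_groups or {}
    name = smb_name
    for stop, unix_name, patterns in entries:
        for pattern in patterns:
            if pattern.startswith("@"):
                members = {m.lower() for m in unix_groups.get(pattern[1:], ())}
                hit = name.lower() in members
            else:
                hit = fnmatchcase(name.lower(), pattern.lower())
            if hit:
                name = unix_name
                break
        else:
            continue  # no pattern on this line matched; try the next line
        if stop:
            break
    return name


if __name__ == "__main__":
    entries = parse_username_map(SMBUSERS)
    groups = {"backupops": ["alice"]}  # constructed group membership
    for who in ("Administrator", "PCGuest", "alice", "backup", "jgm"):
        print(f"{who:14} -> {map_username(who, entries, groups)}")
```

The `alice` and `backup` cases show why the `!` prefix matters: `alice` stops at the `backup` line, while a client that presents the name `backup` directly falls through to the last line and ends up as `root`. A map that hands out `root` or an administrative UNIX account is worth reviewing for exactly this kind of chaining.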
 
Old 06-18-2004, 05:08 AM   #33
tias
LQ Newbie
 
Registered: Jun 2004
Posts: 1


Ok,

I've used the configurations found in this thread, and I'm able to join the Domain, which is great, and I can also use Windows-machines logged on to the AD to access shares on the Samba-machine without having to type passwords or anything.
Great!
But!
I would like to manage the computer from the AD-server using Computer Management.
Does anyone know if this is possible?
I can see the computer in the AD server and I can click manage, but when I try to change anything or view the shares, etc., I get a message that says: "Access is denied".
I can't stop shares or add groups or users for access to the shares.
I would also prefer to be able to add shares, but I understand if that ain't possible.

Anyone else who had a problem with this?
Or has someone even looked in to it?

/Mattias
 
Old 06-22-2004, 09:42 AM   #34
Pdoe
LQ Newbie
 
Registered: Aug 2003
Location: Rochester, NY
Posts: 1

First off,

Cheers to everyone contributing to this post. I spent the better part of 3-4 days working on setting up a fileserver and this thread has kept me sane. I pretty much followed this to the T:

Quote:
- shut down smb
- remove /var/cache/samba/* - get rid of prior misconfigured files
- remove /etc/samba/secrets.tdb
- remove host from the ASD domain (done from the windows side)
- configure /etc/krb5.conf (though this is supposed to be unnecessary with kerberos 1.3.1)
- configure /etc/samba/smb.conf - below is the global section of our conf:

# Global parameters
[global]
unix charset = LOCALE
workgroup = OURADSGROUP
realm = OURADSDOMAIN.COM
security = ADS
log level = 5
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
domain master = No
wins server = (wins server IP)
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template primary group = sambausers
winbind separator = +
winbind use default domain = Yes

- added 'sambausers' group to samba host
- added 'SambaUsers' group to ASD
- edit /etc/samba/smbusers to include line 'root = administrator'
- join ADS domain: net ads join -U administrator
- verify it worked: wbinfo -u ; wbinfo -g
- map some NT/Unix groups:
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap add ntgroup="SambaUsers" unixgroup=sambausers
- verify changes: net groupmap list
- restart winbind (may not be necessary).
I was able to join the domain, I can query users and groups (wbinfo -u or -g), wbinfo -t is successful, I can chown dirs to users and groups created on the Win AD server, I can even log in locally on the linux machine using an AD account created on the Win machine..... BUT I'm still having a little issue. I can't seem to modify permissions on shares from a win machine. For example:

right clicking on a share on a win machine and going to the security tab, I try to remove "Everyone" from the list. As soon as I hit apply "Everyone" comes right back. If I try to add a user or group I get "Unable to change permission changes on ***** Access Denied."

The share is owned by the user and I've chmod'ed 755 that dir. Can anyone point me in the direction of where I may have gone wrong?

Here's my samba config
Quote:
unix charset = LOCALE
workgroup = DOMAIN
realm = rochester.domain.com
netbios name = PSCFILE01
security = ADS
client signing = yes
client use spnego = yes
server string = PSCFILE01
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = no
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
local master = no
domain master = no
template primary group = sambausers
winbind separator = +
winbind use default domain = no
ldap ssl = no


;security and logging settings
password server = PSCMAIL01.ROCHESTER.DOMAIN.COM
encrypt passwords = yes
domain logons = no
log file = /var/log/samba/log.%m
log level = 2
max log size = 50
hosts allow = 127.0.0.1 10.0.0.0/255.255.255.0
interfaces = 10.0.0.3

[new]
path = /home/newfolder
fstype = NTFS
read only = no
browseable = yes
writable = yes
security mask = 0750
acl support = yes
directory mask = 0750
force security mode = 0750
force directory security mode = 0750
directory security mask = 0750

I modified nsswitch.conf as follows:

Quote:
passwd: files winbind
shadow: files winbind
group: files winbind

and krb5.conf as follows:
Quote:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = ROCHESTER.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
ROCHESTER.DOMAIN.COM = {
kdc = PSCMAIL01.ROCHESTER.DOMAIN.COM:88
admin_server = PSCMAIL01.ROCHESTER.DOMAIN.COM:749
default_domain = ROCHESTER.DOMAIN.COM
}

[domain_realm]
.rochester.domain.com = ROCHESTER.DOMAIN.COM
rochester.domain.com = ROCHESTER.DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
One last thing... is an LDAP server necessary for this to work properly?

Any help is greatly appreciated ..... thanks again !

Last edited by Pdoe; 06-22-2004 at 01:29 PM.
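The `[new]` share above pins `security mask`, `force security mode` and their directory variants all to 0750, which is worth working through before looking further for the cause of the security-tab behaviour. The model below is an added example, not Samba's code: it applies the documented rule that a mode requested by a Windows client is ANDed with the mask and then ORed with the forced bits, and renders the result as the owner / group / Everyone entries the security tab displays (Everyone is the POSIX "other" class, so that entry always exists; a client can only strip its permission bits, not delete it). The defaults used for parameters a share does not set (0777 mask, no forced bits) are assumed here.

```python
"""Model of the UNIX mode Samba stores when a Windows client edits permissions
on a share (added example, not Samba's implementation).

Rule modelled: stored = (requested & security mask) | force security mode,
with the 'directory' variants of both parameters applied to directories.
"""

# Share section copied from the post above; parsing is deliberately minimal.
NEW_SHARE = """\
[new]
path = /home/newfolder
security mask = 0750
force security mode = 0750
directory security mask = 0750
force directory security mode = 0750
"""

# Assumed defaults for parameters a share leaves unset: everything allowed, nothing forced.
DEFAULTS = {
    "security mask": "0777",
    "force security mode": "0000",
    "directory security mask": "0777",
    "force directory security mode": "0000",
}


def parse_share(text):
    """Parse one [share] block into {param: value} with Samba-style folded keys."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def mode_params(share, is_dir):
    """Return (mask, force) as integers for files or, with is_dir, for directories."""
    mask_key = ("directory " if is_dir else "") + "security mask"
    force_key = "force directory security mode" if is_dir else "force security mode"
    mask = int(share.get(mask_key, DEFAULTS[mask_key]), 8)
    force = int(share.get(force_key, DEFAULTS[force_key]), 8)
    return mask, force


def effective_mode(requested, mask, force):
    """Bits outside the mask cannot be set by the client; forced bits are always set."""
    return (requested & mask) | force


def apply_client_change(share, requested, is_dir=False):
    """Mode Samba would store when a client asks for `requested` on this share."""
    mask, force = mode_params(share, is_dir)
    return effective_mode(requested, mask, force)


def acl_entries(mode):
    """Render a mode as the three entries the Windows security tab shows.
    'Everyone' is the POSIX 'other' class and is therefore always listed."""
    def rwx(bits):
        return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))
    return {"Owner": rwx(mode >> 6), "Group": rwx(mode >> 3), "Everyone": rwx(mode)}


if __name__ == "__main__":
    share = parse_share(NEW_SHARE)
    for wanted in (0o777, 0o700, 0o000):
        stored = apply_client_change(share, wanted)
        print(f"client asks {wanted:04o} -> stored {stored:04o} {acl_entries(stored)}")
```

For this share every request collapses to 0750 regardless of what the client asked for, so the Everyone entry reappears with no permissions on each apply, which matches the "comes right back" symptom. A share that is meant to be editable from Windows needs a mask that leaves the relevant bits changeable and a forced mode that does not re-add them; as a side effect of the pinning, the share also cannot be opened up to world access by mistake from a client, which is the defensive use of these two parameters.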
 
Old 07-22-2004, 02:11 PM   #35
jsun9
LQ Newbie
 
Registered: Jul 2004
Posts: 16

For those of you with Fedora Core 2, did winbind install? It's not showing up under my services like it did on Enterprise 3.

Also, has anyone been able to create a fileserver joined to a NT4 domain and setup shares using NT4 domain users? I have a mixed network and I can list all the users from every domain (ADS based), but that's about it.

Also wbinfo -u / -g will not work in ADS mode...only in Domain.

Any ideas as to what is up would be greatly appreciated.

Last edited by jsun9; 07-22-2004 at 05:26 PM.
 
Old 07-22-2004, 07:14 PM   #36
jsun9
LQ Newbie
 
Registered: Jul 2004
Posts: 16

Do you use Samba to configure shares? If so, if you click on the "Properties" button and then click "Access".. are you supposed to see a list of all the domain users in there? The only place I see a list of domain users is under "Samba Users" under the "Unix Username" drop down. But I don't know what to do with it. Any insight would be helpful!
 
Old 07-23-2004, 10:59 AM   #37
jsun9
LQ Newbie
 
Registered: Jul 2004
Posts: 16

FYI: The book hlslaughter was talking about, "Samba-3 by Example" by John H. Terpstra, is available for download from the Samba.org website here. Also (as posted earlier in this topic), the book "The Official Samba-3 HOWTO and Reference Guide" is also available for download.
 
  

