Fw: Samba as fileserver in an Windows AD Domain

Fw: Samba as fileserver in an Windows AD Domain

by Daniel Bauer

From: "Daniel Bauer" <mlist@...>

> I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
> SuSE11.1).
>
> I got a valid Kerberos Ticket and joined successfully the domain (with net
> join).
>
> Users and groups are displayed with wbinfo -u / -g . I could also verify
> accounts with wbinfo -a user%pass.
>
> When I tried to access the shares, the dialog appears to give the
> credentials. It doesn't matter what you fill in, there is no access.
>
> I also could not get users and groups with getent passwd / group. I tried
> different configs of
> /etc/nsswitch.conf with different results:
>
> only local accounts will be shown:
> passwd: compat
> group: compat
>
> local account and the group BUILTIN
> passwd: files winbind
> group: files winbind
>
> here are the local account, the BUILTIN group and a new entry like this:
> "+::0:" are displayed
> I think there is a problem with matching Windows LDAP with *nix LDAP
> passwd: files winbind ldap
> group: files winbind ldap
>
> My /etc/smb.conf:
> [global]
>        workgroup = WIN2003SRV
>        security = ADS
>        realm = win2003srv.loc
>        idmap backend = ad
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        template homedir = /home/%D/%U
>        winbind separator = +
>        password server = 10.1.2.154
>        domain master = No
>        ldap ssl = no
>        winbind use default domain = yes
>        winbind enum users = yes
>        winbind enum groups = yes
>        winbind nested groups = yes
>        encrypt passwords = yes
>        client use spnego = yes
>        wins server = 10.1.2.154
>
> I see successful logins at the Windows DC.
> Do I need LDAP, or is Kerberos enough?
> Could somebody tell me what I do wrong?

Is really nobody able to give me a hint what to look for?

Thanks
Daniel

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Fw: Samba as fileserver in an Windows AD Domain

by Andrew Masterson

> > I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
> > SuSE11.1).
> >
> > I got a valid Kerberos Ticket and joined successfully the domain (with net
> > join).
> >
> > Users and groups are displayed with wbinfo -u / -g . I could also verify
> > accounts with wbinfo -a user%pass.
> >
> > When I tried to access the shares, the dialog appears to give the
> > credentials. It doesn't matter what you fill in, there is no access.
> >
> > I also could not get users and groups with getent passwd / group. I tried
> > different configs of
> > /etc/nsswitch.conf with different results:
> >
> > only local accounts will be shown:
> > passwd: compat
> > group: compat
> >
> > local account and the group BUILTIN
> > passwd: files winbind
> > group: files winbind
> >
> > here are the local account, the BUILTIN group and a new entry like this:
> > "+::0:" are displayed
> > I think there is a problem with matching Windows LDAP with *nix LDAP
> > passwd: files winbind ldap
> > group: files winbind ldap
> >
> > My /etc/smb.conf:
> > [global]
> >        workgroup = WIN2003SRV
> >        security = ADS
> >        realm = win2003srv.loc
> >        idmap backend = ad
> >        idmap uid = 10000-20000
> >        idmap gid = 10000-20000
> >        template homedir = /home/%D/%U
> >        winbind separator = +
> >        password server = 10.1.2.154
> >        domain master = No
> >        ldap ssl = no
> >        winbind use default domain = yes
> >        winbind enum users = yes
> >        winbind enum groups = yes
> >        winbind nested groups = yes
> >        encrypt passwords = yes
> >        client use spnego = yes
> >        wins server = 10.1.2.154
> >
> > I see successful logins at the Windows DC.
> > Do I need LDAP, or is Kerberos enough?
> > Could somebody tell me what I do wrong?
>
> Is really nobody able to give me a hint what to look for?
>

Is nscd running?  If so, turn it off.  I think the default SUSE installs
have nscd enabled.

-=Andrew

Re: Fw: Samba as fileserver in an Windows AD Domain

by Daniel Bauer

Hi Andrew,

From: "Andrew Masterson" <Andrew.Masterson@...>

>> > I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
>> > SuSE11.1).
>> >
>> > I got a valid Kerberos Ticket and joined successfully the domain (with net
>> > join).
>> >
>> > Users and groups are displayed with wbinfo -u / -g . I could also verify
>> > accounts with wbinfo -a user%pass.
>> >
>> > When I tried to access the shares, the dialog appears to give the
>> > credentials. It doesn't matter what you fill in, there is no access.
>> >
>> > I also could not get users and groups with getent passwd / group. I tried
>> > different configs of
>> > /etc/nsswitch.conf with different results:
>> >
>> > only local accounts will be shown:
>> > passwd: compat
>> > group: compat
>> >
>> > local account and the group BUILTIN
>> > passwd: files winbind
>> > group: files winbind
>> >
>> > here are the local account, the BUILTIN group and a new entry like this:
>> > "+::0:" are displayed
>> > I think there is a problem with matching Windows LDAP with *nix LDAP
>> > passwd: files winbind ldap
>> > group: files winbind ldap
>> >
>> > My /etc/smb.conf:
>> > [global]
>> >        workgroup = WIN2003SRV
>> >        security = ADS
>> >        realm = win2003srv.loc
>> >        idmap backend = ad
>> >        idmap uid = 10000-20000
>> >        idmap gid = 10000-20000
>> >        template homedir = /home/%D/%U
>> >        winbind separator = +
>> >        password server = 10.1.2.154
>> >        domain master = No
>> >        ldap ssl = no
>> >        winbind use default domain = yes
>> >        winbind enum users = yes
>> >        winbind enum groups = yes
>> >        winbind nested groups = yes
>> >        encrypt passwords = yes
>> >        client use spnego = yes
>> >        wins server = 10.1.2.154
>> >
>> > I see successful logins at the Windows DC.
>> > Do I need LDAP, or is Kerberos enough?
>> > Could somebody tell me what I do wrong?
>>
>> Is really nobody able to give me a hint what to look for?
>>
>
> Is nscd running?  If so, turn it off.  I think the default SUSE installs
> have nscd enabled.

No, I disabled it, because some guys mentioned trouble with nscd.

Thanks
Daniel

Re: Samba as fileserver in an Windows AD Domain

by Dale Schroeder

Daniel Bauer wrote:

> Hi Andrew,
>
> From: "Andrew Masterson" <Andrew.Masterson@...>
>>> > I tried to setup a SuSE10.2 with samba 3.0.23d (but the same trouble with
>>> > SuSE11.1).
>>> >
>>> > I got a valid Kerberos Ticket and joined successfully the domain (with net
>>> > join).
>>> >
>>> > Users and groups are displayed with wbinfo -u / -g . I could also verify
>>> > accounts with wbinfo -a user%pass.
>>> >
>>> > When I tried to access the shares, the dialog appears to give the
>>> > credentials. It doesn't matter what you fill in, there is no access.
>>> >
>>> > I also could not get users and groups with getent passwd / group. I tried
>>> > different configs of
>>> > /etc/nsswitch.conf with different results:
>>> >
>>> > only local accounts will be shown:
>>> > passwd: compat
>>> > group: compat
>>> >
>>> > local account and the group BUILTIN
>>> > passwd: files winbind
>>> > group: files winbind
>>> >
>>> > here are the local account, the BUILTIN group and a new entry like this:
>>> > "+::0:" are displayed
>>> > I think there is a problem with matching Windows LDAP with *nix LDAP
>>> > passwd: files winbind ldap
>>> > group: files winbind ldap
>>> >
>>> > My /etc/smb.conf:
>>> > [global]
>>> >        workgroup = WIN2003SRV
>>> >        security = ADS
>>> >        realm = win2003srv.loc
>>> >        idmap backend = ad
>>> >        idmap uid = 10000-20000
>>> >        idmap gid = 10000-20000
>>> >        template homedir = /home/%D/%U
>>> >        winbind separator = +
>>> >        password server = 10.1.2.154
>>> >        domain master = No
>>> >        ldap ssl = no
>>> >        winbind use default domain = yes
>>> >        winbind enum users = yes
>>> >        winbind enum groups = yes
>>> >        winbind nested groups = yes
>>> >        encrypt passwords = yes
>>> >        client use spnego = yes
>>> >        wins server = 10.1.2.154
>>> >
>>> > I see successful logins at the Windows DC.
>>> > Do I need LDAP, or is Kerberos enough?
>>> > Could somebody tell me what I do wrong?
>>>
>>> Is really nobody able to give me a hint what to look for?
>>>
>>
>> Is nscd running?  If so, turn it off.  I think the default SUSE installs
>> have nscd enabled.
>
> No, I disabled it, because some guys mentioned trouble with nscd.
>
> Thanks
> Daniel

The Samba docs indicate that the AD server must be prepared in advance
for this backend to work - schema extensions, extra classes, attributes,
etc.

Quote:
"The idmap_ad plugin provides a way for Winbind to read id mappings from
an AD server that uses RFC2307/SFU schema extensions. This module
implements only the "idmap" API, and is READONLY. Mappings must be
provided in advance by the administrator by adding the
posixAccount/posixGroup classes and relative attribute/value pairs to
the user and group objects in the AD."

Do you know if this has been done?

Dale
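
Added example (not part of the original thread and not Samba's own code): a shell check of which directory entries idmap_ad would have something to read, using the `idmap uid` range from the smb.conf posted above. It assumes user objects exported as LDIF with the RFC2307 attribute `uidNumber` (the SFU schema uses different attribute names); the account names and LDIF entries are constructed, and treating out-of-range IDs as unmapped follows the idmap_ad manual page's description of the range as a filter.

```shell
# Added example, not from the thread; sample data in demo() is constructed.

# Print "LOW HIGH" from the "idmap uid = LOW-HIGH" line of an smb.conf file.
idmap_uid_range() {
    sed -n 's/^[[:space:]]*idmap uid[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' "$1" | head -n 1
}

# For each LDIF entry print "<sAMAccountName> <status>"; status is one of
# ok, no-uidNumber (nothing for idmap_ad to read) or out-of-range.
check_mappings() {
    conf=$1; ldif=$2
    set -- $(idmap_uid_range "$conf")
    [ $# -eq 2 ] || { echo "no idmap uid range in $conf" >&2; return 2; }
    awk -v low="$1" -v high="$2" '
        function emit(   s) {
            if (uid == "") s = "no-uidNumber"
            else if (uid + 0 < low + 0 || uid + 0 > high + 0) s = "out-of-range"
            else s = "ok"
            if (name != "") print name, s
            name = ""; uid = ""          # reset state for the next entry
        }
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { uid = $2 }
        /^$/                { emit() }   # a blank line ends an LDIF entry
        END                 { emit() }
    ' "$ldif"
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '[global]\n    idmap backend = ad\n    idmap uid = 10000-20000\n' > "$dir/smb.conf"
    cat > "$dir/users.ldif" <<'EOF'
dn: CN=alice,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=win2003srv,DC=loc
sAMAccountName: carol
uidNumber: 500
EOF
    check_mappings "$dir/smb.conf" "$dir/users.ldif"; rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```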
