Win 2003 AD and Samba 3.0.2


ManicAJK (IS-IT--Management), Jan 12, 2004
I am in the middle of implementing a Windows 2003 Active Directory domain. The Windows side of it is going fine, but we are struggling to get Samba working with the new domain properly.
I have 4 AD domain controllers all running integrated DNS and WINS. We joined one of our test Unix boxes running Tru64 and Samba 3.0.2 to the new domain with no problems at all and set its host domain to be that of the new domain. I can ping the Unix box with no trouble as well as perform reverse lookups on its IP address.
The problem is that I can browse to the Unix server and access the Samba shares fine if I use \\xxx.xxx.xxx.xxx, but if I try and browse to the machine using the \\servername format I get numerous errors. If browsing via Windows Explorer I get prompted for a username and password, and no matter what combination I use nothing works. If browsing via a net view command from the command prompt I get a "system error 5, access is denied" message.
The new Win2k3 domain has a 2-way trust to our present live NT4 domain, and any client on the NT4 domain has no trouble in browsing to the machine via \\servername or \\xxx.xxx.xxx.xxx.
The Unix machine has joined the Win2k3 domain with no trouble, as I can see the machine account in the AD admin tool. I am out of ideas, can anybody help?
 
ldap.conf is not configured, it is at its default configuration. If I can find this DLL I will install it.
 
Looks like I have run out of time for this; my company has now dictated that we remain with our current method of authentication onto Unix boxes by using the security = server option and not joining the Unix boxes to the AD domain. Hopefully, if we leave it a few more months there might be a bit more info out there to enable us to integrate the Unix servers into AD at a later date.

Thanks for all your input guys, even if we never got it working.
 
Maybe I'm a little late on this thread, but this is what I did to get Samba to work with Win 2003 and AD. First you need to modify smb.conf, krb5.conf, and nsswitch.conf. I also had to make a few changes to my pam.conf file. Here are my conf files for you to review.
P.S. I found that forcing the group on the user folders works great.
REMEMBER to back up your original files before modifying them.

smb.conf

# Global parameters
[global]
workgroup = Domain
# Must be identical (case-sensitive) to default_realm in krb5.conf; AD realm
# names are the DNS domain name in upper case.
realm = domain.COM
security = ADS
encrypt passwords = yes
# '*' lets smbd locate domain controllers for the realm itself instead of
# pinning one server.
password server = *
netbios name = "samba server name"
smb ports = 139 445
max log size = 100
log level = 3
log file = /logs/samba/log.%m
announce as = NT Workstation
name resolve order = host bcast
client signing = Yes
server signing = Yes
client use spnego = Yes
use spnego = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 10
preferred master = No
local master = No
domain master = No
dns proxy = No
#separate domain and username with +, like DOMAIN+username
winbind separator = +
#use uids from 10000 to 20000 for domain users; keep the range clear of any
#uid already in /etc/passwd, or a domain user and a local account can end up
#sharing one uid (and each other's files)
idmap uid = 10000-20000
#use gids from 10000 to 20000 for domain groups (same rule against /etc/group)
idmap gid = 10000-20000
#allow enumeration of winbind users and groups (needed for getent to list
#domain accounts; slow on large domains)
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
template homedir = /data/htdocs/%U
template shell = /bin/sh

[homes]
comment = Home Directories
read only = No
force group = "Domain Users"
browseable = No



[tmp]
comment = Temporary file space
path = /tmp
read only = yes
# public = yes is a synonym for guest ok = yes: unauthenticated clients can
# read everything under /tmp
public = yes

krb5.conf

#pragma ident "@(#)krb5.conf 1.2 99/07/20 SMI"
# Copyright (c) 1999, by Sun Microsystems, Inc.
# All rights reserved.
#

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
# Must match (case-sensitive) the realm name defined under [realms] below and
# the 'realm =' line in smb.conf; AD realm names are the DNS domain upper-cased.
default_realm = domain.COM
# Maximum clock difference (seconds) tolerated by Kerberos; keep the Unix
# boxes NTP-synced with the domain controllers or tickets are rejected.
clockskew = 300
# Single-DES enctypes are weak and are disabled by default on current KDCs
# and Kerberos libraries. Windows 2003 DCs also offer arcfour-hmac-md5 (RC4);
# prefer aes or arcfour if your Kerberos library supports them.
default_etypes = des-cbc-crc des-cbc-md5
#default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc des-cbc-md5
#default_etypes_des = des-cbc-crc

# Enctypes requested for the TGT.
default_tkt_enctypes = des-cbc-crc des-cbc-md5
#default_tkt_enctypes = des-cbc-crc
# Enctypes requested for service tickets.
default_tgs_enctypes = des-cbc-crc des-cbc-md5
#default_tgs_enctypes = des-cbc-crc


[realms]
# This name is what default_realm above must refer to, spelled exactly the same.
WPNI.COM = {
kdc = server.domain.com:88
admin_server = server.domain.com
default_domain = domain.com
}

[domain_realm]
.wpni.com = WPNI.COM
.WPNI.COM = WPNI.COM
wpni.com = WPNI.COM


[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}

NSSwitch.conf

#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

#passwd: files # [nbb 20040107] moved winbind to PAM.
passwd: files winbind # very weird on how it maps uids/gids..
#passwd: winbind files # incorrect altogether.. fails normal logins.
#group: files
group: files winbind # also incorrect altogether..
#
# You must also set up the /etc/resolv.conf file for DNS name
# server lookup. See resolv.conf(4).
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: files dns

networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
printers: user files

auth_attr: files
prof_attr: files
project: files

pam.conf

#
# ident "@(#)pam.conf 1.19 03/01/10 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# [nbb 20040106] not sure which, think it's smbd
# smbd calls PAM under the service name "samba", and only when
# 'obey pam restrictions = yes' is set; with security = ADS the password
# itself is verified by the domain controller, not by these lines.
samba auth required pam_winbind.so
winbind auth required pam_winbind.so
smbd auth required pam_winbind.so
smb auth required pam_winbind.so
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_radius_auth.so
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth sufficient pam_unix_auth.so.1
rlogin auth required pam_radius_auth.so
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth sufficient pam_unix_auth.so.1
rsh auth required pam_radius_auth.so
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth sufficient pam_unix_auth.so.1
ppp auth required pam_radius_auth.so
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_radius_auth.so
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
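An added check for the configuration above, not code from the poster or from Samba: a small Python script that parses a krb5.conf and smb.conf pair and flags what stops an ADS join or weakens it. Its two config strings are constructed to mirror the placeholders in the posted files, so it reports the default_realm (domain.COM) that names no [realms] entry (WPNI.COM), the mixed-case realm name, and the single-DES-only enctypes; it also checks that the smb.conf realm matches and that SMB signing is on.

```python
"""Cross-check a krb5.conf / smb.conf pair before 'net ads join'.

Added example for this thread, not code from the post or from Samba. The two
config strings are constructed to mirror the posted placeholders, including
the default_realm (domain.COM) that names no realm under [realms] (WPNI.COM).
"""
import configparser

# Constructed sample: carries the same realm mismatch and DES-only enctypes as
# the posted krb5.conf.
KRB5_CONF = """
[libdefaults]
default_realm = domain.COM
clockskew = 300
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
WPNI.COM = {
kdc = server.domain.com:88
admin_server = server.domain.com
default_domain = domain.com
}

[domain_realm]
.wpni.com = WPNI.COM
wpni.com = WPNI.COM
"""

# Constructed sample: the relevant [global] lines from the posted smb.conf.
SMB_CONF = """
[global]
workgroup = Domain
realm = domain.COM
security = ADS
encrypt passwords = yes
client signing = Yes
server signing = Yes
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
SIGNING_ON = {"yes", "true", "mandatory", "required"}


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value}}; a 'name = {' block
    becomes a nested dict under its section (enough for [realms])."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (section is None and not line.startswith("[")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return sections


def audit(krb5_text, smb_text):
    """Return a list of findings; an empty list means the pair is consistent
    and uses neither single-DES nor unsigned SMB."""
    krb5 = parse_krb5(krb5_text)
    smb = configparser.ConfigParser(interpolation=None, strict=False)
    smb.read_string(smb_text)
    g = smb["global"]
    libdefaults = krb5.get("libdefaults", {})
    realms = krb5.get("realms", {})
    findings = []

    default_realm = libdefaults.get("default_realm", "")
    # Kerberos compares realm names case-sensitively; AD uses the upper-cased DNS name.
    if default_realm != default_realm.upper():
        findings.append(f"default_realm {default_realm!r} is not upper-case")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm!r} has no [realms] entry "
                        f"(defined: {sorted(realms)})")
    mapped = set(krb5.get("domain_realm", {}).values())
    for realm in realms:
        if realm not in mapped:
            findings.append(f"realm {realm!r} has no [domain_realm] mapping")
    # smb.conf 'realm' is what 'net ads join' uses; it must be the same string.
    if g.get("realm", "") != default_realm:
        findings.append(f"smb.conf realm {g.get('realm', '')!r} != krb5 "
                        f"default_realm {default_realm!r}")
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS, so Kerberos will not be used")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        etypes = set(libdefaults.get(key, "").split())
        if etypes and etypes <= SINGLE_DES:
            findings.append(f"{key} allows only single-DES: {' '.join(sorted(etypes))}")
    for key in ("client signing", "server signing"):
        if g.get(key, "").lower() not in SIGNING_ON:
            findings.append(f"{key} is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(KRB5_CONF, SMB_CONF):
        print("-", finding)
```

Run it against your real files by reading them into the two strings; an empty result is the state to be in before trying `net ads join`, and the realm findings are the first thing to look at when the join succeeds but name-based access still prompts for credentials.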
 
Something I found that helped: once you are connected, check the results of:

getent passwd

This will tell you the format of the users. With that information you can then edit smbusers and add the right information.

For instance, if you have an AD user named "bob" in an AD called "MYAD" and a Unix user called "robert", you might find that an smbusers entry of

robert = bob

does not work, but with the info from getent passwd you will find that

robert = MYAD\bob

works just fine and dandy.
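An added example for the getent passwd advice above, not code from the poster or from Samba: it reads constructed getent passwd output together with an smb.conf snippet, writes the smbusers lines with the domain account spelled exactly as getent prints it (the MYAD\bob form under the default winbind separator, MYAD+bob under the '+' separator from the smb.conf posted earlier), and at the same time reports any uid shared between a local and a winbind account and any local account sitting inside the idmap uid range. The accounts and the robert to bob pairing are assumptions taken from the post.

```python
"""From 'getent passwd' to a Samba username map, plus the uid checks worth
doing at the same time.

Added example for this thread, not code from the post or from Samba. The
getent output and smb.conf snippet are constructed; the local-to-domain
pairing (robert -> bob) is the one from the post above.
"""
import configparser

# Constructed: the winbind settings the map depends on.
SMB_CONF = """
[global]
workgroup = MYAD
security = ADS
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = No
"""

# Constructed 'getent passwd' output: local accounts from /etc/passwd followed
# by winbind-mapped domain accounts. 'backup' deliberately sits inside the
# idmap range and shares uid 10001 with MYAD+bob.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
robert:x:501:501:Robert Local:/home/robert:/bin/sh
backup:x:10001:10001:Local backup job:/var/backups:/bin/false
MYAD+bob:x:10001:10000:Bob Domain:/data/htdocs/bob:/bin/sh
MYAD+alice:x:10002:10000:Alice Domain:/data/htdocs/alice:/bin/sh
"""

# Which local unix account should be reached as which domain user over SMB.
LOCAL_TO_DOMAIN = {"robert": "bob"}


def parse_global(smb_text):
    """Return (winbind separator, (idmap uid low, high)) from smb.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_text)
    g = cp["global"]
    low, high = (int(x) for x in g["idmap uid"].split("-"))
    return g["winbind separator"].strip(), (low, high)


def parse_getent(text, separator):
    """Return [(name, uid, gid, is_domain)]; a name containing the winbind
    separator came from winbind rather than /etc/passwd."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid = line.split(":")[:4]
            rows.append((name, int(uid), int(gid), separator in name))
    return rows


def uid_collisions(rows):
    """Names that resolve to one uid. The kernel checks uids, not names, so
    such accounts own each other's files whatever Samba thinks."""
    by_uid = {}
    for name, uid, _gid, _dom in rows:
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def local_in_idmap_range(rows, idmap_uid):
    """Local accounts whose uid lies inside 'idmap uid': winbind may hand the
    same number to a domain user (as happened to 'backup' above)."""
    low, high = idmap_uid
    return [name for name, uid, _gid, dom in rows if not dom and low <= uid <= high]


def smbusers_lines(rows, separator, local_to_domain):
    """'username map' entries: unix account on the left, the domain account
    exactly as getent prints it on the right (DOMAIN<separator>user; with the
    default separator that is the MYAD\\bob form the post above found)."""
    by_user = {}
    for name, _uid, _gid, dom in rows:
        if dom:
            _domain, _, user = name.partition(separator)
            by_user[user] = name
    lines = []
    for unix_name, dom_user in local_to_domain.items():
        if dom_user not in by_user:
            raise LookupError(f"{dom_user!r} not in getent output; is winbind in nsswitch.conf?")
        lines.append(f"{unix_name} = {by_user[dom_user]}")
    return lines


if __name__ == "__main__":
    sep, uid_range = parse_global(SMB_CONF)
    rows = parse_getent(GETENT_PASSWD, sep)
    print("\n".join(smbusers_lines(rows, sep, LOCAL_TO_DOMAIN)))
    print("uid collisions:", uid_collisions(rows))
    print("local accounts inside idmap range:", local_in_idmap_range(rows, uid_range))
```

The uid checks are the reason to run this before trusting `force group` or `template homedir`: a domain user who lands on a uid already used by a local account inherits that account's files, and the share configuration gives no hint that it happened.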
 