Going to try this a bit more tomorrow with a fresh install, please see inline responses.
I'm thinking that I may have some kerberos stuff hanging around, I noticed that there's a smb_krb5 directory with kdc data in /var/lib/samba.

On Wed, Sep 23, 2009 at 11:37 PM, Adam Nielsen <[email protected]> wrote:
>> Thanks for the input Adam,
>>
>> In my case I've full control of the AD domain and just run net ads
>> join which is successful, shows up in AD.
>>
>> Here's my current config, can you see anything in it that I should
>> consider adding or removing?
>>
>> [global]
>> workgroup = PRESIDIO
>> password server = pdc.garnser.se
>> realm = garnser.se
>
> I would remove the password server, and (not being that familiar with
> the set up side of AD) shouldn't the workgroup be GARNSER? Or the realm
> be presidio.garnser.se? Mind you if you can join the domain it would
> seem these values are correct.

I named my workgroup differently from the domain/realm, I can successfully join the domain.

>
> Just to confirm these values are correct, on a Windows PC, go Control
> Panel, System, Computer Name (where you can rename the PC) and on that
> page it should list the domain - is that garnser.se? That domain should
> be what is put in the realm.

The domain is equal to the realm.

>
> Likewise when you log in to a Windows PC, you can choose the domain you
> want to log in to from a drop-down list. Is that PRESIDIO? The value
> there should be the same as what you put in workgroup.

This is the same.

>
>> template shell = /bin/bash
>
> This will allow your AD users to SSH into your machine (just checking!)

Yes that's intentional.

>
>> netbios name = presidio3
>
> Is presidio3.garnser.se the full DNS name of your machine? Not sure if
> it makes a difference but it can't hurt to make the NetBIOS and DNS
> names match.

It's identical.

>
>> use kerberos keytab = yes
>> client use spnego = yes
>
> I don't have either of these two options set.
>
>> auth methods = winbind
>
> I don't have "auth methods" set, and the manpage recommends against
> setting it.
>
> Otherwise it looks fine. After updating these options you could try
> erasing all Samba's .tdb files to make it forget it belongs to a domain,
> then add it again fresh. I would be very surprised if that didn't work.

Thanks again!

/Jonathan
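
The review points raised in the quoted reply, collected into a small smb.conf check. This is an added example, not part of the original message and not Samba tooling; the function names, the sample text (rebuilt from the excerpt quoted above) and the "netbios name + realm = DNS name" comparison are assumptions made for illustration.

```python
import re

# Options questioned in the quoted review, with the reviewer's remark from the thread.
REVIEW_NOTES = {
    "passwordserver": "reviewer would remove it",
    "authmethods": "reviewer: manpage recommends against setting it",
    "usekerberoskeytab": "reviewer does not set it",
    "clientusespnego": "reviewer does not set it",
}

# Constructed sample: the [global] excerpt as quoted in the thread.
SAMPLE = """\
[global]
    workgroup = PRESIDIO
    password server = pdc.garnser.se
    realm = garnser.se
    template shell = /bin/bash
    netbios name = presidio3
    use kerberos keytab = yes
    client use spnego = yes
    auth methods = winbind
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def review(text, dns_name):
    """dns_name is the host's full DNS name, supplied by the caller (assumption)."""
    p = parse_global(text)
    findings = [f"{k}: {note}" for k, note in REVIEW_NOTES.items() if k in p]
    expected = f"{p.get('netbiosname', '')}.{p.get('realm', '')}".lower()
    if expected != dns_name.lower():
        findings.append(f"netbios name + realm ({expected}) != DNS name ({dns_name})")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE, "presidio3.garnser.se")))
```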
