What version of Samba are you using? I submitted a patch to Samba that is in 3.4.1 and slated for the next version of 3.3.x that fixes the workgroup/realm thing. It falls back to SPNEGO without the patch, but it takes a little while; the patch speeds things up.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson <[email protected]> wrote:

> How did you solve the kerberos portion of things, when winbind tries
> to connect to my server the kerberos session fails as it tries to
> connect with the workgroup instead of the realm.
>
> Thanks
>
> /Jonathan
>
> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez <[email protected]> wrote:
> >
> > Jonathan Petersson wrote:
> >>
> >> Hi Ivan,
> >>
> >> I'm working on a similar thing but am having some issues with the
> >> kerberos sessions between samba and AD. Is your Samba server a member
> >> of a Win2k8R2 or a Win2k3 domain?
> >>
> >> Thanks
> >>
> >> /Jonathan
> >>
> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez <[email protected]> wrote:
> >>>
> >>> Robert LeBlanc wrote:
> >>>>
> >>>> What are the permissions on /shared/drive? We use ACLs to control
> >>>> access rather than smb.conf. This gives us great flexibility and you
> >>>> can kind of manage it using a Windows machine. If you have Kerberos
> >>>> keytab generated, you can smbmount on Linux using the -o sec=krb5 and
> >>>> no passwords are needed, it also obeys ACL. The only catch is that you
> >>>> need to use RID or LDAP for uid/gid mapping or else your permissions
> >>>> won't line up.
> >>>>
> >>>> Robert LeBlanc
> >>>> Life Sciences & Undergraduate Education Computer Support
> >>>> Brigham Young University
> >>>>
> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <[email protected]> wrote:
> >>>>
> >>>> Hello,
> >>>>
> >>>> We have a Gentoo box running Samba and is a member of the Active
> >>>> Directory domain. This Gentoo box will be a fileserver when
> >>>> everything is completed and setup as it should. I want our users
> >>>> to login to their computer (Computers are all members of the same
> >>>> Active Directory domain) using Active Directory accounts/domain
> >>>> for authentication. I am using Winbind for Active Directory
> >>>> authentication/integration. I'm almost done except file permission
> >>>> issue. All is working smoothly (ie. wbinfo, smbclient, getent,
> >>>> etc.). I can access/map the shared drive on the Gentoo box from
> >>>> any Windows computer, login to a machine without a problem using
> >>>> Active Directory accounts. The Active Directory authentication
> >>>> with Winbind is working as it should.
> >>>>
> >>>> For some odd reason, I can't figure out how to give permissions to
> >>>> all users the ability to make changes/add new folders on the
> >>>> shared drive. I am getting access denied even when the users or
> >>>> group are valid users of the shared drive per smb.conf. Below is
> >>>> my smb.conf shared configuration:
> >>>>
> >>>> [shared]
> >>>> comment = shared
> >>>> path = /shared/drive
> >>>> read only = no
> >>>> inherit permissions = yes
> >>>> create mask = 755
> >>>> directory mask = 755
> >>>> valid users = @"MYDOMAIN+mygroup"
> >>>> browseable = yes
> >>>> writable = yes
> >>>>
> >>>> Any help would be greatly appreciated.
> >>>>
> >>>> -Ivan
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>> Hi,
> >>>
> >>> The files and folders on the shared drive are owned by local Linux
> >>> account. The permissions are read, write and execute by the owner,
> >>> read and write by group and all. I was hoping that smb.conf will
> >>> control the shared drive access but having a hard time doing so. I
> >>> would like to use ACL if that is the best way to make it work. Would
> >>> you mind giving me a few pointers or point me to the right direction
> >>> to get started on ACL? I am no LDAP expert but I think I can get by
> >>> if I have to use it.
> >>>
> >>> Thanks!
> >>>
> >>> -Ivan
> >
> > Hi Jonathan,
> >
> > Our Samba server is a member of Win2k8R2 domain.
> >
> > Thanks,
> >
> > -Ivan
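
Added example, not part of the thread or of Samba's code: a small model of why ACL entries only "line up" between a Samba server and a Linux client when both derive uid/gid values from the SID. It uses the formula documented for the idmap_rid backend (ID = RID - BASE_RID + LOW_RANGE_ID); the SIDs, ranges and the first-come allocator are constructed assumptions.

```python
# Illustration only: SIDs, ranges and the allocator model are constructed.

def rid_map(sid, low=10000, high=49999, base_rid=0):
    """idmap_rid style mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
    Stateless, so every host with the same range gets the same answer."""
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"{sid} maps outside range {low}-{high}")
    return unix_id


class AllocatingMap:
    """Models an allocating backend: each new SID gets the next free ID,
    so the result depends on the order in which a host first saw it."""

    def __init__(self, low=10000):
        self.next_id = low
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
MYGROUP = f"{DOMAIN}-1105"  # constructed RID standing in for MYDOMAIN+mygroup
OTHER = f"{DOMAIN}-1106"    # constructed RID for a second domain group


def compare():
    """Return the gid each host assigns to MYGROUP under both schemes."""
    server, client = AllocatingMap(), AllocatingMap()
    # The file server happens to resolve mygroup first, the client the other group.
    server.lookup(MYGROUP), server.lookup(OTHER)
    client.lookup(OTHER), client.lookup(MYGROUP)
    return {
        "allocating": (server.lookup(MYGROUP), client.lookup(MYGROUP)),
        "rid": (rid_map(MYGROUP), rid_map(MYGROUP)),
    }


if __name__ == "__main__":
    print(compare())
```

With the allocating model, a group ACL entry written on the server names a gid that belongs to a different group on the client; with the RID formula both hosts agree.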
