
I'm attempting to configure Samba 3.5 to authenticate share access via Active 
Directory.  I do not wish to authenticate system users against AD, only Samba 
shares.  I have successfully joined the server to the AD domain, with a few 

$ net join -W buildel664 -U jbadmin
Enter jbadmin's password:
Using short domain name -- NA
Joined 'BUILDEL664' to realm 'na.blah.lan'
[2012/10/16 14:50:36.636201,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password BUILDEL664$@NA.FOLLETT.LAN failed: Client not found 
in Kerberos database
DNS Update for buildel664.corp.xxx.com failed: ERROR_DNS_GSS_ERROR
DNS update failed!

I can't seem to figure out what is causing these errors, but the domain join is 
successful.  I am able to successfully enumerate groups and users using "wbinfo 
-g" and "wbinfo -u," although "getent passwd" only returns local users.  I am 
not sure if this is a problem or not.  While "wbinfo -g" does work, it does not 
return a listing that includes smb.conf's "winbind separator."  According to 
docs that I have found, wbinfo should output this separator.  

When I try to assign domain users/groups to a samba share  I get an error in 
Samba's logs that the user is not valid.

My smb.conf:

workgroup = NA
   realm = NA.XXX.LAN
   security = ads
   template shell = /bin/false
   winbind use default domain = yes
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   idmap uid = 10000000-50000000 # increased for larger AD environments
   idmap gid = 10000000-50000000 # increased for larger AD environments
   encrypt passwords = yes

        server string = Samba Server Version %v

        # logs split per machine
        log file = /var/log/samba/%m.log
        # max 50KB per log file, then rotate
        max log size = 500

        os level = 20
        preferred master = no
        dns proxy = no

        load printers = no
        cups options = raw

        comment = Testing
        create mask = 0660
        directory mask = 770
        writeable = yes
        browseable = yes
        valid users = +"NA+jbadmin"
        guest ok = no

Any ideas how to further troubleshoot?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to