Hi there
Could you also join your krb5.conf and your pam.d/login files?
I also have the same kind of problem, and I just would like to see differences between our configurations...
Thanks for reading!
Bertram
Hi Bertram,
sure:
:: krb5.conf ::
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.DE
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
DOMAIN.DE = {
    kdc = w2k3.domain.de:88
}

[domain_realm]
.domain.de = DOMAIN.DE
domain.de = DOMAIN.DE

[kdc]
profile = /etc/krb5kdc/kdc.conf

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

:: pam.d/system-auth ::
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so
auth sufficient /lib/security/pam_krb5.so use_first_pass likeauth
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_krb5.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
session optional /lib/security/pam_ldap.so
But I don't think it's related to this one. I've tried around a little and saw that I had some problems understanding the permissions theory concerning Windows and Linux interoperability with Samba. The main fact is that if you have the same users (usernames) on both sides, they have the right to map their home drive. Even another share point, with exclusive rights for group membership, should give you the ability to map and/or access them. That does it for me. I don't know exactly why I had the problem, but it seems to be fixed. Maybe it was because winbind wasn't started, which could be. Now I can access the shares, if you have the permissions to access them.
Anyway, at this time I can't set permissions in the security tab of Windows for shares, but this is related to the SID -> UID mapping, which I will have a closer look at later.
Best Regards -markus
From: Markus Klimke <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: [Samba] User problem (samba, w2k3) Date: Thu, 29 Apr 2004 13:00:53 +0200
Hello all,
:: Strategy ::
I am using Samba 3.0.2a with security mode ADS, hooking a fileserver up to a W2k3 server and domain. The join worked as mentioned in the documentation. For auth of users I use nssldap to query the LDAP database of W2k3, so my Windows users are visible both under Linux and Windows.
:: Problem ::
If I try to share the homes or other points I'm asked to type in a username and a password. When I type in a username, which is as described visible on both sides, Windows says that this user is not valid to enter the share. As a workaround I used an "admin" entry in the smbpasswd, which has access to the shares. I think this is a very ugly hack. I also tried it with winbind, but it didn't work either. When I open the security tab under Windows of a share or the subdirectories within, it shows entries like "FILER\user", which is not my domain, just the Samba server itself. Maybe this is correct, but I can't make any change, such as adding a user to the security context of Windows.
I am not using the winbind name switch in nsswitch.conf nor any winbind PAM auth, because I use nssldap for making users visible on Linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in advanced mode (not native or mixed mode), which might be a problem, but I don't believe this. If I type "wbinfo -u", the users on the Windows side are listed, but not with the domain separator, just the user itself.
:: Question ::
How can I map samba shares with "security = ADS" on a windows machine, without using "smbpasswd"?
:: smb.conf ::
# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.DE
security = ads
password server = w2k3.domain.de
encrypt passwords = yes
#smb passwd file = /etc/samba/smbpasswd
;; I don't want to use this line, because the documentation
;; said I don't need this
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 10
preferred master = no
idmap uid = 500-6000
idmap gid = 500-6000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = yes
;; Caught the above line from a hint, which was mentioned
;; to fix the problem

[homes]
comment = %u's Home Directory
;; This one's always showing, if the smbpasswd entry above
;; is enabled: "admin's Home Directory", where admin is
;; the smbpasswd entry to get shares mapped
create mask = 0755
read only = No
browseable = No

[shared]
comment = Share Point
path = /shared
read only = no
browseable = yes

[backup]
comment = Backup Repo
path = /backup
read only = yes
browseable = no

Many thanks for every hint or assistance.
Best regards
-markus
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
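A check a practitioner would run over a configuration like the one posted above, added here as an example and not code from the thread or from Samba: it parses the [global] settings (with hypothetical getent-style passwd lines standing in for what nss_ldap returns) and flags an idmap allocation range that overlaps directory-supplied UIDs, which can leave files on disk attributed to the wrong account, and notes that `winbind trusted domains only = yes` is what makes primary-domain users resolve through NSS without the DOMAIN+ prefix in `wbinfo -u` output.

```python
import re

# Constructed sample input: the [global] keys from the smb.conf posted in the
# thread, plus two getent-style passwd lines standing in for what nss_ldap
# hands out (hypothetical UIDs, not taken from the thread).
SMB_CONF = """[global]
security = ads
realm = DOMAIN.DE
idmap uid = 500-6000
idmap gid = 500-6000
winbind separator = +
winbind trusted domains only = yes
"""
PASSWD_LINES = ["user1:x:1001:1001::/home/user1:/bin/bash",
                "user2:x:7001:7001::/home/user2:/bin/bash"]

def parse_smb_conf(text):
    """Return {section: {key: value}} for a flat smb.conf (no 'include')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment characters
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf

def idmap_findings(conf, passwd_lines):
    """Flag NSS uids that sit inside the winbind idmap range (a winbind-
    allocated uid could collide with a directory account, so two identities
    share one owner on disk) and note the 'trusted domains only' mode."""
    g = conf["global"]
    lo, hi = (int(x) for x in g["idmap uid"].split("-"))
    nss_uids = [int(l.split(":")[2]) for l in passwd_lines]
    clashes = sorted(u for u in nss_uids if lo <= u <= hi)
    findings = []
    if clashes:
        findings.append(("idmap-overlap", clashes))
    if g.get("winbind trusted domains only", "no").lower() == "yes":
        # Primary-domain users are looked up via NSS and shown unprefixed.
        sep = g.get("winbind separator", "\\")
        findings.append(("nss-only-primary-domain", sep))
    return findings
```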
