-----Original Message-----
From: Robert Freeman-Day [mailto:pres...@gmail.com]
Sent: Monday, 19 September 2011 16:24
To: Bruno Martins
Cc: samba@lists.samba.org; António Moreira
Subject: Re: [Samba] Samba and AD integration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2011 10:16 AM, Bruno Martins wrote:
> Hello everyone.
>
> I am running Samba on a Debian system, and I'm currently getting the
> following error on the logs:
>
> [2011/09/19 15:06:36.708281, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
>   Username GALILEU-F\bmartins is invalid on this system
>
> Being GALILEU-F my Windows domain and bmartins my username.
>
> However, both 'wbinfo -g' and 'wbinfo -u' are working fine. Also, 'kinit
> (...)' works.
>
> My smb.conf:
> [global]
>     workgroup = GALILEU-F
>     realm = GALILEU-F.GALILEU.PT
>     server string = Samba Server
>     security = ADS
>     auth methods = winbind
>     password server = 192.168.0.2
>     username map = /etc/samba/smbusers
>     client NTLMv2 auth = Yes
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>     printcap name = cups
>     dns proxy = No
>     wins server = 192.168.0.2
>     idmap uid = 200000-300000
>     idmap gid = 200000-300000
>     winbind use default domain = Yes
>     winbind trusted domains only = Yes
>     cups options = raw
>
> My krb5.conf:
> [logging]
>     default = FILE:/var/log/krb5libs.log
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>     default_realm = GALILEU-F.GALILEU.PT
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     ticket_lifetime = 24h
>     forwardable = yes
>
> [realms]
>     GALILEU-F.GALILEU.PT = {
>         kdc = jupiter.galileu-f.galileu.pt
>         admin_server = jupiter.galileu-f.galileu.pt
>         default_domain = galileu-f.galileu.pt
>     }
>
> [domain_realm]
>     .jupiter.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
>     .galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
>
> [kdc]
>     profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>     }
>
> And... /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> Can someone please give me a light on this?
>
> Best regards,
>
> Bruno Martins

Bruno,

You are using the option "winbind use default domain = Yes", so AD users
should be able to access with just their username and there should be no
need to pre-pend the domain and backslash.

Robert

- --
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk53XnMACgkQup357T5MfTZcugCgvNMoqvTIPIlHdkov7i/ThBvK
x94AniXBk960e1L4ompA1nW+Wm+qZvAI
=yDia
-----END PGP SIGNATURE-----

Hi there, mate.

I've commented that line but I'm getting the same result. Also, I have set
it to "no" but, again, without success.

By the way, when I do a "getent passwd" it just shows me local users, no AD
users. Is this a normal behavior?

Best regards,

Bruno Martins

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba