On Wed, 2004-02-25 at 00:59, JonR wrote:
> Slowly making progress with Active Directory integration. I have Samba 3.0.2
> as an ADS member, and I can see shares, including user home directories. My
> Linux boxes run Debian unstable, and use the PAM and NSS LDAP backends,
> against an Active Directory on Windows 2000 SP4, using the MS Services For
> Unix V2.0 schema updates. PAM-authenticated login, ssh etc. all work fine,
> although I did have to enable anonymous searches of the Active Directory on
> the DC.
> 
> To get this far, I have had to build MIT Kerberos 1.3.1 from source (Debian
> only has v 1.3 packaged at the moment). This fixed problems with the RC4 hash
> that stopped anything from working. I use a completely minimal krb5.conf:
> 
> [libdefaults]
>         default_realm           = XXX.XXX.XXX.XXX
> 
> [realms]
>         XXX.XXX.XXX.XXX = {
>                 kdc = 192.168.0.2
>         }
> 
> However, my final problem is that users cannot write to files in their home
> directories. I gather the way to fix this is to use Luke's idmap_ad plugin
> from PADL, so I built that (for Debian you also need to at least configure a
> Samba source tree somewhere - I apt-get the source, and killed the build
> after the configuration). Now, I have winbindd using the idmap-ad plugin,
> and wbinfo can convert SIDs to UIDs. (wbinfo -n jonr gets the SID, and
> wbinfo -S <sid> gets the uid).
> 
> BUT: I still get permission denied trying to create new files or delete
> existing ones in user home directories from a Windows XP SP1 client:
> 
> [2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
>   change_to_user uid=(1001,1001) gid=(0,500)


Is that the right user?  If so, then this is just a matter of Unix file 
permissions, or possibly smb.conf settings.  (i.e., it looks like you have IDMAP working)

Andrew Bartlett
-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
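
Added example, not part of the original messages and not Samba code: a small check that takes the `change_to_user` line from the smbd log and applies the plain Unix owner/group/other test for creating or deleting entries in a directory. It assumes the two numbers in each pair are (real, effective) ids, and it ignores POSIX ACLs, the sticky bit and smb.conf options such as `read only`; the function names are hypothetical.

```python
import os
import re
import stat

# Assumption: smbd logs uid=(real,effective) gid=(real,effective).
LOG_RE = re.compile(r"change_to_user uid=\((\d+),(\d+)\) gid=\((\d+),(\d+)\)")

# The log line quoted in the message above.
SAMPLE_LINE = "  change_to_user uid=(1001,1001) gid=(0,500)"


def parse_change_to_user(line):
    """Return (effective_uid, effective_gid) from a change_to_user log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a change_to_user line")
    _ruid, euid, _rgid, egid = map(int, m.groups())
    return euid, egid


def can_modify_dir(mode, owner_uid, owner_gid, euid, egid, groups=()):
    """Classic Unix check: creating or deleting a directory entry needs
    write AND search (execute) permission from the matching permission class."""
    if euid == 0:
        return True
    if euid == owner_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid == egid or owner_gid in groups:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need


def check_home(line, path, groups=()):
    """Combine the log line with the on-disk owner and mode of a directory."""
    euid, egid = parse_change_to_user(line)
    st = os.stat(path)
    return can_modify_dir(st.st_mode, st.st_uid, st.st_gid, euid, egid, groups)


if __name__ == "__main__":
    # Constructed case: a home directory owned by root:root with mode 0755.
    euid, egid = parse_change_to_user(SAMPLE_LINE)
    print(euid, egid, can_modify_dir(0o40755, 0, 0, euid, egid))
```

If `check_home` returns False for the uid that `wbinfo` maps the user to, the directory's owner or mode is the place to look before smb.conf.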
