Rob LaRose wrote:

Hi Mark,

Mind if I ask how you're doing ssh against your Windows AD? I'm trying to do this now. I've got a script that joins me to the domain and makes SSH work but not samba. Then I can do net ads join and samba works but not ssh. Gotta find the happy medium!

Are you somehow using samba to auth ssh too?

--Rob LaRose
   Imaginary Forces


On Mar 19, 2009, at 3:19 PM, Mark Casey wrote:

Hello all,

As the subject says, as far as I can tell everything works on my ADS-integrated Samba server. Domain accounts can be used for ssh and for accessing shares; I just can't leave the domain. Here is a successful join command followed by an unsuccessful leave command at debug level 4. Any ideas?

TIA,
Mark

u...@dordal:~$ sudo net ads join -U administra...@mydomain.com -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
Processing section "[global]"
doing parameter workgroup = MYDOMAIN
doing parameter realm = MYDOMAIN.COM
doing parameter security = ADS
doing parameter password server = dal-dc1.mydomain.com, den-dc1.mydomain.com
doing parameter client schannel = Yes
doing parameter server schannel = Yes
doing parameter username map = /etc/samba/smbusers
doing parameter obey pam restrictions = Yes
doing parameter enable privileges = Yes
doing parameter restrict anonymous = 2
doing parameter allow trusted domains = No
doing parameter lanman auth = No
doing parameter ntlm auth = No
doing parameter client NTLMv2 auth = Yes
doing parameter log level = 1
doing parameter syslog = 0
doing parameter min protocol = NT1
doing parameter client signing = Yes
doing parameter server signing = Yes
doing parameter load printers = No
doing parameter preferred master = No
doing parameter local master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter ldap ssl = no
doing parameter host msdfs = No
doing parameter idmap domains = MYDOMAIN
doing parameter idmap alloc backend = ldap
doing parameter template shell = /bin/false
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter idmap alloc config:range = 100000 - 500000
doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
doing parameter idmap config MYDOMAIN:range = 100000 - 500000
doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
doing parameter idmap config MYDOMAIN:backend = ldap
doing parameter idmap config MYDOMAIN:default = yes
doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
doing parameter map acl inherit = No
doing parameter hide special files = Yes
doing parameter map archive = No
doing parameter map readonly = No
doing parameter map system = No
doing parameter map hidden = No
doing parameter ea support = No
doing parameter store dos attributes = No
doing parameter wide links = No
doing parameter follow symlinks = No
doing parameter dos filemode = No
doing parameter add share command = /etc/samba/command.pl
doing parameter delete share command = /etc/samba/command.pl
doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(139)
ads_dc_name: using server='DAL-DC1.MYDOMAIN.COM' IP=10.0.1.30
administra...@mydomain.com's password:
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:14, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:14, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:00:14, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(795)
Doing spnego session setup (blob length=113)
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 2 840 48018 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 2 840 113554 1 2 2
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(820)
got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_session_setup_spnego(828)
got principal=dal-d...@mydomain.com
[2009/03/19 14:00:14, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(615)
Doing kerberos session setup
[2009/03/19 14:00:14, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration Fri, 20 Mar 2009 00:00:14 CDT
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \lsarpc fnum 0x10 bind request returned ok.
[2009/03/19 14:00:14, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(224)
lsa_io_sec_qos: length c does not match size 8
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \samr fnum 0x1e bind request returned ok.
Using short domain name -- MYDOMAIN
[2009/03/19 14:00:14, 3] libsmb/cliconnect.c:cli_start_connection(1556)
Connecting to host=DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 3] lib/util_sock.c:open_socket_out(866)
Connecting to 10.0.1.30 at port 445
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum 0x400a bind request returned ok.
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_req_chal(46)
cli_net_req_chal: LSA Request Challenge from DORDAL to \\DAL-DC1.mydomain.com
[2009/03/19 14:00:14, 4] rpc_client/cli_netlogon.c:rpccli_net_auth2(170)
cli_net_auth2: srv:\\DAL-DC1.mydomain.com acct:DORDAL$ sc:2 mc: DORDAL neg: 600fffff
[2009/03/19 14:00:14, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2082)
rpc_pipe_bind: Remote machine DAL-DC1.mydomain.com pipe \NETLOGON fnum 0x400b bind request returned ok.
[2009/03/19 14:00:14, 3] libads/ldap.c:ads_domain_func_level(2471)
ads_domain_func_level: 2
[2009/03/19 14:00:14, 3] libads/kerberos.c:kerberos_secrets_store_des_salt(337)
kerberos_secrets_store_des_salt: Storing salt "host/dordal.mydomain....@mydomain.com"
[2009/03/19 14:00:14, 4] libads/dns.c:ads_dns_lookup_ns(508)
ads_dns_lookup_ns: 2 records returned in the answer section.
Joined 'DORDAL' to realm 'MYDOMAIN.COM'
[2009/03/19 14:00:14, 2] utils/net.c:main(1046)
return code = 0




u...@dordal:~$ sudo net ads leave -U administra...@mydomain.com -d 4
[2009/03/19 14:02:44, 3] param/loadparm.c:lp_load(5063)
lp_load: refreshing parameters
[2009/03/19 14:02:44, 3] param/loadparm.c:init_globals(1448)
Initialising global parameters
[2009/03/19 14:02:44, 3] param/params.c:pm_process(572)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:02:44, 3] param/loadparm.c:do_section(3802)
Processing section "[global]"
doing parameter workgroup = MYDOMAIN
doing parameter realm = MYDOMAIN.COM
doing parameter security = ADS
doing parameter password server = dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com
doing parameter client schannel = Yes
doing parameter server schannel = Yes
doing parameter username map = /etc/samba/smbusers
doing parameter obey pam restrictions = Yes
doing parameter enable privileges = Yes
doing parameter restrict anonymous = 2
doing parameter allow trusted domains = No
doing parameter lanman auth = No
doing parameter ntlm auth = No
doing parameter client NTLMv2 auth = Yes
doing parameter log level = 1
doing parameter syslog = 0
doing parameter min protocol = NT1
doing parameter client signing = Yes
doing parameter server signing = Yes
doing parameter load printers = No
doing parameter preferred master = No
doing parameter local master = No
doing parameter domain master = No
doing parameter dns proxy = No
doing parameter ldap ssl = no
doing parameter host msdfs = No
doing parameter idmap domains = MYDOMAIN
doing parameter idmap alloc backend = ldap
doing parameter template shell = /bin/false
doing parameter winbind enum users = Yes
doing parameter winbind enum groups = Yes
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter idmap alloc config:range = 100000 - 500000
doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
doing parameter idmap config MYDOMAIN:range = 100000 - 500000
doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.MYDOMAIN.com ldap://den-dc1.MYDOMAIN.com
doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=MYDOMAIN,dc=com
doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=MYDOMAIN,dc=com
doing parameter idmap config MYDOMAIN:backend = ldap
doing parameter idmap config MYDOMAIN:default = yes
doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
doing parameter map acl inherit = No
doing parameter hide special files = Yes
doing parameter map archive = No
doing parameter map readonly = No
doing parameter map system = No
doing parameter map hidden = No
doing parameter ea support = No
doing parameter store dos attributes = No
doing parameter wide links = No
doing parameter follow symlinks = No
doing parameter dos filemode = No
doing parameter add share command = /etc/samba/command.pl
doing parameter delete share command = /etc/samba/command.pl
doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:02:44, 4] param/loadparm.c:lp_load(5094)
pm_process() returned Yes
[2009/03/19 14:02:44, 2] lib/interface.c:add_interface(81)
added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
administra...@mydomain.com's password:
[2009/03/19 14:02:47, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:47, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:02:47, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:47, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "10.0.1.30, dal-dc1.MYDOMAIN.com, den-dc1.MYDOMAIN.com"
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1599)
get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:02:48, 4] libsmb/namequery.c:get_dc_list(1600)
get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:02:48, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:48, 4] libads/ldap.c:ads_current_time(2414)
time offset is 0 seconds
[2009/03/19 14:02:48, 4] libads/sasl.c:ads_sasl_bind(587)
Found SASL mechanism GSS-SPNEGO
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(291)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2009/03/19 14:02:48, 3] libads/sasl.c:ads_sasl_spnego_bind(300)
ads_sasl_spnego_bind: got server principal name = dal-d...@mydomain.com
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
return code = -1
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
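
An added example, not part of the original thread or of Samba: a small parser for the `net ads ... -d 4` output format shown above that keeps only level 0/1 records and counts time-related Kerberos errors such as the "Ticket not yet valid" in the leave log. The function names, the hint table and the sample (lines taken from the leave log, one record joined onto a single line the way some lines in the archive are) are assumptions made for the example.

```python
import re
from collections import Counter

# Header of a Samba debug record: [date time, level] file:function(line)
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+"
    r"([\w./-]+):(\w+)\((\d+)\)"
)

# Time-related Kerberos error strings (MIT krb5 wording) with a hint each.
KRB_TIME_ERRORS = {
    "Ticket not yet valid": "ticket start time is ahead of the verifier's clock",
    "Clock skew too great": "client and KDC clocks differ beyond allowed skew",
    "Ticket expired": "ticket lifetime has ended",
}

# Sample built from the leave log on this page (second record joined on one line).
SAMPLE = """\
[2009/03/19 14:02:47, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 10.0.1.30
[2009/03/19 14:02:47, 4] libads/ldap.c:ads_current_time(2414) time offset is 0 seconds
[2009/03/19 14:02:47, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2009/03/19 14:02:48, 1] libsmb/clikrb5.c:ads_krb5_mk_req(602)
ads_krb5_mk_req: krb5_get_credentials failed for dal-d...@mydomain.com (Ticket not yet valid)
[2009/03/19 14:02:48, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
[2009/03/19 14:02:48, 2] utils/net.c:main(1046)
return code = -1
"""

def parse_records(text):
    """Split debug output into records; headers may start mid-line."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        # The message is the first non-empty line after the header; later
        # lines (prompts, "doing parameter ...") are not part of the record.
        lines = [l.strip() for l in text[m.end():end].splitlines() if l.strip()]
        records.append({"time": m.group(1), "level": int(m.group(2)),
                        "source": m.group(3), "function": m.group(4),
                        "message": lines[0] if lines else ""})
    return records

def summarize(text, max_level=1):
    """Return level<=max_level records, Kerberos time errors and exit code."""
    records = parse_records(text)
    problems = [r for r in records if r["level"] <= max_level]
    krb = Counter(n for r in problems for n in KRB_TIME_ERRORS if n in r["message"])
    rc = None
    for r in records:
        m = re.search(r"return code = (-?\d+)", r["message"])
        if m:
            rc = int(m.group(1))
    return {"records": len(records), "problems": problems,
            "kerberos_time_errors": dict(krb), "return_code": rc}

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for r in result["problems"]:
        print(r["time"], r["level"], r["function"], "-", r["message"])
    for err in result["kerberos_time_errors"]:
        print("hint:", err, "->", KRB_TIME_ERRORS[err])
    print("return code:", result["return_code"])
```
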


Rob,

I just added winbind to pam. If you search for "add winbind pam" or something like that, you'll probably find it. I'm short on time at the moment... but the main things I can remember for this are the parameter (something like) "obey pam restrictions=yes", then also setting the default shell parameter in smb.conf, and making sure the pam module that makes home directories is in place, and maybe add users to sudo if needed. Let me know if that isn't enough to get it for you and I can send some of what I've got in my configs.

ty,
Mark