[Samba] Samba 3.0.10 issues with native mode ADS...

[David Wruck]

Earlier I had written regarding an issue with ADS
support not compiling in in the 3.0.9 release. As of a
few days ago, we scrapped the 3.0.9 install, and set
up 3.0.10, and ADS support compiled in immediately. It
looks like there might be something funny in the make
file for 3.0.9 building on Solaris 9?

Anyhow, we are much closer to an implementation on
3.0.10, but still are not quite there yet. Once again,
we are running Solaris 9, and have Samba 3.0.10
installed, and running. We joined the Win2k ADS
without any issues at all, and seemed to have a near
flawless compile and installation.

Where we are at now, the SMB service is advertising
correctly, including allowing for auto fill-in in the
RUN box, however access is still denied to any
Win-Only account. Those with a twined Unix/Win account
seem to have access. We tried manually adding a Samba
account for one of the Win-Only users, but they still
were unable to access the share, the error on the
Windows side was unknown user or password, on the
Samba side we got this:

[2005/01/03 15:25:35, 5] libsmb/credentials.c:(167)
new clnt cred: B7B5BB53C76108AD
[2005/01/03 15:25:35, 2] nsswitch/winbindd_pam.c:(361)
  Plain-text authentication for user root returned
NT_STATUS_NO_SUCH_USER (PAM: 13)
[2005/01/03 15:25:35, 10] nsswitch/winbindd.c:(524)
  client_write: wrote 1300 bytes.
[2005/01/03 15:25:35, 10] nsswitch/winbindd.c:(470)
  client_read: read 0 bytes. Need 1824 more for a full
request.
[2005/01/03 15:25:35, 5] nsswitch/winbindd.c:(477)
  read failed on sock 21, pid 6255: EOF
[2005/01/03 15:25:35, 3] smbd/sec_ctx.c:(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/03 15:25:35, 5] auth/auth_util.c:(486)
  NT user token: (NULL)
[2005/01/03 15:25:35, 5] auth/auth_util.c:(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary
groups

Indicating that for some reason I am not sure of,
Samba is trying to contact the domain as root.
Frankly, we are stumped here. I have logs, and configs
available to post, but will refrain unless someone
need to see them, as it would turn what is already a
fairly long post into a book-like nightmare.

David
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Issues with Solaris 9, and ADS

[David Wruck]

I have been working with this for a little over a month now, and here's 
where we are at:

We have 3 domains, 2 of them are sending SIDs to the Solaris box, and 
Kerbos is compiled and working (we can authenticate to any of the 3 
domains), we can get user IDs from any of the 3 domains, however none of 
the users can gain access to the share unless we give them a Unix account.

Samba was compiled with ADS support, and the make file shows that krb5 
and ADS are both 1, however when we add the 'realm =' to the config file 
we get an error with Samba claiming it does not understand the realm 
setting.

We are using 3.0.9, and the exact error is that the AD user is not 
found, yet wbinfo can find the user accounts just fine. The AD is a 2000 AD.

We have followed steps in the docs, and on more mailing lists than I 
care to remember at this point. If anyone could point out any possible 
flaw, I'd appreciate it. I apologize for not having cut and paste 
messages and such, but I'm not anywhere near the machine at the moment, 
however I could post anything that would be useful later.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba