Bleh, sorry folks.  Two days troubleshooting this and I find the problem
ten minutes after posting.  Fixed it by synchronising the time with the
PDC and rebooting the Solaris box.  All my users are listed fine now in
"getent passwd", and I can browse to the shares.
 
... now I just need to work out how on earth I grant file permissions to
my windows users.

  _____  

From: Ross Smith 
Sent: 22 February 2008 09:51
To: 'samba@lists.samba.org'
Subject: Samba and ADS authentication problems


Hey folks,
 
I'm having trouble with AD integration with the version of Samba
included in Solaris build 78 (Samba version 3.0.25a). I think it's
almost working, but I get an authentication prompt every time I try to
connect to samba from a windows client, and no matter what I enter I
can't authenticate to see the shares. 
 
The main documentation I've been using is Sun's guide to setting up
Samba:  http://dlc.sun.com/pdf/819-3063/819-3063.pdf, but I've also been
referring to the official How-To.
 
I'm trying to join Samba to my windows domain as a member server using
ADS.  I've read and re-read all the documentation I can find over the
last couple of days but I've no idea now where I've gone wrong.  What
*is* working is the following:

- Kerberos seems fine. "klist" shows a valid ticket, and "kinit
[EMAIL PROTECTED].COM" authenticates ok.
- The samba machine account in Active Directory created fine when I used
the "net ... ADS JOIN ..." command.
- From Solaris I can list Active Directory users and groups with "wbinfo
-u" and "wbinfo -g".
- From Solaris, smbclient works anonymously and can list the shares on
both Samba and our windows servers with "smbclient -N -L computer".
 
However, any attempt by a windows client to view shares on the Solaris
server returns Access denied, followed by a password prompt, and on
Solaris, smbclient returns NT_STATUS_LOGON_FAILURE if I try to
authenticate with any username.  I suspect the problem is linked to the
fact that "getent passwd" and "getent group" just return the Solaris
users and groups, whereas the documentation states that they should
include the Active Directory accounts too.
 
One other thing that might be wrong is that in all the examples I've
seen online, "wbinfo -u" returns users in the form DOMAIN\user. However,
in our case it simply lists the usernames, no domain is included.
 
Searching on google, I've found a few people reporting identical
problems, so I'm guessing whatever I've done it's a fairly basic
mistake, but I haven't found any solution to this. Can anybody help out?

 
This is my first time posting, I've attached the smb.conf and krb5.conf
files but I'm not sure if they will be visible, please let me know if I
need to copy/paste them into a message instead.
 
thanks,
 
Ross 
 
----------------- 
Ross Smith 
Network Manager 
Robinson Construction
http://www.robinsons.com
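
Added example, not part of the original thread: the fix reported at the top was synchronising the clock with the PDC, and Kerberos rejects authentication once client and KDC clocks differ by more than the allowed skew (five minutes by default). The sketch below measures that offset from an SNTP reply; the server name passed to `query()`, the 300-second limit and the sample packet are assumptions or constructed test data.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
MAX_SKEW = 300                # assumed limit: the 5-minute Kerberos default

def _ts(data, offset):
    """Decode a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    secs, frac = struct.unpack_from("!II", data, offset)
    return secs - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t1, t4):
    """Server-minus-client offset in seconds from a 48-byte SNTP reply.
    t1 is the local send time, t4 the local receive time (Unix seconds)."""
    if len(reply) < 48:
        raise ValueError("short SNTP reply")
    if reply[0] & 0x07 != 4 or reply[1] == 0:   # must be mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    t2 = _ts(reply, 32)   # server receive timestamp
    t3 = _ts(reply, 40)   # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def kerberos_skew_ok(offset, limit=MAX_SKEW):
    """True when the measured offset is inside the Kerberos tolerance."""
    return abs(offset) <= limit

def query(server, timeout=3.0):
    """Live measurement against a time source such as the PDC (UDP port 123)."""
    request = b"\x1b" + 47 * b"\0"   # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return clock_offset(reply, t1, t4)

def sample_reply(server_time):
    """Constructed reply whose server clock reads server_time (test data only)."""
    ntp = struct.pack("!II", int(server_time) + NTP_EPOCH_DELTA, 0)
    return b"\x1c\x02" + 30 * b"\0" + ntp + ntp   # version 3, mode 4, stratum 2

if __name__ == "__main__":
    now = 1203673860.0                                  # constructed local clock reading
    off = clock_offset(sample_reply(now + 420), now, now)
    print(f"offset {off:+.1f}s, within Kerberos skew: {kerberos_skew_ok(off)}")
```

A result outside the limit points at the clock before smb.conf or krb5.conf; run `query()` against the domain controller from the Samba host to get the real figure.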
 
 
