[Samba] Can"t map group domain share from ADS

G Sly
Fri Feb 11 18:52:28 GMT 2005


I've set up the following and can open a home share for me (sylveg). I've created a group on W2KADS and on OURSAMBALINUX called oadmin and added me as a member in both. I created a samba share called o_drive (see smb.conf below); w/ the security tab of the W2KADS OURSAMBALINUX account I gave sylveg and oadmin full rights. I haven't run "net groupmap" (do I need to?)

When I try to map to \\OURSAMBALINUX IP\o_drive from my W2K workstation (joined to the domain as sylveg), I get prompted for username and password. Log (level 3) file shows: user "sylveg" (from session setup) not permitted to access this share (o_drive). I tried what I found so far (add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u) in smb.conf, but it doesn't work.

I also would like to set up automatic user and group creation from ADS for OURSAMBALINUX. Do you know how to?

SYSTEM INFO FOLLOWS:
____________________________________________________________________________
W2K ADServer = W2KADS.OURORG.OURDOMAIN.ORG
____________________________________________________________________________
Slackware/Samba server = OURSAMBASERVER
HP570ML G3 w/Compaq Smart array 640
Slackware 10.1
2.4.29 kernel
Scsi.s boot kernel
____________________________________________________________________________
Add entries to the hosts files.

Samba machine /etc/hosts:
127.0.0.1               localhost         localhost.localdomain
(our W2KADS IP)         W2KADS            W2KADS.OURORG.OURDOMAIN.ORG
(OURSAMBALINUX IP)      OURSAMBALINUX     OURSAMBALINUX.OURORG.OURDOMAIN.ORG

Windows Active Directory server (%Systemroot%\System32\drivers\etc\hosts):
127.0.0.1               localhost         localhost.localdomain
(our W2KADS IP)         W2KADS            W2KADS.OURORG.OURDOMAIN.ORG
(OURSAMBALINUX IP)      OURSAMBALINUX     OURSAMBALINUX.OURORG.OURDOMAIN.ORG
____________________________________________________________________________
# /etc/resolv.conf
search          OURORG.OURDOMAIN.ORG
domain          OURORG.OURDOMAIN.ORG
nameserver      OURNAMESERVER1
nameserver      OURNAMESERVER2
nameserver      OURNAMESERVER3
nameserver      OURNAMESERVER4
nameserver      (our W2KADS IP)
____________________________________________________________________________
# date (MMDDHHMM) same time as W2KADS (syncs OURSAMBALINUX time to W2KADS server)
____________________________________________________________________________
Kerberos krb5-1.4
#./configure
#make

# more /etc/krb5.conf
[libdefaults]
        default_realm = OURORG.OURDOMAIN.ORG
[realms]
        OURORG.OURDOMAIN.ORG = {
                kdc  = W2KADS.OURORG.OURDOMAIN.ORG:88
                admin_server = W2KADS.OURORG.OURDOMAIN.ORG:749
                default_domain = OURORG.OURDOMAIN.ORG
                }
[domain_realm]
        .ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG
        ourorg.ourdomain.org = OURORG.OURDOMAIN.ORG
[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

# kinit administrator@OURORG.OURDOMAIN.ORG
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@OURORG.OURDOMAIN.ORG

Valid starting     Expires            Service principal
01/10/05 10:36:06  01/10/05 20:37:39  krbtgt/OURORG.OURDOMAIN.ORG@OURORG.OURDOMAIN.ORG
        renew until 01/10/05 10:36:06

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
____________________________________________________________________________
OpenLDAP openldap-2.2.23 (Loaded for this server libraries)
#./configure
#make depend
#make
#make test
#make install
____________________________________________________________________________
Samba 3.0.11 (patch for clitar error – #patch –p0 < clitar.patch)
Build from source so it picks up krb5 and ldap
# ./configure --with-acl-support
#make
#make install
#make installbin
#make installman
# cp /usr/local/samba-3.0.10/source/nsswitch/libnss_winbind.so /lib
# cp /usr/local/samba/sbin/* /usr/sbin
# cp /usr/local/samba/bin/* /usr/bin

Check w/
#smbd –b|grep KRB
And
#smbd –b|grep LDAP
____________________________________________________________________________
# /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
hosts:          files dns wins
networks:       files dns
services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
bootparams:     files
automount:      files
aliases:        files
____________________________________________________________________________
# /usr/local/samba/lib/smb.conf
# Global parameters
[global]
        unix charset = LOCALE
        workgroup = OURORG
        netbios name = OURSAMBALINUX
        realm = OURORG.OURDOMAIN.ORG
        server string = OURORG Samba linux
        security = ADS
        password server = W2KADS.OURORG.OURDOMAIN.ORG
        username map = /etc/samba/smbusers
        log level = 3
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
        ldap ssl = no
        idmap uid = 10000-90000
        idmap gid = 10000-90000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind separator = +

[public]
        comment = Data
        path = /home/public
        read only = No

[homes]
        comment = Home Directories
        path = /home/%U
        valid users = %S
        read only = No
        browseable = No

[o_drive]
        comment = o_drive
        path = /home/o_drive
        valid users = @%D+oadmin
        inherit permissions = Yes
        read only = no
#       force user = smbuser
#       force group = nobody

#testparm
No errors
____________________________________________________________________________
# net ads join –Uadministrator%password (echoes back)
Using short domain name -- OURORG
Joined 'OURSAMBALINUX' to realm 'OURORG.OURDOMAIN.ORG'
Check the W2KADS.
# net ads testjoin
____________________________________________________________________________
# more /usr/local/samba/smbusers
root = administrator admin
nobody = guest pcguest smbguest

# smbpasswd –a root
____________________________________________________________________________
Start the Samba SMB file/print server:
# /etc/rc.d/rc.samba start
# winbindd
____________________________________________________________________________
#wbinfo –t (echoes back) checking the trust secret via RPC calls succeeded
# wbinfo –u (long list of ADS OURORG+users)
# getent passwd (list of linux users and ADS OURORG+users)
# getent group (list of linux groups and ADS OURORG+groups)
# tdbdump /etc/samba/private/secrets.tdb
# net ads info
# net ads status (Cool outputs)
# smbclient //W2KADS/c\$ -k comes back with:
smb: \> dir - gives you W2KADS dir listing
q – to quit
____________________________________________________________________________
I created the linux dir /home/o_drive and valid users = %D+oadmin. The /home dir is:
drwxr-xr-x  2 root   root    4096 2004-09-03 15:16 ftp/
drwx------  2 root   root   16384 2005-02-03 07:55 lost+found/
drwxrwxrwx  2 root   oadmin  4096 2005-02-10 11:15 o_drive/
drwx--x--x  2 sylveg users   4096 2005-02-10 12:00 sylveg/
____________________________________________________________________________
On Windoze workstation PC that is joined to the W2KADS domain, at the C:\> prompt:
net use * \\(OURSAMBALINUX-ip address)\share
This maps the share without a password to the next available drive letter.
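The check a practitioner wants here is whether the name smbd ends up with after session setup is a member of the group that `valid users = @%D+oadmin` expands to, as NSS (compat + winbind, `winbind separator = +`) resolves it. The block below is example code written for this page, not code from the original post or from the Samba project: it models smbd's `valid users` matching (%-substitution, then `@`/`+` unix-group lookup, bare tokens compared to the user name) and runs it against a constructed group table. The memberships in `NSS_GROUPS` are assumptions that stand in for `getent group` output on the poster's box, not real output.

```python
"""Model of how smbd evaluates a share's 'valid users' list.

Example code for this page; not the poster's or Samba's own code.
"""
import re

# Constructed stand-in for what 'getent group' would show with
# 'compat winbind' and 'winbind separator = +'. Memberships are ASSUMED.
NSS_GROUPS = {
    "users":         {"sylveg"},          # local Slackware group
    "oadmin":        set(),               # local group, members unknown
    "OURORG+oadmin": {"OURORG+sylveg"},   # ADS group seen through winbind
}

TOKEN_SPLIT = re.compile(r"[,\s]+")

def substitute(value, user, domain, share):
    """Expand the smb.conf %-macros that matter for 'valid users'."""
    return value.replace("%U", user).replace("%D", domain).replace("%S", share)

def user_groups(user, nss_groups=NSS_GROUPS):
    """Groups NSS lists for a user (case-insensitive, like winbind names)."""
    wanted = user.lower()
    return {name for name, members in nss_groups.items()
            if any(m.lower() == wanted for m in members)}

def user_in_list(user, valid_users, domain, share, nss_groups=NSS_GROUPS):
    """Mirror smbd's matching: '@name' and '+name' match when NSS puts the
    user in unix group 'name'; '&name' is a NIS netgroup, which this box
    has no NIS for, so it is modelled as never matching; a bare token must
    equal the user name. Only the leading sigil is stripped, so the '+' in
    'OURORG+oadmin' stays part of the group name (it is the winbind
    separator, not the unix-group prefix). Returns (allowed, detail)."""
    expanded = substitute(valid_users, user, domain, share)
    groups = {g.lower() for g in user_groups(user, nss_groups)}
    for token in filter(None, TOKEN_SPLIT.split(expanded)):
        if token[0] in "@+":
            if token[1:].lower() in groups:
                return True, token
        elif token[0] == "&":
            continue
        elif token.lower() == user.lower():
            return True, token
    return False, expanded

# The two 'valid users' lines from the post's smb.conf.
SHARES = {"homes": "%S", "o_drive": "@%D+oadmin"}

def check_share(share, user, domain="OURORG"):
    """[homes] is offered under the connecting user's name, so %S == user."""
    share_name = user if share == "homes" else share
    return user_in_list(user, SHARES[share], domain, share_name)

if __name__ == "__main__":
    for user in ("sylveg", "OURORG+sylveg"):
        for share in SHARES:
            print(f"{share:8} {user:14} -> {check_share(share, user)}")
```

Compare the model with the real box: `getent group OURORG+oadmin` and `id OURORG+sylveg` show what winbind actually returns, and the level-3 log line names the user smbd is checking ("sylveg"). If that name is the local account in group `users` rather than the winbind name in `OURORG+oadmin`, `@OURORG+oadmin` cannot admit it. One caveat on the fix tried in the post: `add machine script` is run by smbd to create a unix account for a machine trust account when Samba itself is the domain controller; it plays no part in share-level `valid users` checks on an ADS member server.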

