Accessing Samba shares using winbind to authenticate to Active Directory on OpenSolaris 11

Asked by spcomputing in Sun Solaris, Samba File Server, Lightweight Directory Access Protocol (LDAP)

Tags: OpenSolaris, Solaris, LDAP, Winbind, Samba, Kerberos, Active Directory

Purpose:
I have an OpenSolaris 11 server running Samba version 3.034. We need to be able to access the samba shares on this server with Active Directory users and groups.

Progress thus far:
Successfully joined the server to the domain using Winbind. I can populate AD users and groups on the Solaris server using wbinfo -u and -g. I can also authenticate AD users from the terminal using kinit.

Problem:
When I try to access a samba share from Windows, I receive the error:

"The account is not authorized to log in from this station". It does not ask me for credentials, so I assume it is passing my AD credentials from Windows.

If I try to log on to the server with an AD account, it says access denied. If I try too many times, it will lock the account on the domain. So this leads me to believe that the credentials are being passed to the domain controller, but they are not being understood correctly. The error logs have been uninformative, but I will include what I can find. I will also include config files below.

Thank you in advance for your assistance.
==smb.conf==
 
[global]
	log file = /var/samba/log/log.%m
	load printers = yes
	idmap gid = 10000-20000
	allow trusted domains = no
	winbind trusted domains only = yes
	encrypt passwords = yes
	winbind use default domain = yes
	realm = DOMAIN.NET
	passdb backend = smbpasswd
	dns proxy = no 
	netbios name = SERVER01
	idmap uid = 10000-20000
	winbind enum users = no
	winbind nested groups = yes
	unix password sync = yes
	workgroup = DOMAIN
	winbind enum groups = yes
	server signing = yes
	os level = 20
	security = ads
	max log size = 50
	winbind separator = +
 
[data]
	browseable = yes
	writable = yes
	writeable = yes
	write list = admingroup
	path = /data
	comment = 
	valid users = user1,@admingroup
	available = yes
 
 
==pam.conf==
 
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_cred.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
login 	auth sufficient		/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_cred.so.1
rlogin	auth required		pam_unix_auth.so.1
rlogin 	auth sufficient		/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth required		pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth required		pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_cred.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_cred.so.1
other	auth required		pam_unix_auth.so.1
other 	auth sufficient		/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron	account required	pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups	account	required	pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other 	account sufficient	/usr/lib/security/pam_winbind.so.1 try_first_pass
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
other 	session sufficient	/usr/lib/security/pam_winbind.so.1 try_first_pass
 
 
==nsswitch.conf==
 
passwd:     files winbind
group:      files winbind
hosts:      dns files ldap
ipnodes:    files dns ldap
networks:   files
protocols:  files winbind
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files winbind
automount:  files winbind
aliases:    files
services:   files winbind
printers:	user files
 
auth_attr:  files
prof_attr:  files
project:    files
 
tnrhtp:     files
tnrhdb:     files
 
==krb5.conf==
 
[libdefaults]
        default_realm = DOMAIN.NET
	dns_lookup_realm = true
	dns_lookup_kdc = true
 
[realms]
#        ___default_realm___ = {
#                kdc = ___master_kdc___
#                kdc = ___slave_kdc1___
#                kdc = ___slave_kdc2___
#                kdc = ___slave_kdcN___
#                admin_server = ___master_kdc___
#        }
 
[domain_realm]
	domain.net = DOMAIN.NET
	.domain.net = DOMAIN.NET
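Before turning to log files, a practitioner would cross-check the posted smb.conf against krb5.conf for the inconsistencies that most often break an ADS/winbind setup. The script below is an added example, not code from the question or from any of the comments; parse_ini and check_ads_setup are hypothetical helper names, and the embedded sample is a constructed abbreviation of the two files posted above. It checks the realm against the Kerberos default realm, the security mode, the plaintext-password setting (Windows clients historically answer a plaintext-password request with exactly the "not authorized to log in from this station" message, though the posted config already has encrypt passwords = yes), and the share-level access lists.

```python
import re

def parse_ini(text):
    """Parse smb.conf/krb5.conf style text into {section: {key: value}}; keys are
    lower-cased with whitespace collapsed (as smbd does), '#'/';' start comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, val = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf

def check_ads_setup(smb_text, krb5_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    smb, krb = parse_ini(smb_text), parse_ini(krb5_text)
    g, out = smb.get("global", {}), []
    realm = g.get("realm", "")
    if g.get("security", "user").lower() != "ads":
        out.append("global: security = ads is needed for Kerberos domain membership")
    if not realm or realm != realm.upper():
        out.append("global: realm must be set and upper-case (Kerberos realms are case-sensitive)")
    krb_realm = krb.get("libdefaults", {}).get("default_realm", "")
    if realm and krb_realm and realm != krb_realm:
        out.append(f"realm mismatch: smb.conf {realm} vs krb5.conf {krb_realm}")
    if g.get("encrypt passwords", "yes").lower() in ("no", "false", "0"):
        out.append("global: encrypt passwords = no; Windows clients refuse plaintext by default")
    for name, sec in smb.items():  # per-share checks
        if name == "global":
            continue
        if "writable" in sec and "writeable" in sec:
            out.append(f"[{name}]: 'writable' and 'writeable' are synonyms; keep one")
        groups = {u[1:] for u in re.split(r"[,\s]+", sec.get("valid users", "")) if u.startswith("@")}
        for entry in re.split(r"[,\s]+", sec.get("write list", "")):
            if entry in groups:  # a group in write list needs the '@' prefix, as in valid users
                out.append(f"[{name}]: write list '{entry}' names a user; the group is '@{entry}'")
    return out

# Constructed sample: the relevant lines of the smb.conf and krb5.conf posted above.
SMB_CONF = ("[global]\n\tsecurity = ads\n\trealm = DOMAIN.NET\n\tencrypt passwords = yes\n"
            "[data]\n\twritable = yes\n\twriteable = yes\n\twrite list = admingroup\n\tvalid users = user1,@admingroup\n")
KRB5_CONF = "[libdefaults]\n\tdefault_realm = DOMAIN.NET\n\tdns_lookup_kdc = true\n"
if __name__ == "__main__":
    print("\n".join(check_ads_setup(SMB_CONF, KRB5_CONF)) or "no findings")
```

On the posted sample the global section passes every check and only the [data] share is flagged, which is consistent with the asker seeing the failure at connection time rather than as a share-permission problem.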
08/03/09 09:05 AM, ID: 25005687, Expert Comment
08/03/09 10:11 AM, ID: 25006353, Author Comment
08/24/09 06:56 AM, ID: 25168326, Accepted Solution
Solution Provided By: spcomputing
Participating Experts: 1
Solution Grade: A