Kenneth at 00:58, 11 August 2014

2014-08-11T00:58:01Z

New page

==Summary==
[http://us1.samba.org/samba/ Samba]

[http://www.oreilly.com/catalog/samba/chapter/book/appc_01.html Samba Configuration Option Quick Reference]

==Install Samba==
# Install Samba Server
yum install samba

# Install Samba Client (mount.cifs, smbclient)
yum install samba-client

==Mounting Samba Shares==
[http://gentoo-wiki.com/HOWTO_Setup_Samba HOWTO Setup Samba]:
mount -t cifs //server/share /mnt/samba -o username=username

==Samba Configuration File==
/etc/samba/smb.conf

NOTE: Whenever you modify this file you should run the command "testparm" to check that you have not many any basic syntactic errors. [http://www.mail-archive.com/samba@lists.samba.org/msg20143.html]

==Joining a Domain==
[http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html Samba: Chapter 7. Adding Domain Member Servers and Clients]

*Delete the tdb files that cache Samba information
cd /etc/samba
rm *tdb

*Configure Samba (/etc/samba/smb.conf):
<pre>
[global]
# note: set to short domain name
workgroup = OEEY
# note: set to full domain name
realm = CORPORATE.OEEY.COM
netbios name = DATA
password server = snowbird.contractpal.com
username map = /etc/samba/smbusers

security = ADS
encrypt passwords = yes
passdb backend = tdbsam

winbind uid = 10000-65000
winbind gid = 10000-65000
winbind enum users = yes
winbind enum groups = yes
# winbind use default domain = yes

debuglevel = 1

# disable printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#nt acl support = yes
#acl map full control = yes
#dos filemode = yes

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[files]
path = /test
comment = Test
read only = No
create mask = 0750
browseable = Yes
guest ok = no
preserve case = yes
#nt acl support = yes

[test]
path = /test
public = no
browsable = yes
read list = @"OEEY\domain users"
write list = @"OEEY\domain users"
create mask = 0777
directory mask = 0777
force create mode = 0777
force directory mode = 0777

[release]
path = /Release
public = no
browsable = yes
read list = @"OEEY\domain users"
write list =
read only = yes
</pre>

*Validate your Samba configuration:
testparm -s

*Join ADS domain:
# Samba does not need to be running at this step, but the smb.conf will be parsed
net ads join -UAdministrator
# for debugging purposes:
net ads join -UAdministrator%mypassword -d3

NOTE: never execute the net rpc join command in an attempt to join the Samba server to the domain, unless you wish not to use the Kerberos security protocols. [http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html]

*Test ADS connection:
Simple ADS information:
net ads info

One can also check that the connection was made by checking the secrets.tdb file.
tdbdump secrets.tdb

Or way more information than you care for:
net ads status -UAdministrator%mypassword

*Configure Kerberos (/etc/krb5.conf):
[libdefaults]
default_realm = CORPORATE.OEEY.COM
dns_lookup_kdc = true
...
[realms]
CORPORATE.OEEY.COM = {
kdc = snowbird.contractpal.com:88
admin_server = snowbird.contractpal.com:749
default_domain = contractpal.com
}
...
[domain_realm]
.corporate.OEEY.com = CORPORATE.OEEY.COM
corporate.OEEY.com = CORPORATE.OEEY.COM

*Test Kerberos connection:
kinit Administrator
klist

*Test Winbind:
service winbind restart

# list domain users
wbinfo -u
# list domain groups
wbinfo -g

List winbind database information:
tdbdump /var/cache/samba/winbindd_idmap.tdb
tdbdump /var/cache/samba/winbindd_cache.tdb

*Edit /etc/nsswitch.conf
# passwd, group, hosts: winbind
passwd: files winbind
#shadow: files winbind
shadow: files
group: files winbind

hosts: files wins
#possibly use:
#hosts: files dns winbind

*Test nss:
# should now show domain users
getent passwd

# should now show domain groups
getent passwd

*Edit samba PAM configuration (/etc/pam.d/samba):
#%PAM-1.0

# USE WINBIND FOR AUTHENTICATION
auth sufficient /lib/security/pam_winbind.so try_first_pass
account sufficient /lib/security/pam_winbind.so try_first_pass
session sufficient /lib/security/pam_winbind.so try_first_pass

*Start samba:
service smb start

*Test samba connection:
smbclient -L DATA -UAdministrator

Old bad way of joining a domain (do not use):
#Join Domain: "sudo net rpc join -W OEEY -U Administrator -S snowbird -I 10.161.101.8"

===Joining Domain References===
*[http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html Samba: Domain Member]
*[http://us1.samba.org/samba/docs/man/Samba3-HOWTO/domain-member.html#id2538809 Samba: Domain Membership]
*[http://acd.ucar.edu/~fredrick/linux/samba3/ Samba 3 and joining an Active Directory/domain]

==List users and groups of domain==
This [http://lists.samba.org/archive/samba/2004-January/079030.html article] shows a cool script.

Test joining the domain:
wbinfo -t
checking the trust secret via RPC calls succeeded

To view domain users:
wbinfo -u

To view domain groups:
wbinfo -g

To view user details (not local unix user):
wbinfo -i <user>

To view user groups id:
wbinfo -r <user>

To see all users (including those from winbind): [http://www.tek-tips.com/viewthread.cfm?qid=1113365&page=12]
getent passwd

Authenticate: [http://www.tek-tips.com/viewthread.cfm?qid=1113365&page=12]
wbinfo -a testuser%testpass

Test challenge/response:
wbinfo -a [domain]\\[user]%[password]

==PAM and Samba==
This [http://lists.samba.org/archive/samba/2006-September/124938.html article] shows how to use winbind for Samba PAM authentication:
/etc/pam.d/samba:

See [[/etc/pam.d/samba]]

[http://kbase.redhat.com/faq/FAQ_79_5365.shtm How can I configure my Red Hat Enterprise Linux system to use pam_winbind.so so users can log into the server using their domain username and password?]
:It is also assumed that the domain user's home directory has already been created on the system in the correct location, because winbind cannot create home directories.

/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

A single line can be added to the session section of /etc/pam.d/system-auth file, to make use of the pam_mkhomedir.so PAM module. This module will automatically create a user's home directory if they have authenticated successfully and if the home directory does not already exist. If pam_mkhomedir.so has to create the user's home directory, the template homedir statement in /etc/samba/smb.conf will be used to determine where to create the user's home directory.

session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel umask=0077
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

Auto creation of home directories:

[http://www.ccs.neu.edu/home/battista/documentation/winbind/pam.html Using Winbind to Resolve Active Directory Accounts in Debian]:
:We need to configure our system to create home directories for each of the Active Directory users. Insert a reference to the pam_mkhomedir module in /etc/pam.d/common-session as shown below:
# /etc/pam.d/common-session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_winbind.so
session required pam_unix.so

==nsswitch.conf==
See [[/etc/nsswitch.conf]]

[http://kbase.redhat.com/faq/FAQ_71_2462.shtm What changes do I need to make to nsswitch.conf for winbind to work?]

passwd: files winbind
shadow: files
group: files winbind

==IDMAP==
[http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html Samba: Chapter 14. Identity Mapping (IDMAP)]

==Winbind==
[http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html Samba: Chapter 24. Winbind: Use of Domain Accounts]

[http://joseph.randomnetworks.com/archives/2005/11/08/freebsd-users-and-groups-with-samba-winbind-and-active-directory/ Users and Groups with Samba (Winbind) and Active Directory]

[http://kbase.redhat.com/faq/FAQ_79_4760.shtm How do I set up winbind on our Samba server to create users and groups from our domain controller?]

# WINBIND STUFF
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = +
winbind use default domain = no
template homedir = /homes/%D/%U
template shell = /bin/bash

A brief explanation of some of these settings:

* idmap uid - the range of numeric uid's that winbind will use to enumerate domain users with on your system. You should select a range that does not conflict with uid numbers already in use on the system and also make sure not to assign users to uid numbers in this range after you start using winbind. Also, it's probably a good idea to not change the number range once you start using winbind, as it could cause file ownership or group ownership problems.

* idmap gid - the range of numeric gid's that winbind will use to enumerate domain groups on your system. The idmap uid cautions noted above apply here as well.

* winbind enum groups and winbind enum users - whether winbind should "create" the domain's groups/users on the system or not. Leave these both set to yes unless you want to turn the functionality off for some reason.

* winbind separator - the character winbind will use to separate the domain name from the user or group name. Using such a configuration will cause domain usernames to appear like this - "MYDOMAIN+username" and domain group names to appear like this - "MYDOMAIN+Domain Users" for example.

* The template homedir statement is used to generate the home directory path for domain users. The example given uses variable substitution and would cause winbind-enumerated users' home directories to appear as /homes/MYDOMAIN/username.

Note that if you wish certain (or all) domain users to have a home directory on the Samba server, you will have to create it for them. While the template homedir statement does control where Samba thinks the user's home directory will be, winbind will not actually create the user's home directory for you.

You can test the basic user and group enumeration functionality of winbind with wbinfo and getent commands:

# wbinfo -u
MYDOMAIN+vince
MYDOMAIN+Administrator
MYDOMAIN+Guest

# wbinfo -g
MYDOMAIN+Domain Admins
MYDOMAIN+Domain Users
MYDOMAIN+Domain Guests

# getent group
quaggavty:x:102:
quagga:x:92:
radvd:x:75:
radiusd:x:95:
MYDOMAIN+Domain Admins:x:15008:MYDOMAIN+Administrator
MYDOMAIN+Domain Users:x:15009:
MYDOMAIN+Domain Guests:x:15010:MYDOMAIN+Guest

# getent passwd
radvd:x:75:75:radvd user:/:/sbin/nologin
radiusd:x:95:95:radiusd user:/:/bin/false
MYDOMAIN+vince:x:15001:15009:Vince:/homes/MYDOMAIN/vince:/bin/bash
MYDOMAIN+administrator:x:15009:15009:Administrator:/homes/MYDOMAIN/
administrator:/bin/bash
MYDOMAIN+guest:x:15010:15009:Guest:/homes/MYDOMAIN/guest:/bin/bash

[http://www.comms.scitech.susx.ac.uk/fft/howto/Samba-tng/winbindd.8.html winbindd (8)]

==Read Write Groups==
Domain Groups [http://lists.samba.org/archive/samba/2004-March/082794.html]
write list = @"AMITY+Domain Admins"
write list = @"Domain Admins"

==Controlling Access to Shares==
[http://www.oreilly.com/catalog/samba/chapter/book/ch06_02.html Controlling Access to Shares]

[http://kbase.redhat.com/faq/FAQ_71_2356.shtm How can I restrict access in Samba?]:
[global]
workgroup = WORKGROUP
netbios name = LOCALHOST
security = share
hosts allow = 127.0.0. 10.

[share1]
comment = First Share
path = /home/share1
#bob janet and all members of groupa are permitted access
valid users = bob janet @groupa
#only machines with 10.0.0.5, 10.2.5.10, and 10.0.1.1-255 are allowed
hosts allow = 10.0.0.5 10.2.5.10 10.0.1.

==Mounting disk with loopback device to test ACLs==
See [[Mounting Loopback Device]]

7. Mount with ACL option
mkdir /mnt/disk.image
mount -t ext3 -o loop,defaults,acl disk.image /mnt/disk.image

==Disable Printers==
[http://lists.samba.org/archive/samba/2006-February/117184.html Novice question - How to completely disable printing and /etc/printcap errors]:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

==Firewall==
[http://troy.jdmz.net/samba/fw/ Samba and IPTables]

netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service

Easier:
system-config-security-tui
(which writes out to /etc/sysconfig/system-config-securitylevel)

==Troubleshooting==
# Check /var/log/messages
# Ceheck /var/log/samba/*

===Could not connect to server snowbird===
$ net rpc join -W OEEY -U Administrator -S snowbird -I 10.161.101.
Password:
Could not connect to server snowbird
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

===Cannot find KDC for requested realm===
The log files are repoting:
==> /var/log/samba/log.wb-OEEY <==
[2007/10/10 14:00:21, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password STAGE$@CORPORATE.OEEY.COM failed: Cannot find KDC for requested realm
[2007/10/10 14:00:21, 1] nsswitch/winbindd_ads.c:ads_cached_connection(114)
ads_connect for domain OEEY failed: Cannot find KDC for requested realm

==> /var/log/messages <==
Oct 10 14:00:21 stage winbindd[20879]: [2007/10/10 14:00:21, 0] libads/kerberos.c:ads_kinit_password(208)
Oct 10 14:00:21 stage winbindd[20879]: kerberos_kinit_password STAGE$@CORPORATE.OEEY.COM failed: Cannot find KDC for requested realm

===NT_STATUS_NO_SUCH_USER===
==> /var/log/samba/smbd.log <==
[2007/10/10 15:06:44, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [test] -> [test] FAILED with error NT_STATUS_NO_SUCH_USER

The user exists in the domain, but not on the local box.

This means that the /etc/krb5.conf is not setup correctly. Reconfigure the file and try 'kinit administrator'. This should connect to the correct default domain, else you still have the krb5.conf file wrong.

===winbindd: idmap uid range missing or invalid===
The log files are reporting the following when starting winbind:
==> /var/log/samba/winbindd.log <==
[2007/10/10 14:14:17, 1] nsswitch/winbindd.c:main(953)
winbindd version 3.0.24-7.fc5 started.
Copyright The Samba Team 2000-2004
[2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
winbindd: idmap uid range missing or invalid
[2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
winbindd: cannot continue, exiting.
[2007/10/10 14:14:17, 1] nsswitch/winbindd.c:main(986)
Could not init idmap -- netlogon proxy only

==> /var/log/messages <==
Oct 10 14:14:17 stage winbindd[21382]: [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(787)
Oct 10 14:14:17 stage winbindd[21382]: winbindd: idmap uid range missing or invalid
Oct 10 14:14:17 stage winbindd[21382]: [2007/10/10 14:14:17, 0] nsswitch/winbindd_util.c:winbindd_param_init(788)
Oct 10 14:14:17 stage winbindd[21382]: winbindd: cannot continue, exiting.

According to this [http://ubuntuforums.org/archive/index.php/t-184505.html thread] simple include the following lines:
/etc/samba/smb.conf:
idmap uid = 10000-20000
idmap gid = 10000-20000

===Access is denied upon changing ACL===
[Security]
Unable to save permission changes on <FILE>.
Access is denied.

===Logon failure: unknown user name or bad password===
C:\>net use x: \\stage\files /user:OEEY\administrator
The password or user name is invalid for \\stage\files.

Enter the password for 'OEEY\administrator' to connect to 'stage':
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

This is caused by the username not existing on the local unix machine. See [[#PAM and Samba]]

===Set ACL failed===
==> /var/log/samba/smbd.log <==
[2007/10/10 15:44:32, 2] smbd/posix_acls.c:set_canon_ace_list(2502)
set_canon_ace_list: sys_acl_set_file type file failed for file c/big (Operation not supported).
[2007/10/10 15:44:32, 2] smbd/posix_acls.c:set_canon_ace_list(2502)
set_canon_ace_list: sys_acl_set_file type file failed for file c/big (Operation not supported).

This is because the file system does not support ACLs

===Add User Not Working===
[http://lists.samba.org/archive/samba/2004-January/079063.html Add user script, with winbind, without PAM (Solaris 9)]:
add machine script = /path/tothesame/adduserscript %u

The 'add machine script' is used to create machine trusts accounts
when running Samba as a PDC (which you are not in this case)

But if you are using winbindd then the user already exists
in UNIX. The getpwnam() call for the DOMAIN\user will succeed
and so the 'add user script' will never be called. This is by
design. Do you run winbindd on the 2.2.8a server?

The better way to solve your problem is with a 'root preexec'
script of the share in question.

===Vista workstation unable to connect to Samba share===
\\server\share
The parameter is incorrect.

\\server\share
A device attached to the system is not functioning.

\\server\share
The referenced account is currently locked out and may not be logged on to.

[http://www.nobluescreens.com/solutions/samba_vista.php Samba and Vista]

Microsoft's security policy on Windows Vista is interestingly set by default to exclude mapping to Samba shares.

To fix this:
# click START | Run | '''secpol.msc'''.
# Go to Local Policies | Security Options and find '''Network Security: LAN Manager authentication level'''
# Change the settings from Send NTLMv2 response only to Send '''LM & NTLM - use NTLMv2 session security if negotiated'''.

Vista defaults to only send the more secure NTLMv2 protocol, which Samba (and, incidentally, some NAS devices) do not support.

[http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=660925&SiteID=1 If you are using Vista Premium]:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel

This controls the security level mandated or allowed for logins. In Vista it defaults to 0x3, which means "NTLMv2 only". This is not supported by Samba, or at least not supported by any of the Samba servers I use (Mac OS X, Debian Sarge, or Buffalo TeraStation). This is despite the fact that the Samba documentation implies that it should work.

The fix is to change it to 0x1, which means "use NTLMv2 if available, or older versions if not." Reboot. Samba shares will work just fine.

If we try \\build\release we get "A device attached to the system is not functioning.". This [http://www.infrant.com/forum/viewtopic.php?=&p=42685 thread] suggests trying by IP address \\10.161.101.12\release\. This worked. Also by full domain \\build.contractpal.com\release\.

"The referenced account is currently locked out and may not be logged on to." This is caused by a non domain member vista box attempting to connect to a samba share that is domain authenticated, but does not have the LM security setting enabled.

===Kinit(v5) KDC reply did not match expectations while getting initial credentials===
Note: this should probably go under Kerberos

Kinit(v5) KDC reply did not match expectations while getting initial credentials

[http://www.webservertalk.com/archive213-2004-4-185249.html Answer]:

You can get this error when the case of your principal name doesn't match
the one returned by the AD KDC. For example:
administrator@mydomain.com
But the KDC returns the ticket as
Administrator@MYDOMAIN.COM

[http://www.trustix.org/wiki/index.php/Samba_and_ADS Answer]:

Note: If you don't capitalize your realm, you will receive an error

Another article:
[http://www.netadmintools.com/art172.html Using Samba to Authenticate GNU/Linux Against Active Directory]

==="net ads join" fails, but "net rpc join" works===
http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html

Q. When I tried to execute net ads join, I got no output. It did not work, so I think that it failed. I then executed net rpc join and that worked fine. That is okay, isn't it?

A. No. This is not okay. It means that your Samba-3 client has joined the ADS domain as a Windows NT4 client, and Samba-3 will not be using Kerberos-based authentication.

===change permissions of a file===
3.1.2. I'm logged in as Administrator - why can't I edit permissions or change ownership of a file on a domain-connected Samba share? [http://www.bluelightning.org/linux/samba_acl_howto/]

Under Linux and probably most Unixes, you can't change permissions on a file unless you are the current owner of the file or root, and you can't change ownership of a file unless you are root. So you will need to make yourself operate as root when you are logged in as Administrator. To do this, add the following line to the section in smb.conf for the share you are trying to administer:

admin users = DOMAINNAME\Administrator

Currently, if you are using the winbind use default domain option then you will need to omit the domain name:

admin users = Administrator

==References==
*[http://www.freeos.com/articles/3842/ Samba NT Domain Controller]
*[http://www.justlinux.com/forum/archive/index.php/t-118512.html Using Winbind with Samba Domain Member Servers]

==Samba Configuration==
Inherit ACLs [http://www.linuxquestions.org/questions/linux-networking-3/winbindd-idmap-range-missing-error-356259/]:
inherit acls = yes

Include Configuration Files [http://www.linuxquestions.org/questions/linux-networking-3/winbindd-idmap-range-missing-error-356259/]:
include = /etc/samba/shares.conf

==Files==

===/etc/samba/smb.conf===
<pre>
# Your Workgroup or Domain that you want
# to login to
workgroup = OEEY

netbios name = STAGE

#realm = CORPORATE.OEEY.COM

# Tell Samba to talk to domain controller
# for authentication
security = domain

# Specify the server to get authenticate
# from. You can specify the
# NetBIOS # names of the servers or simply
# put in a "*" here to let
# Samba find the server through broadcast
password server = 10.161.101.8

#add user script = /usr/sbin/useradd -s /bin/false -m %u

# Make sure Samba is using encrypted
# passwords
encrypt passwords = yes

debuglevel = 2

#winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
#template homedir = /home/winnt/%D/%U
#template homedir = /dev/null
template homedir = /home/%D/%U
template shell = /bin/bash
# template primary group = "Domain Users"
winbind use default domain = yes
#winbind enum users = yes
#winbind enum groups = yes
#winbind cache time = 300
# no is default
#winbind nested groups = No

# DISABLE PRINTERS
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

nt acl support = yes
#acl map full control = yes
#dos filemode = yes

[homes]
read only = no
create mask = 0750
browseable = yes
guest ok = no
preserve case = yes

[files]
path = /test
comment = Test
read only = No
create mask = 0750
browseable = Yes
guest ok = no
preserve case = yes
#nt acl support = yes

[test]
path = /test
public = no
browsable = yes
read list = @"OEEY\domain users"
write list = @"OEEY\domain users"
create mask = 0777
directory mask = 0777
force create mode = 0777
force directory mode = 0777
directory security mask = 0777
admin users = DOMAINNAME\Administrator
force group = "OEEY\domain users"
</pre>

===/etc/nsswitch.conf===
...
#passwd: files
passwd: files winbind
shadow: files
#group: files
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns winbind
...

===/etc/pam.d/samba===
#%PAM-1.0
#auth required pam_nologin.so
#auth required pam_stack.so service=system-auth
#account required pam_stack.so service=system-auth
#session required pam_stack.so service=system-auth
#password required pam_stack.so service=system-auth

# USER WINBIND FOR AUTHENTICATION
auth sufficient /usr/lib/security/pam_winbind.so try_first_pass
account sufficient /usr/lib/security/pam_winbind.so try_first_pass
session sufficient /usr/lib/security/pam_winbind.so try_first_pass

===/etc/etc/krb5.conf===
<pre>
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CORPORATE.OEEY.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
OEEY = {
kdc = snowbird:88
admin_server = snowbird:749
default_domain = corporate.OEEY.com
}

[domain_realm]
.corporate.OEEY.com = CORPORATE.OEEY.COM
corporate.OEEY.com = CORPORATE.OEEY.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
</pre>

==To Read==

Samba PDC + ACL : default ACLs ignored on directory:
*http://lists.samba.org/archive/samba/2006-June/122252.html
*http://lists.samba.org/archive/samba-technical/2006-July/048430.html
*http://techxworld.com/community/blogs/features/archive/2007/05/21/acls-on-samba.aspx
*http://www.bsdzone.net/howto/Samba/Samba_ACL_Linux/
*http://marc.info/?l=samba&m=108669545304698&w=2
*http://gentoo-wiki.com/HOWTO_Implement_Samba_as_your_PDC
*http://searchenterpriselinux.techtarget.com/loginMembersOnly/1,289498,sid39_gci1080966,00.html?NextURL=http%3A//searchenterpriselinux.techtarget.com/tip/0%2C289483%2Csid39_gci1080966%2C00.html
*http://osdir.com/ml/org.user-groups.linux.gnhlug/2006-01/msg00293.html
*http://www.ibm.com/developerworks/library/l-samba/index.html
*http://help.lockergnome.com/linux/Domain-public-shares-ftopict489907.html

Fix a Vista to Mac failure to connect problem:
*http://www.macosxhints.com/article.php?story=20070405070132724
*http://lists.samba.org/archive/samba/2004-March/081772.html

[Samba] domain user map:
*http://lists.samba.org/archive/samba/2003-March/064122.html
*http://ckdake.com/projects/documentation/sambamysql
*http://www.zytrax.com/tech/howtos/samba.html
*http://mordor.clayton.edu/samba-tng/tng-pdc-trust.html
*http://ubuntuforums.org/archive/index.php/t-132025.html
*http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html
*http://marc.info/?l=samba&m=111539109116227&w=2

samba30b1 - net join responds failure - but machine accountwas created:
*http://www.mail-archive.com/samba@lists.samba.org/msg19061.html
*http://www.mail-archive.com/samba@lists.samba.org/msg37693.html
*http://lists.olug.org/pipermail/olug/2002-July/006052.html
*http://www.tek-tips.com/viewthread.cfm?qid=1049929&page=1
*http://www.experts-exchange.com/Networking/Linux_Networking/Q_20375677.html
*http://gentoo-wiki.com/HOWTO_Add_a_gentoo_server_to_a_windows_network
*http://readlist.com/lists/lists.samba.org/samba/1/7248.html
*http://www.nabble.com/Is-there-any-way-to-talk-to-a-preferred-PDC-IP-address--t4560185.html
*http://www.fedoraforum.org/forum/showthread.php?page=3&t=92804
*http://www.linuxquestions.org/questions/linux-networking-3/win2k-ad-server-because-of-very-tight-secuirty-i-cant-make-my-linux-box-join-domain-141701/
*http://www.webservertalk.com/archive217-2006-8-1626382.html
*http://threebit.net/mail-archive/samba/msg02379.html
*http://lists.zerezo.com/samba/msg21928.html

[Samba] create_canon_ace_lists: unable to map SID:
*http://lists.samba.org/archive/samba/2004-April/085007.html
*http://lists.samba.org/archive/samba-ntdom/2001-October/020105.html
*http://www.mail-archive.com/samba@lists.samba.org/msg35659.html
*http://www.mail-archive.com/samba@lists.samba.org/msg38419.html
*http://archives.devshed.com/forums/samba-120/create-canon-ace-lists-unable-to-map-sid-307806.html
*http://www.hostingforum.ca/240299-re-samba-relationship-between-2-pdc-samba-acl.html
*http://lists.slug.org.au/archives/slug/2004/08/msg00839.html
*http://lists.slug.org.au/archives/slug/2004/08/msg00828.html

[Samba] Cannot find KDC for requested realm:
*http://lists.samba.org/archive/samba/2005-August/109339.html
*http://lists.samba.org/archive/samba/2004-March/082074.html
*http://www.webservertalk.com/archive217-2004-4-202585.html
*http://www.webservertalk.com/message555089.html
*http://www.nabble.com/Cannot-find-KDC-for-requested-realm-t214937.html
*http://www.mail-archive.com/samba@lists.samba.org/msg26098.html
*http://www.mail-archive.com/samba@lists.samba.org/msg45564.html
*http://archives.devshed.com/forums/samba-120/problems-when-i-want-join-a-w2k-domain-140075.html
*http://www.redaht.com/archives/redhat-install-list/2004-November/msg00056.html
*http://www.linuxquestions.org/questions/linux-networking-3/samba-as-a-windows-2003-ads-member-231606/

Linux Extended Attributes and ACLs:
*http://acl.bestbits.at/
*http://www.vanemery.com/Linux/ACL/linux-acl.html
*http://www.uwsg.iu.edu/hypermail/linux/kernel/0310.0/1284.html
*http://www.uwsg.iu.edu/hypermail/linux/kernel/0402.0/1119.html
*http://lists.openwall.net/linux-ext4/2006/12/20/3
*http://lists.openwall.net/linux-ext4/2006/12/20/1
*http://osdir.com/ml/linux.vserver/2003-03/msg00000.html
*http://osdir.com/ml/file-systems.ext4/2006-12/msg00142.html
*http://lwn.net/Articles/69839/

ACLs on Samba:
*http://www.bsdzone.net/howto/Samba/Samba_ACL_Linux/
*http://techxworld.com/community/blogs/features/archive/2007/05/21/acls-on-samba.aspx
*http://docs.hp.com/en/B8725-90053/ch03s06.html
*http://searchenterpriselinux.techtarget.com/loginMembersOnly/1,289498,sid39_gci1080966,00.html?NextURL=http%3A//searchenterpriselinux.techtarget.com/tip/0%2C289483%2Csid39_gci1080966%2C00.html
*http://c.mills.ctru.auckland.ac.nz/Samba/XfsAclWinAuth.html
*http://home.subnet.at/~max/fs/xfs.php
*http://bugs.opensolaris.org/view_bug.do?bug_id=2149388
*http://oss.sgi.com/archives/xfs/2001-05/msg00804.html
*http://lists.freebsd.org/pipermail/posix1e/2001-April/000428.html
*http://lists.freebsd.org/pipermail/posix1e/2001-April/000427.html

Samba ACL Linux:
*http://www.bsdzone.net/howto/Samba/Samba_ACL_Linux/
*http://techxworld.com/community/blogs/features/archive/2007/05/21/acls-on-samba.aspx
*http://docs.hp.com/en/B8725-90053/ch03s06.html
*http://searchenterpriselinux.techtarget.com/loginMembersOnly/1,289498,sid39_gci1080966,00.html?NextURL=http%3A//searchenterpriselinux.techtarget.com/tip/0%2C289483%2Csid39_gci1080966%2C00.html
*http://c.mills.ctru.auckland.ac.nz/Samba/XfsAclWinAuth.html
*http://home.subnet.at/~max/fs/xfs.php
*http://www.faqs.org/docs/samba/ch08.html

Installing Fermi Kerberos on a Linux System: (all good articles)
http://www.fnal.gov/docs/strongauth/linuxinstall.html
http://weblog.bignerdranch.com/?p=6
http://www.linuxjournal.com/article/7336
http://www.net-security.org/advisory.php?id=7909
http://cryptnet.net/fdp/admin/kerby-infra/en/kerby-infra.html

Linux/Samba/Domain Member - Revision history

Kenneth at 00:58, 11 August 2014