Samba MS LDAP authentication

At the moment I am configuring a test environment with 1 Microsoft Active Directory server and 1 openSUSE 11 Samba file-sharing server, but I have an issue. The Samba server is added to the domain and the servers can communicate with each other. I can log in to the domain on the Samba server, and the LDAP settings tab in the YaST2 Samba configuration tool tells me that Samba and the MS LDAP server can communicate with each other. I can see the shares on the Samba server, but I can't authenticate myself. When I want to log on, I always see "domain: domainname.local" and "access denied". My question now is: how can I give the MS Administrator account rights to view the shares and configure the rights for the other users?

Samba config file

[global]
        workgroup = WIN-FVJBNQIJE9O@WOENSDRECHT.LOCAL
        passdb backend = ldapsam:ldap://win-fvjbnqije9o.woensdrecht.local
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes
        add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
        domain logons = Yes
        domain master = Yes
        security = user
        realm = WOENSDRECHT.LOCAL
        wins support = Yes
        ldap admin dn = Administrator
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = Yes
        ldap suffix = dc=woensdrecht,dc=local
        ldap user suffix = ou=Users
        usershare max shares = 100
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind refresh tickets = yes
        idmap backend = ldap:ldap://win-fvjbnqije9o.woensdrecht.local
        local master = Yes
        os level = 65
        preferred master = Yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root

[Files]
        comment = Employee files
        inherit acls = Yes
        path = /winshares/files
        read only = No
        admin users = root Administrator
        writable = Yes
        write list = Administrator

I don't know a whole lot about MS Active Directory and LDAP, so I don't really know what you can do as the MS administrator in your situation, but for adding Samba users the only way I know of is to use the smbpasswd command as root, like this:

smbpasswd -a [username]

It then asks you to enter and confirm a password for the user. After adding your users, still as root, run the command service smb reload.

I think that to give the Windows administrator rights to control aspects of Samba, the MS administrator would need to have an account on the Linux box and be given access to commands like smbpasswd and smb using sudo, and to view shares you would run smbpasswd -a for the MS administrator.

There might be 'better' ways to do it in the setup you have, but as I said I don't really know much about MS Active Directory, so someone more knowledgeable on the subject could probably confirm (or not) whether this is the case for you.

I'm not all that clear on where the user/password info is being handled, as you say you're using Active Directory but also a 'Samba domain'. You have Samba set up as the primary domain controller [PDC] and handling domain logons, and I'm not sure where Active Directory fits into that scenario; I wouldn't expect Samba to be the PDC when using Active Directory.

The more I think about it, the more I think that setting Samba to not be the PDC and changing smb.conf to say security = ADS instead of security = user would be a good place to start. I also believe the preferred master setting should be 'no'; you have it set to 'yes'.

It may be worth checking out the Samba and Active Directory wiki found here: https://wiki.samba.org/index.php/Samba_&_Active_Directory
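Taking the reply's suggestions together (domain member rather than PDC, security = ads, preferred master = no), this is what a minimal smb.conf for a Samba 3.x server that is a member of an AD domain looks like. It is an added example, not the poster's configuration or the reply's wording. It assumes the NetBIOS (short) name of the WOENSDRECHT.LOCAL domain is WOENSDRECHT, that the Samba version is the 3.x series shipped with openSUSE 11 (the idmap syntax differs in Samba 4), reuses the poster's idmap range, and keeps only the [Files] share. The PDC-only settings in the original (domain logons, logon path/home/drive, add machine script, the ldapsam passdb backend and the ldap * settings) are dropped because a member server gets its accounts from the DC.

```ini
# smb.conf for a Samba 3.x server that is a MEMBER of an AD domain.
# Added example; the NetBIOS domain name WOENSDRECHT is an assumption.
[global]
        # The short (NetBIOS) domain name, not a hostname or host@realm
        workgroup = WOENSDRECHT
        realm = WOENSDRECHT.LOCAL
        # Authenticate users against the DCs with Kerberos; the DC owns the
        # accounts, so no passdb backend / ldap admin dn is needed here
        security = ads
        # A member server never serves domain logons or competes for master roles
        domain logons = No
        domain master = No
        preferred master = No
        local master = No
        # Map AD SIDs to local uids/gids via winbind; the tdb backend allocates
        # ids from this range locally and needs no ou=Idmap in AD
        idmap backend = tdb
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        # Let users log on as "Administrator" instead of "WOENSDRECHT\Administrator"
        winbind use default domain = Yes
        # Enumeration is convenient in a small test domain; disable it on large ones
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind refresh tickets = Yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        # Never silently turn an unknown username into a guest on a file server
        map to guest = Never

[Files]
        comment = Employee files
        path = /winshares/files
        read only = No
        inherit acls = Yes
        # Domain groups become usable once winbind resolves them
        valid users = @"WOENSDRECHT\Domain Users"
        # admin users act as root on this share: keep the list as short as possible
        admin users = "WOENSDRECHT\Administrator"
```

With this in place the server is joined with net ads join -U Administrator, winbind is started (rcwinbind start on openSUSE) and winbind is added to the passwd and group lines of /etc/nsswitch.conf. Useful checks are testparm (syntax), wbinfo -t (the machine account trust), wbinfo -u / getent passwd (AD users resolve to uids) and smbclient -L localhost -U Administrator (the share list is visible with domain credentials). Two caveats: admin users bypasses all file-system permissions on that share, so it should not be used as a general "give the admin access" switch when an ACL on /winshares/files would do, and the original config's map to guest = Bad User would let a mistyped domain username fall through to guest access on any share with guest ok.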