I'm working in a mixed Windows/Linux environment with about 50 machines.
I successfully set up a Samba PDC backed by OpenLDAP, hooked postfix, dovecot etc. into it and all is gravy. Machines join the Samba domain, people log in, all is well.
So now all that was left to do was the "simple" task of sharing some directories on the server and locking them down to certain user groups.
To complicate things a little, I didn't want to handle the shares on the PDC; instead I have another server that has the shares on it.
So after reading lots of info on samba.org and other places I set samba to security = domain on the fileserver, joined the domain and all seemed ok until I tried to access the shares.
I can see the shares themselves but I get prompted for passwords and then access denied.
Testing with smbclient I get the same denied errors.
Finally (not sure if this is related), running getent on the file server returns none of my LDAP users, but on the PDC it returns them as expected.
If I set the shares to guest ok = yes, I can do what I need to do, but it's not secure in any sense.
What am I missing?
Is security = domain correct for a pure Samba domain or does it only work with Windows domains?
Should I just give up and mount the shares via NFS on the PDC? I'm not sure what impact this has network traffic wise.
I've read a bit about using nss to authenticate directly with OpenLDAP but can't find a decent starting point. Does anyone know of a good tutorial?
Here's my samba config:
```ini
[global]
workgroup = MYDOMAIN
server string = %h server (Samba, Ubuntu)
security = DOMAIN
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
logon script = logon.bat
logon drive = Z:
logon home = \\FILESERVER\user$\%U
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

; share name was not included in the post; placeholder section header
[SHARE_NAME]
comment = Technical Users
path = /data/Technical
read list = @uk-technical
write list = @uk-technical
read only = No
directory mask = 0775
```
Any hints would be appreciated.
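Added here as a worked diagnostic, not part of the original post or of Samba itself: a POSIX shell check that pulls every @group out of a share definition and confirms the member server can resolve it through NSS, since Samba matches read list / write list groups with the same lookup getent performs. The share fragment is constructed from the post's config; the extra @uk-admins group is invented so one lookup fails.

```shell
#!/bin/sh
# Added example, not from the original post: on a Samba domain member, each
# "@group" named in "read list" / "write list" is resolved through NSS (the same
# lookup getent uses). If the file server cannot resolve the group, no domain
# user can match it and the share is denied, while "guest ok = yes" hides the
# problem by skipping user mapping altogether.

# Constructed smb.conf share fragment modelled on the one in the post
# (the second group is invented to show a failing lookup).
SMB_CONF_SAMPLE='[technical]
comment = Technical Users
path = /data/Technical
read list = @uk-technical
write list = @uk-technical, @uk-admins
read only = No'

# Print the distinct group names (the part after "@") used in read/write lists.
list_share_groups() {
    printf '%s\n' "$1" \
        | sed -n -e 's/^[[:space:]]*read list[[:space:]]*=//p' \
                 -e 's/^[[:space:]]*write list[[:space:]]*=//p' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*@\([^[:space:]]*\).*/\1/p' \
        | sort -u
}

# Resolve one group the way Samba does on this host: through NSS via getent.
# Redefine this function to exercise the logic without a live directory.
resolve_group() {
    getent group "$1" >/dev/null 2>&1
}

# Report each group NSS cannot resolve; return 1 if any is missing.
check_share_groups() {
    missing=0
    for g in $(list_share_groups "$1"); do
        if ! resolve_group "$g"; then
            echo "unresolvable group: @$g (check nsswitch.conf group sources: winbind or ldap)"
            missing=1
        fi
    done
    return $missing
}

# Run on the member server; a clean run means every share group resolves.
check_share_groups "$SMB_CONF_SAMPLE" && echo "all share groups resolve via NSS"
```

Pointing it at the real smb.conf (`check_share_groups "$(cat /etc/samba/smb.conf)"`) lists exactly the groups that getent cannot see on that host.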