Since I am chiming in three days late I suppose I should ask: have you got it working yet? I can tell you how I do it and why.

0) I use Red Hat derivatives (FC5, FC6, RHEL4, and CentOS4) because they do this much more easily for me than any other flavor.

1) I do join my nix boxes to the AD because I want single sign-on and have a need for basic user/group permission sets. However, if you want read or write to the world, or if you don't mind managing multiple authentication schemes, or if you get your AD to be subservient to your nix boxes, then you do not need to do this.

   a. I use straight-up Kerberos, and the account you use to proxy the tickets must have administrative rights, or you must set up an account with access to authenticate to and read all accounts in the AD node in question. I personally use the default Admin account because I deal with the Windows SBS server and it is just too funky to mess with. Also, as we all know, I am incredibly cavalier.

   b. You must change the password of the account on the Windows server at least once or else AD will not issue you a ticket via krb. It is a security "feature" that is only reasonably well documented by MS.

   c. I use winbind to get all of my user and group listings from Windows. I have seen it work with LDAP, but never where an AD server was not the primary LDAP server. Even then you have to have pretty open trust relationships pushed through the forest or else it chokes up on you. This is just my experience; your mileage may vary.

   d. If you are using winbind and samba, do not use any of the GUIs to join the server to the domain (I am sure this is not a problem for you ;) as you must issue a clean ADS join command or else it will join like some legacy Win98 system and your domain permissions will not work correctly.

2) Once you join correctly there is a matter of permissions. I use standard out-of-the-box ACLs as I don't need much more than standard RWX; the 169 different permission combinations available to each user/group for every file/folder in Windows is just overkill for my small business. However, I do need the ability for someone to have permission to /some/folder/that/lives/here/example.mpg without having permission to anything else in /some/.

   a. Mount the partition with ACL support.
   b. Set ACLs on the files.
   c. Realize you just get RWX.
   d. Understand that you must trust your krb and acl, and not smb, to handle permissions.
   e. Know that RWX gives the Windows user the right to give anyone else in your domain RWX.
   f. Mount smb shares and browse to them from Windows Network Neighborhood.

And yes, I let my users handle their own permission settings from Windows. If someone is making six figures and is in charge of an entire department, it is not my job to babysit what permissions they give their people in their folders.

-----Original Message-----
From: plug-discuss-bounces@lists.plug.phoenix.az.us [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Jeremy C. Reed
Sent: Wednesday, April 18, 2007 6:28 AM
To: Main PLUG discussion list
Subject: Re: samba help

> I'm trying to advertise shares from a RHEL3 box to an m$ domain.
>
> I gather one must first get the box to join the domain. The account that
> joins the domain has to have administrator rights?
>
> I have been given a userid and password for the domain, but they're not
> working.
>
>
> $ smbclient -L $pdcname -U $username
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE

What type of Microsoft server?

Maybe in your smb.conf use:

client ntlmv2 auth = yes

Check your smb.conf(5) man page about what that breaks too.

Or make changes on your Windows system for LMCompatibility. See
http://www.microsoft.com/technet/community/columns/profwin/pw0203.mspx
or
http://support.microsoft.com/default.aspx?scid=KB;en-us;239869

Jeremy C. Reed
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
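The smb.conf change Jeremy suggests above, turned into a small client-side audit. This is an added example, not code from the thread: it parses a constructed smb.conf the way Samba reads it (key case and spaces ignored, lines starting with # or ; ignored) and reports whether `client ntlmv2 auth` is on, whether the weaker `client lanman auth` is still enabled, and whether `security = ads` is set for an AD join; the latter two are real Samba parameters that the thread itself does not mention.

```python
"""Audit the client-side NTLM/AD settings in an smb.conf (constructed example)."""
import re

# Constructed sample configs: the weak one and the corrected one.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.LOCAL
   client lanman auth = yes
"""

FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.LOCAL
   client ntlmv2 auth = yes
   client lanman auth = no
"""


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}; Samba ignores key case/spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = val.strip()
    return sections


def is_true(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_client_auth(text):
    """Return a list of findings for the [global] client auth settings."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if not is_true(g.get("clientntlmv2auth")):
        findings.append("client ntlmv2 auth is not 'yes': set it explicitly")
    if is_true(g.get("clientlanmanauth")):
        findings.append("client lanman auth = yes: LM responses are trivially weak")
    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads': the AD/Kerberos join will not be used")
    return findings
```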