https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906829#M283902 I wrestled with this earlier this year and kept some notes on it, hopefully they help. Keep in mind that versions may have changed and your specific config may differ. Two of the main issues I had were trying to use recent version of non-HP Samba rather than the HP CIFS Server, and another pain was setting up Kerberos (the case sensitivity).<BR /><BR />Normally I remove any of our site specific info (domain name, etc) but I'm not in the mood.<BR /><BR />Geoff's thread was definitely a major reason I was successful though...so a long overdue thanks to Geoff for his thread.<BR /><BR /><BR />***from my notes***<BR /><BR />These are the steps that I needed to make to get CIFS to use ADS to authenticate users.<BR /><BR />Required Software:<BR />CIFS A.02.02 (released 1/06) or greater<BR />Kerberos v5 (1.3.5.03) Client<BR />(see Kerberos patch requirements, which include: PHNE_27796 and PHSS_33384)<BR />LDAP-UX Integration<BR /><BR />Steps (refer to- <A href="http://docs.hp.com/en/B8725-90093/ch05s01.html" target="_blank">http://docs.hp.com/en/B8725-90093/ch05s01.html</A> for HP version):<BR />- Install or verify installation of products listed above, Kerberos patches should be installed first.<BR />- Configure the /etc/krb5.conf file (the example below is from our test server), CASE SENSITIVE!<BR /><BR />root@dqvcord1 [ /etc ]<BR /># cat /etc/krb5.conf<BR />[libdefaults]<BR />default_realm = DENTAQUEST.COM<BR />default_tkt_enctypes = DES-CBC-CRC<BR />default_tgs_enctypes = DES-CBC-CRC<BR />ccache_type = 2<BR /><BR />[realms]<BR />DENTAQUEST.COM = {<BR />kdc = dqvdc03.dentaquest.com:88<BR />admin_server = dqvdc03.dentaquest.com<BR />}<BR /><BR />[domain_realm]<BR />dentaquest.com = DENTAQUEST.COM<BR />.dentaquest.com = DENTAQUEST.COM<BR /><BR />[logging]<BR />kdc = FILE:/var/adm/krb5kdc.log<BR />admin_server = FILE:/var/log/kadmin.log<BR />default = FILE:/var/log/krb5lib.log<BR /><BR /><BR />- As root run kinit and check Kerberos configuration<BR /># kinit jmallett or # kinit jmallett@DENTAQUEST.COM<BR /><YOU will="" be="" prompted="" for="" your="" windows="" password=""><BR /><BR />- Set up the /etc/opt/samba/smb.conf file manually (or run /opt/samba/bin/samba_setup<BR />Example:<BR /><BR /># Global parameters<BR />[global]<BR /> workgroup = DDPMA<BR /> realm = DENTAQUEST.COM<BR /> server string = DQVCORD1<BR /> security = ADS<BR /> client schannel = No<BR /> password server = dqvdc03, dqvdc02<BR /> log level = 2<BR /> log file = /var/opt/samba/log.%m<BR /> max log size = 10000<BR /> keepalive = 0<BR /> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<BR /> load printers = No<BR /> show add printer wizard = No<BR /> preferred master = No<BR /> local master = No<BR /> domain master = No<BR /> wins server = dqvdc02<BR /><BR />root@dqvcord1 [ /etc ]<BR /># cat /etc/opt/samba/smb.conf<BR /># Samba config file created using SWAT<BR /># from 10.10.1.43 (10.10.1.43)<BR /># Date: 2006/02/01 20:41:56<BR /><BR /># Global parameters<BR />[global]<BR /> workgroup = DDPMA<BR /> realm = DENTAQUEST.COM<BR /> server string = DQVCORD1<BR /> security = ADS<BR /> client schannel = No<BR /> password server = dqvdc03, dqvdc02<BR /> log level = 2<BR /> log file = /var/opt/samba/log.%m<BR /> max log size = 10000<BR /> keepalive = 0<BR /> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<BR /> load printers = No<BR /> show add printer wizard = No<BR /> preferred master = No<BR /> local master = No<BR /> domain master = No<BR /> wins server = dqvdc02<BR /> idmap uid = 10000-30000<BR /> idmap gid = 10000-30000<BR /> template primary group = users<BR /> winbind separator = +<BR /> winbind enum users = No<BR /> winbind enum groups = No<BR /> read only = No<BR /> create mask = 0664<BR /> force create mode = 0664<BR /> directory mask = 0775<BR /> short preserve case = No<BR /> dos filetime resolution = Yes<BR /><BR />[Test]<BR /> path = /testing<BR /> valid users = DDPMA+jmallett<BR /><BR />[ECSPROD]<BR /> path = /download/ecsprod<BR /> valid users = DDPMA+ecsprod, DDPMA+jmallett<BR /><BR />[AP]<BR /> path = /download/AP<BR /> valid users = DDPMA+jmallett, DDPMA+unixadmin<BR /> read only = Yes<BR /><BR /><BR />- Join the ADS domain manually by running:<BR /># net ads join -U <ADMINISTRATOR_ACCT> or # net ads join -U administrator%password (use first to be prompted rather than typing pass in command line)<BR /><BR />- Depending on if you receive errors or not, you may want to update your /etc/nsswitch.conf file to include the following two lines:<BR />passwd: files winbind<BR />group: files winbind<BR /><BR />- Start Samba (multiple ways, but I use): /sbin/init.d/samba start<BR />You can 'ps -ef | grep samba' to be sure smdb, nmdb, and winbindd are running.<BR /><BR />If nothing else, this might provide some direction. Good luck.<BR /><BR />Jim</ADMINISTRATOR_ACCT></YOU> Fri, 01 Dec 2006 19:46:20 GMT Jim Mallett 2006-12-01T19:46:20Z https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906827#M283900 Can someone point me in to a Step-By-Step procedure on how to configure Samba to use AD authentication.<BR /> Fri, 01 Dec 2006 15:32:39 GMT https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906827#M283900 Kevin McNamara_1 2006-12-01T15:32:39Z https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906828#M283901 Certainly - look at my thread:<BR /><BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=949365</A><BR /><BR />Rgds...Geoff Fri, 01 Dec 2006 16:14:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906828#M283901 Geoff Wild 2006-12-01T16:14:47Z https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906829#M283902 I wrestled with this earlier this year and kept some notes on it, hopefully they help. Keep in mind that versions may have changed and your specific config may differ. Two of the main issues I had were trying to use recent version of non-HP Samba rather than the HP CIFS Server, and another pain was setting up Kerberos (the case sensitivity).<BR /><BR />Normally I remove any of our site specific info (domain name, etc) but I'm not in the mood.<BR /><BR />Geoff's thread was definitely a major reason I was successful though...so a long overdue thanks to Geoff for his thread.<BR /><BR /><BR />***from my notes***<BR /><BR />These are the steps that I needed to make to get CIFS to use ADS to authenticate users.<BR /><BR />Required Software:<BR />CIFS A.02.02 (released 1/06) or greater<BR />Kerberos v5 (1.3.5.03) Client<BR />(see Kerberos patch requirements, which include: PHNE_27796 and PHSS_33384)<BR />LDAP-UX Integration<BR /><BR />Steps (refer to- <A href="http://docs.hp.com/en/B8725-90093/ch05s01.html" target="_blank">http://docs.hp.com/en/B8725-90093/ch05s01.html</A> for HP version):<BR />- Install or verify installation of products listed above, Kerberos patches should be installed first.<BR />- Configure the /etc/krb5.conf file (the example below is from our test server), CASE SENSITIVE!<BR /><BR />root@dqvcord1 [ /etc ]<BR /># cat /etc/krb5.conf<BR />[libdefaults]<BR />default_realm = DENTAQUEST.COM<BR />default_tkt_enctypes = DES-CBC-CRC<BR />default_tgs_enctypes = DES-CBC-CRC<BR />ccache_type = 2<BR /><BR />[realms]<BR />DENTAQUEST.COM = {<BR />kdc = dqvdc03.dentaquest.com:88<BR />admin_server = dqvdc03.dentaquest.com<BR />}<BR /><BR />[domain_realm]<BR />dentaquest.com = DENTAQUEST.COM<BR />.dentaquest.com = DENTAQUEST.COM<BR /><BR />[logging]<BR />kdc = FILE:/var/adm/krb5kdc.log<BR />admin_server = FILE:/var/log/kadmin.log<BR />default = FILE:/var/log/krb5lib.log<BR /><BR /><BR />- As root run kinit and check Kerberos configuration<BR /># kinit jmallett or # kinit jmallett@DENTAQUEST.COM<BR /><YOU will="" be="" prompted="" for="" your="" windows="" password=""><BR /><BR />- Set up the /etc/opt/samba/smb.conf file manually (or run /opt/samba/bin/samba_setup<BR />Example:<BR /><BR /># Global parameters<BR />[global]<BR /> workgroup = DDPMA<BR /> realm = DENTAQUEST.COM<BR /> server string = DQVCORD1<BR /> security = ADS<BR /> client schannel = No<BR /> password server = dqvdc03, dqvdc02<BR /> log level = 2<BR /> log file = /var/opt/samba/log.%m<BR /> max log size = 10000<BR /> keepalive = 0<BR /> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<BR /> load printers = No<BR /> show add printer wizard = No<BR /> preferred master = No<BR /> local master = No<BR /> domain master = No<BR /> wins server = dqvdc02<BR /><BR />root@dqvcord1 [ /etc ]<BR /># cat /etc/opt/samba/smb.conf<BR /># Samba config file created using SWAT<BR /># from 10.10.1.43 (10.10.1.43)<BR /># Date: 2006/02/01 20:41:56<BR /><BR /># Global parameters<BR />[global]<BR /> workgroup = DDPMA<BR /> realm = DENTAQUEST.COM<BR /> server string = DQVCORD1<BR /> security = ADS<BR /> client schannel = No<BR /> password server = dqvdc03, dqvdc02<BR /> log level = 2<BR /> log file = /var/opt/samba/log.%m<BR /> max log size = 10000<BR /> keepalive = 0<BR /> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<BR /> load printers = No<BR /> show add printer wizard = No<BR /> preferred master = No<BR /> local master = No<BR /> domain master = No<BR /> wins server = dqvdc02<BR /> idmap uid = 10000-30000<BR /> idmap gid = 10000-30000<BR /> template primary group = users<BR /> winbind separator = +<BR /> winbind enum users = No<BR /> winbind enum groups = No<BR /> read only = No<BR /> create mask = 0664<BR /> force create mode = 0664<BR /> directory mask = 0775<BR /> short preserve case = No<BR /> dos filetime resolution = Yes<BR /><BR />[Test]<BR /> path = /testing<BR /> valid users = DDPMA+jmallett<BR /><BR />[ECSPROD]<BR /> path = /download/ecsprod<BR /> valid users = DDPMA+ecsprod, DDPMA+jmallett<BR /><BR />[AP]<BR /> path = /download/AP<BR /> valid users = DDPMA+jmallett, DDPMA+unixadmin<BR /> read only = Yes<BR /><BR /><BR />- Join the ADS domain manually by running:<BR /># net ads join -U <ADMINISTRATOR_ACCT> or # net ads join -U administrator%password (use first to be prompted rather than typing pass in command line)<BR /><BR />- Depending on if you receive errors or not, you may want to update your /etc/nsswitch.conf file to include the following two lines:<BR />passwd: files winbind<BR />group: files winbind<BR /><BR />- Start Samba (multiple ways, but I use): /sbin/init.d/samba start<BR />You can 'ps -ef | grep samba' to be sure smdb, nmdb, and winbindd are running.<BR /><BR />If nothing else, this might provide some direction. Good luck.<BR /><BR />Jim</ADMINISTRATOR_ACCT></YOU> Fri, 01 Dec 2006 19:46:20 GMT https://community.hpe.com/t5/operating-system-hp-ux/samba-install-with-ad-authentication/m-p/3906829#M283902 Jim Mallett 2006-12-01T19:46:20Z