SAMBA again

Aaron Grewell AGrewell
Fri Nov 18 12:16:44 PST 2005


> I am not really after anyone logging in in the sense they can run
> commands. I only want to authenticate user access to various shares the
> SAMBA server has. Using the authentication from the PDC.

> Your link is an example of incomplete or inconsistent docs (from my
> POV):
> 
> Is the user in the "kinit USERNAME@REALM" command the same user as the
> one in the later "net ads join -U Administrator%password" command? If
> not, who is the one in the kinit command? If he IS the admin, won't the
> first use of the name in the earlier kinit command mess up the later use
> in the 'net' command?

Here's what happens from the Kerb side: When you 'net ads join' a
computer account is created in the domain.  Your computer is now part of
the Kerberos realm, and can then authenticate users against the KDC (the
PDC in this case).  When you use kinit you're authenticating a normal
user to test the Kerberos authentication and make sure it's working at
all.  If it does, then Kerb isn't what's causing your problem.  If all
you want from this machine is for it to be a Samba server then there's
no need to worry about PAM, but I believe you'll still need Winbind in
order to resolve the users from AD.

> If an administrator account has already logged in and things did not
> work, nothing can be done until that admin's account is somehow reset.
> During testing this will happen many times. How does one reset the
> Admin's account to allow this virgin state? Can it be done from the
> Linux 'net' command? 

I'm not sure what you mean here.  If the administrative account is
getting locked out that usually means a failed password attempt.  If the
computer account is getting locked out that's something different.

> Keep in mind that through all this I have very limited access to the
> Windows server. Just what I can get the IT guy to do.
> 

Argh.  That's a pain.

