Solaris 10 Sparc ActiveDirectory integration with Samba 3.0.23 from blastwave

This is how to integrate the blastwave-provided samba 3.0.23 with a Windows 2003 Active Directory Primary Domain Controller, using kerberos, ldap, nss, samba and winbind.
This gets you to the stage where you can access your samba shares without a password when you are logged in as a user authorized to access them. It does not let you log in to your solaris server (ssh, telnet) with an ActiveDirectory user and password.
First, set your pkg-get repo by editing /opt/csw/etc/pkg-get.conf:
url=http://ibiblio.org/pub/packages/solaris/csw/unstable
Now, we must get these pkgs:
CSWkrb5user, CSWkrb5libdev, CSWsamba, CSWsambaclient, CSWsambacommon, CSWsambalib, CSWsambalibdev, CSWsambawb
We do so by issuing:
# pkg-get -i krb5_user krb5_lib_dev samba samba_client samba_common samba_lib samba_libdev samba_wb
Several dependencies will be installed automagically:
CSWsasl, CSWoldaprt, CSWlibpopt, CSWlibnet, CSWlibcups, CSWkrb5lib, CSWiconv, CSWgettext,
CSWfam, CSWcommon
After getting all packages make sure you have samba 3.0.23 by issuing:
# pkginfo -l CSWsambalibdev CSWsamba CSWsambalib CSWsambacommon CSWsambaclient | grep VERSION
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
VERSION: 3.0.23,REV=2006.08.09b
It is very important that all versions above are equal and that you have 3.0.23.
We can now configure. We start with kerberos at /etc/krb5.conf, and make an exact copy at /opt/csw/etc/krb5.conf:
[libdefaults]
clockskew = 300
default_realm = AWW.COM
[realms]
AWW.COM = {
kdc = fwa-dc01.aww.com
default_domain = AWW
kpasswd_server = fwa-dc01.aww.com
}
[domain_realm]
.AWW = AWW.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
We now configure samba; the config file is at /opt/csw/etc/samba/smb.conf:
[global]
realm = AWW.COM
workgroup = AWW
password server = fwa-dc01.aww.com
security = ADS
encrypt passwords = yes
map to guest = never
client use spnego = yes
idmap uid = 10000-60000
winbind gid = 10000-60000
winbind use default domain = yes
netbios name = netra
loglevel = 10
interfaces = 172.16.1.38
bind interfaces only = yes
[200gb]
comment = 200gb disk
path = /200gb
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
[htdocs]
comment = Apache htdocs
path = /usr/local/apache2/htdocs
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
Our Windows 2003 ActiveDirectory PDC is called fwa-dc01. Our Solaris 10 server is called "netra" and its FQDN is "netra.aww.com", so we need to add that to /etc/hosts. Please make sure the FQDN appears FIRST!!!
172.16.1.38 netra.aww.com netra loghost
172.16.1.55 fwa-dc01.aww.com fwa-dc01
We don’t need to edit /etc/resolv.conf to add any particular dns settings.
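The three preconditions stressed above (every samba package at the same 3.0.23 version, two identical krb5.conf copies, the FQDN first in /etc/hosts) can be checked before attempting the join. This is an added example, not part of the original write-up; the function names are hypothetical, and preflight uses this page's paths, address and hostname.

```sh
#!/usr/bin/env bash
# Added example: pre-join checks for the three conditions stressed above.
# Function names are hypothetical. Written for bash (the shell in this
# page's prompts), not the old Solaris /bin/sh.

# hosts_fqdn_first FILE IP FQDN
# True only if the first entry for IP in FILE lists FQDN as its first name.
hosts_fqdn_first() {
    while read -r addr name rest; do
        case $addr in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$addr" = "$2" ]; then
            [ "$name" = "$3" ]
            return                                 # status of the test above
        fi
    done < "$1"
    return 1                                       # no entry for IP at all
}

# krb5_copies_match FILE_A FILE_B
# True only if both krb5.conf copies are byte-for-byte identical.
krb5_copies_match() {
    cmp -s "$1" "$2"
}

# versions_consistent WANT
# Reads "VERSION: ..." lines (pkginfo -l ... | grep VERSION) on stdin.
# True only if there is at least one line, every line is identical,
# and the version part before ",REV=" equals WANT.
versions_consistent() {
    seen=0
    ref=
    while read -r label ver; do
        [ "$label" = "VERSION:" ] || continue
        case $ver in "$1",*) ;; *) return 1 ;; esac
        if [ "$seen" -eq 0 ]; then ref=$ver; fi
        [ "$ver" = "$ref" ] || return 1
        seen=$((seen + 1))
    done
    [ "$seen" -gt 0 ]
}

# preflight: wire the checks to this page's paths and values.
preflight() {
    rc=0
    hosts_fqdn_first /etc/hosts 172.16.1.38 netra.aww.com ||
        { echo "FAIL: FQDN is not the first name in /etc/hosts"; rc=1; }
    krb5_copies_match /etc/krb5.conf /opt/csw/etc/krb5.conf ||
        { echo "FAIL: krb5.conf copies differ"; rc=1; }
    pkginfo -l CSWsambalibdev CSWsamba CSWsambalib CSWsambacommon CSWsambaclient |
        grep VERSION | versions_consistent 3.0.23 ||
        { echo "FAIL: samba package versions differ or are not 3.0.23"; rc=1; }
    return $rc
}
```

Source the file and call preflight as root on the Solaris host; it returns non-zero and names each failed check.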
We need to add winbind to /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
We need to get libgroups in order for winbind to work; check http://www.blastwave.org/~fredrik/, and get
http://www.blastwave.org/~fredrik/libgroups.SPARC.so
I placed that at /usr/lib/libgroups.SPARC.so and, as stated at that url, added a line to the top of /etc/init.d/cswsamba with:
LD_PRELOAD=/usr/lib/libgroups.SPARC.so
Now we can join samba to the AD PDC and start rolling!
If not already there, set /opt/csw/* in the PATH
# export PATH=$PATH:/opt/csw/sbin:/opt/csw/bin
Kill any already running samba:
# pkill winbindd
# pkill smbd
# pkill nmbd
# /etc/init.d/cswsamba stop
Destroy any kerberos ticket we might have:
# /opt/csw/bin/kdestroy
Test ticket creation against the AD PDC; this will test whether your /etc/krb5.conf and /opt/csw/etc/krb5.conf are ok:
# /opt/csw/bin/kinit Administrator@AWW.COM
Password for Administrator@AWW.COM:
Delete any previous instance of our server in the AD
# /opt/csw/bin/net ads leave -U Administrator
Administrator's password:
Join our samba server to the AD
# /opt/csw/bin/net ads join -U Administrator
Administrator's password:
Using short domain name -- AWW
Joined 'NETRA' to realm 'AWW.COM'
Start all samba daemons
# /etc/init.d/cswsamba start
Now test if all is ok:
Display samba status:
bash-3.00# /opt/csw/bin/smbclient -L netra -U%
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.23b]
        Sharename       Type      Comment
        ---------       ----      -------
        200gb           Disk      200gb disk
        htdocs          Disk      Apache htdocs
        IPC$            IPC       IPC Service (Samba 3.0.23b)
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.23b]

        Server               Comment
        ---------            -------
        NETRA                Samba 3.0.23b

        Workgroup            Master
        ---------            -------
        AWW
Check for domains we belong to. This is very important!!! Our domain (AWW) must be there!
bash-3.00# wbinfo -m
AWW
Check for users in the domain:
bash-3.00# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
bmahock
tpsmith
quser
Check for groups in the domain:
bash-3.00# wbinfo -g
BUILTINadministrators
BUILTINDomain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy
Get information for a user. This tests that you configured /etc/nsswitch.conf correctly with winbind, and that it is using /lib/libnss_winbind.so:
bash-3.00# getent passwd "bmahock"
bmahock:*:10004:10002:Brian Mahocker:/home/AWW/bmahock:/bin/false
Now test if you did really join through ActiveDirectory, using “net ads” queries:
bash-3.00# net ads testjoin
Join is OK
bash-3.00# net ads info
LDAP server: 172.16.1.55
LDAP server name: fwa-dc01.aww.com
Realm: AWW.COM
Bind Path: dc=AWW,dc=COM
LDAP port: 389
Server time: Sat, 02 Feb 2008 11:13:52 CST
KDC server: 172.16.1.55
Server time offset: 76
Now get all ActiveDirectory properties for your computer:
bash-3.00# net ads status
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: netra
distinguishedName: CN=netra,CN=Computers,DC=aww,DC=com
instanceType: 4
whenCreated: 20080202171033.0Z
whenChanged: 20080202171208.0Z
uSNCreated: 45102
uSNChanged: 45137
name: netra
objectGUID: bea32ea2-8208-4119-9d4c-87186a3866c4
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 128464460293750000
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid: S-1-5-21-875145104-1252384033-126309636-1125
accountExpires: 9223372036854775807
logonCount: 13
sAMAccountName: netra$
sAMAccountType: 805306369
dNSHostName: netra.aww.com
servicePrincipalName: HOST/netra.aww.com
servicePrincipalName: HOST/NETRA
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=aww,DC=com
isCriticalSystemObject: FALSE
If all these tests are ok, your samba is joined correctly to the AD domain.
Slackware 12 Samba 3.0.28 bound to Windows 2003 Active Directory
This is how to get a Slackware 12 box bound to a Windows 2003 Active Directory, using AD (kerberos/ldap).
First, you need a Windows 2003 server with Active Directory enabled. I assume you know how to do that part; in my case this one is called fwa-dc01.
172.16.1.55 fwa-dc01 fwa-dc01.aww.com
Now with our slackware 12… This one is called “kraftek”
172.16.1.50 kraftek kraftek.aww.com
We will use all slack12 included packages except samba, so please make sure these pkgs are at
/var/log/packages:
krb5-1.6.1-i686-2dl
cyrus-sasl-2.1.22-i486-1
openldap-client-2.3.36-i686-1dl
openssl-0.9.8e-i486-3
openssl-solibs-0.9.8e-i486-3
db42-4.2.52-i486-3
db44-4.4.20-i486-2
Then we should get the latest samba sources; we need to build SAMBA, since the samba included with slackware 12 does not support ActiveDirectory. The release I got is samba 3.0.28, from
http://us4.samba.org/samba/ftp/stable/samba-3.0.28.tar.gz
After uncompressing, it all fell into /builds/samba-3.0.28, so I did:
# cd /builds/samba-3.0.28/source
# ./configure --with-ads --with-winbind --with-smbmount --prefix=/usr/samba_ad --with-pam
# make && make install
This builds it all and places samba at /usr/samba_ad
We also need to install the nss helpers to our system default directories:
# cp /builds/samba-3.0.28/source/nsswitch/libnss_winbind.so /lib
# cp /builds/samba-3.0.28/source/nsswitch/libnss_wins.so /lib
# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# ln -s /lib/libnss_wins.so /lib/libnss_wins.so.2
Then, we need to configure Kerberos ;). I placed this in /etc/krb5.conf:
[libdefaults]
clockskew = 300
default_realm = AWW.COM
[realms]
AWW.COM = {
kdc = fwa-dc01.aww.com
default_domain = AWW
kpasswd_server = fwa-dc01.aww.com
}
[domain_realm]
.AWW = AWW.COM
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
Of course we need to edit /etc/hosts and add our Active Directory PDC there, and our server name with a FQDN, both belonging to aww.com (our AD domain):
172.16.1.55 fwa-dc01 fwa-dc01.aww.com
172.16.1.50 kraftek kraftek.aww.com
We do not really need to do much at /etc/resolv.conf, we don’t need DNS lookups to AD here.
We need to modify /etc/nsswitch.conf, and add “winbind” as an option to passwd and group:
passwd: files compat winbind
group: files compat winbind
Notice that for this to work you REALLY have to have /lib/libnss_winbind.so in place!!!
Now we configure SAMBA, the SAMBA we compiled looks for its smb.conf at /usr/samba_ad/lib/smb.conf, so
that’s where we place it, and it has:
[global]
realm = AWW.COM
workgroup = AWW
password server = fwa-dc01.aww.com
security = ADS
encrypt passwords = yes
map to guest = never
client use spnego = yes
idmap uid = 10000-60000
winbind gid = 10000-60000
winbind use default domain = yes
netbios name = kraftek
loglevel = 10
interfaces = 172.16.1.50
bind interfaces only = yes
[200gb]
comment = 200gb disk
path = /200gb
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
[htdocs]
comment = Apache htdocs
path = /usr/local/apache2/htdocs
read only = no
public = yes
browseable = yes
writeable = yes
create mode = 644
valid users = AWW\bmahock
Good. Notice we're using security=ADS, we specify the realm and workgroup, and our windows 2003 server is fwa-dc01.aww.com, just as in /etc/hosts.
Now it is time to make the machinery move!!!!!!!
Get our PATH set up to use our samba
# export PATH=$PATH:/usr/samba_ad/sbin:/usr/samba_ad/bin
Kill any existing samba
# pkill winbindd
# pkill smbd
# pkill nmbd
Destroy all kerberos tickets we have
# kdestroy
Get a kerberos ticket from our windows 2003 PDC, this reads /etc/krb5.conf
# kinit Administrator@AWW.COM
Password for Administrator@AWW.COM:
Join our windows 2003 AD domain
# /usr/samba_ad/bin/net ads join -U Administrator
Administrator's password:
Using short domain name -- AWW
Joined 'KRAFTEK' to realm 'AWW.COM'
Start our samba daemons
# /usr/samba_ad/sbin/winbindd -B
# /usr/samba_ad/sbin/smbd -D
# /usr/samba_ad/sbin/nmbd -D
Test our config
# /usr/samba_ad/bin/smbclient -L kraftek -U%
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.28]
        Sharename       Type      Comment
        ---------       ----      -------
        200gb           Disk      200gb disk
        htdocs          Disk      Apache htdocs
        IPC$            IPC       IPC Service (Samba 3.0.28)
        deskjet         Printer   Hp deskjet 845c at Home
Domain=[AWW] OS=[Unix] Server=[Samba 3.0.28]

        Server               Comment
        ---------            -------
        KRAFTEK              Samba 3.0.28

        Workgroup            Master
        ---------            -------
        AWW
Check our trusted users; a list should appear, including users at our Windows 2003 PDC
# /usr/samba_ad/bin/wbinfo -u
administrator
guest
support_388945a0
krbtgt
bmahock
tpsmith
quser
Check our known groups, this should list our windows 2003 groups
# /usr/samba_ad/bin/wbinfo -g
BUILTINadministrators
BUILTINusers
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
Check our trusted domains. This is extra important!!! Our windows 2003 domain (AWW) should be there!
# /usr/samba_ad/bin/wbinfo -m
AWW
Getent should give us details of any Windows 2003 user. This passes through /etc/nsswitch.conf, then uses /lib/libnss_winbind.so, connects to the running winbind daemon and queries the windows PDC:
# getent passwd "AWW\bmahock"
bmahock:*:10000:10006:Brian Mahocker:/home/AWW/bmahock:/bin/false
Finally, do a test authentication with wbinfo. If this and all previous tests work, you have a single sign-on Samba, bound to a Windows 2003 Active Directory:
# wbinfo -a “bmahock%R3515t0l1”
plaintext password authentication succeeded
challenge/response password authentication succeeded
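The join checks used in both walkthroughs (net ads testjoin, wbinfo -m, net ads info, getent passwd), scripted so that a broken join shows up as a non-zero exit status instead of being read off the screen. This is an added example, not part of the original write-up; the function names are hypothetical, and the offset printed by net ads info is assumed to be in seconds, like clockskew in krb5.conf.

```sh
#!/usr/bin/env bash
# Added example: scripted versions of the post-join checks in both walkthroughs.
# Function names are hypothetical; each check reads a command's output on stdin.

# join_ok: expects `net ads testjoin` output.
join_ok() {
    grep -q '^Join is OK'
}

# domain_trusted DOMAIN: expects `wbinfo -m` output, one domain per line.
domain_trusted() {
    grep -Fqx -- "$1"
}

# skew_within SECONDS: expects `net ads info` output.
# Assumption: "Server time offset" is in seconds, like clockskew in krb5.conf.
skew_within() {
    off=$(sed -n 's/^Server time offset:[[:space:]]*\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*$/\1/p' | head -1)
    case $off in
        '') return 1 ;;          # no offset line at all
        -*) off=${off#-} ;;      # compare the absolute value
    esac
    [ "$off" -le "$1" ]
}

# uid_in_idmap_range LOW HIGH: expects one `getent passwd USER` line.
# A winbind-mapped user must fall inside the "idmap uid" range from smb.conf.
uid_in_idmap_range() {
    uid=$(head -1 | cut -d: -f3 | tr -d ' ')
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    [ "$uid" -ge "$1" ] && [ "$uid" -le "$2" ]
}

# verify_join DOMAIN USER CLOCKSKEW UID_LOW UID_HIGH
# Runs the real commands (net, wbinfo and getent must be on PATH).
verify_join() {
    rc=0
    net ads testjoin 2>&1 | join_ok ||
        { echo "FAIL: net ads testjoin did not report 'Join is OK'"; rc=1; }
    wbinfo -m | domain_trusted "$1" ||
        { echo "FAIL: $1 missing from wbinfo -m"; rc=1; }
    net ads info | skew_within "$3" ||
        { echo "FAIL: no server time offset found, or it exceeds ${3}s"; rc=1; }
    getent passwd "$2" | uid_in_idmap_range "$4" "$5" ||
        { echo "FAIL: $2 not resolved, or uid outside $4-$5"; rc=1; }
    return $rc
}

# With this page's values: verify_join AWW bmahock 300 10000 60000
```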
Enjoy