Authenticate win users with AD accounts to shares on Xserve

  • #368459
    macdavid1
    Participant

    We have an Xserve, bound to AD, with some shares on it.
    The Mac users can authenticate to the shares using AD accounts, but the Windows users cannot (privileges on the shares are set with ACLs).
    The only way to let the Windows users connect to the shares on the Xserve is to create local users on the Xserve and give them rights to the shares.

    Is there any solution to let the win users connect with their AD accounts?

    #368525
    themonkman
    Participant

    First, are you running an Intel or PPC Xserve? I’ve encountered problems with the Intel build myself, but found some solutions in this thread: https://www.afp548.com/forum/viewtopic.php?showtopic=16099

    Try reading my post near the end of this thread and see if it helps you.

    #368738
    DSoderholm
    Participant

    This is something I’m very interested in too, but I haven’t found any comprehensive guides. This is my scenario:

    1x AD domain with Windows Server 2003 and a load of Windows XP clients
    1x PowerPC XServe (10.4.9), operating as OD master/PDC on its own domain and sharing a load of files

    The Windows computers on ADDOMAIN access shares on the XServe. Each user has an account on both services; when they authenticate to the XServe it’s just username/password when mapping network drives. After a reboot or two, especially for VPN workers, though, Windows always tries to use ADDOMAIN\username, which is of course wrong. When this happens, they have to disconnect and remap network drives, which is a pain for the end user. I’ve tried tinkering with Kerberos settings before but had no success. I *once* got a Windows PC to authenticate to the file share with its AD username/pw, after trying until 2am, but after an XServe reboot it was all gone again.

    What I’d like is to set the permissions on the XServe’s file shares to accept users from the AD domain, so when a user logs in to Windows as ADDOMAIN\jsmith, those details are passed to the XServe when mapping file shares and accepted. To do this, though, I’m unsure what I need to do. I’ve got the AD bound in Directory Access, but I haven’t done anything with Kerberos yet. Do I need to set up a trust relationship? I looked at https://www.afp548.com/xrealm/, but I wasn’t sure if this was what I needed to do for my scenario. I want Windows clients to continue logging on as they are now to the Windows domain; all I need is for the XServe’s file sharing to accept the credentials from the AD domain. I’ve been trying to do this on and off for a year, so any help would be greatly appreciated!

    Update:

    Most recently I tried simply adding a user from the AD to the ACL for the relevant share in Workgroup Manager, which is probably totally wrong and way too easy. When I map the drive in Windows as ADDOMAIN\username, it actually accepts the mapping (it appears in My Computer without complaint), but when I try to open it I get ‘access denied’ errors. This appears in the SMB error log:

    [2007/04/12 10:24:38, 1] /SourceCache/samba/samba-100.7/samba/source/smbd/service.c:make_connection_snum(648)
    ibm033 (192.168.0.54) connect to service iris initially as user dsoderholm (uid=1025, gid=20) (pid 23475)
    [2007/04/12 10:24:39, 0] /SourceCache/samba/samba-100.7/samba/source/smbd/service.c:set_current_service(51)
    chdir (/Groups/shared) failed
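
Added example, not part of the original thread and not Samba's own tooling: a small parser for the smbd log format quoted above that pairs each `chdir ... failed` entry with the preceding `connect to service` entry. It shows which uid/gid the session had been mapped to when the share path could not be entered, which is the identity to check against the permissions on that path. The sample input is the four log lines from the post; because the chdir line carries no pid, pairing by order is an assumption of this sketch.

```python
import re

# Constructed sample: the four smbd log lines quoted in the post above.
SAMPLE_LOG = """\
[2007/04/12 10:24:38, 1] /SourceCache/samba/samba-100.7/samba/source/smbd/service.c:make_connection_snum(648)
  ibm033 (192.168.0.54) connect to service iris initially as user dsoderholm (uid=1025, gid=20) (pid 23475)
[2007/04/12 10:24:39, 0] /SourceCache/samba/samba-100.7/samba/source/smbd/service.c:set_current_service(51)
  chdir (/Groups/shared) failed
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+\S+:(?P<func>\w+)\(\d+\)\s*$")
CONNECT = re.compile(
    r"(?P<host>\S+) \((?P<ip>[\d.]+)\) connect to service (?P<share>\S+) "
    r"initially as user (?P<user>\S+) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) \(pid (?P<pid>\d+)\)")
CHDIR_FAIL = re.compile(r"chdir \((?P<path>.+)\) failed")

def parse_entries(text):
    """Group an smbd log into (timestamp, level, function, message) entries."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            # A bracketed header starts a new entry; message lines follow it.
            current = [m["ts"], int(m["level"]), m["func"], ""]
            entries.append(current)
        elif current is not None and line.strip():
            current[3] = (current[3] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_post_auth_failures(text):
    """Pair each 'chdir failed' entry with the most recent connect entry."""
    # Heuristic (assumption): ordering is the only link between the two entries.
    findings, last_connect = [], None
    for ts, _level, _func, msg in parse_entries(text):
        c = CONNECT.search(msg)
        if c:
            last_connect = c.groupdict()
            continue
        f = CHDIR_FAIL.search(msg)
        if f and last_connect:
            findings.append({**last_connect, "path": f["path"], "failed_at": ts})
    return findings

if __name__ == "__main__":
    for hit in find_post_auth_failures(SAMPLE_LOG):
        print("{user} (uid={uid}, gid={gid}) from {ip} was mapped on share "
              "'{share}' but could not enter {path} at {failed_at}".format(**hit))
```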
