I know winbind (I think) is working fine. I can log into a unix box with my NT userid, but when I try to access shares on my samba server, I get these errors:

[2002/10/23 08:47:01, 0] lib/util_sec.c:(111)
  Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0)
[2002/10/23 08:47:01, 0] lib/util.c:(1092)
  PANIC: failed to set gid
[2002/10/23 09:17:08, 0] lib/util_sec.c:(111)
  Failed to set gid privileges to (-1,-2) now set to (0,0) uid=(0,0)
[2002/10/23 09:17:08, 0] lib/util.c:(1092)
  PANIC: failed to set gid
log.smbd: END

Here is a copy of my smb.conf:

# Samba config file created using SWAT
# from ws09573.rb.net (10.27.52.177)
# Date: 2002/10/23 08:16:35

# Global parameters
[global]
    workgroup = domain1
    netbios name = ARES
    server string = ARES_SAMBA
    interfaces = lan4 127.0.0.1
    bind interfaces only = Yes
    security = DOMAIN
    encrypt passwords = Yes
    password server = dc1
    wins server = 10.1.14.25
    winbind uid = 40000-49999
    winbind gid = 50000-59999
    template shell = /usr/bin/ksh
    winbind use default domain = Yes

[jf]
    path = /tmp/jfountain
    username = jfountain
    valid users = jfountain
    admin users = domain admins
    read only = No

What am I doing wrong? Any info would be greatly appreciated! Thanks!
1. Run ~samba/bin/wbinfo -u and make sure you are actually talking to your domain controller.

2. Do you have winbind entries in your nsswitch.conf file? Have you made your system re-read this info (the command is "nsadmin restart" on IRIX, don't know about other platforms)?

3. The Windows box isn't caching any old login data, is it? (I've had problems testing samba configuration changes because Windows 2000 caches some of the login stuff ... I'm not great on Windows admin, don't know how to force the cache to clear without a reboot, so I've had to reboot the Windows client to test...)

4. One of the samba guys said that the winbind use default domain parameter might not do what I originally hoped (help me match NT username with UNIX username without having to use a username map). Recent tests seem to show that my UIDs only match if I turn that parameter off and use a username map. Of course, testing has been very frustrating because I keep fighting with Windows caching ...

Have you tried using a username map?

Karen Wieprecht

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain@rbinc.com]
Sent: Wednesday, October 23, 2002 9:39 AM
To: samba@lists.samba.org
Subject: [Samba] samba and winbind issues

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Are you talking about access rights (like write list = @group)? I found a few interesting things with groups and security=domain with winbind:

1. The @group syntax applies to the UNIX group names. To give access to an NT group, you need to use something like this:

    write list = @"WALNETNT_Domain Users"
                 @"DomainnameWinbindseparatorNTgroupname"

2. If I specified an NT user, it seemed that I had to prefix it with the domain name and my winbind separator to get it to work correctly:

    write list = WALNETNT_jmacs

3. If you want to grant access to more than one user/group, separate the entries with commas:

    write list = WALNETNT_jmacs, @"WALNETNT_Domain Users"

4. If you are using a username map file to make the user's UID assignment match when he accesses files from either side, it seems to cause his membership in other NT groups to go un-noticed. Example: I had a read-only share that was writable by @"WALNETNT_Domain Users", but user karen (NT) was being assigned the UNIX "karen" account UID and GID by the username mapping mechanism, and was no longer recognized as a member of the NT Domain Users group ... I was going to play with adding other UNIX groups to the write list to see if I could fix this problem.

Hope this answers your question.

-----Original Message-----
From: Jennifer Fountain [mailto:JFountain@rbinc.com]
Sent: Friday, October 25, 2002 5:22 PM
To: 'Wieprecht, Karen M.'
Subject: RE: [Samba] samba and winbind issues

Thanks for the email. I finally got samba to work but now I am having issues with groups. When I do a groups jfountain, I get domain admins but no other groups. When I do a groups user1, I get nothing - and the user is in a couple groups. Any thoughts or ideas? What am I missing?

-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu]
Sent: Thursday, October 24, 2002 9:04 AM
To: 'Jennifer Fountain'; 'samba@lists.samba.org'
Subject: RE: [Samba] samba and winbind issues

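The list syntax described in the reply above, as an added example that is not part of the original thread: a Python check that tokenises share-level user lists and reports entries lacking the domain and winbind-separator prefix. The domain `WALNETNT` and separator `_` come from the reply's examples; the tokenisation rule (whitespace or commas separate entries, double quotes keep a name with spaces together), the `[proj]` share and the function names are assumptions of this example.

```python
import shlex

# Constructed sample (not from a real server): [jf] mirrors the share posted in
# the thread, [proj] uses the list syntax from the reply above.
SAMPLE = """
[jf]
   path = /tmp/jfountain
   valid users = jfountain
   admin users = domain admins
[proj]
   write list = WALNETNT_jmacs, @"WALNETNT_Domain Users"
"""

LIST_PARAMS = {"valid users", "invalid users", "read list", "write list", "admin users"}

def split_list(value):
    """Assumed tokenisation: whitespace or commas separate, double quotes group."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace += ","
    lex.whitespace_split = True
    # Only double quotes group; backslash and '#' are ordinary characters here.
    lex.quotes, lex.escape, lex.commenters = '"', "", ""
    return list(lex)

def audit(conf_text, domain, sep):
    """Return (share, parameter, entry) for entries lacking the DOMAIN+separator prefix."""
    findings, share = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # normalise spacing in the parameter name
        if key in LIST_PARAMS:
            for entry in split_list(value):
                if not entry.lstrip("@").startswith(domain + sep):
                    findings.append((share, key, entry))
    return findings

if __name__ == "__main__":
    for share, key, entry in audit(SAMPLE, "WALNETNT", "_"):
        print(f"[{share}] {key}: {entry!r} is not domain-qualified")
```

Under the assumed tokenisation, the `[jf]` line `admin users = domain admins` is reported as two separate entries, `domain` and `admins`, rather than one group name.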
Yes and No. When I get a getent groups or groups, I only get domain admins. I am a member of about 10 groups and they aren't being listed. Does this matter:

    winbind uid = 40000-49999
    winbind gid = 50000-59999

For some reason I am not getting a list of the correct groups, but when I type wbinfo -g I get them all. I have AD in mixed mode if that helps. Thanks!

-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu]
Sent: Monday, October 28, 2002 11:13 AM
To: 'Jennifer Fountain'; 'samba@lists.samba.org'
Subject: RE: [Samba] samba and winbind issues

Sorry, I don't know any more, hopefully one of the samba gurus might have an explanation for the behavior. Karen Wieprecht
Thanks for your help though! :)

-----Original Message-----
From: Wieprecht, Karen M. [mailto:Karen.Wieprecht@jhuapl.edu]
Sent: Monday, October 28, 2002 1:19 PM
To: 'Jennifer Fountain'; 'samba@lists.samba.org'
Subject: RE: [Samba] samba and winbind issues