Norman Gaywood
2018-Mar-01 03:32 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
I've just updated my samba 2.4.6 to samba 2.4.7 via updating Fedora 26 to 27

System was working in F26. But in F27 users cannot connect to the service definitions:

$ smbclient //turing/ngaywood
Enter UNE\ngaywood's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

The server system is configured as (testparm output):

[global]
    auth methods = guest sam_ignoredomain winbind:ntdomain
    log file = /var/log/samba/log.%m
    max log size = 500
    realm = AD.UNE.EDU.AU
    security = ADS
    server string = Science and Technology turing Samba Server Version %v
    wins server = 129.180.3.55
    workgroup = UNE
    idmap config * : backend = tdb
    cups options = raw

On the server, wbinfo lists all the users:

# wbinfo -u | grep ngaywood
UNE\ngaywood

Perhaps something to do with this in log.smdb?

[2018/03/01 14:22:26.232980, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 129.180.72.132 (129.180.72.132)
[2018/03/01 14:22:30.456440, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory

But I'm not sure what that means.

Also have these messages generated by testparm:

WARNING: The "auth methods" option is deprecated
WARNING: The "profile acls" option is deprecated

idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Happy to provide additional information.

--
Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood at une.edu.au  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Rowland Penny
2018-Mar-01 07:49 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
On Thu, 1 Mar 2018 14:32:58 +1100
Norman Gaywood via samba <samba at lists.samba.org> wrote:

> I've just updated my samba 2.4.6 to samba 2.4.7 via updating Fedora
> 26 to 27

I think you mean you have upgraded from 4.6.x to 4.7.x ;-)

>
> System was working in F26. But in F27 users cannot connect to the
> service definitions:
>
> $ smbclient //turing/ngaywood
> Enter UNE\ngaywood's password:
> Anonymous login successful
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> The server system is configured as (testparm output):
> [global]
> auth methods = guest sam_ignoredomain winbind:ntdomain
> log file = /var/log/samba/log.%m
> max log size = 500
> realm = AD.UNE.EDU.AU
> security = ADS
> server string = Science and Technology turing Samba Server
> Version %v
> wins server = 129.180.3.55
> workgroup = UNE
> idmap config * : backend = tdb
> cups options = raw
>
> On the server, wbinfo lists all the users:
>
> # wbinfo -u | grep ngaywood
> UNE\ngaywood
>
> Perhaps something to do with this in log.smdb?
> [2018/03/01 14:22:26.232980,
> 3] ../lib/util/access.c:365(allow_access) Allowed connection from
> 129.180.72.132 (129.180.72.132) [2018/03/01 14:22:30.456440, 3]
> ../source3/lib/util_procid.c:54(pid_to_procid)
> pid_to_procid: messaging_dgm_get_unique failed: No such file or
> directory
>
> But I'm not sure what that means.
>
> Also have these messages generated by testparm:
>
> WARNING: The "auth methods" option is deprecated
> WARNING: The "profile acls" option is deprecated

Fairly obvious, both the parameters are deprecated, so you shouldn't use them ;-)

>
> idmap range not specified for domain '*'
> ERROR: Invalid idmap range for domain *!
>

You haven't set the 'idmap config' lines correctly, which may mean you are using sssd instead. If this is the case, then you are asking in the wrong place, you need to ask on the sssd-users mailing list.

If you aren't using sssd, can you post the smb.conf that is on disk i.e. the output of cat.

Rowland
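The testparm findings discussed in this message, as an added example that is not part of the thread: a small Python check that reads smb.conf-style text and reports the deprecated parameters and any 'idmap config' domain that has a backend but no usable range. The function names are hypothetical, the deprecated list covers only the two parameters named above, and the sample config is constructed from the output quoted in the thread.

```python
import re

# Only the two parameters testparm flagged in this thread; not a complete list.
DEPRECATED = {"auth methods", "profile acls"}
IDMAP_RE = re.compile(r"^idmap config\s+(.+?)\s*:\s*(\w+)$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lowercased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint(text):
    """Report deprecated parameters and idmap domains without a usable range."""
    sections, findings, idmap = parse_smb_conf(text), [], {}
    for name, params in sections.items():
        findings += [f'[{name}] "{k}" is deprecated' for k in params if k in DEPRECATED]
    for key, value in sections.get("global", {}).items():
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    for domain, opts in idmap.items():
        m = RANGE_RE.match(opts.get("range", ""))
        if not m:
            findings.append(f"idmap range not specified for domain '{domain}'")
        elif int(m.group(1)) >= int(m.group(2)):
            findings.append(f"idmap range invalid for domain '{domain}'")
    return findings

# Constructed sample, reduced from the testparm output and smb.conf in the thread.
SAMPLE = """
[global]
    auth methods = guest sam_ignoredomain winbind:ntdomain
    idmap config * : backend = tdb
[Profiles]
    profile acls = yes
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```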
Norman Gaywood
2018-Mar-02 00:16 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
Thanks Rowland :-)

On 1 March 2018 at 18:49, Rowland Penny <rpenny at samba.org> wrote:

> On Thu, 1 Mar 2018 14:32:58 +1100
> Norman Gaywood via samba <samba at lists.samba.org> wrote:
> > I've just updated my samba 2.4.6 to samba 2.4.7 via updating Fedora
> > 26 to 27
> I think you mean you have upgraded from 4.6.x to 4.7.x ;-)
>

Oops yeah, 4.6.x to 4.7.x :-)

> > System was working in F26. But in F27 users cannot connect to the
> > service definitions:
> >
> > $ smbclient //turing/ngaywood
> > Enter UNE\ngaywood's password:
> > Anonymous login successful
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> > The server system is configured as (testparm output):
> > [global]
> > auth methods = guest sam_ignoredomain winbind:ntdomain
> > log file = /var/log/samba/log.%m
> > max log size = 500
> > realm = AD.UNE.EDU.AU
> > security = ADS
> > server string = Science and Technology turing Samba Server
> > Version %v
> > wins server = 129.180.3.55
> > workgroup = UNE
> > idmap config * : backend = tdb
> > cups options = raw
> >
> > On the server, wbinfo lists all the users:
> >
> > # wbinfo -u | grep ngaywood
> > UNE\ngaywood
> >
> > Perhaps something to do with this in log.smdb?
> > [2018/03/01 14:22:26.232980,
> > 3] ../lib/util/access.c:365(allow_access) Allowed connection from
> > 129.180.72.132 (129.180.72.132) [2018/03/01 14:22:30.456440, 3]
> > ../source3/lib/util_procid.c:54(pid_to_procid)
> > pid_to_procid: messaging_dgm_get_unique failed: No such file or
> > directory
> >
> > But I'm not sure what that means.
> >
> > Also have these messages generated by testparm:
> >
> > WARNING: The "auth methods" option is deprecated
> > WARNING: The "profile acls" option is deprecated
>
> Fairly obvious, both the parameters are deprecated, so you shouldn't
> use them ;-)
> > idmap range not specified for domain '*'
> > ERROR: Invalid idmap range for domain *!
> >
>
> You haven't set the 'idmap config' lines correctly, which may mean you
> are using sssd instead. If this is the case, then you are asking in the
> wrong place, you need to ask on the sssd-users mailing list.
>

OK, I see now I need to set up the idmap. I've tried a few things but I'm not sure what I'm doing yet.

User logins are configured to use sssd which is configured to use an openldap server. Samba was configured to be a domain member of an AD server. The usernames are the same in both AD and openldap. There are also local users not in AD and openldap. However, the AD server does not contain unix uid/gid attributes.

Previously (in samba 4.6.x) windows users were able to map their linux /home (and other shared accounts) to their windows system. samba was configured to use winbind. linux users use the nsswitch.conf:

passwd: files nis sss systemd
shadow: files nis sss
group: files nis sss systemd

> If you aren't using sssd, can you post the smb.conf that is on disk
> i.e. the output of cat.
>
>

So seems to me I'm not using sssd with samba. sssd is using our openldap, samba is using AD.

Here is a redacted (removed some comments, share definitions and most usernames) smb.conf file

[global]
    workgroup = UNE
    server string = Science and Technology turing Samba Server Version %v
;   netbios name = MYSERVER
;   interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;   hosts allow = 127. 192.168.12. 192.168.13.
;   max protocol = SMB2

# --------------------------- Logging Options -----------------------------
    # log files split per-machine:
    log file = /var/log/samba/log.%m
    # maximum size of 50KB per log file, then rotate:
    max log size = 500
    log level = 3 passdb:5 auth:10 winbind:2
#   log level = 1 passdb:2 auth:2
#   log level = 1 passdb:1 auth:1

# ----------------------- Standalone Server Options ------------------------
;   security = user
;   passdb backend = tdbsam

# ----------------------- Domain Members Options ------------------------
#   security = domain
    security = ads
    auth methods = guest sam_ignoredomain winbind:ntdomain
#   auth methods = guest sam_ignoredomain ntdomain
    passdb backend = tdbsam
    encrypt passwords = true
;   realm = MY_REALM
    realm = ad.une.edu.au
;   password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
;   security = user
;   passdb backend = tdbsam
;   domain master = yes
;   domain logons = yes
    # the following login script name is determined by the machine name
    # (%m):
;   logon script = %m.bat
    # the following login script name is determined by the UNIX user used:
;   logon script = %u.bat
;   logon path = \\%L\Profiles\%u
    # use an empty path to disable profile support:
;   logon path
    # various scripts can be used on a domain controller or a stand-alone
    # machine to add or delete corresponding UNIX accounts:
;   add user script = /usr/sbin/useradd "%u" -n -g users
;   add group script = /usr/sbin/groupadd "%g"
;   add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;   delete user script = /usr/sbin/userdel "%u"
;   delete user from group script = /usr/sbin/userdel "%u" "%g"
;   delete group script = /usr/sbin/groupdel "%g"

# ----------------------- Browser Control Options ----------------------------
;   local master = no
;   os level = 33
;   preferred master = yes

#----------------------------- Name Resolution -------------------------------
;   wins support = yes
    wins server = 129.180.3.55
;   wins proxy = yes
;   dns proxy = yes

# --------------------------- Printing Options -----------------------------
    load printers = yes
    cups options = raw
;   printcap name = /etc/printcap
    # obtain a list of printers automatically on UNIX System V systems:
;   printcap name = lpstat
;   printing = cups

# --------------------------- File System Options ---------------------------
;   map archive = no
;   map hidden = no
;   map read only = no
;   map system = no
;   store dos attributes = yes

#============================ Share Definitions =============================

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
;   valid users = %S
;   valid users = MYDOMAIN\%S

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[Profiles]
    comment = Network Profiles Share
    path = /var/lib/samba/profiles
    #path = %H/samba/profiles
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    browseable = no
    guest ok = no
    force user = %U
    valid users = %U
    printable = no
    profile acls = yes
    csc policy = disable

#####################################################################################
# turing shares

[math101]
    path = %H
    volume = math101
    read only = no
    force user = math101
    valid users = math101 ngaywood auser2 auser3

--
Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood at une.edu.au  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Norman Gaywood
2018-Mar-02 03:32 UTC
[Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares
On 1 March 2018 at 18:49, Rowland Penny <rpenny at samba.org> wrote:

>
> > idmap range not specified for domain '*'
> > ERROR: Invalid idmap range for domain *!
> >
>
> You haven't set the 'idmap config' lines correctly, which may mean you
> are using sssd instead. If this is the case, then you are asking in the
> wrong place, you need to ask on the sssd-users mailing list.
>

After reading a lot about idmap conf and idmap backends, I'm thinking that what I've been doing is not expressible with idmap.

What I need is what is described, much better than I did, here:

https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP

That is:

Samba will authenticate against AD, and then utilize the normal 'getent' system calls to gather the uid/gid numbers, and those will come from OpenLDAP, and/or the local system files as configured within the nsswitch.conf file.

Is this type of setup still possible?

--
Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood at une.edu.au  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html