Hi,

Installed latest Samba3.0.2a on NT4 domain, security = domain and net rpc join successfully.

Everything works great, but group permission failed, error message is "user_in_winbind_group_list: nametogid for group NTGROUP failed".

smb.conf on shares as below:
====================
omitted base configurations...

[shareA]
path = /public/shareA
valid users = '@NT\Domain Users'
write list = NT\steven

The conf is simple but an error occurred. No one can access to shareA, a login prompted out for user/pass. BTW, it has no problem at all if only use user rather than group. Please kindly help or advise, thank you.

Best Regards,
Steven Tse
On Tue, 17 Feb 2004, steven.TSE wrote:

> Hi,
>
> Installed latest Samba3.0.2a on NT4 domain, security = domain and net rpc
> join successfully.
>
> everything work great, but group permission failed, error message is
> "user_in_winbind_group_list: nametogid for group NTGROUP failed".

Do you have winbindd running?
Is /etc/nsswitch.conf configured to use winbind?

- John T.

> smb.conf on shares as below:
> ====================
> omitted base configurations...
>
> [shareA]
> path = /public/shareA
> valid users = '@NT\Domain Users'
> write list = NT\steven
>
> the conf is simple but error occurred. No one can access to shareA, a login
> prompted out for user/pass. BTW, it has no problem at all if only use user
> rather than group. Please kindly help or advise, thank you.
>
> Best Regards,
> Steven Tse

--
John H Terpstra
Email: jht@samba.org
Yes, winbindd is running and nsswitch.conf is configured as:

passwd: file winbind
shadow: file
group: file winbind

smb.conf
======
[global]
workgroup = NTDOM
server string = Central File Server
security = DOMAIN
auth methods = winbind
password server = bga peh pbe_filpn
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/%m.log
min protocol = LANMAN1
local master = No
wins server = 192.168.100.9, 192.168.100.55
get quota command = /usr/bin/quota
set quota command = /usr/sbin/setquota
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /public/home/%U
template shell = /bin/bash
winbind cache time = 5

[finance]
comment = Finance Dept
path = /public/finance
valid users = '@NTDOM\Domain Users'
write list = PBE\steven_tse
force group = ntgroup
create mask = 0666
directory mask = 0777

I cannot access to shared folder "finance", it always prompt for user login.
Please help, thank you

Steve

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: Tuesday, February 17, 2004 3:09 PM
To: steven.TSE
Cc: samba@lists.samba.org
Subject: Re: [Samba] group problem on NT4 domain

On Tue, 17 Feb 2004, steven.TSE wrote:

> Hi,
>
> Installed latest Samba3.0.2a on NT4 domain, security = domain and net rpc
> join successfully.
>
> everything work great, but group permission failed, error message is
> "user_in_winbind_group_list: nametogid for group NTGROUP failed".

Do you have winbindd running?
Is /etc/nsswitch.conf configured to use winbind?

- John T.

> smb.conf on shares as below:
> ====================
> omitted base configurations...
>
> [shareA]
> path = /public/shareA
> valid users = '@NT\Domain Users'
> write list = NT\steven
>
> the conf is simple but error occurred. No one can access to shareA, a login
> prompted out for user/pass. BTW, it has no problem at all if only use user
> rather than group. Please kindly help or advise, thank you.
>
> Best Regards,
> Steven Tse

--
John H Terpstra
Email: jht@samba.org
Thank you for the reply,

"getent passwd, getent group, wbinfo -u and wbinfo -g" are also successfully retrieved NTDOM user or group list, removed all the highlighted, now the smb.conf:

===========
[global]
workgroup = NTDOM
server string = Central File Server
security = DOMAIN
log file = /var/log/samba/%m.log
wins server = 192.168.100.9, 192.168.100.55
get quota command = /usr/bin/quota
set quota command = /usr/sbin/setquota
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /public/home/%U
template shell = /bin/bash
winbind cache time = 5

[finance]
comment = Finance Dept
path = /public/finance
valid users = @"NTDOM\Domain Users"
write list = NTDOM\steven_tse
force group = ntgroup
create mask = 0666
directory mask = 0777

I still no luck to make it work, all clients computer can not access to "finance" but prompt for login.

result of id "NTDOM\steven_tse"
uid=10204(NTDOM\steven_tse) gid=10000 groups=10000,10001,10004

I tried to use valid users = @10000, then it works!!

steve

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: Tuesday, February 17, 2004 3:44 PM
To: steven.TSE
Cc: samba@lists.samba.org
Subject: RE: [Samba] group problem on NT4 domain

On Tue, 17 Feb 2004, steven.TSE wrote:

> Yes, winbindd is running and nsswitch.conf is configured as:
>
> passwd: file winbind
> shadow: file
> group: file winbind

What is the output of:

getent passwd
getent group
wbinfo -u
wbinfo -g

See further comments below.

- John T.

> smb.conf
> ======
> [global]
> workgroup = NTDOM
> server string = Central File Server
> security = DOMAIN
> auth methods = winbind

Get rid of "auth methods"

> password server = bga peh pbe_filpn

Why is it necessary to set "password server"? If possible remove this too.

> client lanman auth = No
> client plaintext auth = No

Neither of these should be needed.

> log file = /var/log/samba/%m.log

> min protocol = LANMAN1
> local master = No

The above 2 should not be needed either.

> wins server = 192.168.100.9, 192.168.100.55
> get quota command = /usr/bin/quota
> set quota command = /usr/sbin/setquota
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /public/home/%U
> template shell = /bin/bash
> winbind cache time = 5
>
> [finance]
> comment = Finance Dept
> path = /public/finance
> valid users = '@NTDOM\Domain Users'

Try: valid users = @"NTDOM\Domain Users"

> write list = PBE\steven_tse

What do you get if you run as root on this server:

id "PBE\steven_tse"

> force group = ntgroup
> create mask = 0666
> directory mask = 0777
>
> I cannot access to shared folder "finance", it always prompt for user login.
> Please help, thank you
>
> Steve
Even I can use gid to make it work, but is it possible to use group name rather than gid?

Thank you

-----Original Message-----
From: steven.TSE
Sent: Tuesday, February 17, 2004 4:13 PM
To: John H Terpstra
Cc: samba@lists.samba.org
Subject: RE: [Samba] group problem on NT4 domain

Thank you for the reply,

"getent passwd, getent group, wbinfo -u and wbinfo -g" are also successfully retrieved NTDOM user or group list, removed all the highlighted, now the smb.conf:

===========
[global]
workgroup = NTDOM
server string = Central File Server
security = DOMAIN
log file = /var/log/samba/%m.log
wins server = 192.168.100.9, 192.168.100.55
get quota command = /usr/bin/quota
set quota command = /usr/sbin/setquota
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /public/home/%U
template shell = /bin/bash
winbind cache time = 5

[finance]
comment = Finance Dept
path = /public/finance
valid users = @"NTDOM\Domain Users"
write list = NTDOM\steven_tse
force group = ntgroup
create mask = 0666
directory mask = 0777

I still no luck to make it work, all clients computer can not access to "finance" but prompt for login.

result of id "NTDOM\steven_tse"
uid=10204(NTDOM\steven_tse) gid=10000 groups=10000,10001,10004

I tried to use valid users = @10000, then it works!!

steve

-----Original Message-----
From: John H Terpstra [mailto:jht@samba.org]
Sent: Tuesday, February 17, 2004 3:44 PM
To: steven.TSE
Cc: samba@lists.samba.org
Subject: RE: [Samba] group problem on NT4 domain

On Tue, 17 Feb 2004, steven.TSE wrote:

> Yes, winbindd is running and nsswitch.conf is configured as:
>
> passwd: file winbind
> shadow: file
> group: file winbind

What is the output of:

getent passwd
getent group
wbinfo -u
wbinfo -g

See further comments below.

- John T.

> smb.conf
> ======
> [global]
> workgroup = NTDOM
> server string = Central File Server
> security = DOMAIN
> auth methods = winbind

Get rid of "auth methods"

> password server = bga peh pbe_filpn

Why is it necessary to set "password server"? If possible remove this too.

> client lanman auth = No
> client plaintext auth = No

Neither of these should be needed.

> log file = /var/log/samba/%m.log

> min protocol = LANMAN1
> local master = No

The above 2 should not be needed either.

> wins server = 192.168.100.9, 192.168.100.55
> get quota command = /usr/bin/quota
> set quota command = /usr/sbin/setquota
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /public/home/%U
> template shell = /bin/bash
> winbind cache time = 5
>
> [finance]
> comment = Finance Dept
> path = /public/finance
> valid users = '@NTDOM\Domain Users'

Try: valid users = @"NTDOM\Domain Users"

> write list = PBE\steven_tse

What do you get if you run as root on this server:

id "PBE\steven_tse"

> force group = ntgroup
> create mask = 0666
> directory mask = 0777
>
> I cannot access to shared folder "finance", it always prompt for user login.
> Please help, thank you
>
> Steve

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
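
An added example, not part of the original thread and not Samba's own code: it extracts the group names from a `valid users` value and resolves each one to a gid through NSS, the same lookup `getent group` performs, so a name that cannot be mapped shows up as `None`. The tokenizer is an assumed model of smb.conf list parsing in which only double quotes group words; `split_list`, `group_names`, `nss_gid` and `check_valid_users` are hypothetical names, and the sample values are constructed from the two spellings tried in the thread.

```python
import grp

# Constructed sample: the two "valid users" spellings tried in the thread.
SAMPLE = {
    "single-quoted": r"'@NTDOM\Domain Users'",
    "double-quoted": r'@"NTDOM\Domain Users"',
}

# Assumption: list entries are separated by whitespace, comma or semicolon.
LIST_SEPARATORS = " \t,;\n\r"


def split_list(value):
    """Split a list value; only double quotes group words (assumed model)."""
    tokens, current, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted          # quote characters are dropped
        elif ch in LIST_SEPARATORS and not quoted:
            if current:
                tokens.append(current)
            current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def group_names(value):
    """Return names of entries marked as groups with an @, + or & prefix."""
    return [t.lstrip("@+&") for t in split_list(value) if t[:1] in "@+&"]


def nss_gid(name):
    """Name-to-gid lookup through NSS; None when the name is unknown."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def check_valid_users(value, lookup=nss_gid):
    """Map each referenced group name to its gid, or None if lookup fails."""
    return {name: lookup(name) for name in group_names(value)}


if __name__ == "__main__":
    for label, value in SAMPLE.items():
        print(label, split_list(value), check_valid_users(value))
```

Run on the Samba server itself, a `None` next to a group name means the name-to-gid step fails in NSS before any share-level setting is consulted.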