JonR
2004-Feb-24 19:31 UTC
[Samba] Winbind & idmap_ad plugin: Debian kerberos-related problems fixed
Slowly making progress with Active Directory integration. I have Samba 3.0.2 as an ADS member, and I can see shares, including user home directories. My linux boxes run Debian unstable, and use the PAM and NSS LDAP backends, against an Active Directory on Windows 2000 SP4, using the MS Services For Unix V2.0 schema updates. PAM-authenticated login, ssh etc. all work fine, although I did have to enable anonymous searches of the Active Directory on the DC.

To get this far, I have had to build MIT Kerberos 1.3.1 from source (Debian only has v 1.3 packaged at the moment). This fixed problems with the RC4 hash that stopped anything from working. I use a completely minimal krb5.conf:

    [libdefaults]
    default_realm = XXX.XXX.XXX.XXX

    [realms]
    XXX.XXX.XXX.XXX = {
        kdc = 192.168.0.2
    }

However, my final problem is that users cannot write to files in their home directories. I gather the way to fix this is to use Luke's idmap_ad plugin from PADL, so I built that (for Debian you also need to at least configure a Samba source tree somewhere - I apt-get the source, and killed the build after the configuration). Now, I have winbindd using the idmap-ad plugin, and wbinfo can convert SIDs to UIDs (wbinfo -n jonr gets the SID, and wbinfo -S <sid> gets the uid).
BUT: I still get permission denied trying to create new files or delete existing ones in user home directories from a Windows XP SP1 client:

    [2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
      change_to_user uid=(1001,1001) gid=(0,500)
    [2004/02/24 13:42:50, 3] smbd/service.c:make_connection_snum(705)
      192.168.0.5 (192.168.0.5) connect to service IPC$ initially as user jonr (uid1001, gid=500) (pid 12428)
    [2004/02/24 13:42:50, 3] smbd/sec_ctx.c:set_sec_ctx(288)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2004/02/24 13:42:50, 5] auth/auth_util.c:debug_nt_user_token(486)
      NT user token: (NULL)
    [2004/02/24 13:42:50, 5] auth/auth_util.c:debug_unix_user_token(505)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2004/02/24 13:42:50, 5] smbd/uid.c:change_to_root_user(218)
      change_to_root_user: now uid=(0,0) gid=(0,0)
    [2004/02/24 13:42:50, 3] smbd/reply.c:reply_tcon_and_X(326)
      tconX service=IPC$
    ....
    [2004/02/24 13:42:57, 3] smbd/process.c:switch_message(685)
      switch message SMBntcreateX (pid 12428)
    [2004/02/24 13:42:57, 4] smbd/uid.c:change_to_user(122)
      change_to_user: Skipping user change - already user
    [2004/02/24 13:42:57, 5] smbd/filename.c:unix_convert(114)
      unix_convert called on file "\New Text Document.txt"
    [2004/02/24 13:42:57, 3] lib/util.c:unix_clean_name(580)
      unix_clean_name [/New Text Document.txt]
    [2004/02/24 13:42:57, 5] smbd/filename.c:unix_convert(188)
      unix_convert begin: name = New Text Document.txt, dirpath = , start = New Text Document.txt
    [2004/02/24 13:42:57, 5] smbd/filename.c:unix_convert(323)
      New file New Text Document.txt
    [2004/02/24 13:42:57, 3] smbd/dosmode.c:unix_mode(110)
      unix_mode(New Text Document.txt) returning 0764
    [2004/02/24 13:42:57, 5] smbd/files.c:file_new(122)
      allocated file structure 4137, fnum = 8233 (2 used)
    [2004/02/24 13:42:57, 3] lib/util.c:unix_clean_name(580)
      unix_clean_name [New Text Document.txt]
    [2004/02/24 13:42:57, 4] smbd/open.c:open_file_shared1(1004)
      calling open_file with flags=0x2 flags2=0x80 mode=0764
    [2004/02/24 13:42:57, 3] smbd/open.c:open_file(110)
      Permission denied opening New Text Document.txt
    [2004/02/24 13:42:57, 5] smbd/files.c:file_free(385)
      freed files structure 8233 (1 used)
    [2004/02/24 13:42:57, 3] smbd/error.c:error_packet(94)
      error string = Operation not permitted
    [2004/02/24 13:42:57, 3] smbd/error.c:error_packet(118)
      error packet at smbd/trans2.c(1811) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Any ideas? I can post full session logs if that helps (they're huge).

Jon.
Andrew Bartlett
2004-Feb-24 21:45 UTC
[Samba] Winbind & idmap_ad plugin: Debian kerberos-related problems fixed
On Wed, 2004-02-25 at 00:59, JonR wrote:
> Slowly making progress with Active Directory integration. I have Samba 3.0.2
> as an ADS member, and I can see shares, including user home directories. My
> linux boxes run Debian unstable, and use the PAM and NSS LDAP backends,
> against an Active Directory on Windows 2000 SP4, using the MS Services For
> Unix V2.0 schema updates. PAM-authenticated login, ssh etc. all work fine,
> although I did have to enable anonymous searches of the Active Directory on
> the DC.
>
> To get this far, I have had to build MIT Kerberos 1.3.1 from source (Debian
> only has v 1.3 packaged at the moment) This fixed problems with the RC4 hash
> that stopped anything from working. I use a completely minimal krb5.conf:
>
> [libdefaults]
> default_realm = XXX.XXX.XXX.XXX
>
> [realms]
> XXX.XXX.XXX.XXX = {
> kdc = 192.168.0.2
> }
>
> However, my final problem is that users cannot write to files in their home
> directories. I gather the way to fix this is to use Luke's idmap_ad plugin
> from PADL, so I built that (for Debian you also need to at least configure a
> Samba source tree somewhere - I apt-get the source, and killed the build
> after the configuration). Now, I have winbindd using the idmap-ad plugin,
> and wbinfo can convert SIDs to UIDs. (wbinfo -n jonr gets the SID, and
> wbinfo -S <sid> gets the uid).
>
> BUT: I still get permission denied trying to create new files or delete
> existing ones in user home directories from a Windows XP SP1 client:
>
> [2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
> change_to_user uid=(1001,1001) gid=(0,500)

Is that the right user? If so, then this is just a matter of unix file permissions, or possibly smb.conf settings.
(ie, it looks like you have IDMAP working)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
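Andrew's reply turns the question into a unix permission check: which identity did smbd switch to, and does that identity have write and search permission on the directory the file is being created in? The following is an added example, not code from either poster or from the Samba project. It parses the change_to_user and "Permission denied opening" lines from the log quoted above (embedded here as a constructed excerpt), then applies the ordinary POSIX owner/group/other rule to a directory's ownership and mode, which are passed in as constructed values rather than read from disk. The function names (effective_ids, denied_files, can_create_in, diagnose) are this example's own.

```python
import re
import stat

# Constructed excerpt of the smbd level 3-5 debug log quoted in the thread.
SMBD_LOG = """\
[2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(1001,1001) gid=(0,500)
[2004/02/24 13:42:57, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2004/02/24 13:42:57, 3] smbd/dosmode.c:unix_mode(110)
  unix_mode(New Text Document.txt) returning 0764
[2004/02/24 13:42:57, 3] smbd/open.c:open_file(110)
  Permission denied opening New Text Document.txt
[2004/02/24 13:42:57, 3] smbd/error.c:error_packet(118)
  error packet at smbd/trans2.c(1811) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
"""

# smbd prints uid=(real,effective) gid=(real,effective); the kernel checks the effective ids.
CHANGE_TO_USER_RE = re.compile(r"change_to_user uid=\((\d+),(\d+)\) gid=\((\d+),(\d+)\)")
DENIED_RE = re.compile(r"Permission denied opening (.+)$")


def effective_ids(log):
    """Return (euid, egid) from the last change_to_user line, or None if there is none."""
    ids = None
    for line in log.splitlines():
        m = CHANGE_TO_USER_RE.search(line)
        if m:
            ids = (int(m.group(2)), int(m.group(4)))
    return ids


def denied_files(log):
    """Names smbd reported it could not open."""
    found = []
    for line in log.splitlines():
        m = DENIED_RE.search(line)
        if m:
            found.append(m.group(1).strip())
    return found


def can_create_in(euid, egid, groups, dir_owner, dir_group, dir_mode):
    """POSIX check for creating or unlinking an entry: write + search on the directory.

    Returns (allowed, permission_class); the class tells you which bits matter.
    """
    if euid == 0:
        return True, "root"
    if euid == dir_owner:
        need = stat.S_IWUSR | stat.S_IXUSR
        return (dir_mode & need) == need, "owner"
    if egid == dir_group or dir_group in groups:
        need = stat.S_IWGRP | stat.S_IXGRP
        return (dir_mode & need) == need, "group"
    need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_mode & need) == need, "other"


def diagnose(log, dir_owner, dir_group, dir_mode, groups=()):
    """Map the identity smbd switched to onto the directory's unix permissions."""
    ids = effective_ids(log)
    if ids is None:
        return {"verdict": "no change_to_user line in log"}
    euid, egid = ids
    allowed, cls = can_create_in(euid, egid, groups, dir_owner, dir_group, dir_mode)
    return {
        "euid": euid,
        "egid": egid,
        "denied": denied_files(log),
        "class": cls,
        "dir_writable": allowed,
        # If unix permissions already allow it, the block is elsewhere (e.g. smb.conf).
        "verdict": "look at smb.conf / share settings" if allowed
                   else "unix permissions on the home directory",
    }


if __name__ == "__main__":
    # Constructed directory metadata for two scenarios; on a real host use os.stat(home).
    print(diagnose(SMBD_LOG, dir_owner=1001, dir_group=500, dir_mode=0o755))
    print(diagnose(SMBD_LOG, dir_owner=0, dir_group=0, dir_mode=0o755))
```

Before trusting the directory check, confirm that the euid the log shows (1001 here) is the same number that `id jonr` returns from NSS and that the uidNumber in the SFU schema holds; if winbind's idmap and the LDAP NSS backend disagree about the number, files written via Samba and via ssh will end up owned by different uids even though both paths "work".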