Hi together,

we have a Windows 2003 Active Directory Server, working together with Samba
Version 3.0.2a-Debian. It seems everything (Kerberos authentication and so
on) works fine. All the authentication is done by the Windows 2003 server.
My problem is that I can't connect to a share via a Windows XP client when
the share has an option "valid user" which defines a group of the domain. A
simple user works - but a group entry for the "valid user" option doesn't.

I have read many articles and tried many different settings - but without
success. Perhaps somebody can help me.

Here are some outputs and configs from my system:
neptun:/etc/init.d# wbinfo -g
DomDomSchema-Admins
Organisations-Admins
DomDomDomRichtlinien-Ersteller-Besitzer
DnsUpdateProxy
GG_Entwicklung
GG_Controlling
GG_Geschaeftsfuehrung
GG_Vertrieb
GG_Sekretariat
GG_Personal
neptun:/etc/init.d# wbinfo -u
Administrator
Gast
SATURN$
krbtgt
host/neptun.amatec.local
HOST/neptun
testuser
So testuser is a member of the global group GG_Entwicklung on the Windows
2003 Server.

My smb.conf File:
[global]
log level = 2
workgroup = AMATEC
netbios name = neptun
server string = Fileserver Austausch
wins server = 192.168.42.252
# winbind configuration
winbind separator = +
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
# Active Directory joining
security = ads
encrypt passwords = true
password server = saturn.amatec.local
realm = AMATEC.LOCAL
[Austausch]
path = /austausch
read only = no
writable = yes
# doesn't work
#valid users = @AMATEC\"GG_Entwicklung"
# doesn't work
#valid users = @GG_Entwicklung
# this one works
valid users = testuser
As you see, the settings for group access don't work. When I enter as
user "testuser" everything works. Again - perhaps anybody can help me.

Kind regards
Franz Gsell
Your winbind separator is a "+". Either comment out the "winbind
separator" line in smb.conf or change your valid users entry to:
valid users = @AMATEC+"GG_Entwicklung"
Matt Perkins
-----Original Message-----
From: samba-bounces+mperkins=lbmc.com@lists.samba.org
[mailto:samba-bounces+mperkins=lbmc.com@lists.samba.org] On Behalf Of
Franz Gsell
Sent: Friday, April 23, 2004 2:13 AM
To: samba@lists.samba.org
Subject: [Samba] Windows 2003 Active Directory and Group Access
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Ok, my version is 1.2.2-10. But I think this couldn't be a problem of
Kerberos, or could it be? I think - if it is working with a Windows 2000
client and not with an XP client, the problem must be located somewhere else?
But I can try a newer version.
Is there nobody who has the same problem - it's so strange
Kind regards
Franz Gsell
-----Original Message-----
From: brad smith [mailto:brad.smith1@comcast.net]
Sent: Sunday, 25 April 2004 09:38
To: Franz Gsell
Subject: Re: [Samba] Windows 2003 Active Directory and Group Access
What version of Kerberos are you using on the linux side? Try v1.3.1, if
you are not already using it (just a shot in the dark).
----- Original Message -----
From: "Franz Gsell" <vl950t@freenet.de>
Newsgroups: linux.samba
Sent: Saturday, April 24, 2004 2:50 PM
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
Hi,
first - thanks for your answer, you are right. I have tested it now with a
Windows 2000 client and everything is fine. But the problem is that the
same test with a Windows XP client fails. What's wrong? The Windows XP
client is also a member of the domain and the same user is logged on as on
the Windows 2000 client. But on the Windows XP client I get the prompt to
enter a username and a password to open the share of the Samba server.
And I have tested it on many XP clients - always with the same result -> a
prompt to enter the username and the password (but I think the current
username should be used, because I am logged on at the domain).
Perhaps anybody can help me - it's confusing
Kind regards
Franz Gsell
-----Original Message-----
From: Matt Perkins [mailto:mperkins@lbmc.com]
Sent: Friday, 23 April 2004 15:36
To: Franz Gsell; samba@lists.samba.org
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
Hi,
thanks for your help - now it works :-))))))) But there is a new problem.
We log on to the Linux machine for email and ssh and so on. So the new
problem is that a user is now AMATEC+testuser instead of simply testuser
(for the pam module). But I think we can make a hack to the pam_winbind.so
file to add "AMATEC+" to the entered username (so a user does not have to
enter AMATEC+testuser but only testuser). Or is there a better way?
Kind regards
-----Original Message-----
From: Alex de Vaal [mailto:A.Vaal@nh-hotels.com]
Sent: Monday, 26 April 2004 10:40
To: vl950t@freenet.de
Subject: [Samba] Windows 2003 Active Directory and Group Access
Hello Franz,
I had the same problem with Wk3 groups as valid users on my shares; remove
"winbind use default domain = yes" or set it to
"winbind use default domain = no"
Because "winbind separator = +" your valid group will be
"valid users @AMATEC.LOCAL+"GG_Entwicklung"
If you remove "winbind separator = +" your valid group will be
"valid users = @AMATEC.LOCAL\"GG_Entwicklung"
I prefer the last one, because my ADS users don't have to log on to the
Linux server. My Samba server just acts as a Windows domain member server
in ADS.
--
Regards,
Alex de Vaal.
Hi Alex,
Yes, I have already tried these settings:
"winbind use default domain = yes" and
"valid users = @AMATEC.LOCAL+GG_Entwicklung"
But this only works for Windows 2000 clients and not for Windows XP
clients. As you have written before, everything works without
"winbind use default domain = yes", but then a user has to log in, e.g. for
ssh, with AMATEC+username. I don't think it's a good idea to hack the pam
module either; perhaps there is another possibility - perhaps somebody on
the developer team has a workaround?
Kind regards
Franz
-----Original Message-----
From: Alex de Vaal [mailto:A.Vaal@nh-hotels.com]
Sent: Wednesday, 5 May 2004 12:22
To: 'Franz Gsell'
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
Hello Franz,
You can try to set "winbind use default domain = yes" again and use as
valid users: "valid users = @AMATEC.LOCAL+GG_Entwicklung"
I've found in a faq the following:
Q: I tried to set valid users = @Engineers, but it does not work. My Samba
server is an Active Directory Domain Member server. Has this been fixed
now?
A: The use of this parameter has always required the full specification of
the Domain account, for example, valid users = @"MEGANET2\Domain Admins".
You can always try if this works, while hacking pam_winbind.so seems not to
be a good idea to me.
Best regards,
Alex.
-----Original Message-----
From: Franz Gsell [mailto:vl950t@freenet.de]
Sent: Monday 26 April 2004 18:43
To: samba@lists.samba.org
Cc: 'Alex de Vaal'
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
As I have written - this is NO solution. And this has nothing to do with
permissions. I must be able to use the "winbind use default domain = yes"
option. But when I use this option all users have to enter the domain
suffix on their usernames like DOMAIN+testuser for pop3 and ssh. This is a
bad thing, to tell 100 users that they have to enter another username for
pop3 or ssh - but simply testuser for the share. I still need help ??
Kind regards
Franz
-----Original Message-----
From: Kevin Kallsen [mailto:kallsen@e101.com]
Sent: Monday, 10 May 2004 00:31
To: 'Franz Gsell'
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
I had this problem too. The solution was to chmod the directory/folder with
readable/writable access. Also chgrp for the directory
-----Original Message-----
From: samba-bounces+kallsen=e101.com@lists.samba.org
[mailto:samba-bounces+kallsen=e101.com@lists.samba.org] On Behalf Of
Franz Gsell
Sent: Sunday, May 09, 2004 11:03 AM
To: samba@lists.samba.org
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
Hi together,
I still have the problems I have mentioned below. Is there any developer
who can help me? If it is not possible to find a workaround, I have to
enter every user explicitly in the "valid users" option, and there are
about 100 users who are trying to access the share. It would be great if a
developer can tell me more - perhaps I can make a hack by myself - but it's
very difficult to understand all source files and how they work together.
Kind regards
Franz
-----Original Message-----
From: samba-bounces+vl950t=freenet.de@lists.samba.org
[mailto:samba-bounces+vl950t=freenet.de@lists.samba.org] On Behalf Of
Franz Gsell
Sent: Wednesday, 5 May 2004 21:20
To: samba@lists.samba.org
Cc: 'Alex de Vaal'
Subject: RE: [Samba] Windows 2003 Active Directory and Group Access
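
A check for the naming rule discussed in this thread (the "winbind separator" advice and the quoted FAQ answer), added here as an example and not code from any poster or from Samba: it reads an smb.conf, takes the configured "winbind separator" (default "\"), and reports @group entries in "valid users" that have no domain qualifier or use a different separator. The sample config is constructed from the thread's values; the function names and share names are hypothetical.

```python
import re

DEFAULT_SEPARATOR = "\\"   # smb.conf default for "winbind separator"
KNOWN_SEPARATORS = "\\+/"  # assumption: characters treated as a foreign separator
# Constructed sample (hypothetical share names) with the thread's three spellings.
SAMPLE_CONF = r'''
[global]
   winbind separator = +
[unqualified]
   valid users = testuser, @GG_Entwicklung
[backslash]
   valid users = @AMATEC\"GG_Entwicklung"
[plus]
   valid users = @AMATEC+"GG_Entwicklung"
'''

def parse_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def group_entries(value):
    """Yield the @group tokens of a 'valid users' value with quotes removed."""
    for token in re.findall(r'(?:"[^"]*"|[^\s,"])+', value):
        token = token.replace('"', "")
        if token.startswith("@"):
            yield token[1:]

def lint_valid_users(text):
    """Return (share, group, problem) for group entries not in DOMAIN<sep>group form."""
    conf = parse_conf(text)
    sep = conf.get("global", {}).get("winbind separator", DEFAULT_SEPARATOR)
    findings = []
    for share, params in conf.items():
        for group in group_entries(params.get("valid users", "")):
            if sep in group:
                continue  # qualified with the configured separator
            used = [c for c in KNOWN_SEPARATORS if c in group]
            problem = f"uses {used[0]!r}, separator is {sep!r}" if used else "no domain qualifier"
            findings.append((share, group, problem))
    return findings

if __name__ == "__main__":
    print(*lint_valid_users(SAMPLE_CONF), sep="\n")
```

Only the "@" group prefix is handled; an unmatched entry makes the share refuse the group's members rather than admit anyone extra, which is why the symptom in the thread was a credentials prompt.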