Michael Cesar
2004-Aug-27 19:17 UTC
[Samba] Can't login from Windows PC to Samba using ADS?
I hope this is the right place to post this.

I am running SuSe 8.2 Linux on an IBM 1 gig processor at work. I installed samba 3.0.5 on it and followed the instructions in the online book "Samba-3 by Example" for chapter 9 "Active Directory Domain with Samba Domain Member Server <http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm>" to the tee (of course it is for 3.0.2) and have everything working except for W2K pc cannot authenticate? Oh yeah, I also went through the steps in the troubleshooting guide but couldn't get the step "net use x: \\mysamba\web" to add.

I can 'net view \\mysamba' just fine and sambaclient -L mysamba.xxx.com/mydomainloginname ok using my ADS password.
I can see mysamba in the Network Neighborhood.
But I just can't get access to the share from my PC. Oh yea, and I am using encrypted passwords = yes.

I assume I must have missed something somewhere but for the life of me I can't see it. Anybody have any ideas?

Michael Cesar

***** my smb.conf file contents: ******

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/08/27 14:25:35

# Global parameters
[global]
    workgroup = MBTMASTER
    realm = MBTMASTER.COM
    netbios name = SAMBA_TEST
    security = ADS
    map to guest = Bad User
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m
    time server = Yes
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
    os level = 2
    ldap ssl = no
    preload = global
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template primary group
    template shell = /bin/bash
    winbind separator = +
    veto files = /*.eml/*.nws/riched20.dll/*.{*}/

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0640
    directory mask = 0750
    browseable = No

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin, root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[web]
    comment = Test Web Root
    path = /srv/www/htdocs
    valid users = michael.cesar, @Administrtors
    admin users = michael.cesar
    read only = No
Michael Cesar
2004-Aug-31 12:18 UTC
[Samba] Can't login from Windows PC to Samba using ADS?
Yang Xiao wrote:

> Hi,
> Is your winbind running? Did you configure Kerberos correctly? Try adding
> log level = 2 in the smb.conf and see if you can catch anything in the logs.
>
> Yang

Winbind appears to be running fine. My share definition for 'web' contains 'valid users' of 'michael.cesar' (my domain login) and '@Administrators' (the domain group I belong to). I set the log level to 2 and am getting the following below. I don't understand why...

1) Why is winbind trying to create a user in the first place? I want it to validate an existing one.
2) When winbind fails to create the user it doesn't know the group Administrators and gives the error "cannot validate gid for group()"?
3) Why is it trying to validate 'mcesar' (a local login account not listed in any config file for samba etc)? and not michael.cesar (my domain login). I am using the command line "net use" so the apache logins my browser knows should not come into play - one would think)

Michael Cesar

[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/08/31 07:50:02, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain MBTMASTER MBTMASTER.COM S-0-0
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:50:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No such file or directory)
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN S-1-5-32
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain SAMBA_TEST S-1-5-21-289385821-3664457749-2860223883
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:51:44, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/08/31 07:55:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
Michael Cesar
2004-Aug-31 12:58 UTC
[Samba] Can't login from Windows PC to Samba using ADS?
Yang Xiao wrote:

> Sounds like you have not mapped the user groups, you need to use "net
> groupmap" which allows you to map NT user groups to Linux user groups,
> both have to be valid existing groups. Do a "net groupmap list" and
> you will see.
>
> What is missing from the how-to is user group mapping.
> Make sure your /etc/nsswitch.conf file uses winbind for user name resolution.
>
> Yang

Thanks Yang, for the tip on groupmap. As for the nsswitch.conf file...are you suggesting I add the 'network' and 'netgroup' keywords? The following, according to the how-to, are the only services mapped to winbind...

passwd: compat winbind
group: compat winbind

Michael Cesar
Michael Cesar
2004-Aug-31 17:16 UTC
[Samba] Can't login from Windows PC to Samba using ADS?
Wait a minute. I thought I read somewhere that with Samba 3, in order to have it authenticate a share as a member of an ADS domain one didn't need to set up any accounts on the Linux/Samba server box? I just read in another how-to that NSS is responsible for identity management and PAM is responsible for authentication of login credentials. If those are both true and can be set to winbind, why do I need to consider NIS or installing Unix Services for Windows?

Michael Cesar

> Hi,
> That looks fine as far as user name resolution is concerned. But this
> will require you to maintain two sets of user database as well as the
> mappings.
> I'm currently using mapping NT users to NIS groups to make it easier,
> so in the /etc/nsswitch.conf file I'm using nis instead of winbind,
> because winbind actually results in file and dir being created with NT
> userid and group ids like this Domain+User. Eventually I will want to
> use the AD ldap infrastructure, even if it means that I have to
> install Unix Services for Windows on the DCs. (Recommended)
> Please correct me if I'm wrong on this if anyone thinks I misunderstood
> the setup.
>
> Yang
Michael Cesar
2004-Aug-31 18:59 UTC
[Samba] Can't login from Windows PC to Samba using ADS?
Can somebody help explain to me what is going on in the winbindd log? I set the log level to 5 and ran the following from my pc:

net use * \\10.0.10.29\web /USER:MBTMASTER\michael.cesar

This produced the following results (I omitted some lines because they didn't seem related):

MY OBSERVATIONS:
1) winbind returned the correct user name to samba.
2) winbind (getpwnam) couldn't find the name michael.cesar in ??? Why?
3) winbind (getgrnam) tried to create a user with group of ()? Why? Where does it get this information?
4) winbind failed to authenticate because it could not find the group ().

Does anybody understand the inner workings of this? Thanks in advance.

Michael Cesar
Intranet Services

[2004/08/31 14:43:32, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
  NTLM CRAP authentication for user [MBTMASTER]\[michael.cesar] returned NT_STATUS_OK (PAM: 0)
[2004/08/31 14:43:32, 3] nsswitch/winbindd_acct.c:winbindd_create_user(880)
  [31826]: create_user: user=>(michael.cesar), group=>()
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getpwnam(393)
  wb_getpwnam: Did not find user (michael.cesar)
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getgrnam(522)
  wb_getgrnam: Did not find group ()
[2004/08/31 14:43:32, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 14:43:32, 3] nsswitch/winbindd_acct.c:winbindd_create_user(880)
  [31826]: create_user: user=>(michael.cesar), group=>()
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getpwnam(393)
  wb_getpwnam: Did not find user (michael.cesar)
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getgrnam(522)
  wb_getgrnam: Did not find group ()
[2004/08/31 14:43:32, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 14:43:32, 3] nsswitch/winbindd_acct.c:winbindd_create_user(880)
  [31826]: create_user: user=>(michael.cesar), group=>()
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getpwnam(393)
  wb_getpwnam: Did not find user (michael.cesar)
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getgrnam(522)
  wb_getgrnam: Did not find group ()
[2004/08/31 14:43:32, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
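Added example, not part of the original thread and not Samba project code: a small Python triage of the level-5 winbindd log posted above. It parses Samba's two-line log records and separates the authentication result from the account-creation steps, which makes visible that the NTLM check returned NT_STATUS_OK while create_user ran with an empty group name. The function names parse_records and triage are this example's own; the sample records are copied from the post.

```python
import re

# Constructed sample: five records copied from the level-5 winbindd log in the
# post, in Samba's two-line layout (header line, then indented message line).
SAMPLE_LOG = r"""
[2004/08/31 14:43:32, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
  NTLM CRAP authentication for user [MBTMASTER]\[michael.cesar] returned NT_STATUS_OK (PAM: 0)
[2004/08/31 14:43:32, 3] nsswitch/winbindd_acct.c:winbindd_create_user(880)
  [31826]: create_user: user=>(michael.cesar), group=>()
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getpwnam(393)
  wb_getpwnam: Did not find user (michael.cesar)
[2004/08/31 14:43:32, 5] nsswitch/winbindd_acct.c:wb_getgrnam(522)
  wb_getgrnam: Did not find group ()
[2004/08/31 14:43:32, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
"""

HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
AUTH = re.compile(r"authentication for user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\] returned (?P<status>\w+)")
CREATE = re.compile(r"create_user: user=>\((?P<user>[^)]*)\), group=>\((?P<group>[^)]*)\)")


def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append(dict(m.groupdict(), msg=""))
        elif raw.strip() and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records


def triage(records):
    """Split the authentication outcome from the account-creation steps."""
    out = {"auth": {}, "create_attempts": [], "missing_users": set(), "gid_failures": 0}
    for r in records:
        auth, create = AUTH.search(r["msg"]), CREATE.search(r["msg"])
        if auth:
            out["auth"][auth["dom"] + "\\" + auth["user"]] = auth["status"]
        elif create:
            out["create_attempts"].append((create["user"], create["group"]))
        elif r["func"] == "wb_getpwnam" and "Did not find user" in r["msg"]:
            out["missing_users"].add(r["msg"].rsplit("(", 1)[1].rstrip(")"))
        elif "Cannot validate gid for group" in r["msg"]:
            out["gid_failures"] += 1
    return out


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG))
    for account, status in result["auth"].items():
        print(f"auth {account}: {status}")
    for user, group in result["create_attempts"]:
        print(f"create_user user={user!r} group={group!r}", "(empty group name)" if not group else "")
    print("wb_getpwnam misses:", sorted(result["missing_users"]))
    print("gid validation failures:", result["gid_failures"])
```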