Jon Starbird
2005-Jan-11 20:11 UTC
[Samba] need some assistance - Samba 3.09 on FreeBSD 4.5
Hello,

I've been able to get Samba up and running, it joins the ADS domain fine. It appears in the network browser on our Windows machines, but when anyone attempts to access a restricted share it fails to authenticate them. I say restricted because if anyone accesses an open-to-everyone share it works.

I'm trying to get the entire thing set up so that the Samba server is just a MEMBER of the Active Directory domain, running in Native mode. I do not want the Samba machine to be any kind of domain controller.

I've run wbinfo and it does return all the info correctly.

The log files, logging set to level 3, are showing the following when someone attempts to connect to a restricted share:

From the log of the machine attempting to access Samba share:

    [2005/01/11 11:50:50, 2] smbd/service.c:make_connection_snum(314)
      user '[real username]' (from session setup) not permitted to access this share ([real share name])
    [2005/01/11 11:50:50, 3] smbd/error.c:error_packet(129)
      error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

From the log.smbd:

    [2005/01/11 11:50:50, 0] smbd/server.c:open_sockets_smbd(383)
      open_sockets_smbd: accept: Software caused connection abort

From the log.winbindd:

    [2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
      [ 5472]: request interface version
    [2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
      [ 5472]: request location of privileged pipe
    [2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(210)
      [ 5472]: domain_info [[CORRECT_DOMAIN_NAME.COM]]
    [2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(210)
      [ 5472]: domain_info [[CORRECT_DOMAIN_NAME.COM]]
    [2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
      [ 5472]: gid to sid 1001
    [2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
      [ 5472]: gid to sid 0
    [2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
      [ 5472]: gid to sid 70
    [2005/01/11 11:51:50, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
      ads: trusted_domains
    [2005/01/11 11:51:50, 3] libads/ldap.c:ads_connect(247)
      Connected to LDAP server [correct IP to Domain Controllor]
    [2005/01/11 11:51:50, 3] libads/ldap.c:ads_server_info(2432)
      got ldap server name [correct_DC_NAME@correct_domain.com], using bind path: dc=[correct domain name],dc=COM
    [2005/01/11 11:51:50, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
      IPC$ connections done anonymously
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_start_connection(1382)
      Connecting to host=[correct dc name]
    [2005/01/11 11:51:50, 3] lib/util_sock.c:open_socket_out(752)
      Connecting to [correct dc ip] at port 445
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(713)
      Doing spnego session setup (blob length=115)
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
      got OID=1 2 840 48018 1 2 2
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
      got OID=1 2 840 113554 1 2 2
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
      got OID=1 2 840 113554 1 2 2 3
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
      got OID=1 3 6 1 4 1 311 2 2 10
    [2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
      got principal=[correct dc name]$@[correct domain name.com]
    [2005/01/11 11:51:50, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(538)
      Doing kerberos session setup
    [2005/01/11 11:51:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
      Ticket in ccache[MEMORY:cliconnect] expiration Tue, 11 Jan 2005 21:51:48 GMT

[smb.conf]

    [global]
       workgroup = domain_name
       realm = realm_name.com
       server string = Samba Server
       netbios name = server_name
       hosts allow = [several IP ranges to allow from]
       security = ADS
       encrypt passwords = yes
       password server = DC_name.domainname.com
       #username map = /etc/samba/smbusers
       client signing = yes
       server signing = yes
       guest account = samba
       log level = 3
       log file = /var/log/samba/log.%m
       max log size = 50
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       template primary group = "Domain Users"
       template shell = /bin/bash
       socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
       interfaces = fxp0
       local master = no
       dns proxy = no
       winbind separator = _

    #============================ Share Definitions =============================
    [homes]
       comment = Home Directories
       browseable = no
       read only = No
       valid users = %S

    # A publicly accessible directory, but read only, except for people in
    # the "staff" group
    [public]
       comment = Public Stuff
       path = /home/samba
       browseable = yes
       public = yes
       read only = no
       printable = no
       valid users = @"domainname.com_Domain Users"

    # Processing share, contains processing files and tools.
    [share name]
       comment = Stuff
       path = /usr/local/stuff
       browseable = yes
       public = yes
       read only = no
       printable = no
       valid users = @"domainname.COM_Domain Users"
       create mask = 666
       directory mask = 777
       force user = mrjones
       force group = webheads

Any help will be greatly appreciated.

Thanks,
Jon
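Added example, not part of the original post or of Samba itself: a small Python parser that groups smbd log lines into records and pulls out refused share connections together with the NT status sent back to the client. It assumes the usual two-line record layout (header line, then message line); `parse_records` and `share_denials` are hypothetical names, and the sample is the smbd excerpt from the post above, re-wrapped, with its placeholders kept.

```python
import re

# Record header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# Message logged by make_connection_snum when the share's access check fails.
DENIED = re.compile(
    r"user '(?P<user>[^']*)' \(from session setup\) "
    r"not permitted to access this share \((?P<share>.*)\)"
)
STATUS = re.compile(r"\bNT_STATUS_\w+")

# Sample input: the excerpt quoted in the post, one record per two lines.
SAMPLE_LOG = """\
[2005/01/11 11:50:50, 2] smbd/service.c:make_connection_snum(314)
  user '[real username]' (from session setup) not permitted to access this share ([real share name])
[2005/01/11 11:50:50, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2005/01/11 11:50:50, 0] smbd/server.c:open_sockets_smbd(383)
  open_sockets_smbd: accept: Software caused connection abort
"""

def parse_records(text):
    """Attach each message line to the header line that precedes it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def share_denials(records):
    """Return (timestamp, user, share, status) for each refused tree connect."""
    out = []
    for i, rec in enumerate(records):
        m = DENIED.search(rec["msg"])
        if rec["func"] != "make_connection_snum" or not m:
            continue
        # The status returned to the client is logged by the next error_packet record.
        nxt = records[i + 1] if i + 1 < len(records) else None
        s = STATUS.search(nxt["msg"]) if nxt and nxt["func"] == "error_packet" else None
        out.append((rec["ts"], m.group("user"), m.group("share"), s.group(0) if s else None))
    return out

if __name__ == "__main__":
    print(share_denials(parse_records(SAMPLE_LOG)))
```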
David Landgren
2005-Jan-12 07:54 UTC
[Samba] need some assistance - Samba 3.09 on FreeBSD 4.5
On Tue, 11 Jan 2005 12:10:12 -0800, Jon Starbird <jcstar@streamtheory.com> wrote:
> Hello,

You say you're running FreeBSD 4.5. That's a really *really* old version. And the 4.x series just doesn't do nsswitching. A consultant and I tried long and hard to get FreeBSD 4.8 or so to work just as Samba 3.0 was coming out but in the end gave up and switched to Linux. The lack of support for nss in the kernel just kills the idea dead.

FreeBSD 5.2 more or less worked, but there were a few quirks that stopped it from happening for me. I built a box with 5.3-RELEASE the other day and I can confirm everything (ldap, nss, samba, pam) works perfectly.

> Any help will be greatly appreciated.

Hate to break the news to you, but an upgrade of the box is your only solution.

David
Jon Starbird
2005-Jan-12 20:17 UTC
[Samba] need some assistance - Samba 3.09 on FreeBSD 4.5
Well, I did think of that. My biggest concern about upgrading, though, is that this system has about 1.5 Tb stored on it and I don't have the time to copy it all off and then restore it later, because of how it is used within our company. I've never done an upgrade with FreeBSD so I'm not sure how reliable the entire process would be unless I completely wiped the system.

When you say NSS support isn't good, wouldn't that also affect the machine joining the ADS domain? And shouldn't it also affect the winbind data getting returned correctly?

Thanks,
Jon