samba - Jan 2005 - need some assistance - Samba 3.09 on FreeBSD 4.5

Hello,
	I've been able to get Samba up and running, it joins the ADS domain 
fine. It appears in the network browser on our Windows machines but when 
anyone attempts to access a restricted share it fails to authenticate 
them. I say restricted because if anyone accesses an open to everyone 
share it works.

I'm trying to get the entire thing setup so that the Samba server is 
just a MEMBER of the Active Directory domain, running in Native mode. I 
do not want the Samba machine to be any kind of domain controller.

I've run wbinfo and it does return all the info correctly.

The log files, logging set to level 3, are showing the following when 
someone attempts to connect to a restricted share:

 From the log of the machine attempting to access Samba share:

[2005/01/11 11:50:50, 2] smbd/service.c:make_connection_snum(314)
   user '[real username]' (from session setup) not permitted to access 
this share ([real share name])
[2005/01/11 11:50:50, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

 From the log.smbd:

[2005/01/11 11:50:50, 0] smbd/server.c:open_sockets_smbd(383)
   open_sockets_smbd: accept: Software caused connection abort

 From the log.winbindd:

[2005/01/11 11:50:50, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
   [ 5472]: request interface version
[2005/01/11 11:50:50, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
   [ 5472]: request location of privileged pipe
[2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(210)
   [ 5472]: domain_info [[CORRECT_DOMAIN_NAME.COM]]
[2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(210)
   [ 5472]: domain_info [[CORRECT_DOMAIN_NAME.COM]]
[2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
   [ 5472]: gid to sid 1001
[2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
   [ 5472]: gid to sid 0
[2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
   [ 5472]: gid to sid 70
[2005/01/11 11:51:50, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
   ads: trusted_domains
[2005/01/11 11:51:50, 3] libads/ldap.c:ads_connect(247)
   Connected to LDAP server [correct IP to Domain Controllor]
[2005/01/11 11:51:50, 3] libads/ldap.c:ads_server_info(2432)
   got ldap server name [correct_DC_NAME@correct_domain.com], using bind 
path: dc=[correct domain name],dc=COM
[2005/01/11 11:51:50, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
   IPC$ connections done anonymously
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_start_connection(1382)
   Connecting to host=[correct dc name]
[2005/01/11 11:51:50, 3] lib/util_sock.c:open_socket_out(752)
   Connecting to [correct dc ip] at port 445
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(713)
   Doing spnego session setup (blob length=115)
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 2 840 48018 1 2 2
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 2 840 113554 1 2 2
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 2 840 113554 1 2 2 3
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 3 6 1 4 1 311 2 2 10
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
   got principal=[correct dc name]$@[correct domain name.com]
[2005/01/11 11:51:50, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(538)
   Doing kerberos session setup
[2005/01/11 11:51:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
   Ticket in ccache[MEMORY:cliconnect] expiration Tue, 11 Jan 2005 
21:51:48 GMT


[smb.conf]

[global]
   workgroup = domain_name
   realm = realm_name.com
   server string = Samba Server
   netbios name = server_name
   hosts allow = [several IP ranges to allow from]
   security = ADS
   encrypt passwords = yes
   password server = DC_name.domainname.com
   #username map = /etc/samba/smbusers
   client signing = yes
   server signing = yes
   guest account = samba
   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 50
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template primary group = "Domain Users"
   template shell = /bin/bash
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE 
SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = fxp0
   local master = no
   dns proxy = no
   winbind separator = _

#============================ Share Definitions 
=============================[homes]
    comment = Home Directories
    browseable = no
    read only = No
    valid users = %S

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
    comment = Public Stuff
    path = /home/samba
    browseable = yes
    public = yes
    read only = no
    printable = no
    valid users = @"domainname.com_Domain Users"

# Processing share, contains processing files and tools.
[share name]
    comment = Stuff
    path = /usr/local/stuff
    browseable = yes
    public = yes
    read only = no
    printable = no
    valid users = @"domainname.COM_Domain Users"
    create mask = 666
    directory mask = 777
    force user = mrjones
    force group = webheads



Any help will be greatly apprecicated.


Thanks,
Jon

On Tue, 11 Jan 2005 12:10:12 -0800, Jon Starbird
<jcstar@streamtheory.com> wrote:
> Hello,
You say you're running FreeBSD 4.5. That's a really *really* old
version. And the 4.x series just doesn't do nsswitching. A consultant
and I tried long and hard to get FreeBSD 4.8 or so to work just as
Samba 3.0 was coming out but in the end gave up and switched to Linux.
The lack of support for nss in the kernel just kills the idea dead.

FreeBSD 5.2 more or less worked, but there were a few quirks that
stopped it from happening for me. I built a box with 5.3-RELEASE the
other day and I can confirm everything (ldap, nss, samba, pam) works
perfectly.
> Any help will be greatly apprecicated.

Hate to break the news to you, but an upgrade of the box is your only solution. 

David

Well I did think of that. My biggest concern about upgrading though is 
that this system has about 1.5 Tb stored on it and I don't have the time 
to copy it all off and then restore it later, because of how it used 
within our company.
I've never done a upgrade with freebsd so I'm not sure how reliable the 
entire process would be unless I completely wiped the system.

When you say NSS support isn't good, wouldn't that also affect the 
machine joining the ADS domain? And shouldn't it also affect the winbind 
  data getting returned correctly?



Thanks,
Jon