john dooley
2005-Aug-07 23:45 UTC
[Samba] 2k3Srv ADS, debian member server, Ubuntu workstations and no write access to share (security =ADS mode, winbind, krb5)
Hi All,

I'm going nuts trying to get a mixed environment going. I have a couple of problems, one related to logons and passwords which I think is a pam.d/gdm config error on my part and one where I can't get write access from the Ubuntu clients to the domain member server share. This is the most critical....please help me fix this.

In a nutshell:
- Single win 2003 Srv ADS (sp1)
- A single domain member server (Debian sarge box).
- Multiple Ubuntu/Debian workstations using gnome (hoary latest and debian sarge-stable)
- Using winbind kerberos method from the manual.
- Aiming for single sign on and having the Ubuntu workstations write to (at this stage *any*) share on the debian box

Basic problem is this: Ubuntu boxes can see the share on the debian box but for the life of me I cannot get them write access to any of the directories (I can't get write access to files using Gedit or openoffice under gnome - I can apparently execute a logon as a domain user NEXUS+sci1 for example). Strangely I can create an empty file, rename it to .txt and then open it in Gedit (but only read only)!

I am confused also because if I log on to the W2k3Server as Administrator and examine the share I have write permission and can alter files (I also have this user as an admin user in the smb.conf). I am not sure my pam.d/gdm and other pam files are right. I also get asked for auth to access the share after logging on as a domain user (which I need to fix).

On the debian member server side I have set permissions on the share directory to rwx group, owner, world, chown the files to NEXUS+sci1 (my test user), chgrp to NEXUS+domain users. On the 2003ADS side I published the share and gave full control to Domain Users (I think successfully).

Here's the directory that's being shared [sharefile]:

drwxrwxrwx 6 sci1 NEXUS+domain users 4096 2005-08-08 09:12 tmp

Here's a test file on the share I can only open read only no matter what I do on the debian/ubuntu workstations with gnome/gedit. Looking at permissions from the gnome workstation I get 744 User rwx, group and other r only (which seems to match the behaviour but not the permissions on the actual file on the share - I manually set them on the share just to be sure):

-rwxrwxrwx 1 NEXUS+sci1 NEXUS+domain users 14 2005-08-08 09:28 krb5cc_0.txt

Even more strangely I managed to open it with bluefish editor, change and SAVE it! But openoffice and gedit can't access it (openoffice gives a file does not exist error and gedit will only open it read only).

As for authentication: I can join the boxes to the domain I think successfully ie - from both debian member server and ubuntu boxes execute a net ads join command, wbinfo -u,g, getent passwd and getent group okay and see all the AD users in the domain. The machines appear in the active directory computers section. Example on debian member server from getent passwd:

NEXUS+administrator:x:10000:10000:Administrator:/home/NEXUS/administrator:/bin/bash
NEXUS+dl380$:x:10008:10003:dl380:/home/NEXUS/dl380_:/bin/bash
NEXUS+ws1$:x:10009:10003:ws1:/home/NEXUS/ws1_:/bin/bash

I'm out of my depth (I'm on the steep part of the learning curve from windows peer to peer land) - it's like there is still a block on authentication for the ubuntu boxes that I don't realise (I thought I had given appropriate access and permissions). I apologise for being pretty clueless. I have been thinking it's a permissions issue relating to the ubuntu boxes not authing as the correct user or something (due to my pam.d/gdm hacking). I have posted the smb.conf from the debian member server. I can post log.smbd etc if that helps. If it's too hard to fix me, can someone post a known good smb.conf and set of pam.d/ files for a debian box including (especially pam.d/gdm) else I will have to resort to two sets of users / linux and windoze....The windoze box runs a proprietary database app and will have TS sessions to that app only (plus run active directory and DNS). The linux boxes will be the workhorses for the users (openoffice etc) and open .rdp sessions to the database as necessary. LDAP is too advanced for me.

Thanks in advance: John Dooley

SMB.conf

# Samba config file created using SWAT   <<< I'm not using swat though
# from 192.168.0.20 (192.168.0.20)
# Date: 2005/07/22 08:34:10

# Global parameters
[global]
    security = ads
    realm = INTRANET.NEXUSDOMAIN.COM
    encrypt passwords = yes
    password server = nexus01.intranet.nexusdomain.com
    workgroup = NEXUS
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    obey pam restrictions = yes
    password server = *
    log level = 2
    admin users = NEXUS+administrator
    nt acl support = Yes
    map acl inherit = Yes
    client use spnego = Yes

[homes]
    comment = Home Directories

[sharefile]
    comment = Temporary file space
    path = /tmp
    read only = no
    writeable = yes
    valid users = @"NEXUS+domain users" NEXUS+domainall
    public = yes
    # create mode = 0777
    # directory mode =0777

[printers]
    comment = All Printers
    path = /tmp
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

NSSWITCH.CONF

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:     files winbind
group:      files winbind
shadow:     files
hosts:      files dns hosts wins
networks:   files
protocols:  db files
services:   db files
ethers:     db files
rpc:        db files
netgroup:   nis

KRB5.CONF

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = INTRANET.NEXUSDOMAIN.COM
    #default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    #default_tgt_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    INTRANET.NEXUSDOMAIN.COM = {
        # kdc=192.168.0.2:88
        kdc = nexus01.intranet.nexusdomain.com:88
        admin_server = nexus01.intranet.nexusdomain.com
        default_domain = INTRANET.NEXUSDOMAIN.COM
    }

[domain_realm]
    .intranet.nexusdomain.com = INTRANET.NEXUSDOMAIN.COM
    intranet.nexusdomain.com = INTRANET.NEXUSDOMAIN.COM

dl380:/etc/pam.d# cat common-*

# COMMON ACCOUNT
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so

# COMMON AUTH
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure

# COMMON PASSWORD
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password required pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5

# COMMON SESSION
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required pam_unix.so

UBUNTU/DEBIAN PAM.D/GDM

dl380:/tmp# cat gdm
#%PAM-1.0
auth sufficient pam_winbind.so
auth requisite pam_nologin.so
auth required pam_env.so
account sufficient pam_winbind.so
account sufficient pam_unix.so use_first_pass
@include common-auth
@include common-account
session required pam_limits.so
session sufficient pam_winbind.so
@include common-session
password sufficient pam_winbind.so
@include common-password
--
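As an added example (not code from the post or from Samba), a small parser and lint for an smb.conf like the one above, run over a constructed copy of its [global] and [sharefile] lines: it reports a parameter that is set twice (Samba keeps the last value, so the later "password server = *" wins over the explicit server named earlier), resolves whether a share is writable at the Samba level from "read only" / "writeable", and flags "admin users" (those users operate as root on the shares) and guest access ("public = yes").

```python
# Constructed copy of the relevant parts of the smb.conf in the post above.
SMB_CONF = """\
[global]
password server = nexus01.intranet.nexusdomain.com
password server = *
admin users = NEXUS+administrator
[sharefile]
read only = no
writeable = yes
public = yes
# create mode = 0777
"""

def parse_smb_conf(text):
    """{section: [(key, value), ...]} in file order, duplicates kept, keys normalised as Samba does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip comments and blank lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections

def share_writable(params):
    """'read only' vs. its inverse synonyms 'writeable'/'writable': last one wins, default read only."""
    writable = False
    for key, value in params:
        if key in ("read only", "writeable", "writable"):
            writable = (value.lower() in ("yes", "true", "1")) != (key == "read only")
    return writable

def lint(sections):
    """Repeated parameters (Samba keeps the last value) plus settings worth a second look."""
    findings = []
    for name, params in sections.items():
        seen = {}
        for key, value in params:
            if key in seen and seen[key] != value:
                findings.append(f"[{name}] '{key}' repeated: '{value}' overrides '{seen[key]}'")
            seen[key] = value
        if seen.get("admin users"):
            findings.append(f"[{name}] admin users ({seen['admin users']}) operate as root on shares")
        if seen.get("public", seen.get("guest ok", "no")).lower() == "yes":
            findings.append(f"[{name}] guest access enabled (public = yes)")
    return findings
```

Run lint(parse_smb_conf(open("/etc/samba/smb.conf").read())) against the real file to get the same report for a live member server.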