Jonathan C. Detert
2006-Jan-18 21:20 UTC
[Samba] ADS valid users can't map a share to 3.0.21
I've got samba v3.0.21 on server 'RELIANT' with security=ADS
I want MsWin XP clients, that have logged into Microsoft AD domain
'MYDOMAIN' to be able to map a drive to 'RELIANT', and to do so
without
having to authenticate again. I haven't been able to do so. Here's
what happens:
the XP client doesn't prompt for authentication (which is good,
or at least what I want).
10 to 15 seconds later, it returns this error:
'Account is not authorized to login from this station'
If I try this from a dos cmd prompt via the
net use \\reliant\username
command, I get an error number:
'system error 1240'
and then the same verbage about not being authorized.
Any ideas what is wrong and/or what to try? Thanks
Here are some facts that might help shed light:
- wbinfo -u and -g show me the list of users and groups I expect to know
of from the MsAD domain MYDOMAIN.
- I can ssh into the samba box as a winbound user successfully (i.e.
winbind mapped the username's sid to a unix uid and gid; there is no
mention of the username in /etc/passwd or /etc/group).
- here's the global section of my smb.conf:
[global]
unix charset = LOCALE
workgroup = MSOE
realm = MSOE.EDU
server string = %h server (Samba %v)
security = ADS
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
preferred master = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-35000
idmap gid = 10000-35000
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
invalid users = root
- I set debuglevel=3 for smbd, nmbd, and winbindd.
When I try to map a drive from a MsXP client box that's logged into
the 'MYDOMAIN' MsAD domain, samba logs this for the client:
[2006/01/18 15:10:07, 3] smbd/oplock.c:init_oplocks(711)
open_oplock_ipc: opening loopback UDP socket.
[2006/01/18 15:10:07, 3] smbd/process.c:process_smb(1194)
Transaction 0 of length 137
[2006/01/18 15:10:07, 3] smbd/process.c:switch_message(993)
switch message SMBnegprot (pid 30682) conn 0x0
[2006/01/18 15:10:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
Requested protocol [LANMAN1.0]
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
Requested protocol [Windows for Workgroups 3.1a]
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
Requested protocol [LM1.2X002]
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
Requested protocol [LANMAN2.1]
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
Requested protocol [NT LM 0.12]
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_nt1(346)
using SPNEGO
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(568)
Selected protocol NT LM 0.12
[2006/01/18 15:10:07, 3] smbd/process.c:timeout_processing(1447)
timeout_processing: End of file from client (client has disconnected).
[2006/01/18 15:10:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/01/18 15:10:07, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/01/18 15:10:07, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/01/18 15:10:07, 3] smbd/server.c:exit_server(655)
Server exit (normal exit)
--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
> I want MsWin XP clients, that have logged into Microsoft AD domain > 'MYDOMAIN' to be able to map a drive to 'RELIANT', and to do so > without having to authenticate again. I haven't been able to do so.What happens if you go Start | Run, "\\reliant" - does that bring up a list of shares? That would at least tell you whether it's a global Samba problem, or just a problem with the permissions of an individual share. Cheers, Adam.