Jonathan C. Detert
2006-Jan-18 21:20 UTC
[Samba] ADS valid users can't map a share to 3.0.21
I've got samba v3.0.21 on server 'RELIANT' with security=ADS. I want MsWin XP clients, that have logged into Microsoft AD domain 'MYDOMAIN', to be able to map a drive to 'RELIANT', and to do so without having to authenticate again. I haven't been able to do so.

Here's what happens: the XP client doesn't prompt for authentication (which is good, or at least what I want). 10 to 15 seconds later, it returns this error:

  'Account is not authorized to login from this station'

If I try this from a dos cmd prompt via the net use \\reliant\username command, I get an error number: 'system error 1240' and then the same verbiage about not being authorized.

Any ideas what is wrong and/or what to try? Thanks

Here are some facts that might help shed light:

- wbinfo -u and -g show me the list of users and groups I expect to know of from the MsAD domain MYDOMAIN.

- I can ssh into the samba box as a winbound user successfully (i.e. winbind mapped the username's sid to a unix uid and gid; there is no mention of the username in /etc/passwd or /etc/group).

- here's the global section of my smb.conf:

  [global]
    unix charset = LOCALE
    workgroup = MSOE
    realm = MSOE.EDU
    server string = %h server (Samba %v)
    security = ADS
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    preferred master = No
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 10000-35000
    idmap gid = 10000-35000
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes
    invalid users = root

- I set debuglevel=3 for smbd, nmbd, and winbindd. When I try to map a drive from a MsXP client box that's logged into the 'MYDOMAIN' MsAD domain, samba logs this for the client:

  [2006/01/18 15:10:07, 3] smbd/oplock.c:init_oplocks(711)
    open_oplock_ipc: opening loopback UDP socket.
  [2006/01/18 15:10:07, 3] smbd/process.c:process_smb(1194)
    Transaction 0 of length 137
  [2006/01/18 15:10:07, 3] smbd/process.c:switch_message(993)
    switch message SMBnegprot (pid 30682) conn 0x0
  [2006/01/18 15:10:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
    Requested protocol [PC NETWORK PROGRAM 1.0]
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
    Requested protocol [LANMAN1.0]
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
    Requested protocol [Windows for Workgroups 3.1a]
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
    Requested protocol [LM1.2X002]
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
    Requested protocol [LANMAN2.1]
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(475)
    Requested protocol [NT LM 0.12]
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_nt1(346)
    using SPNEGO
  [2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(568)
    Selected protocol NT LM 0.12
  [2006/01/18 15:10:07, 3] smbd/process.c:timeout_processing(1447)
    timeout_processing: End of file from client (client has disconnected).
  [2006/01/18 15:10:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
  [2006/01/18 15:10:07, 2] smbd/server.c:exit_server(614)
    Closing connections
  [2006/01/18 15:10:07, 3] smbd/connection.c:yield_connection(69)
    Yielding connection to
  [2006/01/18 15:10:07, 3] smbd/server.c:exit_server(655)
    Server exit (normal exit)

-- 
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
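A small triage helper for smbd level-3 logs like the excerpt above, added here as an example and not part of the original thread: it pairs each header line with its message line, then reports whether the connection ever reached session setup (the SMB message that carries the client's credentials) or, as in the trace above, was closed by the client right after protocol negotiation. The sample log is constructed from the excerpt, and the function names are assumptions of this example.

```python
import re
# Samba 3.x level-3 log: header "[date time, level] file:func(line)", message on the next line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

# Constructed sample, condensed from the excerpt in the post above, in the two-line form smbd writes.
SAMPLE_LOG = """\
[2006/01/18 15:10:07, 3] smbd/process.c:switch_message(993)
  switch message SMBnegprot (pid 30682) conn 0x0
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_nt1(346)
  using SPNEGO
[2006/01/18 15:10:07, 3] smbd/negprot.c:reply_negprot(568)
  Selected protocol NT LM 0.12
[2006/01/18 15:10:07, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
"""

def parse_smbd_log(text):
    """Pair each header line with the message line that follows it."""
    lines = text.strip().splitlines()
    records = []
    for i in range(len(lines) - 1):
        m = HEADER_RE.match(lines[i].strip())
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": lines[i + 1].strip()})
    return records

def summarize_connection(records):
    """Reduce one connection's records to the facts that matter for authentication."""
    s = {"smb_messages": [], "protocol": None, "spnego": False, "client_disconnected": False}
    for r in records:
        msg = r["msg"]
        if msg.startswith("switch message "):
            s["smb_messages"].append(msg.split()[2])
        elif msg.startswith("Selected protocol "):
            s["protocol"] = msg[len("Selected protocol "):]
        s["spnego"] |= msg == "using SPNEGO"
        s["client_disconnected"] |= "End of file from client" in msg
    # smbd names the session-setup request SMBsesssetupX; that is the message carrying credentials.
    s["session_setup_seen"] = "SMBsesssetupX" in s["smb_messages"]
    return s

def diagnose(s):
    """Say whether the client ever presented credentials on this connection."""
    if s["session_setup_seen"]:
        return "session setup reached smbd; check the auth result logged after it"
    if s["protocol"] and s["client_disconnected"]:
        return "client dropped the connection after negprot, before any session setup"
    return "trace incomplete"
```

Run it over the full log.%m file for the client to see which connections never got past negotiation and which ones carried a session setup whose result can then be read from the lines that follow.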
> I want MsWin XP clients, that have logged into Microsoft AD domain
> 'MYDOMAIN' to be able to map a drive to 'RELIANT', and to do so
> without having to authenticate again. I haven't been able to do so.

What happens if you go Start | Run, "\\reliant" - does that bring up a list of shares? That would at least tell you whether it's a global Samba problem, or just a problem with the permissions of an individual share.

Cheers,
Adam.