Hello,

I am new to this list but I have been learning to use linux/bsd and samba for the past year. So far I have been able to learn enough on my own to be able to successfully set up a functional samba server on FreeBSD and Gentoo Linux boxes. I am trying to learn how to integrate them into an Active Directory windows 2003 server domain. So far I have verified that Kerberos and ldap and winbind (I think) are functioning correctly. I am able to do a 'kinit administrator@DOMAIN.COM' command and not get a failure. I am able to see all of the groups and users/systems in the domain from getent commands. My problem is that I can't access samba shares when permissions are set using domain users. I can access the /home/samba/public share if I DON'T specify a 'valid users =' line in the smb.conf file, but not the other way around.

Here is what my smb.conf file looks like:

# Samba config file created using SWAT
# from 10.11.7.56 (10.11.7.56)
# Date: 2006/03/01 09:45:11

[global]
        workgroup = MARKETSCAN
        realm = MARKETSCAN.COM
        server string = %h Samba Server
        interfaces = lo, eth0
        bind interfaces only = Yes
        security = ADS
        auth methods = winbind
        password server = nostradmus, nostradamus_ii, nostradamus_cam
        log file = /var/log/samba/log.%m
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        load printers = No
        preferred master = No
        dns proxy = No
        wins proxy = No
        wins server = 10.11.3.198
        ldap ssl = no
        passdb expand explicit = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator =
        max log size = 50
        winbind use default domain = Yes

[public]
        comment = %h Public Share
        path = /home/samba/public
        read only = No
        force create mode = 0777
        force directory mode = 0777
        guest ok = Yes

[homes]
        comment = Home Directory for %U
        path = /home/%D/%U
        valid users = %S
        read only = No
        force create mode = 0777
        force directory mode = 0777
        browseable = No

I would greatly appreciate any help.

thanks,
Guillermo Gutierrez
Development Systems Engineer
Market Scan Information Systems
(818) 575-2000 x2427
ggutierrez@marketscan.com
A little more info on this: I can see the user's home directory via \\Solidus in explorer, but when I try to enter it I get a message saying that I don't have permission to access the folder or it doesn't exist, and below that it says that the network location doesn't exist. I wonder, what is the correct syntax for the path to the user's home folder in smb.conf? I have seen it specified as path=/home/%D/%U and I have seen some smb.conf files where it is not specified at all.

p.s. I did set up pam.d/system-auth to use the pam_mkhomedir.so module.

-----Original Message-----
From: samba-bounces+ggutierrez=marketscan.com@lists.samba.org [mailto:samba-bounces+ggutierrez=marketscan.com@lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Wednesday, March 01, 2006 5:05 PM
To: samba@lists.samba.org
Subject: FW: [Samba] samba as a domain member

Whoops, forgot to copy the list on it. Sorry.

Well, an update. I can log in to the console using any domain profiles, but I cannot access the exposed home directory through NetBeui (My Network Places/Network Neighborhood). Also, how should I configure /etc/pam.d/sshd to allow domain users to authenticate and log on through an ssh client (PuTTY?, OpenSSH?)

-----Original Message-----
From: Guillermo Gutierrez
Sent: Wednesday, March 01, 2006 12:47 PM
To: 'David Shapiro'
Subject: RE: [Samba] samba as a domain member

Yes, getent passwd returns users and what appears to be machine names as well. wbinfo -u returns user info and computer info. wbinfo -g returns domain groups. Since I sent this email a couple of things changed. The above commands no longer display the domain as part of the info. I cannot get into my home directory which is shared but with a valid user of "valid users = %S" in the smb.conf.

-----Original Message-----
From: David Shapiro [mailto:David.Shapiro@bcbsnc.com]
Sent: Wednesday, March 01, 2006 12:32 PM
To: Guillermo Gutierrez
Subject: Re: [Samba] samba as a domain member

Is the getent passwd returning users? Do wbinfo -u and wbinfo -g return users and groups?

David

David Shapiro
Unix Team Lead
919-765-2011

>>> "Guillermo Gutierrez" <ggutierrez@marketscan.com> 3/1/2006 1:09:26 PM >>>
[...]
The correct path is whatever is correct to you... The %D is not necessary, the %U is - as it designates the user. Tail your /var/log/messages file as you attempt to connect (ensure logging set to at least 2 or 3 in smb.conf)...this will tell you if it is a path error or a permissions error. The Windows errors are not that helpful.

To look at a home directory with /home/%D/%U try to connect with \\server\username
The same is for /home/%U you connect with \\server\username

Good luck,
MJ Barber

-----Original Message-----
From: samba-bounces+mjbarber=hearst.com@lists.samba.org [mailto:samba-bounces+mjbarber=hearst.com@lists.samba.org] On Behalf Of Guillermo Gutierrez
Sent: Thursday, March 02, 2006 8:50 AM
To: samba@lists.samba.org
Subject: RE: [Samba] samba as a domain member

[...]
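The path-versus-permissions check suggested in the reply above, as an added shell example that is not part of any message in this thread: it expands the path = /home/%D/%U template for one user and inspects the resulting directory. The function names are illustrative, and the check assumes it is run on the Samba server with the user name written the way getent passwd shows it.

```shell
#!/bin/sh
# Added example (not from the thread): expand the smb.conf substitutions used
# in the [homes] path and classify a failure as a path or permissions problem.

# Escape characters that are special in a sed replacement ("|" is the delimiter).
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# expand_share_path TEMPLATE USER DOMAIN SERVICE
#   %U = session user name, %D = that user's domain, %S = service (share) name
expand_share_path() {
    u=$(sed_escape "$2"); d=$(sed_escape "$3"); s=$(sed_escape "$4")
    printf '%s\n' "$1" | sed -e "s|%U|$u|g" -e "s|%D|$d|g" -e "s|%S|$s|g"
}

# check_home DIR USER
#   prints path-error       when DIR is missing or not a directory,
#          permission-error when DIR is not owned by USER or the owner lacks rwx,
#          ok               otherwise
check_home() {
    if [ ! -d "$1" ]; then echo "path-error"; return 0; fi
    listing=$(ls -ld "$1")
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    owner_bits=$(printf '%s\n' "$listing" | cut -c2-4)
    if [ "$owner" != "$2" ] || [ "$owner_bits" != "rwx" ]; then
        echo "permission-error"; return 0
    fi
    echo "ok"
}

# Sample values taken from the thread: path template, domain and user name.
# In [homes] the service name is the user name, so %S and %U are the same here.
home=$(expand_share_path '/home/%D/%U' ggutierrez MARKETSCAN ggutierrez)
echo "$home: $(check_home "$home" ggutierrez)"
```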
This is what the samba by machine name log for my system looks like (log.<machinename>):

[2006/03/02 06:51:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 06:51:11, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 06:51:26, 0] lib/util_sock.c:write_data(557)
  write_data: write failure in writing to client 10.11.7.120. Error Connection reset by peer
[2006/03/02 06:51:26, 0] lib/util_sock.c:send_smb(765)
  Error writing 4 bytes to client. -1. (Connection reset by peer)

Here is the second samba log with IP appended to it instead of machine name (log.10.11.7.120, why?)

[ make_server_info_pac failed!
[2006/03/02 05:27:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:53, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:27:55, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:28:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:28:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:28:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:35:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:33, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:36, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:41, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:42, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:45, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:51, 1] smbd/service.c:make_connection_snum(693)
  10.11.7.120 (10.11.7.120) connect to service public initially as user MARKETSCANmggutierrez (uid=10740, gid=10001) (pid 7426)
[2006/03/02 05:36:57, 1] smbd/service.c:close_cnum(885)
  10.11.7.120 (10.11.7.120) closed connection to service public
[2006/03/02 06:51:27, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 06:52:22, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
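A way to summarise a per-client smbd log like the two above, as an added shell example that is not part of any message in this thread: it counts the make_server_info_pac failures and lists the account name smbd used for each successful share connection, which can then be compared with what getent passwd and wbinfo -u return. The function names are illustrative; the sample lines are copied from the log above and laid out two lines per entry.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an smbd per-client log.

# summarize_log: reads log text on stdin; prints one summary line, then one
# "connect" line per successful share connection.
summarize_log() {
    awk '
    {
        line = $0
        # gsub returns the number of matches, so the counts stay correct even
        # when several log entries have been run together on one line.
        pac += gsub(/make_server_info_pac failed/, "&", line)
        wr  += gsub(/write_data: write failure/, "&", line)
        while (match(line, /connect to service [^ ]+ initially as user [^ ]+/)) {
            split(substr(line, RSTART, RLENGTH), f, " ")
            conn[++n] = "connect service=" f[4] " user=" f[8]
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END {
        printf "pac_failures=%d write_errors=%d connects=%d\n", pac, wr, n
        for (i = 1; i <= n; i++) print conn[i]
    }'
}

# Sample input: entries copied from the log posted in this thread.
sample_log() {
cat <<'EOF'
[2006/03/02 05:36:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 05:36:51, 1] smbd/service.c:make_connection_snum(693)
  10.11.7.120 (10.11.7.120) connect to service public initially as user MARKETSCANmggutierrez (uid=10740, gid=10001) (pid 7426)
[2006/03/02 06:51:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(322)
  make_server_info_pac failed!
[2006/03/02 06:51:26, 0] lib/util_sock.c:write_data(557)
  write_data: write failure in writing to client 10.11.7.120. Error Connection reset by peer
EOF
}

sample_log | summarize_log
```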