Jonathan Tullett
2006-Mar-21  20:39 UTC
[Samba] [homes] access failing when security=domain
Hello.
I'm having real difficulty in getting access to my [homes] shares on my
samba server using any method (smbclient, from any windows machines etc).
My setup:
Samba: 3.0.14a (Debian precompiled binaries)
Winbind: 3.0.14a (Debian precompiled binaries)
Domain controller: Windows 2003 SP1
The machine's joined to the domain and users are authenticating via SSH
(/etc/nsswitch.conf is configured correctly) and to any of the
non-[homes] shares they're entitled to access (i.e. shares that are
specifically defined in smb.conf.)
Proof of this working setup:
officeserver:/home# wbinfo -t
checking the trust secret via RPC calls succeeded
officeserver:/home# wbinfo -u | head -2
adam
administrator
officeserver:/home# wbinfo -g | head -2
BUILTIN+system operators
BUILTIN+replicators
officeserver:/home# id tullettj
uid=15003(tullettj) gid=15001(domain users) groups=15001(domain
users),15000(domain admins)
The smb.conf file I'm using contains the following:
[global]
        workgroup = DWPUB
        server string = %h server (Samba %v)
        security = DOMAIN
        client schannel = No
        obey pam restrictions = Yes
        password server = opmaster1.dwpub.com
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /home/DWPUB/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        invalid users = root
[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No
I've run the server with 'log level = 3' to see what's going on, and the
relevant parts of the output debug are:
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[DWPUB]\[tullettj]@[OFFICESERVER] with the new password interface
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DWPUB]\[tullettj]@[OFFICESERVER]
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [tullettj] succeeded
[2006/03/21 20:05:29, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [tullettj] -> [tullettj]
-> [DWPUB+tullettj] succeeded
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(222)
  User name: DWPUB+tullettj     Real name:
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(241)
  UNIX uid 15003 is UNIX user DWPUB+tullettj, and will be vuid 100
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(270)
  Adding homes service for user 'DWPUB+tullettj' using home directory:
'/home/DWPUB/tullettj'
[2006/03/21 20:05:29, 3] param/loadparm.c:lp_add_home(2368)
  adding home's share [tullettj] for user 'DWPUB+tullettj' at
'/home/DWPUB/tullettj'
which all look great, but then it says:
[2006/03/21 20:05:29, 3] smbd/process.c:process_smb(1091)
  Transaction 3 of length 102
[2006/03/21 20:05:29, 3] smbd/process.c:switch_message(886)
  switch message SMBtconX (pid 10909) conn 0x0
[2006/03/21 20:05:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/21 20:05:29, 2] smbd/service.c:make_connection_snum(321)
  user 'DWPUB+tullettj' (from session setup) not permitted to access
this share (tullettj)
[2006/03/21 20:05:29, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
The home directory has been created:
officeserver:/home/DWPUB# ls -tlrd tullettj
drwxr-xr-x  2 tullettj domain users 4096 Mar 21 20:05 tullettj
but I haven't been able to access it.
I've been trying different things, have read the news group and mailing
lists but have so far been unsuccessful.  If anyone is able to shed some
light on this problem I would be _very_ grateful - this machine is
supposed to be in production in a week or so.
Many thanks in advance for any help you can provide,
Jonathan.
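An added example, not part of the original post and not Samba project code: a small parser for the smbd log format quoted in the message above that pairs each tree-connect denial with the earlier session setup for the same user, so an authorization failure can be told apart from an authentication failure. The sample input is constructed from the log lines in the message; the function and field names are hypothetical.

```python
import re

# Constructed sample: log lines from the message above, e-mail line wraps kept.
SAMPLE_LOG = """\
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(241)
  UNIX uid 15003 is UNIX user DWPUB+tullettj, and will be vuid 100
[2006/03/21 20:05:29, 3] param/loadparm.c:lp_add_home(2368)
  adding home's share [tullettj] for user 'DWPUB+tullettj' at
'/home/DWPUB/tullettj'
[2006/03/21 20:05:29, 2] smbd/service.c:make_connection_snum(321)
  user 'DWPUB+tullettj' (from session setup) not permitted to access
this share (tullettj)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+:(\w+)\(\d+\)$")
VUID = re.compile(r"UNIX uid (\d+) is UNIX user (\S+), and will be vuid (\d+)")
HOME = re.compile(r"adding home's share \[([^\]]+)\] for user '([^']+)' at '([^']+)'")
DENY = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)")

def parse_records(text):
    """Group each '[time, level] file:function(line)' header with its message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"time": m.group(1), "func": m.group(2), "msg": ""})
        elif records and line.strip():
            # Continuation (or mail-wrapped) line: rejoin with a single space.
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def explain_denials(text):
    """For every tree-connect denial, report whether that user had a session."""
    sessions, homes, findings = {}, {}, []
    for rec in parse_records(text):
        if (m := VUID.search(rec["msg"])):
            sessions[m.group(2)] = int(m.group(1))
        elif (m := HOME.search(rec["msg"])):
            homes[m.group(1)] = m.group(2)
        elif (m := DENY.search(rec["msg"])):
            user, share = m.groups()
            findings.append({
                "time": rec["time"], "user": user, "share": share,
                "authenticated": user in sessions,  # session setup succeeded
                "homes_share_of_user": homes.get(share) == user,
                # 'valid users = %S' lists the share name; compare it here.
                "share_equals_session_user": share == user,
            })
    return findings
```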
Jonathan Tullett
2006-Mar-22  12:34 UTC
[Samba] Re: [homes] access failing when security=domain
Jonathan Tullett wrote:
> I'm having real difficulty in getting access to my [homes] shares on my
> samba server using any method (smbclient, from any windows machines etc).
>
> My setup:
> Samba: 3.0.14a (Debian precompiled binaries)
> Winbind: 3.0.14a (Debian precompiled binaries)
> Domain controller: Windows 2003 SP1

Following on from last night, I've just upgraded the server so it's
running samba-3.0.21c and the problem still remains.

If anyone can offer any help it would be greatly appreciated.