thr3ads.net - samba - [Samba] Samba / Winbind / LDAP

If this information is useful, please help other people find it:
Share via:
Julian Pilfold-Bagwell
2007-Apr-18 00:22 UTC
[Samba] Samba / Winbind / LDAP - Can't access shares

Hi All,

I have the following setup. Samba/LDAP PDC, Samba BDC, Samba member 
server, Win2K member server, 300  Win XP Client PCs.

I can access the shares on the PDC from all  Win XP clients. I can 
access the shares on the Win2K member server from all XP clients, I 
can't however access any of the shares on the Samba BDC or Samba member  
server from the XP clients.

LDAP is working fine and PAM/LDAP/NSS are working fine. Getent  works 
for users and groups on all samba servers and net groupmap list provides 
identical group mapping  across all samba servers. I can do things like  
chmod  user."Domain Admins"  and it works. I can use setfacl and 
generate acls with Domain groups in them and it works but I cannot 
access the shares on the Samba servers from anywhere on the network. 
wbinfo works on the samba member server but  cannot lookup users and 
groups when run on the PDC and BDC.

OS's are Mandriva 2007 and Ubuntu Edgy. Samba version is 3.0.23d. All 
machines names are resolvable via nmblookup and nslookup and I've been 
through every document and howto I can find as well as loads of Google 
searches but have not managed to resolve it yet.

All help gratefully received. Cheers,

Jools

SMB Conf's are as follows:

PDC:

[global]

# General Options for domain
        workgroup = BGS
        netbios name = SMB5
        server string = Samba Server %v
        log file = /var/log/samba/%m.log
        max log size = 50
 #      hosts allow = 172.20.0. 172.20.1. 172.20.2. 127.
        map to guest = bad user
        security = user
        encrypt passwords = yes
        smb passwd file = /etc/samba/smbpasswd
#       unix password sync = Yes
#       pam password change = yes
#       passwd program = /usr/bin/passwd '%u'
#       passwd chat = *Nadmin1*UNIX*password* %n\n 
*Re*ype*nadmin1*UNIX*password* %n\n \
#       *passwd:*all*authentication*tokens*updated*successfully*
#       username map = /etc/samba/smbusers
        include = /etc/samba/smb.conf.%m
        wins support = yes
#       wins server = 127.0.0.1
        dns proxy = no
        dos charset = 850
        unix charset = ISO8859-1
        admin users = BGS\admin3 BGS\admin1 BGS\admin2 +"BGS\Domain
Admins"
        log level = 10
#       winbind separator = +
#       winbind enum users = yes
#       winbind enum groups = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
#       winbind use default domain =yes

# Tune Samba and detrmine its priority in the Domain
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#       remote announce = 172.20.0.255 172.20.1.255 172.20.2.255 
172.20.3.255
        local master = yes
        domain logons = yes
        wins support = yes
        os level = 254
        domain master = yes
        preferred master = yes
        name resolve order = wins lmhosts bcast
# Set the paths to the various resources on the Domain
        domain logons = yes
        logon script = %G.bat
        logon path = \\%L\Profiles\%U

# Define the interaction between smbldap tools and the server's LDAP backend
#       ldap password sync = yes
        unix password sync = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = *Nadmin1*password* %n\n *Retype*nadmin1*password* %n\n
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u'
'%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x 
'%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g'
'%u'
        add group script = /usr/sbin/smbldap-groupadd '%g' && 
/usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null 
-c 'Machine Account' -s /bin/false '%u'

# Allow members of Domain Admins to add machine accounts
        enable privileges = yes

# Define ID backend structure
# passdb backend = smbpasswd guest
#       passdb backend = tdbsam:/etc/samba/passdb.tdb
        passdb backend = ldapsam:ldap://localhost
# In case of compatibility issues
# Use the samba2 LDAP schema:
# passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest
        idmap backend = ldap:ldap://localhost
        ldap admin dn = 
cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
#       ldap ssl = start_tls
#ldap port = 389
        ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
        ldap machine suffix = ou=Hosts
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
# Example for AD-ish layout:
# ldap machine suffix = cn=Computers
# ldap user suffix = cn=Users
# ldap group suffix = cn=Groups
# ldap idmap suffix = cn=Idmap

#============================ Share Definitions 
=============================[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    veto files = 
/*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.mp4/*.mpg/*.mpeg/*.ra/*.ram/*.bas/*.bat/*.rar/
    create mask = 0660
    directory mask = 0770
    preexec = /bin/echo \"%u logged in to %m at %T\" >> 
/var/log/samba/logons.log
    postexec = /bin/echo \"%u logged off of %m at %T\" >> 
/var/log/samba/logons.log

# You can enable VFS recycle bin and on-access virus-scanning on a per
# share basis:
# Uncomment the next 2 lines (make sure you create a .recycle folder in
# the base of the share and ensure all users will have write access to it.
# For virus scanning, install samba-vscan-clamav and ensure the clamd 
service
# is running
#   vfs objects = vscan-clamav recycle
#   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Un-comment the following and create the netlogon directory for Domain 
Logons
[netlogon]
comment = Network Logon Service
path = /spare/samba/netlogon
guest ok = yes
writable = no

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
path = /spare/samba/profiles
browseable = no
guest ok = yes
writable = yes
#vfs objects = fake_perms

# A share allowing administrators to set ACLs on, or access for backup 
purposes
# all files (as root).
[admin]
path = /
admin users = +"BGS\Domain Admins"
valid users = +"BGS\Domain Admins"
browseable = no
writeable = yes


BDC:

[global]
workgroup = BGS
  passdb backend = ldapsam:ldap://smb5.bordengrammar.kent.sch.uk
  domain master = no
  domain logons = yes
  wins server = SMB5
  ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap machine suffix = ou=Hosts
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
  idmap backend = ldap:ldap://smb5.bordnegrammar.kent.sch.uk
  idmap uid = 10000-20000
  idmap gid = 10000-20000

[netlogon]
comment = Network Logon Service
path = /spare/samba/netlogon
guest ok = yes
writable = no

Member Server:

[global]
workgroup = BGS
  passdb backend = ldapsam:ldap://smb5.bordengrammar.kent.sch.uk
  domain master = no
  domain logons = no
  wins server = 172.20.0.105
  security = domain
  ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap machine suffix = ou=Hosts
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
  idmap backend = ldap:ldap://smb5.bordengrammar.kent.sch.uk
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
#  winbind separator = +
#  winbind use default domain = yes

[Apps]
comment = old P-drive structure
path = /share/apps
browseable = yes
read list = +"BGS\Domain Admins" +"BGS\Domain Users"
+BGS\teachers
BGS\pupils
write list = +"BGS\Domain Admins" +"BGS\Domain Users"
+BGS\teachers
create mask = 744
directory mask = 755
force group = users

[odrive]
comment = odrive
path = /share/odrive
browseable = yes
read list = +BGS\teachers @"Domain Admins"
write list = +BGS\teachers @"Domain Admins"
create mask = 660
directory mask = 770

[staff]
comment = Shared Directory for Staff Access Only
path = /share/staff
browseable = yes
read list = +"BGS\Domain Admins" +BGS\teachers +BGS\admin
write list = +"BGS\Domain Admins" +BGS\teachers +BGS\admin
valid users = +"BGS\Domain Admins" +BGS\teachers +BGS\admin
invalid users = +BGS\pupils
create mask = 660
directory mask = 770
force group = teachers
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = 1
recycle:noversions = 1

[Departmental]
comment = Shared Directory for Pupils
path = /share/Departmental-Files
browseable = yes
read list = +"BGS\Domain Admins" +BGS\teachers
write list = +"BGS\Domain Admins" +BGS\teachers
valid users = +"BGS\Domain Admins" +BGS\teachers
invalid users = +BGS\pupils
create mask = 0660
directory mask = 770
force user = %U
force group = %G

[pupils]
comment = Shared Directory for Pupils
path = /share/pupils
browseable = yes
read list = +"BGS\Domain Admins" +BGS\"Domain Users"
+BGS\pupils
+BGS\teachers +BGS\miscreants
write list = +"BGS\Domain Admins" +BGS\"Domain Users"
+BGS\pupils
+BGS\teachers +BGS\miscreants
create mask = 660
directory mask =770
force user = %U
force group = +BGS\teachers
veto files = 
/*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.wmv/*.mp4/*.mpg/*.mpeg/*.ra/*.ram/*.bas/*.bat/*.rar/
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = 1
recycle:noversions = 1

[coursadmin1ork]
comment = Read-Write for Teachers Read only for Pupils
path = /share/coursadmin1ork
browseable = yes
#read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils
#write list = +"BGS\Domain Admins" +BGS\teachers
#create mask = 0664
#directory mask = 0775

[admins]
comment = Access for Admins Only
path = /share/admins
browseable =  yes
read list = +"BGS\Domain Admins" admin3 admin1 admin2
write list = +"BGS\Domain Admins" admin3 admin1 admin2
create mask = 660
directory mask = 770

[resources]
comment = Open Share for Distribution
path = /share/resources
browseable = yes
read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils
+BGS\"Domain
Users"
write list = +"BGS\Domain Admins"
create mask = 440
directory mask = 770

[library]
        browseable = yes
        read list = +"BGS\Domain Admins",@@"Domain 
Users",@+BGS\teachers,@+BGS\pupils,+BGS\librarians
        write list = jfj,gpc,+"BGS\Domain Admins",+BGS\librarians
        path = /share/library
        force group = +BGS\librarians
        force user = +BGS\gpc
        comment = Library Share
        create mode = 660
        directory mode = 770

[free-software]
comment = Open Share for Distribution
path = /share/free-software
browseable = yes
read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils
write list = +"BGS\Domain Admins"
create mask = 640
directory mask = 770

[mcafee]
comment = Updates for McAfee
path = /share/mcafee
browseable = yes
write list = BGS\admin2 BGS\admin3 BGS\admin1 BGS\updater +BGS\updaters 
+"BGS\Domain Admins" @"Domain Users"
create mask = 660
directory mask = 770
# force user = admin1
# force group = +"BGS\Domain Admins"
Apparently Analagous Threads

Search for more possibly parallel threads
samba - Apr 2007 - Samba / Winbind / LDAP - Can't access shares

[Samba] Samba / Winbind / LDAP - Can't access shares

Apparently Analagous Threads

Wisdom of the Ancients
