Julian Pilfold-Bagwell
2007-Apr-18 00:22 UTC
[Samba] Samba / Winbind / LDAP - Can't access shares
Hi All, I have the following setup: a Samba/LDAP PDC, a Samba BDC, a Samba member server, a Win2K member server, and 300 Win XP client PCs. I can access the shares on the PDC from all Win XP clients. I can access the shares on the Win2K member server from all XP clients; I can't, however, access any of the shares on the Samba BDC or Samba member server from the XP clients. LDAP is working fine and PAM/LDAP/NSS are working fine. getent works for users and groups on all Samba servers, and net groupmap list provides identical group mapping across all Samba servers. I can do things like chmod user."Domain Admins" and it works. I can use setfacl and generate ACLs with domain groups in them and it works, but I cannot access the shares on the Samba servers from anywhere on the network. wbinfo works on the Samba member server but cannot look up users and groups when run on the PDC and BDC. The OSes are Mandriva 2007 and Ubuntu Edgy. The Samba version is 3.0.23d. All machine names are resolvable via nmblookup and nslookup, and I've been through every document and howto I can find as well as loads of Google searches but have not managed to resolve it yet. All help gratefully received. Cheers, Jools The smb.conf files are as follows: PDC: [global] # General Options for domain workgroup = BGS netbios name = SMB5 server string = Samba Server %v log file = /var/log/samba/%m.log max log size = 50 # hosts allow = 172.20.0. 172.20.1. 172.20.2. 127. 
map to guest = bad user security = user encrypt passwords = yes smb passwd file = /etc/samba/smbpasswd # unix password sync = Yes # pam password change = yes # passwd program = /usr/bin/passwd '%u' # passwd chat = *Nadmin1*UNIX*password* %n\n *Re*ype*nadmin1*UNIX*password* %n\n \ # *passwd:*all*authentication*tokens*updated*successfully* # username map = /etc/samba/smbusers include = /etc/samba/smb.conf.%m wins support = yes # wins server = 127.0.0.1 dns proxy = no dos charset = 850 unix charset = ISO8859-1 admin users = BGS\admin3 BGS\admin1 BGS\admin2 +"BGS\Domain Admins" log level = 10 # winbind separator = + # winbind enum users = yes # winbind enum groups = yes idmap uid = 10000-20000 idmap gid = 10000-20000 # winbind use default domain =yes # Tune Samba and detrmine its priority in the Domain socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 # remote announce = 172.20.0.255 172.20.1.255 172.20.2.255 172.20.3.255 local master = yes domain logons = yes wins support = yes os level = 254 domain master = yes preferred master = yes name resolve order = wins lmhosts bcast # Set the paths to the various resources on the Domain domain logons = yes logon script = %G.bat logon path = \\%L\Profiles\%U # Define the interaction between smbldap tools and the server's LDAP backend # ldap password sync = yes unix password sync = Yes passwd program = /usr/sbin/smbldap-passwd -u %u passwd chat = *Nadmin1*password* %n\n *Retype*nadmin1*password* %n\n add user script = /usr/sbin/smbldap-useradd -m '%u' delete user script = /usr/sbin/smbldap-userdel '%u' add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g' set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}' delete group script = /usr/sbin/smbldap-groupdel '%g' add machine script = /usr/sbin/smbldap-useradd -w 
-d /dev/null -c 'Machine Account' -s /bin/false '%u' # Allow members of Domain Admins to add machine accounts enable privileges = yes # Define ID backend structure # passdb backend = smbpasswd guest # passdb backend = tdbsam:/etc/samba/passdb.tdb passdb backend = ldapsam:ldap://localhost # In case of compatibility issues # Use the samba2 LDAP schema: # passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest idmap backend = ldap:ldap://localhost ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk # ldap ssl = start_tls #ldap port = 389 ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk ldap machine suffix = ou=Hosts ldap user suffix = ou=People ldap group suffix = ou=Group ldap idmap suffix = ou=Idmap # Example for AD-ish layout: # ldap machine suffix = cn=Computers # ldap user suffix = cn=Users # ldap group suffix = cn=Groups # ldap idmap suffix = cn=Idmap #============================ Share Definitions =============================[homes] comment = Home Directories browseable = no writable = yes veto files = /*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.mp4/*.mpg/*.mpeg/*.ra/*.ram/*.bas/*.bat/*.rar/ create mask = 0660 directory mask = 0770 preexec = /bin/echo \"%u logged in to %m at %T\" >> /var/log/samba/logons.log postexec = /bin/echo \"%u logged off of %m at %T\" >> /var/log/samba/logons.log # You can enable VFS recycle bin and on-access virus-scanning on a per # share basis: # Uncomment the next 2 lines (make sure you create a .recycle folder in # the base of the share and ensure all users will have write access to it. 
# For virus scanning, install samba-vscan-clamav and ensure the clamd service # is running # vfs objects = vscan-clamav recycle # vscan-clamav: config-file = /etc/samba/vscan-clamav.conf # Un-comment the following and create the netlogon directory for Domain Logons [netlogon] comment = Network Logon Service path = /spare/samba/netlogon guest ok = yes writable = no # Un-comment the following to provide a specific roving profile share # the default is to use the user's home directory [Profiles] path = /spare/samba/profiles browseable = no guest ok = yes writable = yes #vfs objects = fake_perms # A share allowing administrators to set ACLs on, or access for backup purposes # all files (as root). [admin] path = / admin users = +"BGS\Domain Admins" valid users = +"BGS\Domain Admins" browseable = no writeable = yes BDC: [global] workgroup = BGS passdb backend = ldapsam:ldap://smb5.bordengrammar.kent.sch.uk domain master = no domain logons = yes wins server = SMB5 ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk ldap user suffix = ou=People ldap group suffix = ou=Group ldap machine suffix = ou=Hosts ldap idmap suffix = ou=Idmap ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk idmap backend = ldap:ldap://smb5.bordnegrammar.kent.sch.uk idmap uid = 10000-20000 idmap gid = 10000-20000 [netlogon] comment = Network Logon Service path = /spare/samba/netlogon guest ok = yes writable = no Member Server: [global] workgroup = BGS passdb backend = ldapsam:ldap://smb5.bordengrammar.kent.sch.uk domain master = no domain logons = no wins server = 172.20.0.105 security = domain ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk ldap user suffix = ou=People ldap group suffix = ou=Group ldap machine suffix = ou=Hosts ldap idmap suffix = ou=Idmap ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk idmap backend = ldap:ldap://smb5.bordengrammar.kent.sch.uk idmap uid = 10000-20000 idmap gid = 10000-20000 winbind enum users = yes winbind enum groups 
= yes # winbind separator = + # winbind use default domain = yes [Apps] comment = old P-drive structure path = /share/apps browseable = yes read list = +"BGS\Domain Admins" +"BGS\Domain Users" +BGS\teachers BGS\pupils write list = +"BGS\Domain Admins" +"BGS\Domain Users" +BGS\teachers create mask = 744 directory mask = 755 force group = users [odrive] comment = odrive path = /share/odrive browseable = yes read list = +BGS\teachers @"Domain Admins" write list = +BGS\teachers @"Domain Admins" create mask = 660 directory mask = 770 [staff] comment = Shared Directory for Staff Access Only path = /share/staff browseable = yes read list = +"BGS\Domain Admins" +BGS\teachers +BGS\admin write list = +"BGS\Domain Admins" +BGS\teachers +BGS\admin valid users = +"BGS\Domain Admins" +BGS\teachers +BGS\admin invalid users = +BGS\pupils create mask = 660 directory mask = 770 force group = teachers vfs objects = recycle recycle:repository = .recycle recycle:keeptree = 1 recycle:noversions = 1 [Departmental] comment = Shared Directory for Pupils path = /share/Departmental-Files browseable = yes read list = +"BGS\Domain Admins" +BGS\teachers write list = +"BGS\Domain Admins" +BGS\teachers valid users = +"BGS\Domain Admins" +BGS\teachers invalid users = +BGS\pupils create mask = 0660 directory mask = 770 force user = %U force group = %G [pupils] comment = Shared Directory for Pupils path = /share/pupils browseable = yes read list = +"BGS\Domain Admins" +BGS\"Domain Users" +BGS\pupils +BGS\teachers +BGS\miscreants write list = +"BGS\Domain Admins" +BGS\"Domain Users" +BGS\pupils +BGS\teachers +BGS\miscreants create mask = 660 directory mask =770 force user = %U force group = +BGS\teachers veto files = /*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.wmv/*.mp4/*.mpg/*.mpeg/*.ra/*.ram/*.bas/*.bat/*.rar/ vfs objects = recycle recycle:repository = .recycle recycle:keeptree = 1 recycle:noversions = 1 [coursadmin1ork] comment = Read-Write for Teachers Read only for Pupils path = /share/coursadmin1ork 
browseable = yes #read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils #write list = +"BGS\Domain Admins" +BGS\teachers #create mask = 0664 #directory mask = 0775 [admins] comment = Access for Admins Only path = /share/admins browseable = yes read list = +"BGS\Domain Admins" admin3 admin1 admin2 write list = +"BGS\Domain Admins" admin3 admin1 admin2 create mask = 660 directory mask = 770 [resources] comment = Open Share for Distribution path = /share/resources browseable = yes read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils +BGS\"Domain Users" write list = +"BGS\Domain Admins" create mask = 440 directory mask = 770 [library] browseable = yes read list = +"BGS\Domain Admins",@@"Domain Users",@+BGS\teachers,@+BGS\pupils,+BGS\librarians write list = jfj,gpc,+"BGS\Domain Admins",+BGS\librarians path = /share/library force group = +BGS\librarians force user = +BGS\gpc comment = Library Share create mode = 660 directory mode = 770 [free-software] comment = Open Share for Distribution path = /share/free-software browseable = yes read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils write list = +"BGS\Domain Admins" create mask = 640 directory mask = 770 [mcafee] comment = Updates for McAfee path = /share/mcafee browseable = yes write list = BGS\admin2 BGS\admin3 BGS\admin1 BGS\updater +BGS\updaters +"BGS\Domain Admins" @"Domain Users" create mask = 660 directory mask = 770 # force user = admin1 # force group = +"BGS\Domain Admins"