Tiucra-Popa Florin Catalin
2007-Apr-27 09:15 UTC
[Samba] Option valid user not expanded for groups
Hi,

I have an AIX 5.3 machine with Samba 3.0.24c joined into one Windows 2003 ADS server OK.
I can request basic information, user lookup, domain lookup (wbinfo, id, net groupmap).

When I want to access the share \\node05\brom from one Windows station I receive a popup window password.

In the log of the samba for that machine I found:

[2007/04/27 10:48:27, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:28, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/04/27 10:48:29, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
[2007/04/27 10:48:29, 2] smbd/service.c:make_connection_snum(580)
  user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
[2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:53, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/04/27 10:48:53, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
[2007/04/27 10:48:53, 2] smbd/service.c:make_connection_snum(580)
  user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)

My smb.conf looks like:

[global]
    unix charset = LOCALE
    workgroup = TPDCBR
    realm = TPDCBR.ROM
    netbios name = NODE05
    dns proxy = No
    server string = NODE05 AIX
    security = ads
    password server = 10.99.0.4
    encrypt passwords = yes
    name resolve order = host
    log level = 10
    syslog = 0
    username map = /samba/private/smbusers
    log file = /samba/var/log/%m
    max log size = 5000
    ldap ssl = no
    winbind uid = 10000-59999
    winbind gid = 10000-59999
    idmap uid = 10000-60000
    idmap gid = 10000-60000
    template shell = /bin/ksh
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = Yes
    winbind separator = +
    auth methods = winbind
    acl compatibility = win2k
    winbind cache time = 10
    bind interfaces only = yes
    client use spnego = no
    socket address = 10.99.0.201
    allow trusted domains = no
    #use kerberos keytab = yes
    socket options = TCP_NODELAY
    #map acl inherit = Yes

[brom]
    comment = inhouse brom
    path = /u09/inhouse/brom
    read only = No
    browseable = yes
    #valid users =@"Computers", @"domain users"
    valid users = @"domain users"
    create mask = 0777
    directory mask = 0777
    force create mode = 0777
    force directory mode = 0777

I also made a test with only one user valid like this:
    valid users = TPDCBR.ROM+node05
and this is working ok.

Thank you.
I believe this won't be possible via smb.conf. As far as I know, group names with spaces are invalid under *nix.

Try to gather some more information about the use of the net command such as "net groupmap list".

I guess you will have to try some other way. I've got small knowledge about ADS and SAMBA as BDC. Maybe this auth should be performed by the ADS server or should you try further help about "net ads".

Mauricio
Tiucra-Popa Florin Catalin
2007-Apr-27 16:40 UTC
[Samba] Option valid user not expanded for groups
Good evening again,

Increasing the log level I found that the expansion is not made because of the empty user:

[2007/04/27 19:26:57, 3] smbd/process.c:process_smb(1110)
  Transaction 89 of length 290
[2007/04/27 19:26:57, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 221358) conn 0x0
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/27 19:26:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/04/27 19:26:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/04/27 19:26:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/04/27 19:26:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[] domain=[] workstation=[BROM900LMLY7HA] len1=1 len2=0
[2007/04/27 19:26:57, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user []\[]@[BROM900LMLY7HA] with the new password interface
[2007/04/27 19:26:57, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [TPDCBR]\[]@[BROM900LMLY7HA]
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/04/27 19:26:57, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/27 19:26:57, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 19:26:57, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2007/04/27 19:26:57, 3] smbd/process.c:process_smb(1110)
  Transaction 90 of length 90

Could it be a bug in the check_ntlm_password function?

Thank you.
FlorinT

----- Original Message ----
From: Mauricio Silveira <msilveira@linuxbr.com>
To: Tiucra-Popa Florin Catalin <popa_c@yahoo.com>
Cc: sambalist <samba@lists.samba.org>
Sent: Friday, April 27, 2007 3:34:01 PM
Subject: Re: [Samba] Option valid user not expanded for groups

I believe this won't be possible via smb.conf. As far as I know, group names with spaces are invalid under *nix.

Try to gather some more information about the use of the net command such as "net groupmap list".

I guess you will have to try some other way. I've got small knowledge about ADS and SAMBA as BDC. Maybe this auth should be performed by the ADS server or should you try further help about "net ads".

Mauricio
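The level 2 smbd entries quoted in this thread record two different outcomes: session setups with an empty user name that fail authentication, and a share denial that names TPDCBR+node05, a user whose authentication succeeded in the entry before it. The Python below is an added example, not part of the thread and not Samba code, that separates the two; the sample log is taken from the first message, and the function names and report keys are assumptions of this example.

```python
import re

# Sample input: level 2 entries taken from the smbd log quoted in the first
# message of this thread (Samba's two-line layout: header, then message).
SAMPLE_LOG = """\
[2007/04/27 10:48:27, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:28, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/04/27 10:48:29, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
[2007/04/27 10:48:29, 2] smbd/service.c:make_connection_snum(580)
  user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
"""

# "[date time, level] file.c:function(line)" starts every entry.
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\] (\S+?):(\w+)\((\d+)\)"
)

# Message shapes that appear in the thread's log.
PATTERNS = [
    ("auth_failed", re.compile(
        r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] "
        r"FAILED with error (?P<status>\S+)")),
    ("auth_ok", re.compile(
        r"authentication for user \[[^\]]*\] -> \[[^\]]*\] -> "
        r"\[(?P<user>[^\]]*)\] succeeded")),
    ("share_denied", re.compile(
        r"user '(?P<user>[^']*)' \(from session setup\) "
        r"not permitted to access this share \((?P<share>[^)]*)\)")),
]


def parse_entries(text):
    """Split a log into entries. Works on the two-line layout and on a log
    flattened onto one line, because it cuts at headers, not at newlines."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "time": head.group(1),
            "level": int(head.group(2)),
            "where": f"{head.group(3)}:{head.group(4)}",
            "msg": " ".join(text[head.end():end].split()),
        })
    return entries


def triage(text):
    """Separate authentication failures from share authorization denials."""
    report = {
        "anonymous_auth_failures": 0,   # empty user name, e.g. user []
        "named_auth_failures": [],      # (time, user, NT status)
        "denied_after_auth": [],        # (time, user, share): authorization
        "denied_without_auth": [],      # denial with no earlier success seen
    }
    authenticated = set()
    for entry in parse_entries(text):
        for kind, pattern in PATTERNS:
            m = pattern.search(entry["msg"])
            if not m:
                continue
            if kind == "auth_failed":
                if m["user"] == "":
                    report["anonymous_auth_failures"] += 1
                else:
                    report["named_auth_failures"].append(
                        (entry["time"], m["user"], m["status"]))
            elif kind == "auth_ok":
                authenticated.add(m["user"])
            else:
                key = ("denied_after_auth" if m["user"] in authenticated
                       else "denied_without_auth")
                report[key].append((entry["time"], m["user"], m["share"]))
            break
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An entry under denied_after_auth means the user logged on successfully and was refused at the share, so the place to look is how the share's access list resolves for that user rather than the logon itself.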
Cleber P. de Souza
2007-Apr-28 15:16 UTC
[Samba] Option valid user not expanded for groups
Is your 'net groupmap' set properly for this domain?

--
***
Cleber P. de Souza
Tiucra-Popa Florin Catalin
2007-Apr-29 20:59 UTC
[Samba] Option valid user not expanded for groups
Hi again,

Command net groupmap shows:

root@node05 /samba/var/log #/samba/bin/net groupmap list
Administrators (S-1-5-32-544) -> BUILTIN+administrators
Users (S-1-5-32-545) -> BUILTIN+users

The browsing is working ok for users, but is not working for groups.

FlorinT

----- Original Message ----
From: Cleber P. de Souza <cleberps@gmail.com>
To: Tiucra-Popa Florin Catalin <popa_c@yahoo.com>
Cc: sambalist <samba@lists.samba.org>
Sent: Saturday, April 28, 2007 6:15:55 PM
Subject: Re: [Samba] Option valid user not expanded for groups

Is your 'net groupmap' set properly for this domain?
Tiucra-Popa Florin Catalin
2007-Apr-30 06:23 UTC
[Samba] Option valid user not expanded for groups
Hi Cleber,

I joined an old version of SAMBA, Version 3.0.20b (1 year ago), and there was no need to create/recreate mappings.
Unfortunately the winbind_idmap.tdb for that machine is for another Domain Controller and I cannot populate the TPDCBR.

Take a look at the old samba machine idmap:

root@node01 / # /opt/freeware/samba/bin/net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Domain Admins (S-1-5-21-2871169248-3070897773-91520546-512) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-2871169248-3070897773-91520546-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Guests (S-1-5-21-2871169248-3070897773-91520546-514) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

To create the group mapping manually is not helpful because from time to time new groups are created on AD.
Does another way to map groups/users exist?

Thanx,
FlorinT

----- Original Message ----
From: Cleber P. de Souza <cleberps@gmail.com>
To: Tiucra-Popa Florin Catalin <popa_c@yahoo.com>
Cc: sambalist <samba@lists.samba.org>
Sent: Monday, April 30, 2007 5:49:13 AM
Subject: Re: [Samba] Option valid user not expanded for groups

You do need to create the ldap group for samba using the built-in SIDs for these internal groups or creating a new one for others and set the group mappings.

--
***
Cleber P. de Souza