Matt Anderson
2007-Jun-04 21:17 UTC
[Samba] Unable to set/authenticate to correct domain...
Dear Help,

I am running Samba 3.0.25 on AIX 5.3 (installed from the binaries available on samba.org including the base install -- openldap, etc.) and have set it up to authenticate to LDAP directories on two different servers (one of them set up as a samba PDC and the other as a samba BDC) in the usual way:

[global]
workgroup = mydomain
domain master = no
...
passdb backend = ldapsam:"ldaps://...
security = domain
netbios name = p505
...

And I have a share set up like the following:

[shared]
comment = shared files
path = /tmp/shares/testshare
valid users = test
read only = no
write list = test
browseable = Yes

(It will be good to note that user 'test' belongs to group 'testers'. Both 'test' and 'testers' are in the LDAP directory)

The problem I am having is that I get an "Access is denied" error when I try to connect as user test. However, if I change the share to the following:

[shared]
comment = shared files
path = /tmp/shares/testshare
valid users = +testers
read only = no
write list = +testers
browseable = Yes

I can log in as user 'test' just fine. So, naturally, I went digging into the log file and found the following issues:

1) It is successfully authenticating user 'test' and getting the correct SID values for the user and group 'testers', but they don't have any privileges:

...
get_privileges: No privileges assigned to SID [insert-test-SID-here]
...
get_privileges: No privileges assigned to SID [insert-testers-SID-here]
...
User test with invalid SID [insert-test-SID-here] in passdb
...
user 'test' (from session setup_ not permitted to access this share (shared)
...
NT_STATUS_ACCESS_DENIED

So, I then went on to run the smbd process in interactive mode (with the -i option) to see what was going on there and discovered the following:

...
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=P505))]
...

I think that this is where the problem is. For some reason it is searching for sambaDomainName P505 (which is the host name of the machine, and specified as netbios name in smb.conf) instead of sambaDomainName mydomain (which is the domain that the machine belongs to, and is specified as the workgroup name in smb.conf).

Is there a way to set what domain it is searching for? If so, where and when does that happen?

On a side note, when I start smbd, it is currently creating a P505 domain object in the LDAP directory if it doesn't already exist. So, if I delete it, it just keeps recreating it. My guess is that if I can get this samba installation to look at the mydomain object instead, things will start working.

Any thoughts, help, wisdom or insight would be greatly appreciated. Thanks!

-Matt
Matt Anderson <sokkerstud_11 <at> hotmail.com> writes:

Updated to be readable...

> Dear Help,

I am running Samba 3.0.25 on AIX 5.3 (installed from the binaries available on samba.org including the base install -- openldap, etc.) and have set it up to authenticate to LDAP directories on two different servers (one of them set up as a samba PDC and the other as a samba BDC) in the usual way:

[global]
workgroup = mydomain
domain master = no
...
passdb backend = ldapsam:"ldaps://...
security = domain
netbios name = p505
...

And I have a share set up like the following:

[shared]
comment = shared files
path = /tmp/shares/testshare
valid users = test
read only = no
write list = test
browseable = Yes

(It will be good to note that user 'test' belongs to group 'testers'. Both 'test' and 'testers' are in the LDAP directory)

The problem I am having is that I get an "Access is denied" error when I try to connect as user test. However, if I change the share to the following:

[shared]
comment = shared files
path = /tmp/shares/testshare
valid users = +testers
read only = no
write list = +testers
browseable = Yes

I can log in as user 'test' just fine. So, naturally, I went digging into the log file and found the following issues:

1) It is successfully authenticating user 'test' and getting the correct SID values for the user and group 'testers', but they don't have any privileges:

...
get_privileges: No privileges assigned to SID [insert-test-SID-here]
...
get_privileges: No privileges assigned to SID [insert-testers-SID-here]
...
User test with invalid SID [insert-test-SID-here] in passdb
...
user 'test' (from session setup_ not permitted to access this share (shared)
...
NT_STATUS_ACCESS_DENIED

So, I then went on to run the smbd process in interactive mode (with the -i option) to see what was going on there and discovered the following:

...
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=P505))]
...

I think that this is where the problem is. For some reason it is searching for sambaDomainName P505 (which is the host name of the machine, and specified as netbios name in smb.conf) instead of sambaDomainName mydomain (which is the domain that the machine belongs to, and is specified as the workgroup name in smb.conf).

Is there a way to set what domain it is searching for? If so, where and when does that happen?

On a side note, when I start smbd, it is currently creating a P505 domain object in the LDAP directory if it doesn't already exist. So, if I delete it, it just keeps recreating it. My guess is that if I can get this samba installation to look at the mydomain object instead, things will start working.

Any thoughts, help, wisdom or insight would be greatly appreciated. Thanks!

-Matt
Matt Anderson
2007-Jun-05 19:55 UTC
[Samba] Unable to set/authenticate to correct domain...
Dear Help,

I am currently running Samba 3.0.25 on AIX 5.3 (installed from the downloaded binaries from samba.org). I have configured Samba to authenticate to an LDAP backend on different servers (Two other samba configurations, one set up as PDC the other as BDC) in the usual way:

workgroup = mydomain
...
passdb = ldapsam:"ldaps://...
security = domain
domain master = no
netbios name = p505
...

I have a share set up like the following:

[shared]
comment = shared files
path = /tmp/shares/testshare
valid users = test
read only = no
write list = test
browseable = Yes

(It will be good to note that user 'test' belongs to a group called 'testers'. Both 'test' and 'testers' are in the LDAP directory)

The main problem is that if I try to connect to the "shared" share, it fails with an access is denied message. However, if I change the configuration to look like the following:

[shared]
comment = shared files
path = /tmp/shares/testshare
valid users = +testers
read only = no
write list = +testers
browseable = Yes

I can log in as 'test' and everything works fine.

Based on the log files (running smbd with the -i option), I've come up with the following issues:

1) It correctly gets the user's SID and group SID but goes on to say that it authenticates successfully, but that the SIDs have no privileges:

"get_privileges: No privileges assigned to SID [insert-test-SID-here]"
...
"get_privileges: No privileges assigned to SID [insert-testers-SID-here]"
...
"User test with invalid SID [insert-test-SID-here] in passdb"
...
"user 'test (from session setup) not permitted to access this share (shared)"

2) smbd doesn't seem to be searching for the correct domain object in the LDAP directory when it starts up. Note the following from when I ran smbd -i -d 3:

...
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=p505))]
...

My guess is this is where the problem is. Instead of searching for the domain "mydomain" (which is the value set for workgroup in smb.conf and the machine is joined to the mydomain domain) it is searching for sambaDomainName p505 -- which is the hostname of the machine (as specified in the value set for netbios name in smb.conf).

Is there a way to change what domain smbldap_search_domain_info is looking for? If so, when and where does that need to take place? Also, if I delete the p505 domain object from the LDAP directory, the smbd process just creates it again every time it is started since it can't find it.

Any help, insight, wisdom or guidance would be most appreciated. If there's any other information I can provide, just let me know. Thanks!

-Matt
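
Added example (not part of the original posts and not Samba code): a small Python check for the comparison the post describes, reporting whether the sambaDomainName in an smbldap_search_domain_info filter matches the workgroup or the netbios name from smb.conf. The smb.conf text and log lines are constructed samples based on the values quoted above, and the function names are hypothetical.

```python
import configparser
import re

# Constructed smb.conf sample using the settings quoted in the post
# (the elided "..." lines and the truncated passdb value are left out).
SMB_CONF = """\
[global]
workgroup = mydomain
domain master = no
security = domain
netbios name = p505
"""

# Constructed log excerpt in the shape the post quotes from `smbd -i -d 3`.
LOG = """\
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=P505))]
get_privileges: No privileges assigned to SID [insert-test-SID-here]
"""

FILTER_RE = re.compile(r"smbldap_search_domain_info: Searching for:\[(.*)\]\s*$")
NAME_RE = re.compile(r"\(sambaDomainName=([^)]*)\)", re.IGNORECASE)


def global_names(conf_text):
    """Return the workgroup and netbios name from the [global] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    g = cp["global"]
    return {"workgroup": g.get("workgroup", ""),
            "netbios name": g.get("netbios name", "")}


def searched_domains(log_text):
    """Extract every sambaDomainName value from domain-info search lines."""
    found = []
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            found.extend(NAME_RE.findall(m.group(1)))
    return found


def classify(conf_text, log_text):
    """Pair each searched domain with the smb.conf setting(s) it equals."""
    names = global_names(conf_text)
    result = []
    for dom in searched_domains(log_text):
        hits = [k for k, v in names.items() if v and v.lower() == dom.lower()]
        result.append((dom, hits or ["neither"]))
    return result


if __name__ == "__main__":
    for dom, hits in classify(SMB_CONF, LOG):
        print(f"searched sambaDomainName={dom!r} matches: {', '.join(hits)}")
```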