samba - Dec 2007 - Problems with Samba and Active Directory

Afternoon!

Let me apologize first if this is something soooo simple, but i have been
working on this for days and I'm still stuck on one part.

Where to start.  Small user environment (under 100 users) using Active
Directory on Win 2k3 server.  Running Fedora 8 on a server, and I am trying
to get it added to the domain, and to be able to access a share using
Windows usernames and passwords.

The server (known from here as fedoraftp) can kinit

[root@fedoraftp /]# kinit Administrator
Password for Administrator@DOMAIN.LOCAL:
[root@fedoraftp /]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN.LOCAL

Valid starting     Expires            Service principal
12/28/07 12:44:31  12/28/07 22:44:35  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 12/29/07 12:44:31


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@fedoraftp /]#

It can join the domain
[root@fedoraftp /]# net ads join -U Administrator
Administrator's password:
Using short domain name -- DOMAIN
Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
[root@fedoraftp /]#

wbinfo -u, wbinfo -g, getent passwd and getent group both show correct
information (not going to show output).  I can also login locally on
fedoraftp using my windows username and password and not have any issues.
What i cannot get to work is accessing the share, as it wont take any
username/password thrown at it.

smb.conf
[global]
        log file = /var/log/samba/log.%m
        guest account = admin
        load printers = no
        show add printer wizard = No
        idmap gid = 10000-20000
        smb passwd file = /etc/samba/smbpasswd
        unix password sync = yes
        guest ok = yes
        encrypt passwords = yes
        realm = PIPFS.LOCAL
        template shell = /bin/bash
        netbios name = FEDORAFTP
        cups options = raw
        server string = Fedora Server Ver %v
        idmap uid = 10000-20000
        password server = 192.168.0.240
        winbind nested groups = yes
        workgroup = PIPFS
        dns proxy = no
        passwd program = /usr/bin/passwd %u
        obey pam restrictions = yes
        os level = 20
        security = ads
        preferred master = no
        max log size = 50
        winbind separator = #
        winbind cache time = 0
        log level = 3
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        passdb backend = tdbsam

[FTP]
        msdfs root = yes
        inherit permissions = yes
        writeable = yes
        admin users = @"domain users"
        path = /home/ftpshare/
        create mask = 700
        directory mask = 700
        valid users = admin,@"domain users",
        inherit acls = yes
        ; public=yes

Output of /var/log/samba/log.smbd

[2007/12/28 12:53:05, 0] smbd/server.c:main(944)
  smbd version 3.0.28-0.fc8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/12/28 12:53:05, 2] param/loadparm.c:do_section(3796)
  Processing section "[FTP]"
[2007/12/28 12:53:05, 3] param/loadparm.c:lp_add_ipc(2711)
  adding IPC service
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
  reload status: ok
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
  reload status: ok
[2007/12/28 12:53:05, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.0.50 bcast=192.168.0.255 nmask=255.255.255.0
[2007/12/28 12:53:05, 3] smbd/server.c:main(982)
  loaded services
[2007/12/28 12:53:05, 3] smbd/server.c:main(997)
  Becoming a daemon.
[2007/12/28 12:53:05, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
  Registered MSG_REQ_POOL_USAGE
[2007/12/28 12:53:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
  store_gid_sid_cache: gid 0 in cache ->
S-1-5-21-3422581952-716862249-2814536807-1002
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
  store_gid_sid_cache: gid 10000 in cache -> S-1-5-32-544
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
  store_gid_sid_cache: gid 10001 in cache -> S-1-5-32-545
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-0]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-22-1-0
  se_access_check: also S-1-5-32-544
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "192.168.0.240, 192.168.0.240"
[2007/12/28 12:53:05, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 192.168.0.240
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = pipdc01$@DOMAIN.LOCAL
[2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
expiration Fri, 28 Dec 2007 22:53:05 CST
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
  store_gid_sid_cache: gid 10008 in cache ->
S-1-5-21-1220945662-682003330-839522115-513
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
  fetch gid from cache 10000 -> S-1-5-32-544
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
  fetch gid from cache 10001 -> S-1-5-32-545
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3422581952-716862249-2814536807-501]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID
[S-1-5-21-1220945662-682003330-839522115-513]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-10008]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-32-545]
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
  fetch gid from cache 10008 -> S-1-5-21-1220945662-682003330-839522115-513
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
  fetch gid from cache 10001 -> S-1-5-32-545
[2007/12/28 12:53:05, 3] printing/printing.c:start_background_queue(1388)
  start_background_queue: Starting background LPQ thread
[2007/12/28 12:53:05, 2] smbd/server.c:open_sockets_smbd(458)
  waiting for a connection


The main thing i see in the log from the computer trying to connect is (log
is huge...not going to post it all)

[2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
  user 'DOMAIN#redwards' (from session setup) not permitted to access
this
share (FTP)
[2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED

redwards is part of the group "Domain Users"
Im at a HUGE loss right now how to go about this, as im still pretty green
to this whole type of setup.  Any advice would be helpful. If more info is
required, please ask and ill provide it as i would like to resolve this
issue.

Cheers!

Thanks, but now it throws a different error :(
>From log of computer tryin to connect to the share
[2007/12/28 13:40:54, 3]
libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
Decrypt integrity check failed
[2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check
failed)
[2007/12/28 13:40:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2007/12/28 13:40:54, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2007/12/28 13:40:54, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).


noticed this in the log.smbd file


[2007/12/28 13:40:19, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = pipdc01$@PIPFS.LOCAL
[2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
expiration Fri, 28 Dec 2007 23:40:19 CST


Any other thoughts? :)

Cheers!


On Dec 28, 2007 1:29 PM, Dale Schroeder <dale@briannassaladdressing.com>
wrote:
> Ryan,
>
> In your share try prefacing domain users and groups with the workgroup:
>
>    admin users = @"PIPFS#Domain Users"
>    valid users = @"PIPFS#Domain Users"
>
> This is required since Samba 3.0.23.
>
> Good luck,
> Dale
>
> Ryan wrote:
> > Afternoon!
> >
> > Let me apologize first if this is something soooo simple, but i have
> been
> > working on this for days and I'm still stuck on one part.
> >
> > Where to start.  Small user environment (under 100 users) using Active
> > Directory on Win 2k3 server.  Running Fedora 8 on a server, and I am
> trying
> > to get it added to the domain, and to be able to access a share using
> > Windows usernames and passwords.
> >
> > The server (known from here as fedoraftp) can kinit
> >
> > [root@fedoraftp /]# kinit Administrator
> > Password for Administrator@DOMAIN.LOCAL:
> > [root@fedoraftp /]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@DOMAIN.LOCAL
> >
> > Valid starting     Expires            Service principal
> > 12/28/07 12:44:31  12/28/07 22:44:35  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> >         renew until 12/29/07 12:44:31
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > [root@fedoraftp /]#
> >
> > It can join the domain
> > [root@fedoraftp /]# net ads join -U Administrator
> > Administrator's password:
> > Using short domain name -- DOMAIN
> > Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
> > [root@fedoraftp /]#
> >
> > wbinfo -u, wbinfo -g, getent passwd and getent group both show correct
> > information (not going to show output).  I can also login locally on
> > fedoraftp using my windows username and password and not have any
> issues.
> > What i cannot get to work is accessing the share, as it wont take any
> > username/password thrown at it.
> >
> > smb.conf
> > [global]
> >         log file = /var/log/samba/log.%m
> >         guest account = admin
> >         load printers = no
> >         show add printer wizard = No
> >         idmap gid = 10000-20000
> >         smb passwd file = /etc/samba/smbpasswd
> >         unix password sync = yes
> >         guest ok = yes
> >         encrypt passwords = yes
> >         realm = PIPFS.LOCAL
> >         template shell = /bin/bash
> >         netbios name = FEDORAFTP
> >         cups options = raw
> >         server string = Fedora Server Ver %v
> >         idmap uid = 10000-20000
> >         password server = 192.168.0.240
> >         winbind nested groups = yes
> >         workgroup = PIPFS
> >         dns proxy = no
> >         passwd program = /usr/bin/passwd %u
> >         obey pam restrictions = yes
> >         os level = 20
> >         security = ads
> >         preferred master = no
> >         max log size = 50
> >         winbind separator = #
> >         winbind cache time = 0
> >         log level = 3
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         winbind use default domain = yes
> >         passdb backend = tdbsam
> >
> > [FTP]
> >         msdfs root = yes
> >         inherit permissions = yes
> >         writeable = yes
> >         admin users = @"domain users"
> >         path = /home/ftpshare/
> >         create mask = 700
> >         directory mask = 700
> >         valid users = admin,@"domain users",
> >         inherit acls = yes
> >         ; public=yes
> >
> > Output of /var/log/samba/log.smbd
> >
> > [2007/12/28 12:53:05, 0] smbd/server.c:main(944)
> >   smbd version 3.0.28-0.fc8 started.
> >   Copyright Andrew Tridgell and the Samba Team 1992-2007
> > [2007/12/28 12:53:05, 2] param/loadparm.c:do_section(3796)
> >   Processing section "[FTP]"
> > [2007/12/28 12:53:05, 3] param/loadparm.c:lp_add_ipc(2711)
> >   adding IPC service
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> >   reloading printcap cache
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> >   reload status: ok
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> >   reloading printcap cache
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> >   reload status: ok
> > [2007/12/28 12:53:05, 2] lib/interface.c:add_interface(81)
> >   added interface ip=192.168.0.50 bcast=192.168.0.255 nmask>
255.255.255.0
> > [2007/12/28 12:53:05, 3] smbd/server.c:main(982)
> >   loaded services
> > [2007/12/28 12:53:05, 3] smbd/server.c:main(997)
> >   Becoming a daemon.
> > [2007/12/28 12:53:05, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
> >   Registered MSG_REQ_POOL_USAGE
> > [2007/12/28 12:53:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
> >   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 0 in cache ->
> > S-1-5-21-3422581952-716862249-2814536807-1002
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 10000 in cache -> S-1-5-32-544
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 10001 in cache -> S-1-5-32-545
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-22-1-0]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-11]
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] libsmb/namequery.c:get_dc_list(1489)
> >   get_dc_list: preferred server list: "192.168.0.240,
192.168.0.240"
> > [2007/12/28 12:53:05, 3] libads/ldap.c:ads_connect(394)
> >   Connected to LDAP server 192.168.0.240
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
> >   ads_sasl_spnego_bind: got server principal name >
pipdc01$@DOMAIN.LOCAL
> > [2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
> >   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> > [2007/12/28 12:53:05, 3]
libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
> >   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> > expiration Fri, 28 Dec 2007 22:53:05 CST
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 10008 in cache ->
> > S-1-5-21-1220945662-682003330-839522115-513
> > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10000 -> S-1-5-32-544
> > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10001 -> S-1-5-32-545
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID
> > [S-1-5-21-3422581952-716862249-2814536807-501]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID
> > [S-1-5-21-1220945662-682003330-839522115-513]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-32-546]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-22-2-10008]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-32-545]
> > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10008 ->
> S-1-5-21-1220945662-682003330-839522115-513
> > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10001 -> S-1-5-32-545
> > [2007/12/28 12:53:05, 3]
> printing/printing.c:start_background_queue(1388)
> >   start_background_queue: Starting background LPQ thread
> > [2007/12/28 12:53:05, 2] smbd/server.c:open_sockets_smbd(458)
> >   waiting for a connection
> >
> >
> > The main thing i see in the log from the computer trying to connect is
> (log
> > is huge...not going to post it all)
> >
> > [2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
> >   user 'DOMAIN#redwards' (from session setup) not permitted to
access
> this
> > share (FTP)
> > [2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
> > NT_STATUS_ACCESS_DENIED
> >
> > redwards is part of the group "Domain Users"
> > Im at a HUGE loss right now how to go about this, as im still pretty
> green
> > to this whole type of setup.  Any advice would be helpful. If more
info
> is
> > required, please ask and ill provide it as i would like to resolve
this
> > issue.
> >
> > Cheers!
> >
>

I have version 5 installed, that was just the output of klist

Ya i have followed that and still no luck.  Accually, now im getting
different errors!  GAH!

When i try to connect after restarting the services, the logfile seems to
show its passing the domain FEDORAFTP.....which makes NO sence

[2007/12/28 14:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2007/12/28 14:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1]
PrimaryDomain=[]
[2007/12/28 14:14:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[redwards] domain=[FEDORAFTP] workstation=[PIP03572] len1=24
len2=24

now i have the WTF going on lol

On Dec 28, 2007 2:01 PM, Dale Schroeder <dale@briannassaladdressing.com>
wrote:
>  Maybe it was a typo, but you mentioned Kerberos 4 in the original post.
> Do you have version 5 installed?
>
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > [root@fedoraftp /]#
>
> Not knowing everything you've done, perhaps try comparing what you did
to
> the following two articles.  These are what I follow.
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
>
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
>
> They cover Samba/winbind/nsswitch/kerberos/pam - everything needed for ADS
> integration.
>
> Dale
>
> Ryan wrote:
>
> Thanks, but now it throws a different error :(
>
> From log of computer tryin to connect to the share
>
> [2007/12/28 13:40:54, 3]
> libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
>   ads_secrets_verify_ticket: enc type [23] failed to decrypt with error
> Decrypt integrity check failed
> [2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
>   ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check
> failed)
> [2007/12/28 13:40:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> [2007/12/28 13:40:54, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2007/12/28 13:40:54, 3] smbd/process.c:timeout_processing(1328)
>   timeout_processing: End of file from client (client has disconnected).
>
>
> noticed this in the log.smbd file
>
>
> [2007/12/28 13:40:19, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
>   ads_sasl_spnego_bind: got server principal name = pipdc01$@PIPFS.LOCAL
> [2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> [2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> expiration Fri, 28 Dec 2007 23:40:19 CST
>
>
> Any other thoughts? :)
>
> Cheers!
>
>
> On Dec 28, 2007 1:29 PM, Dale Schroeder
<dale@briannassaladdressing.com>
> wrote:
>
> > Ryan,
> >
> > In your share try prefacing domain users and groups with the
workgroup:
> >
> >    admin users = @"PIPFS#Domain Users"
> >    valid users = @"PIPFS#Domain Users"
> >
> > This is required since Samba 3.0.23.
> >
> > Good luck,
> > Dale
> >
> > Ryan wrote:
> > > Afternoon!
> > >
> > > Let me apologize first if this is something soooo simple, but i
have
> > been
> > > working on this for days and I'm still stuck on one part.
> > >
> > > Where to start.  Small user environment (under 100 users) using
Active
> > > Directory on Win 2k3 server.  Running Fedora 8 on a server, and I
am
> > trying
> > > to get it added to the domain, and to be able to access a share
using
> > > Windows usernames and passwords.
> > >
> > > The server (known from here as fedoraftp) can kinit
> > >
> > > [root@fedoraftp /]# kinit Administrator
> > > Password for Administrator@DOMAIN.LOCAL:
> > > [root@fedoraftp /]# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: Administrator@DOMAIN.LOCAL
> > >
> > > Valid starting     Expires            Service principal
> > > 12/28/07 12:44:31  12/28/07 22:44:35 
krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> > >         renew until 12/29/07 12:44:31
> > >
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > > [root@fedoraftp /]#
> > >
> > > It can join the domain
> > > [root@fedoraftp /]# net ads join -U Administrator
> > > Administrator's password:
> > > Using short domain name -- DOMAIN
> > > Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
> > > [root@fedoraftp /]#
> > >
> > > wbinfo -u, wbinfo -g, getent passwd and getent group both show
correct
> > > information (not going to show output).  I can also login locally
on
> > > fedoraftp using my windows username and password and not have any
> > issues.
> > > What i cannot get to work is accessing the share, as it wont take
any
> > > username/password thrown at it.
> > >
> > > smb.conf
> > > [global]
> > >         log file = /var/log/samba/log.%m
> > >         guest account = admin
> > >         load printers = no
> > >         show add printer wizard = No
> > >         idmap gid = 10000-20000
> > >         smb passwd file = /etc/samba/smbpasswd
> > >         unix password sync = yes
> > >         guest ok = yes
> > >         encrypt passwords = yes
> > >         realm = PIPFS.LOCAL
> > >         template shell = /bin/bash
> > >         netbios name = FEDORAFTP
> > >         cups options = raw
> > >         server string = Fedora Server Ver %v
> > >         idmap uid = 10000-20000
> > >         password server = 192.168.0.240
> > >         winbind nested groups = yes
> > >         workgroup = PIPFS
> > >         dns proxy = no
> > >         passwd program = /usr/bin/passwd %u
> > >         obey pam restrictions = yes
> > >         os level = 20
> > >         security = ads
> > >         preferred master = no
> > >         max log size = 50
> > >         winbind separator = #
> > >         winbind cache time = 0
> > >         log level = 3
> > >         winbind enum users = yes
> > >         winbind enum groups = yes
> > >         winbind use default domain = yes
> > >         passdb backend = tdbsam
> > >
> > > [FTP]
> > >         msdfs root = yes
> > >         inherit permissions = yes
> > >         writeable = yes
> > >         admin users = @"domain users"
> > >         path = /home/ftpshare/
> > >         create mask = 700
> > >         directory mask = 700
> > >         valid users = admin,@"domain users",
> > >         inherit acls = yes
> > >         ; public=yes
> > >
> > > Output of /var/log/samba/log.smbd
> > >
> > > [2007/12/28 12:53:05, 0] smbd/server.c:main(944)
> > >   smbd version 3.0.28-0.fc8 started.
> > >   Copyright Andrew Tridgell and the Samba Team 1992-2007
> > > [2007/12/28 12:53:05, 2] param/loadparm.c:do_section(3796)
> > >   Processing section "[FTP]"
> > > [2007/12/28 12:53:05, 3] param/loadparm.c:lp_add_ipc(2711)
> > >   adding IPC service
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> > >   reloading printcap cache
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> > >   reload status: ok
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> > >   reloading printcap cache
> > > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> > >   reload status: ok
> > > [2007/12/28 12:53:05, 2] lib/interface.c:add_interface(81)
> > >   added interface ip=192.168.0.50 bcast=192.168.0.255 nmask>
> 255.255.255.0
> > > [2007/12/28 12:53:05, 3] smbd/server.c:main(982)
> > >   loaded services
> > > [2007/12/28 12:53:05, 3] smbd/server.c:main(997)
> > >   Becoming a daemon.
> > > [2007/12/28 12:53:05, 2]
lib/tallocmsg.c:register_msg_pool_usage(105)
> > >   Registered MSG_REQ_POOL_USAGE
> > > [2007/12/28 12:53:05, 2]
lib/dmallocmsg.c:register_dmalloc_msgs(75)
> > >   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:store_gid_sid_cache(1133)
> > >   store_gid_sid_cache: gid 0 in cache ->
> > > S-1-5-21-3422581952-716862249-2814536807-1002
> > > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >
> > >   store_gid_sid_cache: gid 10000 in cache -> S-1-5-32-544
> > > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:store_gid_sid_cache(1133)
> > >   store_gid_sid_cache: gid 10001 in cache -> S-1-5-32-545
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> > >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-22-1-0]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-11]
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> > >   se_access_check: user sid is S-1-22-1-0
> > >   se_access_check: also S-1-5-32-544
> > >   se_access_check: also S-1-1-0
> > >   se_access_check: also S-1-5-2
> > >   se_access_check: also S-1-5-11
> > > [2007/12/28 12:53:05, 3] libsmb/namequery.c:get_dc_list(1489)
> > >   get_dc_list: preferred server list: "192.168.0.240,
192.168.0.240"
> > > [2007/12/28 12:53:05, 3] libads/ldap.c:ads_connect(394)
> > >   Connected to LDAP server 192.168.0.240
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> > >   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> > > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
> > >   ads_sasl_spnego_bind: got server principal name > >
pipdc01$@DOMAIN.LOCAL
> > > [2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
> > >   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials
cache
> > found)
> > > [2007/12/28 12:53:05, 3]
> > libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
> > >   ads_cleanup_expired_creds: Ticket in
ccache[MEMORY:prtpub_cache]
> > > expiration Fri, 28 Dec 2007 22:53:05 CST
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> > >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3]
passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >
> > >   store_gid_sid_cache: gid 10008 in cache ->
> > > S-1-5-21-1220945662-682003330-839522115-513
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10000 -> S-1-5-32-544
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10001 -> S-1-5-32-545
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> > >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID
> > > [S-1-5-21-3422581952-716862249-2814536807-501]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID
> > > [S-1-5-21-1220945662-682003330-839522115-513]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-32-546]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-22-2-10008]
> > > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> > >   get_privileges: No privileges assigned to SID [S-1-5-32-545]
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10008 ->
> > S-1-5-21-1220945662-682003330-839522115-513
> > > [2007/12/28 12:53:05, 3]
> > passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> > >   fetch gid from cache 10001 -> S-1-5-32-545
> > > [2007/12/28 12:53:05, 3]
> > printing/printing.c:start_background_queue(1388)
> > >   start_background_queue: Starting background LPQ thread
> > > [2007/12/28 12:53:05, 2] smbd/server.c:open_sockets_smbd(458)
> > >   waiting for a connection
> > >
> > >
> > > The main thing i see in the log from the computer trying to
connect is
> > (log
> > > is huge...not going to post it all)
> > >
> > > [2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
> > >   user 'DOMAIN#redwards' (from session setup) not
permitted to access
> > this
> > > share (FTP)
> > > [2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
> > >   error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
> > > NT_STATUS_ACCESS_DENIED
> > >
> > > redwards is part of the group "Domain Users"
> > > Im at a HUGE loss right now how to go about this, as im still
pretty
> > green
> > > to this whole type of setup.  Any advice would be helpful. If
more
> > info is
> > > required, please ask and ill provide it as i would like to
resolve
> > this
> > > issue.
> > >
> > > Cheers!
> > >
> >
>
> ------------------------------
>
> No virus found in this incoming message.
> Checked by AVG.
> Version: 7.5.516 / Virus Database: 269.17.11/1201 - Release Date:
12/28/2007 11:51 AM
>
>
>