I'm trying to do an ADS share. With a sane nsswitch.conf, that is, with these
settings:
passwd: compat winbind
group: compat winbind
I get this as the result:
# smbclient //no3/ftp -Uwhit
Password:
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
tree connect failed: NT_STATUS_ACCESS_DENIED
Yet with an insane nsswitch.conf, that is, with these settings:
passwd: winbind
group: winbind
I get a valid connection:
# smbclient //no3/ftp -Uwhit
Password:
Domain=[ABC] OS=[Unix] Server=[Samba 3.0.26a]
smb: \> quit
So what's going on? It makes no difference if 'whit' is a UNIX user or not
in this. The ADS part of the login goes through either way. But with
'compat' there (or 'files') it runs through a bunch of extra stuff that
shows in the log for the connection, beginning with:
[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user [ABC]\[whit]@[FTP]
with the new password interface
[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [ABC]\[whit]@[FTP]
and including:
[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: winbind authentication for user [whit] succeeded
and:
[2008/02/16 20:31:58, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [whit] -> [whit] -> [whit]
succeeded
and:
[2008/02/16 20:31:58, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2008/02/16 20:31:58, 0] auth/auth_util.c:create_builtin_administrators(792)
create_builtin_administrators: Failed to create Administrators
[2008/02/16 20:31:58, 2] auth/auth_util.c:create_local_nt_token(914)
create_local_nt_token: Failed to create BUILTIN\Administrators group!
and the same for BUILTIN\users and lots of other stuff up to:
[2008/02/16 20:31:58, 2] smbd/service.c:make_connection_snum(616)
user 'whit' (from session setup) not permitted to access this share
(FTP)
[2008/02/16 20:31:58, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
Now, I'm not wanting any of whatever winbind is doing here beyond
authenticating against the ADS for the SMB shares on the Linux box. There
are no home directories desired for the SMB users, just the shared shares,
and no sort of login to the box for them outside of Samba.
So what do I do to turn off this crap that looks like it must have to do
with home directories and mapping the UNIX accounts (I'm guessing), that
winbind does only if nsswitch gives it access to 'compat' or 'files,' and
that denies users access to shares that without all this garbage they can
get to just fine? Pardon my English.
Regards,
Whit
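
An added example, not part of the original post: a small parser for the smbd log layout quoted above that groups each header line with its message lines and then separates the three outcomes visible in the trace (password check, BUILTIN group/gid creation, share access). The log excerpt is taken from the post; the function and key names are hypothetical.

```python
import re

# Header layout as quoted in the post: [date time, level] file:function(line)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[\w/.]+):(?P<func>\w+)\((?P<line>\d+)\)$")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded$")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this share \((\w+)\)")
MAP_ERR = re.compile(r"Could not get a gid|Failed to create")

# Excerpt from the log in the post; a message can span several lines.
SAMPLE = r"""[2008/02/16 20:31:58, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: winbind authentication for user [whit] succeeded
[2008/02/16 20:31:58, 3] groupdb/mapping.c:pdb_create_builtin_alias(723)
pdb_create_builtin_alias: Could not get a gid out of winbind
[2008/02/16 20:31:58, 0] auth/auth_util.c:create_builtin_administrators(792)
create_builtin_administrators: Failed to create Administrators
[2008/02/16 20:31:58, 2] smbd/service.c:make_connection_snum(616)
user 'whit' (from session setup) not permitted to access this share
(FTP)
"""

def parse_records(text):
    """Attach every non-header line to the header record that precedes it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def triage(records):
    """Split the trace into password-check, gid-mapping and share-access results."""
    out = {"auth_ok": set(), "mapping_errors": [], "denied": []}
    for r in records:
        if r["func"] == "check_ntlm_password" and (m := AUTH_OK.search(r["msg"])):
            out["auth_ok"].add(m.group(1))
        elif MAP_ERR.search(r["msg"]):
            out["mapping_errors"].append((r["level"], r["func"]))
        elif m := DENIED.search(r["msg"]):
            out["denied"].append((m.group(1), m.group(2)))
    # Users whose password check passed but whose tree connect was refused.
    out["auth_ok_but_denied"] = [d for d in out["denied"] if d[0] in out["auth_ok"]]
    return out

if __name__ == "__main__":
    print(triage(parse_records(SAMPLE)))
```

Run against a full log, the `auth_ok_but_denied` list shows connections where the denial came after a successful password check rather than from it.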