Mike Galvez
2008-Jun-30 19:21 UTC
[Samba] FreeBSD, Samba 3.0.28a joined to AD domain but prompts for login
Hi,
I am trying to connect a FreeBSD server running 7.0 Release and Samba 3.0.28a to
a Windows 2003 AD Domain Controller. Has anyone had success with this combo? I
have joined the domain and I can enumerate users, groups, etc.
humpty# getent passwd|wc -l
105
humpty# wbinfo -u|wc -l
165
humpty# wbinfo -g|wc -l
59
humpty# wbinfo -t
checking the trust secret via RPC calls succeeded
humpty# getent group|wc -l
84
humpty# net ads info
LDAP server: 128.143.xx.xxx
LDAP server name: pdc.mydomain.virginia.edu
Realm: MYDOMAIN.VIRGINIA.EDU
Bind Path: dc=MYDOMAIN,dc=VIRGINIA,dc=EDU
LDAP port: 389
Server time: Mon, 30 Jun 2008 11:29:56 EDT
KDC server: 128.143.xx.xxx
Server time offset: 1
When I try to access my home folder on the Samba server I'm prompted for a user
name and password. Even after credentials are supplied the login box reappears
and I get no further. The client log from the machine I'm connecting with has
the following error when I try to access my own home folder:
[2008/06/30 14:14:41, 2] smbd/service.c:make_connection_snum(616)
  user 'MYDOMAIN\mrg8n' (from session setup) not permitted to access this share (mrg8n)
[2008/06/30 14:14:41, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
I've read other posts asking similar questions, but no replies that solved the
issue.
smbstatus shows my client machine connected:
Processing section "[homes]"
Processing section "[printers]"
Samba version 3.0.28a
PID Username Group Machine
-------------------------------------------------------------------
78698 mrg8n mrg8n 137.54.xxx.xxx (137.54.xxx.xxx)
Service pid machine Connected at
-------------------------------------------------------
IPC$ 78698 137.54.xxx.xxx Mon Jun 30 11:21:12 2008
No locked files
nsswitch.conf:
group: files ldap winbind
hosts: files dns wins
networks: files
passwd: files ldap winbind
shells: files
services: files
protocols: files
rpc: files
My smb.conf:
#======================= Global Settings ====================================
[global]
workgroup = MYDOMAIN
server string = HUMPTY
load printers = no
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
syslog = 0
security = ADS
realm = MYDOMAIN.VIRGINIA.EDU
allow trusted domains = yes
idmap config MYDOMAIN:default = yes
idmap config MYDOMAIN:schema_mode = rfc2307
idmap uid = 10000-50000
idmap gid = 10000-50000
winbind use default domain = Yes
template homedir = /home/%D/%U
template shell = /bin/false
name resolve order = wins host bcast
password server = pdc.mydomain.virginia.edu
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
os level = 33
domain master = no
wins server = 128.143.3.199
dns proxy = no
#============================ Share Definitions =============================
[homes]
comment = Home Directory for %U
read only = no
browseable = no
writeable = yes
valid users = %S
create mode = 0664
directory mode = 0770
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writeable = no
printable = yes
--
Mike Galvez
Jason Haar
2008-Jul-01 00:05 UTC
[Samba] FreeBSD, Samba 3.0.28a joined to AD domain but prompts for login
Mike Galvez wrote:
> Hi,
>
> I am trying to connect a FreeBSD server running 7.0 Release and Samba 3.0.28a to a
> Windows 2003 AD Domain Controller. Has anyone had success with this combo? I have joined
> the domain and I can enumerate users, groups, etc..
>

Are you referring to Vista as the client? If so, upgrade to 3.0.30 as Vista SP1
brought in a bunch of changes that broke Samba (and probably a bunch of other
things too... ;-)

Secondly, I see you have a "valid users" variable under "[homes]", do you
explicitly need it? Try removing it and see if the problem disappears.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Jens Nissen
2008-Jul-01 07:42 UTC
[Samba] FreeBSD, Samba 3.0.28a joined to AD domain but prompts for login
In addition to what Jason writes:

It is good practice to start with a share like "shared" in "/export/shared" and
not with the /homes folder, as the home-shares pose additional problems (like
access rights). If the user accounts are already created as Unix local accounts,
the domain users might not be able to access them.

Make the /export/shared folder 777 and if this works continue towards the home
shares.

Important: Jason already indicated that the valid users should be empty; when
this works, make valid users something like "MYDOMAIN\%S" and see if you can
make progress.

Have fun with Samba,
Jens

-------- Original Message --------
> Date: Tue, 01 Jul 2008 12:04:41 +1200
> From: Jason Haar <Jason.Haar@trimble.co.nz>
> To: Samba Questions <samba@lists.samba.org>
> Subject: Re: [Samba] FreeBSD, Samba 3.0.28a joined to AD domain but prompts for login

> Mike Galvez wrote:
> > Hi,
> >
> > I am trying to connect a FreeBSD server running 7.0 Release and Samba 3.0.28a to a
> > Windows 2003 AD Domain Controller. Has anyone had success with this combo? I have joined
> > the domain and I can enumerate users, groups, etc..
> >
>
> Are you referring to Vista as the client? If so, upgrade to 3.0.30 as
> Vista SP1 brought in a bunch of changes that broke Samba (and probably a
> bunch of other things too... ;-)
>
> Secondly, I see you have a "valid users" variable under "[homes]", do
> you explicitly need it? Try removing it and see if the problem disappears.
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
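Added example (not from any poster in this thread, and not Samba project code): a small Python parser for smbd log entries in the format quoted in the first message. It pulls out share-access refusals and pairs each with the NT status that followed, so the session user name can be compared with the share name when reviewing "valid users". The function names are hypothetical, and it assumes the log level is high enough for smbd to write these messages.

```python
import re

# Constructed sample: the two smbd entries quoted in the original post, with the
# first message wrapped over two lines to exercise continuation handling.
SAMPLE_LOG = r"""[2008/06/30 14:14:41, 2] smbd/service.c:make_connection_snum(616)
  user 'MYDOMAIN\mrg8n' (from session setup) not permitted to access
  this share (mrg8n)
[2008/06/30 14:14:41, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), +(?P<level>\d+)\] (?P<src>\S+)$")
DENIED = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) "
                    r"not permitted to access this share \((?P<share>[^)]+)\)")
STATUS = re.compile(r"\((?P<cmd>SMB\w+)\) (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Group an smbd log into entries: one bracketed header plus its message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "src": m["src"], "msg": ""})
        elif entries and line.strip():
            # Join continuation lines so a wrapped message still matches.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def share_denials(text):
    """Return one record per share-access refusal, paired with the SMB status sent."""
    entries, out = parse_entries(text), []
    for i, e in enumerate(entries):
        m = DENIED.search(e["msg"])
        if not m:
            continue
        domain, sep, account = m["user"].rpartition("\\")
        nxt = entries[i + 1] if i + 1 < len(entries) else None
        st = STATUS.search(nxt["msg"]) if nxt and nxt["ts"] == e["ts"] else None
        out.append({"ts": e["ts"], "user": m["user"], "share": m["share"],
                    "domain": domain if sep else None,
                    # The session name is domain-qualified but its account part equals
                    # the share name: the case to check against "valid users".
                    "account_matches_share": bool(sep) and account.lower() == m["share"].lower(),
                    "status": st["status"] if st else None})
    return out

if __name__ == "__main__":
    for d in share_denials(SAMPLE_LOG):
        print(d)
```

A record with account_matches_share set to True means the refused session user differs from the share name only by its domain prefix.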