Hi everyone,

I have an issue with Samba against Active Directory. The authentication works just fine, but when it comes to shares I've run into some problems.

If I use any group mapping from the AD it won't let me access it, so I figure that is where the problem lies. If I comment out "valid users", "force user" and "force group" then I have no problems and it goes by the file system restrictions. Has anyone ever run into the same problem? Is there a way to fix it?

Thanks in advance.

Here is my smb.conf:

[global]
netbios name = filer
workgroup = MYCOMPANY
realm = MYCOMPANY.COM
preferred master = no
server string = mycompany Filer
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
password server = *
log level = 1 vfs:2
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins lmshosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 33
local master = no
domain master = no
wins server = 192.168.0.10
allow trusted domains = no
idmap backend = rid:MYCOMPANY=1000-11000
idmap uid = 1000-11000
idmap gid = 1000-11000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
winbind separator = |
winbind use default domain = Yes
winbind cache time = 30
use kerberos keytab = Yes
printcap name = /etc/printcap
unix extensions = no

[homes]
comment = Home Directories
valid users = %D|%S
path = %H
read only = no
security mask = 0640
directory security mask = 0750
browsable = no
vfs objects = recycle
recycle: keeptree = yes
recycle: maxsize = 52428800

[Internal]
comment = Internal Projects
path = /filer/internal
read only = yes
create mask = 0664
directory mask = 0775
browsable = yes
vfs object = recycle
recycle: keeptree = yes
recycle: maxsize = 52428800
valid users = @pm, @design
write list = @pm
force group = pm
force user = root
hide dot files = yes
msdfs root = yes

Here is the error from the workstation that is trying to get access to the server. The user is part of the group PM.

Error from log.%m:

[2009/05/26 10:36:55, 1] smbd/service.c:close_cnum(1230)
  traveller (192.168.0.71) closed connection to service Internal
[2009/05/26 10:36:58, 0] auth/auth_util.c:create_builtin_administrators(844)
  create_builtin_administrators: Failed to create Administrators
[2009/05/26 10:36:58, 0] auth/auth_util.c:create_builtin_users(810)
  create_builtin_users: Failed to create Users
[2009/05/26 10:36:58, 1] smbd/service.c:make_connection_snum(1033)
  traveller (192.168.0.71) connect to service Internal initially as user MYCOMPANY|max.leon (uid=2109, gid=2216) (pid 14369)

Output of "id max.leon" on the server:

uid=2109(max.leon) gid=2216(mycompany) groups=2216(mycompany),2152(browse),2108(remote),2190(macadmin),2146(developers),2204(flashdev),2140(qa),2141(design),2180(it-tech),1513(domain users),2139(engineering),2177(pm),1512(domain admins)
Martin Terber
2009-May-27 18:50 UTC
[Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)
Hi Max,

I have experienced something similar. First I considered this to be a bug, but as it seems it was a wrong approach. As I am relatively new to Samba also, please do not consider this to be a perfect solution. It just works ;):

* In the Samba config and in local UNIX rights management (chmod) give free access to all folders.
* I transformed all UNIX users to Samba users (including AD users and groups).
* Make sure you have ACL installed.
* Then modify the access rights for your shares via ACL according to your AD groups and users.
* I configured it with the ACL module in Webmin - it's quite comfortable.

You might consider broadening the idmap to fit the imported user IDs from AD:

idmap uid = 16777216-33554431
idmap gid = 16777216-33554431

Here is my complete smb.conf: http://pastebin.com/f69fdd077

Here is one of my threads I posted in Ubuntuforums. It should make no difference if you are using Centos: http://ubuntuforums.org/showthread.php?t=1162457

Martin Terber
Krefelder Wall 5
50670 Köln
0221 29873581
0174 4891653
www.jesuspresley.net

> ------------------------------------------------------------------------
> Subject: [Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)
> From: Max León <mleon@wirewatchers.com>
> Date: Tue, 26 May 2009 11:20:53 -0600
> To: samba@lists.samba.org
>
> ------------------------------------------------------------------------
> Subject: Re: [Samba] empty authentication string sent so samba-server
> From: Volker Schwicking <vos@bee.de>
> Date: Wed, 27 May 2009 09:32:37 +0200
> CC: samba@lists.samba.org
>
> Come on, somebody's got to have at least an idea :-)
>
> Volker Schwicking wrote:
>> Hi,
>>
>> for the last two weeks I've been trying to authenticate against a samba-domain using a win2k3-server. The server joined the domain without any problem and the basic login seems to work, but if I try to execute programs from a mapped network drive (mapped using a domain logon script), it fails with a message telling me that I don't have sufficient rights to do so.
>>
>> The share has a forced user and group like this:
>>
>> ...
>> [programm]
>> comment = samba
>> guest ok = yes
>> path = /samba
>> public = yes
>> browseable = yes
>> writable = yes
>> force user = samba
>> force group = users
>> ...
>>
>> This only happens on the win2k3-server; all XP workstations work just fine with domain logons, network drives, logon scripts, etc. In the samba logs for the win2k3-server I found this:
>>
>> ...
>> [2009/05/22 09:20:51, 3] auth/auth.c:check_ntlm_password(219)
>> check_ntlm_password: Checking password for unmapped user []\[]@[SRV_NAME] with the new password interface
>> ...
>>
>> Compared to logons from an XP workstation it's missing the user/domain part that should look like this:
>>
>> ...
>> [2009/05/22 09:15:45, 3] auth/auth.c:check_ntlm_password(219)
>> check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[kappen]@[BUCHHALTUNG] with the new password interface
>> ...
>>
>> Does anyone have an idea what the problem with win2k3 might be? Maybe it's a switch I have to (de)activate on the win2k3 side?
>>
>> regards
>> volker
>
> Kind regards
> Volker Schwicking
Liutauras Adomaitis
2009-May-27 20:38 UTC
[Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)
On Tue, May 26, 2009 at 8:20 PM, Max León <mleon@wirewatchers.com> wrote:
> Hi everyone,
>
> I have an issue with Samba against Active Directory. The authentication works just fine but when it comes to shares I've run into some problems.
>
> If I use any group mapping from the AD it won't let me access it, so I figure that is where the problem lies. If I comment out "valid users", "force user" and "force group" then I have no problems and it goes by the file system restrictions. Has anyone ever run into the same problem? Is there a way to fix it?
>
> Thanks in advance.

I guess this is a problem with winbind. Is it running? Does it show ADS users and groups with "wbinfo -u" and "wbinfo -g"? Are the groups @pm and @design from AD? What do you mean by "The authentication works just fine"?

Once I had an issue where valid users worked with users, but not with groups. I didn't solve that, I just replaced the groups with a list of users. I was lazy...
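A cross-check of the thread's [Internal] share against the "id max.leon" output from Max's log, added here as an example (not code from any poster). The smb.conf excerpt and the id output are copied from the thread; the parser is a minimal one written only for this check. It shows that the user is already in the Unix groups "pm" and "design", so the next thing to verify is Liutauras's point: whether winbind resolves those names (wbinfo -g, getent group pm). It also flags "force user = root", which makes every file operation on that share run as root once a client is admitted.

```python
import re

# Excerpt of the [Internal] share from the thread's smb.conf (copied from the post)
SMB_CONF = """
[Internal]
path = /filer/internal
read only = yes
valid users = @pm, @design
write list = @pm
force group = pm
force user = root
"""

# Output of `id max.leon` as pasted into the thread's log
ID_OUTPUT = ("uid=2109(max.leon) gid=2216(mycompany) groups=2216(mycompany),"
             "2152(browse),2108(remote),2190(macadmin),2146(developers),"
             "2204(flashdev),2140(qa),2141(design),2180(it-tech),"
             "1513(domain users),2139(engineering),2177(pm),1512(domain admins)")

def parse_shares(text):
    """Return {share: {parameter: value}} from smb.conf-style text (minimal parser)."""
    shares, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            shares[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares

def unix_groups(id_output):
    """Group names from `id` output, e.g. '2177(pm)' -> 'pm' (names may contain spaces)."""
    groups_field = id_output.split("groups=", 1)[1]
    return {m.group(1) for m in re.finditer(r"\d+\(([^)]+)\)", groups_field)}

def check_share(share, groups):
    """For each group named in valid users / write list, is the user a Unix member of it?
    Samba prefixes: @ (netgroup, then Unix group), + (Unix group), & (netgroup)."""
    report = {}
    for param in ("valid users", "write list"):
        tokens = [t.strip().lstrip("@+&") for t in share.get(param, "").split(",") if t.strip()]
        report[param] = {g: g in groups for g in tokens}
    # Risk flag: with force user = root, all I/O on the share happens as root
    report["force_user_is_root"] = share.get("force user", "").lower() == "root"
    return report

if __name__ == "__main__":
    print(check_share(parse_shares(SMB_CONF)["Internal"], unix_groups(ID_OUTPUT)))
```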