Hello everyone,
I have set up Samba 3.0.28a on an Ubuntu 8.04 server. The setup that I
am working with is an exact copy (as far as I can tell) of an identical
installation that I did on a test box. Kerberos is set up and working
properly. I can use kinit to issue tickets. The box has been
successfully joined to the Active Directory domain. I can enumerate AD
users and groups. I can log into the Linux box with accounts from AD.
When browsing to the server over the network using the UNC, I can
connect to the server just fine.
The problem comes in when I try to connect to the share (\\<server
name>\<share name>). When attempting to connect to the share I am
prompted for authentication credentials. Neither valid AD credentials
nor valid credentials for accounts on the local box work. I have set
the directory world readable/writeable (chmod 777).
I'm not sure what to do to further troubleshoot the issue. The exact
same configuration works fine on another box. I have included my
smb.conf file here for reference. Thanks in advance for any help and
insights.
[global]
security = ads
realm = <censored, ALL IN CAPS>
password server = <censored, FQDN to domain controller>
workgroup = 2CP
winbind separator = '\'
winbind refresh tickets = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
[test]
path = /home/2CP/darmstrong
valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
read list
David Armstrong
Database Administrator
MOCA THE MUSEUM OF CONTEMPORARY ART
> [test]
> path = /home/2CP/darmstrong
> valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
> write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
> read list

Try setting up your share like this, I am not sure that you need the
quotes except for groups with spaces in them.

> [faculty]
> comment = CHE Faculty Share
> path = /home/CHE-shares/faculty
> browseable = yes
> read only = yes
> inherit permissions = yes
> write list = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
> valid users = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
> admin users = @"CHEMENG+Domain Admins"

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
801.585.7170
Thanks for the replies. I have modified the share portion of my
smb.conf file as shown below. Still no luck.
[test]
path = /home/2CP/darmstrong
browseable = yes
read only = yes
inherit permissions = yes
valid users = "2CP\darmstrong","buexec","test",itadmin
write list = "2CP\darmstrong","buexec","test",itadmin
read list
When modifying file permissions for shares on Windows servers, I have to
log out and log back on again before the workstation recognizes them.
Does the same go for Samba shares?
-----Original Message-----
From: Gary Greene [mailto:ggreene@minervanetworks.com]
Sent: Thursday, July 09, 2009 2:38 PM
To: gregorcy; David Armstrong
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active Directory Integration Problems
On 7/9/09 2:20 PM, "gregorcy" <brian.gregorcy@utah.edu> wrote:
>> [test]
>> path = /home/2CP/darmstrong
>> valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
>> write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
>> read list
>
> Try setting up your share like this, I am not sure that you need the
> quotes except for groups with spaces in them.
>
>> [faculty]
>> comment = CHE Faculty Share
>> path = /home/CHE-shares/faculty
>> browseable = yes
>> read only = yes
>> inherit permissions = yes
>> write list = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
>> valid users = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
>> admin users = @"CHEMENG+Domain Admins"
>
The domain portion of the user isn't needed if you have 'winbind use
default domain = true' in your config. The quotes are however required
since Samba and the NSS stack on Linux cannot (or at least not from my
experience) handle escapes.
--
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell: (650) 704-6633
Phone: (408) 240-1239
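As an added illustration of the two rules Brian and Gary describe (double quotes keep a name such as "Domain Admins" together, and the DOMAIN prefix is optional once 'winbind use default domain' is set), here is a small Python model of how a 'valid users' / 'write list' value is tokenised and matched. It is not code from the thread or from Samba; the matching in user_allowed is a deliberate simplification for illustration, and the separator argument stands for the single character configured as 'winbind separator'.

```python
import re

# One list entry: an optional @/+/& group prefix, then either a double-quoted
# item (the quotes protect embedded spaces such as "Domain Admins") or a bare
# word; commas and whitespace separate entries.
TOKEN = re.compile(r'[@+&]?"[^"]*"|[^\s,]+')


def split_list(value):
    """Split a Samba list option (valid users, write list) on commas and
    whitespace, keeping a double-quoted item together as one entry."""
    return [tok.replace('"', '') for tok in TOKEN.findall(value)]


def parse_entry(entry, separator, workgroup, use_default_domain):
    """Return (kind, domain, name). A leading '@', '+' or '&' marks a group,
    anything else a user. A DOMAIN<separator>name prefix is split off and
    dropped when it names the workgroup and 'winbind use default domain'
    is on, so "2CP\\darmstrong" and "darmstrong" become the same entry."""
    kind = "group" if entry[:1] in ("@", "+", "&") else "user"
    body = entry[1:] if kind == "group" else entry
    domain, sep, name = body.rpartition(separator)
    if not sep or not domain:
        domain = None
    if use_default_domain and domain and domain.upper() == workgroup.upper():
        domain = None
    return kind, domain, name.lower()


def user_allowed(session_user, session_groups, list_value,
                 separator, workgroup, use_default_domain=True):
    """Simplified model of the access-list match (not Samba's own logic):
    the connecting user passes if a user entry names them or a group entry
    names one of their groups, compared case-insensitively after the same
    normalisation. session_user/session_groups use DOMAIN<separator>name."""
    def norm(item):
        return parse_entry(item, separator, workgroup, use_default_domain)

    _, udom, uname = norm(session_user)
    groups = {norm(g)[1:] for g in session_groups}
    for kind, dom, name in map(norm, split_list(list_value)):
        if kind == "user" and (dom, name) == (udom, uname):
            return True
        if kind == "group" and (dom, name) in groups:
            return True
    return False
```

Running split_list on an unquoted '@CHEMENG+Domain Admins' shows the failure mode Brian warns about: it splits into '@CHEMENG+Domain' and 'Admins'.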
Hi :)
What permissions did you use for the folder /home/CHE-shares/faculty?
Thanks :)
Gabi

On Fri, Jul 10, 2009 at 12:20 AM, gregorcy <brian.gregorcy@utah.edu> wrote:
>> [test]
>> path = /home/2CP/darmstrong
>> valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
>> write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
>> read list
>
> Try setting up your share like this, I am not sure that you need the
> quotes except for groups with spaces in them.
>
>> [faculty]
>> comment = CHE Faculty Share
>> path = /home/CHE-shares/faculty
>> browseable = yes
>> read only = yes
>> inherit permissions = yes
>> write list = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
>> valid users = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
>> admin users = @"CHEMENG+Domain Admins"
>
> --
> Brian Gregorcy
> IT Manager
> University of Utah
> Department of Chemical Engineering
> 801.585.7170
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
David Armstrong wrote:
> Thanks for the replies. I have modified the share portion of my
> smb.conf file as shown below. Still no luck.
>
> [test]
> path = /home/2CP/darmstrong
> browseable = yes
> read only = yes
> inherit permissions = yes
> valid users = "2CP\darmstrong","buexec","test",itadmin
> write list = "2CP\darmstrong","buexec","test",itadmin
> read list
>
> When modifying file permissions for shares on Windows servers, I have to
> log out and log back on again before the workstation recognizes them.
> Does the same go for Samba shares?

Sounds like my first suggestion was wrong, maybe try upping the idmap
setting.
> idmap backend = rid:CHEMENG=500-100000000
> idmap uid = 500-100000000
> idmap gid = 500-100000000

Is there anything in the logs?

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
Brian,

Which logs should I be checking?

The following output comes from the winbindd.log. I replaced the FQDN
of the domain controller in the second to last line of the log file. It
was in the format SERVERNAME.domain.name

[2009/07/13 09:16:40, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:write_socket(158)
  write_socket: Error writing 104 bytes to socket 17: ERRNO = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:cli_send_smb(188)
  Error writing 104 bytes to client. -1 (Connection reset by peer)
[2009/07/13 09:16:40, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \lsarpc to machine (FQDN to domain controller). Error was Write error: Connection reset by peer

-----Original Message-----
From: gregorcy [mailto:brian.gregorcy@utah.edu]
Sent: Friday, July 10, 2009 12:56 PM
To: David Armstrong
Cc: samba@lists.samba.org
Subject: Re: [Samba] Active Directory Integration Problems

David Armstrong wrote:
> Thanks for the replies. I have modified the share portion of my
> smb.conf file as shown below. Still no luck.
>
> [test]
> path = /home/2CP/darmstrong
> browseable = yes
> read only = yes
> inherit permissions = yes
> valid users = "2CP\darmstrong","buexec","test",itadmin
> write list = "2CP\darmstrong","buexec","test",itadmin
> read list
>
> When modifying file permissions for shares on Windows servers, I have to
> log out and log back on again before the workstation recognizes them.
> Does the same go for Samba shares?

Sounds like my first suggestion was wrong, maybe try upping the idmap
setting.
> idmap backend = rid:CHEMENG=500-100000000
> idmap uid = 500-100000000
> idmap gid = 500-100000000

Is there anything in the logs?

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
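As an added example (not from the thread), a small Python parser for the Samba 3 log format David pasted: each '[timestamp, level] file:function(line)' header is grouped with the indented message lines that follow it, and failed RPC pipe opens are pulled out with the pipe name, the DC they were aimed at and the reason, which is the record that says winbindd could not talk to the domain controller. The sample log is constructed from the lines above; DC.EXAMPLE.INVALID is a placeholder for the censored domain controller name.

```python
import re

# Constructed sample in Samba 3 log format, built from the winbindd.log lines
# quoted in the thread. DC.EXAMPLE.INVALID stands in for the censored DC name.
SAMPLE_LOG = """\
[2009/07/13 09:16:40, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:write_socket(158)
  write_socket: Error writing 104 bytes to socket 17: ERRNO = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:cli_send_smb(188)
  Error writing 104 bytes to client. -1 (Connection reset by peer)
[2009/07/13 09:16:40, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \\lsarpc to machine DC.EXAMPLE.INVALID. Error was Write error: Connection reset by peer
"""

# "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)" header line.
HEADER = re.compile(r'^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$')
# The cli_rpc_pipe_open failure: pipe name, target machine, and the reason.
PIPE_FAIL = re.compile(r'failed on pipe (\S+) to machine (\S+?)\.? Error was (.*)')


def parse_samba_log(text):
    """Group every header line with the indented message lines after it,
    returning dicts with time, debug level, code location and message."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "where": m.group(3), "message": ""}
            records.append(current)
        elif current is not None and line.strip():
            # Continuation lines belong to the most recent header.
            current["message"] = (current["message"] + " " + line.strip()).strip()
    return records


def rpc_pipe_failures(records):
    """Return (pipe, machine, reason) for each RPC pipe that failed to open,
    which is how winbindd reports losing the connection to the DC."""
    failures = []
    for rec in records:
        m = PIPE_FAIL.search(rec["message"])
        if m:
            failures.append((m.group(1), m.group(2), m.group(3).strip()))
    return failures
```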
Let's see if this helps.
I set up a server a couple of weeks ago: Windows 2k3 AD. I added my
CentOS 5.3 VM to it, shared one folder and added the home users folder.
It is running and I have no issues with it.
Windows 2k3 domain name: DOM.local
machine name: dompdc
IP: 192.168.2.2
Network: 192.168.2.0/24
Centos machine name: dom-vmcentos(DHCP)
Kerberos: /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
DOM.LOCAL = {
admin_server = dompdc.DOM.local
default_domain = DOM.local
kdc = dompdc.DOM.local
}
[domain_realm]
.kerberos.server = DOM.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Winbind + samba running, lets go with samba:
[global]
syslog = 1
log level = 2 vfs:2
log file = /var/log/samba/%U.%m.log
utmp = Yes
load printers = no
socket options = TCP_NODELAY SO_RCVBUF=20480 SO_SNDBUF=20480
dns proxy = no
server string = vmCents 5.x Test Server
printing = cups
workgroup = DOM
netbios name = dom-vmcentos
security = ads
realm = DOM.LOCAL
allow trusted domains = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
password server = dompdc.DOM.local
encrypt passwords = Yes
printcap name = /etc/printcap
max log size = 100
interfaces = eth0
bind interfaces only = Yes
local master = no
domain master = no
preferred master = no
template homedir = /home/%D/%U
template shell = /bin/bash
#unix charset = UTF-8
[homes]
comment = Home Directories DOM
browseable = no
writable = yes
#valid users = %S
create mode = 0664
directory mode = 0775
[Test]
comment = Test Directories DOM
path = /opt/test
public = yes
browseable = yes
writable = yes
valid users = DOM+username
write list = DOM+username
create mode = 0770
/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files winbind
services: files
netgroup: files winbind
publickey: nisplus
automount: files winbind
aliases: files nisplus
/etc/hostname:
# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.2.118 dom-vmcentos.DOM.local dom-vmcentos
#::1 localhost6.localdomain6 localhost6
192.168.2.2 dompdc.DOM.local dompdc
Here it is assumed that we have already added the machine account to AD
and it is working, as you say.
Now let's see our shares on Linux:
[root@dom-vmcentos opt]# ll
total 16
-rw-r--r-- 1 root root 146 Sep 16 2008 File
drwx------ 2 root root 12288 Feb 22 2008 lost+found
drwxr-xr-x 3 psql pvsw 1024 Jun 12 2008 PSQLDATA
drwxr-xr-x 2 DOM+username root 1024 Jun 16 15:31 test
drwxr-xr-x 3 root root 1024 Jan 8 2009 zimbra
Let's test:
[root@dom-vmcentos opt]# smbclient -L ////dom-vmcentos -U username
Password:
Domain=[DOM] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (vmCents 5.x Test Server)
Test Disk Test Directories DOM
username Disk Home Directories DOM
Domain=[DOM] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]
Server Comment
--------- -------
DOM-VMCENTOS vmCents 5.x Test Server
DOMPDC
Workgroup Master
--------- -------
DOM DOMPDC
Now a mount command:
mount -t cifs //dom-vmcentos/Test -o username=username,password=passwd /mnt
[root@dom-vmcentos ~]# mount
//dom-vmcentos/Test on /mnt type cifs (rw,mand)
[root@dom-vmcentos ~]#
I can see the files inside this user's home folder, and create, modify,
etc., even from Windows 2k3.
See you later!!!
On Mon, Jul 13, 2009 at 9:21 AM, David Armstrong <darmstrong@moca.org> wrote:
> Brian,
>
> Which logs should I be checking?
>
> The following output comes from the winbindd.log. I replaced the FQDN
> of the domain controller in the second to last line of the log file. It
> was in the format SERVERNAME.domain.name
>
> [2009/07/13 09:16:40, 0] lib/util_sock.c:write_data(564)
>   write_data: write failure. Error = Connection reset by peer
> [2009/07/13 09:16:40, 0] libsmb/clientgen.c:write_socket(158)
>   write_socket: Error writing 104 bytes to socket 17: ERRNO = Connection
> reset by peer
> [2009/07/13 09:16:40, 0] libsmb/clientgen.c:cli_send_smb(188)
>   Error writing 104 bytes to client. -1 (Connection reset by peer)
> [2009/07/13 09:16:40, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
>   cli_rpc_pipe_open: cli_nt_create failed on pipe \lsarpc to machine
> (FQDN to domain controller). Error was Write error: Connection reset by
> peer
>
> -----Original Message-----
> From: gregorcy [mailto:brian.gregorcy@utah.edu]
> Sent: Friday, July 10, 2009 12:56 PM
> To: David Armstrong
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Active Directory Integration Problems
>
>
>
> David Armstrong wrote:
>> Thanks for the replies. I have modified the share portion of my
>> smb.conf file as shown below. Still no luck.
>>
>> [test]
>>         path = /home/2CP/darmstrong
>>         browseable = yes
>>         read only = yes
>>         inherit permissions = yes
>>         valid users = "2CP\darmstrong","buexec","test",itadmin
>>         write list = "2CP\darmstrong","buexec","test",itadmin
>>         read list
>>
>> When modifying file permissions for shares on Windows servers, I have
> to
>> log out and log back on again before the workstation recognizes them.
>> Does the same go for Samba shares?
>>
>
>
> Sounds like my first suggestion was wrong, maybe try upping the idmap
> setting.
>
>> idmap backend = rid:CHEMENG=500-100000000
>> idmap uid = 500-100000000
>> idmap gid = 500-100000000
>
> Is there anything in the logs?
>
> --
> Brian Gregorcy
> IT Manager
> University of Utah
> Department of Chemical Engineering
--
Living the dream...