Joel Therrien
2009-Aug-19 02:59 UTC
[Samba] How to get users from a second AD domain recognized by samba?
I have an issue with getting my students access to the samba shares for our lab's server. I am using authentication through our university's active directory. I followed the directions for getting this set up using winbind. I am using winbind for both samba authentication as well as user logins through pam.

The trouble is this: I have no problems logging in and getting access to the samba shares. My students can log into shell accounts using their university credentials. But, they can not get into the samba shares.

A few details: The university splits the users according to faculty/staff and students, so I log in as UMLADCO\username, while the students log in as STUDENT\username. If it matters, they are all using win XP machines with the latest service packs, while I am using windows 7 RC (though I did not have issues using an XP box either).

Below are the smb.conf file, user map, and a typical log file from when a student tries to log in through one of the machines in the lab. I made a lot of headway getting this thing to work, but this last part is just a brick wall that I can't get past.

This is on a Debian Lenny install using kernel 2.6.18-5amd64 and Samba 3.2.5.

Thanks in advance for any help!

Joel Therrien

# smb.conf
# SAMBA CONFIG FILE

[global]
# netbios name
netbios name = nanoelecfs
# server string is the equivalent of the NT Description field
server string = Samba Server nanoelecfs
# realm = Kerberos realm
realm = FS.UML.EDU
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = UMLADCO
# Security mode.
security = ADS
# Password encryption
encrypt passwords = true
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
; log file = /var/log/samba/samba.log
log level = 3
# Unix users can map to different SMB User names
username map = /etc/samba/user.map
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
# PAM-related
obey pam restrictions = yes
pam password change = yes
# Winbind separator
winbind separator = +
# Winbind use default domain
# This parameter specifies whether the winbindd daemon should
# operate on users without domain component in their username.
# Users without a domain component are treated as is part of
# the winbindd server's own domain. While this does not benefit
# Windows users, it makes SSH, FTP and e-mail function in a way
# much closer to the way they would in a native unix system.
# Default: winbind use default domain = no
winbind use default domain = yes
# RID to UID map
idmap backend = rid:"BUILTIN=1000-9999,UMLADCO=10000-60000"
idmap domains = UMLADCO, STUDENT
idmap config UMLADCO:backend = rid
idmap config UMLADCO:range = 10000-60000
idmap config BUILTIN:backend = rid
idmap config BUILTIN:range = 1000-9999
# RID idmap does not work with trusted domains
allow trusted domains = no
# Domain user id range
idmap uid = 1000-60000
# Domain group id range
idmap gid = 1000-60000
# Allow enumeration of domain users and groups
winbind enum users = no
winbind enum groups = no
# When filling out the user information for a Windows NT user, the
# winbindd(8) daemon uses this parameter to fill in the home
# directory for that user. If the string %D is present it is sub-
# stituted with the user's Windows NT domain name. If the string
# %U is present it is substituted with the user's Windows NT user
# name.
template homedir = /home/%U
# When filling out the user information for a Windows NT user, the
# winbindd(8) daemon uses this parameter to fill in the login
# shell for that user.
template shell = /bin/bash
# This option defines the default primary group for each user cre-
# ated by winbindd(8) local account management functions (simi-
# lar to the add user script).
; template primary group = "UMLADCO/Domain Users"
; template primary group = "Domain Users"
# Services
default service = homes
preload = global homes printers
# Default share values
valid users = @"UMLADCO/Domain Users"
admin users = "UMLADCO/Admin's username"
# Making samba play nice with vista
# client ntlmv2 auth = yes
#=================

[Data]
path = /home/data
comment = Data
browseable = yes
writable = yes
valid users = joel, tao, lian
# valid users = @"UMLADCO+EG therrienlab",\
# STUDENT+Tao_Jiang,\
# STUDENT+Carlos_Hernandez,\
# STUDENT+Daniel_Emerson,\
# STUDENT+Malavika_Vashist,\
# STUDENT+Aaron_Bandremer,\
# STUDENT+Lian_Dai,\
# STUDENT+Kyle_Twarowski,\
# joel_therrien
# admin users = Joel_Therrien
# read list = Joel_Therrien
# write list = Joel_Therrien

[ipc$]
path = /dev/null
comment = some vodoo that does work
valid users = joel

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
;public = yes ;to allow user 'guest account' to print

user.map file

# user.map
# SAMBA USERMAP FILE
# Unix_name = SMB_name1 SMB_name2 ...
joel = UMLADCO+Joel_Therrien
tao = STUDENT+Tao_Jiang
lian = STUDENT+Lian_Dai

samba log file for a winXP machine

[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 0 of length 137 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBnegprot (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN1.0]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [Windows for Workgroups 3.1a]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LM1.2X002]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN2.1]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [NT LM 0.12]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_nt1(392)
  using SPNEGO
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(673)
  Selected protocol NT LM 0.12
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 1 of length 240 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 40
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa2088207
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 2 of length 276 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[] domain=[] workstation=[UML-4F0C88A99EB] len1=1 len2=0
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password: Checking password for unmapped user []\[]@[UML-4F0C88A99EB] with the new password interface
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password: mapped user is: [UMLADCO]\[]@[UML-4F0C88A99EB]
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: guest authentication for user [] succeeded
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-1671084997-507029419-2634510391-501]
[2009/08/14 15:57:05, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2009/08/14 15:57:05, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2009/08/14 15:57:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  NTLMSSP Sign/Seal - Initialising with flags:
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa2088205
[2009/08/14 15:57:05, 3] smbd/password.c:register_existing_vuid(314)
  register_existing_vuid: User name: nobody Real name: nobody
[2009/08/14 15:57:05, 3] smbd/password.c:register_existing_vuid(326)
  register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 3 of length 90 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBtconX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/service.c:make_connection_snum(940)
  Connect path is '/tmp' for service [ipc$]
[2009/08/14 15:57:05, 3] lib/util_seaccess.c:se_access_check(249)
[2009/08/14 15:57:05, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-1671084997-507029419-2634510391-501
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
[2009/08/14 15:57:05, 3] smbd/vfs.c:vfs_init_default(96)
  Initialising default vfs hooks
[2009/08/14 15:57:05, 3] smbd/vfs.c:vfs_init_custom(130)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2009/08/14 15:57:05, 3] lib/util_sid.c:string_to_sid(228)
  string_to_sid: Sid joel does not start with 'S-'.
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 2] smbd/uid.c:change_to_user(192)
  change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share ipc$.
[2009/08/14 15:57:05, 0] smbd/service.c:make_connection_snum(1082)
  Can't become connected user!
[2009/08/14 15:57:05, 3] smbd/connection.c:yield_connection(31)
  Yielding connection to ipc$
[2009/08/14 15:57:05, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(662) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 4 of length 43 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBulogoffX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/reply.c:reply_ulogoffX(1910)
  ulogoffX vuid=100
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 5 of length 240 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 40
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa2088207
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
  Transaction 6 of length 358 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[lian_dai] domain=[STUDENT] workstation=[UML-4F0C88A99EB] len1=24 len2=24
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password: Checking password for unmapped user [STUDENT]\[lian_dai]@[UML-4F0C88A99EB] with the new password interface
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password: mapped user is: [STUDENT]\[lian_dai]@[UML-4F0C88A99EB]
[2009/08/14 15:57:05, 1] auth/auth.c:check_domain_match(171)
  check_domain_match: Attempt to connect as user lian_dai from domain STUDENT denied.
[2009/08/14 15:57:05, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2009/08/14 15:57:05, 3] smbd/process.c:smbd_process(2035)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/connection.c:yield_connection(31)
  Yielding connection to
[2009/08/14 15:57:05, 3] smbd/server.c:exit_server_common(949)
  Server exit (normal exit)
Joel Therrien
2009-Aug-30 14:27 UTC
[Samba] How to get users from a second AD group recognized by samba?
Hello,

I tried sending this to the list a few weeks ago, but it never made it through, so I'm giving it another try. This is an issue I have been trying to solve for some while. So far nothing I have seen in any of the samba forums I searched had an answer... I'm guessing because it is pretty specific.

I have an issue with getting my students access to the samba shares for our lab's server. I am using authentication through our university's active directory. I followed the directions for getting this set up using winbind. I am using winbind for both samba authentication as well as user logins through pam.

The trouble is this: I have no problems logging in and getting access to the samba shares. My students can log into shell accounts using their university credentials. But, they can not get into the samba shares.

A few details: The university splits the users according to faculty/staff and students, so I log in as UMLADCO\username, while the students log in as STUDENT\username. If it matters, they are all using win XP machines with the latest service packs, while I am using windows 7 RC (though I did not have issues using an XP box either).

Below are the smb.conf file, user map, and a typical log file from when a student tries to log in through one of the machines in the lab. I made a lot of headway getting this thing to work, but this last part is just a brick wall that I can't get past.

This is on a Debian Lenny install using kernel 2.6.18-5amd64 and Samba 3.2.5.

I think the key part to this is in the log file, I noticed that the student was mistakenly associated with the UMLADCO domain, not STUDENT.

BTW, I have the enumerate groups and users turned off because the active directory administrator requested that I not do anything that could put a significant load on their server. We have more than 10,000 users in the STUDENT and UMLADCO workgroups and I can only imagine that would cause a slowdown if samba needs to index that often.
If that thinking is not correct let me know.

Thanks in advance for any help!

Joel Therrien

Asst. Prof. Joel M. Therrien
Ph: 978-934-3324 Fax: 978-934-3027
Joel_Therrien at uml.edu
Dept. of Electrical & Computer Engineering
U. Massachusetts-Lowell
1 University Ave
Lowell, MA 01854
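
Added example, not part of the original posts: smb.conf(5) documents that with "allow trusted domains = no" smbd refuses connections from any domain other than the one it runs in, which is the condition the check_domain_match line in the posted log reports for STUDENT\lian_dai. The Python code below uses hypothetical helper names (parse_global, auth_attempts, diagnose) and a constructed excerpt of the posted smb.conf and log to pair each NTLMSSP session setup with its outcome and check it against that setting.

```python
import re

# Constructed sample: settings and log entries trimmed from the post above.
SMB_CONF = """
[global]
workgroup = UMLADCO
# RID idmap does not work with trusted domains
allow trusted domains = no
[Data]
valid users = joel, tao, lian
"""

LOG = r"""
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[] domain=[] workstation=[UML-4F0C88A99EB] len1=1 len2=0
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password: mapped user is: [UMLADCO]\[]@[UML-4F0C88A99EB]
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: guest authentication for user [] succeeded
[2009/08/14 15:57:05, 2] smbd/uid.c:change_to_user(192)
  change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share ipc$.
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[lian_dai] domain=[STUDENT] workstation=[UML-4F0C88A99EB] len1=24 len2=24
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password: mapped user is: [STUDENT]\[lian_dai]@[UML-4F0C88A99EB]
[2009/08/14 15:57:05, 1] auth/auth.c:check_domain_match(171)
  check_domain_match: Attempt to connect as user lian_dai from domain STUDENT denied.
"""

# Entry header "[date time, level] file.c:func(line)"; splitting on it also parses flattened logs.
HEADER = re.compile(r"\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*(\d+)\]\s+\S+?:(\w+)\(\d+\)")
GOT_USER = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\]")
MAPPED = re.compile(r"mapped user is: \[(.*?)\]\\\[")
DENIED = re.compile(r"check_domain_match: Attempt to connect as user \S+ from domain \S+ denied")
GUEST = re.compile(r"guest authentication for user \[.*?\] succeeded")
SHARE_DENIED = re.compile(r"not permitted access to share (\S+?)\.?$")


def parse_global(conf_text):
    """Return the [global] parameters, names lowercased with spaces collapsed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def auth_attempts(log_text):
    """Group log entries under the NTLMSSP session setup they belong to."""
    heads = list(HEADER.finditer(log_text))
    attempts = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        msg = " ".join(log_text[m.end():end].split())
        got = GOT_USER.search(msg)
        if m.group(2) == "ntlmssp_server_auth" and got:
            attempts.append({"user": got.group(1), "domain": got.group(2),
                             "mapped_domain": None, "outcome": "unknown", "share_denied": None})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        if MAPPED.search(msg):
            cur["mapped_domain"] = MAPPED.search(msg).group(1)
        elif DENIED.search(msg):
            cur["outcome"] = "domain_denied"
        elif GUEST.search(msg):
            cur["outcome"] = "guest"
        elif SHARE_DENIED.search(msg):
            cur["share_denied"] = SHARE_DENIED.search(msg).group(1)
    return attempts


def diagnose(conf_text, log_text):
    """Return (account, result, reason) per attempt; Samba's default for the setting is yes."""
    conf = parse_global(conf_text)
    workgroup = conf.get("workgroup", "WORKGROUP").upper()
    trusted = conf.get("allow trusted domains", "yes").lower() in ("yes", "true", "1", "on")
    findings = []
    for a in auth_attempts(log_text):
        who = a["domain"] + "\\" + a["user"] if a["user"] else "(anonymous)"
        if a["outcome"] == "domain_denied" and not trusted and a["domain"].upper() != workgroup:
            findings.append((who, "denied", "allow trusted domains = no; workgroup is " + workgroup))
        elif a["outcome"] == "guest" and a["share_denied"]:
            findings.append((who, "guest", "refused on share " + a["share_denied"]))
        else:
            findings.append((who, a["outcome"], ""))
    return findings


if __name__ == "__main__":
    print(*diagnose(SMB_CONF, LOG), sep="\n")
```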