Andreas Zickner
2009-Oct-03 16:28 UTC
[Samba] ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied
Hello all,

For some weeks I have been trying to get the following configuration working:

Windows 2003 AD (no R2!!) with SFU 3.5
Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
Samba (samba-3.0.33-3.14.el5)
nss_ldap (nss_ldap-253-21.el5)

So I wanted to implement the following setup:

http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607783

The main reason for using this combination is that I must maintain the UID/GID of users in the AD. The UIDs of the users must be the same on all UX systems. I have two Samba servers and other UX-only servers.

(let me know if you find a better way of doing this type of integration)

I followed several manuals and howtos to get it running. It all looks to be working except that I can't mount shares within Samba. From my point of view Samba returns a strange error:

Here is the log (user tata -> UID 10000 from AD):

[2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 10000
  Primary group is 10003 and contains 3 supplementary groups
  Group[ 0]: 603
  Group[ 1]: 600
  Group[ 2]: 602
[2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(10000,10000) gid=(0,10003)
[2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
  '/home/tata' does not exist or permission denied when connecting to [share1] Error was Permission denied

I checked the source code and it looks to me that Samba does a 'stat /home/tata' running as user tata (uid 10000) but is getting a 'Permission denied' from the OS. OK, I thought this is simply a permission issue .... no success :-(

OK, what I already did & what is working:

* /home/tata exists and has 777 (for test ... I tried also 755)
* su - tata and stat /home/tata are OK
* I can log on with the AD users on UX / ssh etc.; I have access etc.
* 'getent passwd' is fine
* 'wbinfo -u' and 'wbinfo -g' are fine
* mounting a share tmp with /tmp (http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html) is working!!
* Kerberos and winbind look OK to me ...
* winbind authentication of the user seems to be fine (from the logs)
* all things I see with the 'net' command seem to be OK.

Here is my samba conf:

[global]
    workgroup = W2K3
    password server = AD.W2K3.LOCAL
    realm = W2K3.LOCAL
    security = ads
    idmap uid = 600-33554431
    idmap gid = 600-33554431
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = false
    winbind nested groups = yes
    server string = Samba Server Version %v
    passdb backend = tdbsam
    load printers = yes
    cups options = raw

[homes]
    ; not working share
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[share1]
    ; not working share
    comment = Share 1
    path = /home/tata
    read only = yes

[tmp]
    ; working share
    comment = temporary files
    path = /tmp
    read only = yes

/etc/nsswitch.conf:

passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns

I'm unable to mount share1 or homes .... but I can mount tmp. If I change the path in share1 to /tmp I can mount share1 as well. I changed the permissions of /home/tata to the exact values of /tmp -> no luck.

In the code I did not really find a reference to /tmp but I'm not a Samba guru .... (btw. I like the code!!, easy to read :D )

Unfortunately I also have to get this running on HP-UX 11iv3 .... any input on whether this is even possible?

I'm also happy to get any alternative solutions that enable me to manage the uid in AD and have the accounts only in AD ....

I would appreciate any help here.

thanks,
Andreas

P.S: of course I can provide many more details / logs. Just tell me ....
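Added diagnostic for the failure described in the post above; this is editor-supplied example code, not something from the original message or from the Samba project. make_connection_snum() in 3.0.x calls stat() on the share's connectpath after change_to_user(), so the check that fails in the log is made with uid 10000 and the group set shown in the token (primary 10003, supplementary 603, 600, 602). The script below replays the DAC half of that check component by component, so the first directory that denies search access is named rather than just "Permission denied". It assumes GNU coreutils stat(1) and that id(1) resolves the AD user through NSS (the post says 'getent passwd' works); the user name tata and the path /home/tata are the post's, the function names and the ausearch filter are mine.

```shell
#!/bin/sh
# Editor-added diagnostic (not from the original post or the Samba project).
# Replays the DAC part of the stat() that smbd's make_connection_snum()
# issues as the connecting user after change_to_user(): every directory
# above the share path needs the search (x) bit for that uid/gid set.
# Assumes GNU coreutils stat(1). Function names are illustrative.

# dir_searchable DIR UID "GID GID ..." -> 0 if that identity may traverse DIR
dir_searchable() {
    dir=$1; uid=$2; gids=$3
    # root bypasses DAC, as smbd would if it had not switched to the user
    if [ "$uid" -eq 0 ]; then return 0; fi
    info=$(stat -c '%a %u %g' "$dir" 2>/dev/null) || return 1
    set -- $info
    mode=$1; owner=$2; group=$3
    # keep the last three octal digits (drop setuid/setgid/sticky)
    perm=000$mode; perm=${perm#"${perm%???}"}
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}
    ingroup=0
    for gid in $gids; do
        if [ "$gid" = "$group" ]; then ingroup=1; fi
    done
    # owner class wins, then group class, then other; x is the odd bit
    if [ "$uid" = "$owner" ]; then bit=$u
    elif [ "$ingroup" -eq 1 ]; then bit=$g
    else bit=$o
    fi
    [ $(( bit % 2 )) -eq 1 ]
}

# check_path_as_user USER PATH -> 0 if USER can stat PATH under DAC,
# 1 with the blocking component printed, 2 if NSS cannot resolve USER
check_path_as_user() {
    user=$1; target=$2
    uid=$(id -u "$user" 2>/dev/null) || { echo "NSS cannot resolve user $user" >&2; return 2; }
    gids=$(id -G "$user")
    cur=/
    oldifs=$IFS; IFS=/
    for comp in $(dirname "$target"); do
        IFS=$oldifs
        [ -n "$comp" ] || continue
        cur=${cur%/}/$comp
        if ! dir_searchable "$cur" "$uid" "$gids"; then
            echo "DAC: $user (uid $uid, gids $gids) lacks search (x) on $cur"
            return 1
        fi
    done
    IFS=$oldifs
    if [ ! -e "$target" ]; then echo "$target does not exist"; return 1; fi
    echo "DAC: $user can stat $target (all parents traversable)"
    return 0
}

# selinux_hints PATH: the layer a 'su - user; stat' test never exercises.
# The user's shell is not confined to smbd_t, so DAC success there says
# nothing about what the policy lets smbd do. Report only; tools guarded.
selinux_hints() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not installed"; return 0; }
    echo "SELinux mode: $(getenforce)"
    ls -Zd "$1" 2>/dev/null
    getsebool samba_enable_home_dirs 2>/dev/null
    # recent AVC denials attributed to smbd, if auditd is logging them
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -c smbd -ts recent 2>/dev/null | tail -n 5 || true
    fi
    return 0
}

# Usage (as root on the Samba host): sh check_share_path.sh tata /home/tata
if [ $# -eq 2 ]; then
    check_path_as_user "$1" "$2"
    rc=$?
    selinux_hints "$2"
    exit $rc
fi
```

Two caveats when reading its output. First, id -G reports the groups nss_ldap hands out, while the log shows smbd's own token (primary 10003 plus 603, 600 and 602, the latter three in the idmap-allocated range); if the two sets differ, call dir_searchable directly with the gids from the token to replay exactly what smbd used. Second, a clean DAC result together with the symptom in the post (su as the user can stat the directory, smbd cannot, /tmp works) points at a layer the su test does not cover; on RHEL 5 smbd runs confined by the targeted policy, which is why the script also prints the file context, the samba_enable_home_dirs boolean and any recent AVC records for smbd.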
Andreas Zickner
2009-Oct-05 15:59 UTC
[Samba] ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied
Hi,

If I use the Samba 3.0.22-based HP CIFS Server A.02.03.02, the setup works. I can mount the home dir without any issues. I used exactly the same smb.conf (except the line winbind offline logon = false).

Any idea why this does not work with RH 5.4 (and 5.3)?

thanks for any help
Andreas

P.S.: on HP-UX I'm using ldapux ... not nss_ldap; but nsswitch.conf is the same and winbindd is running.

Andreas Zickner wrote:
> [...]

-- 
Andreas Zickner
Gotenstr. 2 - 71065 Sindelfingen - andreas at zickner.de - 015771968553
There is a difference between knowing your way ...
... and walking it