I have seen this behaviour recently using Samba 3.4.5 from the Lucid
tree on Ubuntu 9.10.
Try using domain\username for the username.
To me, it appears to be a bug in winbind not using the default domain,
but I could be wrong.
On 20/02/2010, at 8:29 PM, grant little <grantliddle at gmail.com> wrote:
> Hello,
> having spent many hours scouring archives, docs, books and googling without
> finding an answer I need to ask your help on this.
>
> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can log in
> to the share from windows clients but the same users are denied access when
> connecting from OS X via GO/Connect To Server in format smb://fqdnofserver
>
> user authentication is to active directory using kerberos and LDAP and am
> not running winbind
>
> pam.d/samba is set to allow smb logins, that is shell logins are not
> permitted for active directory authenticated users. here's that snippet:
> # /etc/pam.d/samba
> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
> account sufficient pam_ldap.so use_first_pass
> session sufficient pam_ldap.so
>
>
> I have tested my configs on samba 3.0.33 on CentOS and it works fine there
> for both OS X and windows
>
> the share is setup on
> /shares/asgs
> with these permissions:
> drwxrwsrwx 8 root root 87 2010-02-20 00:17 shares
> drwxrws--- 2 grant ASGSFileUsers 18 2010-02-20 00:21 asgs
>
> here's smb.conf:
> [global]
> unix extensions = no
> disable spoolss = Yes
> disable netbios = yes
> name resolve order = hosts
> workgroup = AD
> realm = AD.UCSD.EDU
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> log level = 3
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> pam password change = no
> map to guest = bad user
> usershare allow guests = no
> [asgs]
> comment = ASGS
> path = /shares/asgs
> browsable = Yes
> valid users = @ad\ASGSFileUsers
> write list = @ad\ASGSFileUsers
> create mask = 2660
> directory mask = 2770
>
> The tail n20 of the log of the connecting IP shows this for an OS X attempt:
> [2010/02/20 00:56:16, 3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
> Linux kernel oplocks enabled
> [2010/02/20 00:56:16, 3] smbd/process.c:1453(process_smb)
> Transaction 0 of length 51 (0 toread)
> [2010/02/20 00:56:16, 3] smbd/process.c:1272(switch_message)
> switch message SMBnegprot (pid 5658) conn 0x0
> [2010/02/20 00:56:16, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/20 00:56:16, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2010/02/20 00:56:16, 3] smbd/negprot.c:387(reply_nt1)
> using SPNEGO
> [2010/02/20 00:56:16, 3] smbd/negprot.c:672(reply_negprot)
> Selected protocol NT LM 0.12
> [2010/02/20 00:56:18, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/20 00:56:18, 3] smbd/connection.c:31(yield_connection)
> Yielding connection to
> [2010/02/20 00:56:18, 3] smbd/server.c:848(exit_server_common)
> Server exit (failed to receive smb request)
>
>
>
> Hope someone can give me a pointer where to look next or what to tweak. Let
> me know if you need other log snippets.
>
> Thanks,
> Grant