Mike Leone
2010-Apr-23 17:14 UTC
[Samba] Can join AD 2003 domain; can't list shares from other servers
I set up an old laptop with Xubuntu 9.10. I configured Samba to work with my Win2003 AD domain that has MS Services for Unix installed.

I can get a Kerberos ticket. I successfully added the laptop to the AD domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me all groups. wbinfo -a user%password returns successfully. "getent passwd" works as expected - I see local users, and domain users.

"net ads info" works correctly, returning info.

    LDAP server: 10.0.0.60
    LDAP server name: dim-win2300.DaCrib.local
    Realm: DACRIB.LOCAL
    Bind Path: dc=DACRIB,dc=LOCAL
    LDAP port: 389
    Server time: Fri, 23 Apr 2010 13:12:53 EDT
    KDC server: 10.0.0.60
    Server time offset: 1

And yet:

    $ smbclient -L workhorse
    Enter turgon's password:
    session setup failed: NT_STATUS_ACCESS_DENIED

I have no idea why it's failing; I'm not seeing anything in the samba or winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member server.)

I can do the reverse; from "workhorse" I can see all the shares on the laptop:

    turgon at workhorse:~$ smbclient -L turgon-laptop
    Enter turgon's password:
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

            Sharename       Type      Comment
            ---------       ----      -------
            IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
            print$          Disk      Printer Drivers
    Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]

            Server               Comment
            ---------            -------
            TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser

            Workgroup            Master
            ---------            -------
            DACRIB

Hints as to where to go next? It must be something wrong on this specific laptop, since it works from my other server, but I dunno where, since all the other tests work. Firewall is off, on both machines.

==============================
smb.conf:

[global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - R)
    security = ads
    map to guest = Bad User

    client use spnego = true
    client ntlmv2 auth = yes

    eventlog list = Application System Security SyslogLinux

    # PAM AUTH
    encrypt passwords = yes
    obey pam restrictions = Yes
    pam password change = true
    password server = dim-win2300.DaCrib.local
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes

    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000

    domain master = No
    local master = No
    os level = 2

    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d

    # WINBIND
    idmap config DACRIB: default = true
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap config DACRIB:schema_mode = rfc2307

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nested groups = Yes
    winbind refresh tickets = true
    winbind nss info = rfc2307
    winbind separator = +

    template homedir = /home/%D/%u
    template shell = /bin/bash

    ; invalid users = root
    create mask = 0700
    directory mask = 0775
    writable = Yes
    enable privileges = Yes
    restrict anonymous = 2

    wide links = no

    socket options = TCP_NODELAY
grant little
2010-Apr-23 21:08 UTC
[Samba] Can join AD 2003 domain; can't list shares from other servers
On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone <turgon at mike-leone.com> wrote:
> I set up an old laptop with Xubuntu 9.10. I configured Samba to work
> with my Win2003 AD domain that has MS Services for Unix installed.
>
> I can get a Kerberos ticket. I successfully added the laptop to the AD
> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
> all groups. wbinfo -a user%password returns successfully. "getent passwd"
> works as expected - I see local users, and domain users.
>
> "net ads info" works correctly, returning info.
>
> LDAP server: 10.0.0.60
> LDAP server name: dim-win2300.DaCrib.local
> Realm: DACRIB.LOCAL
> Bind Path: dc=DACRIB,dc=LOCAL
> LDAP port: 389
> Server time: Fri, 23 Apr 2010 13:12:53 EDT
> KDC server: 10.0.0.60
> Server time offset: 1
>
> And yet:
>
> $ smbclient -L workhorse
> Enter turgon's password:
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I have no idea why it's failing; I'm not seeing anything in the samba or
> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
> server)
>
> I can do the reverse; from "workhorse" I can see all the shares on the
> laptop:
>
> turgon at workhorse:~$ smbclient -L turgon-laptop
> Enter turgon's password:
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>         print$          Disk      Printer Drivers
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>         Server               Comment
>         ---------            -------
>         TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser
>
>         Workgroup            Master
>         ---------            -------
>         DACRIB
>
> Hints as to where to go next? It must be something wrong on this specific
> laptop, since it works from my other server,
> but I dunno where, since all the other tests work. Firewall is off, on
> both machines.
>
> ==============================
> smb.conf:
>
> [global]
>     workgroup = DACRIB
>     realm = DACRIB.LOCAL
>     server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>     security = ads
>     map to guest = Bad User
>
>     client use spnego = true
>     client ntlmv2 auth = yes
>
>     eventlog list = Application System Security SyslogLinux
>
>     # PAM AUTH
>     encrypt passwords = yes
>     obey pam restrictions = Yes
>     pam password change = true
>     password server = dim-win2300.DaCrib.local
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>
>     log level = 3
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>
>     domain master = No
>     local master = No
>     os level = 2
>
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>
>     # WINBIND
>     idmap config DACRIB: default = true
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     idmap config DACRIB:schema_mode = rfc2307
>
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind nested groups = Yes
>     winbind refresh tickets = true
>     winbind nss info = rfc2307
>     winbind separator = +
>
>     template homedir = /home/%D/%u
>     template shell = /bin/bash
>
>     ; invalid users = root
>     create mask = 0700
>     directory mask = 0775
>     writable = Yes
>     enable privileges = Yes
>     restrict anonymous = 2
>
>     wide links = no
>
>     socket options = TCP_NODELAY
>
> --

I get the exact same thing happening on my Ubuntu 9.10 currently running 3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10).

However, if I do

    smbclient -L mysambaserver -UanADuserthatcanlogintothisserver

it works just fine and returns the goods. So my guess is that dim-win2300.DaCrib.local doesn't know who turgon is...
John H Terpstra
2010-Apr-24 20:22 UTC
[Samba] Can join AD 2003 domain; can't list shares from other servers
On 04/23/2010 12:14 PM, Mike Leone wrote:
> I set up an old laptop with Xubuntu 9.10. I configured Samba to work
> with my Win2003 AD domain that has MS Services for Unix installed.
>
> I can get a Kerberos ticket. I successfully added the laptop to the AD
> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows
> me all groups. wbinfo -a user%password returns successfully. "getent
> passwd" works as expected - I see local users, and domain users.
>
> "net ads info" works correctly, returning info.
>
> LDAP server: 10.0.0.60
> LDAP server name: dim-win2300.DaCrib.local
> Realm: DACRIB.LOCAL
> Bind Path: dc=DACRIB,dc=LOCAL
> LDAP port: 389
> Server time: Fri, 23 Apr 2010 13:12:53 EDT
> KDC server: 10.0.0.60
> Server time offset: 1

Looks good. Please show us the content of /etc/nsswitch.conf.

> And yet:
>
> $ smbclient -L workhorse
> Enter turgon's password:
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I have no idea why it's failing; I'm not seeing anything in the samba or
> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
> server)

OK. So in your smb.conf file add the following to the [global] stanza:

    log level = 5
    log file = /var/log/samba/%L-%m.log
    max log size = 0

Then try to connect using smbclient. This will generate a log file that is rather detailed. Check to see the reason it is failing.

- John T.

> I can do the reverse; from "workhorse" I can see all the shares on the
> laptop:
>
> turgon at workhorse:~$ smbclient -L turgon-laptop
> Enter turgon's password:
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>         print$          Disk      Printer Drivers
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>         Server               Comment
>         ---------            -------
>         TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser
>
>         Workgroup            Master
>         ---------            -------
>         DACRIB
>
> Hints as to where to go next? It must be something wrong on this
> specific laptop, since it works from my other server,
> but I dunno where, since all the other tests work. Firewall is off, on
> both machines.
>
> ==============================
> smb.conf:
>
> [global]
>     workgroup = DACRIB
>     realm = DACRIB.LOCAL
>     server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>     security = ads
>     map to guest = Bad User
>
>     client use spnego = true
>     client ntlmv2 auth = yes
>
>     eventlog list = Application System Security SyslogLinux
>
>     # PAM AUTH
>     encrypt passwords = yes
>     obey pam restrictions = Yes
>     pam password change = true
>     password server = dim-win2300.DaCrib.local
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>
>     log level = 3
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>
>     domain master = No
>     local master = No
>     os level = 2
>
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>
>     # WINBIND
>     idmap config DACRIB: default = true
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     idmap config DACRIB:schema_mode = rfc2307
>
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind nested groups = Yes
>     winbind refresh tickets = true
>     winbind nss info = rfc2307
>     winbind separator = +
>
>     template homedir = /home/%D/%u
>     template shell = /bin/bash
>
>     ; invalid users = root
>     create mask = 0700
>     directory mask = 0775
>     writable = Yes
>     enable privileges = Yes
>     restrict anonymous = 2
>
>     wide links = no
>
>     socket options = TCP_NODELAY
>
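As an added example (not code from any poster in this thread or from the Samba project), the following Python script does the two things John's reply asks for in a repeatable way: it parses an smb.conf, merges his three debug settings into [global] without losing the existing entries, and then scans the resulting Samba debug log for the NT_STATUS code behind a failed session setup. The smb.conf fragment is a subset of the one Mike posted; the log lines are constructed to illustrate the search, and their exact layout is an assumption about Samba 3.x output, not a capture from either machine.

```python
"""
Added example: apply the debug-logging overlay suggested in the thread to a
parsed smb.conf, then triage the resulting Samba debug log for NT_STATUS
failures. Not code from the thread or from the Samba project.
"""
import re

# Constructed [global] fragment (subset of the posted smb.conf), plus one share.
SMB_CONF = """\
[global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    security = ads
    map to guest = Bad User
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    ; invalid users = root
    restrict anonymous = 2

[print$]
    path = /var/lib/samba/printers
"""

# The three settings John asks for. "max log size = 0" disables rotation so
# one connection attempt is not split across several files.
DEBUG_OVERLAY = {
    "log level": "5",
    "log file": "/var/log/samba/%L-%m.log",
    "max log size": "0",
}

# Constructed debug log in the "[date time, level] file:line(func)" header
# style Samba 3.x uses; message text and line numbers are assumed, not captured.
SAMPLE_LOG = """\
[2010/04/23 13:20:01,  3] smbd/sesssetup.c:571(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/04/23 13:20:01,  5] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DACRIB]\\[turgon]@[TURGON-LAPTOP]
[2010/04/23 13:20:01,  3] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [turgon] -> [turgon] FAILED with error NT_STATUS_ACCESS_DENIED
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with internal
    whitespace collapsed; lines starting with '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def apply_debug_overlay(sections, overlay=DEBUG_OVERLAY):
    """Return a copy with the overlay merged into [global]; other keys are kept."""
    merged = {name: dict(kv) for name, kv in sections.items()}
    merged.setdefault("global", {}).update(overlay)
    return merged


def render_smb_conf(sections):
    """Serialize the parsed structure back to smb.conf syntax."""
    lines = []
    for name, kv in sections.items():
        lines.append(f"[{name}]")
        lines.extend(f"    {k} = {v}" for k, v in kv.items())
        lines.append("")
    return "\n".join(lines)


HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]")
STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")


def triage_log(lines):
    """Return (timestamp, status, message) for each log message that carries a
    non-OK NT_STATUS code. A header line sets the timestamp that applies to
    the indented message lines following it."""
    findings = []
    timestamp = None
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            timestamp = header.group("ts")
            continue
        for status in STATUS_RE.findall(line):
            if status != "NT_STATUS_OK":
                findings.append((timestamp, status, line.strip()))
    return findings


if __name__ == "__main__":
    print(render_smb_conf(apply_debug_overlay(parse_smb_conf(SMB_CONF))))
    for ts, status, msg in triage_log(SAMPLE_LOG.splitlines()):
        print(f"{ts}  {status}\n    {msg}")
```

On a real box the script would read /etc/samba/smb.conf and the new /var/log/samba/%L-%m.log file instead of the embedded strings; the triage step is what turns a level-5 log of several thousand lines into the handful of lines that name the failing status and the user it was checked for.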