Mike Leone
2010-May-02 20:07 UTC
[Samba] Problems using multiple Samba servers in a Win2003 AD domain
I've been at this for days, and making no headway. It's very discouraging. I have a Win2003 domain, that has the Services for Unix extensions installed. I am trying to have multiple Samba servers as domain members (in my case, one desktop sharing files, and one laptop, accessing the shares). And at the moment, it doesn't (fully) work. Each Samba server can see shares from the other. Windows clients can see and mount shares from each Samba server. Each Samba server can mount shares from Windows clients on the domain. What they can't do ... is mount shares from each other. I get "mount error(13): Permission denied" no matter what I try. I find various pages on how to do this, half of which conflict with each other, or are outdated, none of which work. I am using virtually the same smb.conf on both machines.

Domain name = DCRIB.LOCAL (short name DACRIB)
Win2003 DC = dim-win2300.dacrib.local
2 Ubuntu 9.10 members (Samba 3.4.0)
Desktop = workhorse (with various shares)
Laptop = Dual-Booter (which will access the shares on workhorse and elsewhere)

So, can anyone point out what's wrong with these configs? Dual-Booter can see the shares on workhorse, and workhorse can see the share on Dual-Booter. Each can (and is) mounting shares from a WinXP machine. I can get Kerberos tickets on each Samba server. Each Samba server can mount a share from a WinXP desktop called "p4-desktop", although I seem to have to specify the username as "turgon at DACRIB" in the credentials; it doesn't work any other way. I can't mount shares from the other Samba regardless of how I specify the user, however.
testparm output - Dual-Booter:

[global]
        workgroup = DACRIB
        realm = DACRIB.LOCAL
        server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
        security = ADS
        auth methods = winbind
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = dim-win2300.DaCrib.local
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        client NTLMv2 auth = Yes
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        server signing = auto
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        os level = 2
        local master = No
        domain master = No
        dns proxy = No
        eventlog list = Application, System, Security, SyslogLinux
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config DACRIB:range = 10000 - 20000
        idmap config DACRIB:backend = rid
        idmap config DACRIB:schema_mode = rfc2307
        hide dot files = No

[TestShare]
        path = /TestShare

testparm output - Dual-Booter:

[global]
        workgroup = DACRIB
        realm = DACRIB.LOCAL
        server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
        security = ADS
        auth methods = winbind
        map to guest = Bad User
        obey pam restrictions = Yes
        password server = dim-win2300.DaCrib.local
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        client NTLMv2 auth = Yes
        log level = 2
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        server signing = auto
        os level = 2
        local master = No
        domain master = No
        dns proxy = No
        eventlog list = Application, System, Security, SyslogLinux
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config DACRIB:schema_mode = rfc2307
        idmap config DACRIB:range = 10000-20000
        idmap config DACRIB:backend = rid
        invalid users = root
        read only = No
        create mask = 0700
        directory mask = 0775
        hide dot files = No
        wide links = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
        browsable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[OldHome]
        comment = The Old Home Folder
        path = /OldHome

Thanks for any help.
Mike Leone
2010-May-03 03:32 UTC
[Samba] [PLUG] Problems using multiple Samba servers in a Win2003 AD domain - more
Here's what I don't understand - the user I am trying to mount shares with, does not show up the same on both systems, yet the smb.confs are the same.
Mike Leone
2010-May-04 00:21 UTC
[Samba] [PLUG] Problems using multiple Samba servers in a Win2003 AD domain - more
On 05/03/2010 04:14 PM, Dale Schroeder wrote:
> On 05/02/2010 10:32 PM, Mike Leone wrote:
>> Here's what I don't understand - the user I am trying to mount shares
>> with, does not show up the same on both systems, yet the smb.confs are
>> the same.
>>
>> From workhorse:
>>
>> $ getent passwd
>> <snip>
>> DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash
>>
>> $ getent group
>> <snip>
>> DACRIB+domain users:x:10012:
>>
>> From Dual-Booter:
>>
>> $ getent passwd
>> <snip>
>> DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash
>>
>> $ getent group
>> <snip>
>> DACRIB+domain users:x:10000:
>>
>> Is this the reason I can't mount? Shouldn't the group IDs be equivalent
>> on both Samba servers, especially since the smb.confs have the same
>> settings?
>>
> Mike,
>
> Since I see you're using RID for the idmap backend,

Only because I found a web howto that recommended it. :-) Apparently, I need the domain uid and gid to be the same on different Samba servers, and this page recommends RID as the way to do it.

> yes, the user and
> group ID's should be the same across all Samba servers.
> I can't say if that's your only problem. You might try regenerating
> /var/cache/samba/idmap_cache.tdb on both systems to see
> which is correct. Be aware that you will have to reset directory/file
> permissions on the incorrect system after this is done.

How do I do that? Do I just stop winbind and samba; delete the idmap_cache.tdb; and restart winbind and samba? I believe I had started fresh, by leaving the domain; deleting all .tdb files; rejoining the domain. But I may be mis-remembering ...

> If you only have one domain,

I do.

> you might also try the simpler, old-style idmap_rid declaration.
>
> #idmap config DACRIB:range = 10000 - 20000
> #idmap config DACRIB:backend = rid
> #idmap config DACRIB:schema_mode = rfc2307
> idmap backend = rid:DACRIB=10000-20000
>
> For testing purposes, also note that for idmap_rid, the defaults for
> "auth methods" and "winbind nss info" are usually sufficient.

I can give that a shot, sure. :-)

> Although it may not matter, there are some significant differences in
> the smb.conf's. Specifically, in Dual-Booter, you have
> set some parameters in [global] (that are normally reserved for shares)
> which are not declared in workhorse.
>
> [global]
>
> read only = No
> create mask = 0700
> directory mask = 0775
>

I can lose those, no big deal.

> Additionally, Dual-Booter has the following, but workhorse does not.
>
> invalid users = root

I am told (on another list) that I will need to use nss_ldap, if I want (need?) to keep domain lookups consistent across Samba servers. Using winbind for NSS only guarantees consistent uid/gids on one server. Such conflicting information is what makes these ... less than enjoyable. :-)
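An added worked example (not from the thread, nor Samba's own code) of the arithmetic behind the idmap_rid expectation raised above: idmap_rid derives every Unix ID as range_low + RID, so with range 10000-20000 the well-known Domain Users RID 513 must come out as gid 10513 on every member server, and the getent lines quoted in the thread can be checked against that rule. The domain SID is a constructed placeholder; the thread never shows the real one.

```python
import re

# idmap config DACRIB:range from the thread's testparm output
RANGE_LOW, RANGE_HIGH = 10000, 20000
DOMAIN_USERS_RID = 513  # well-known RID of the "Domain Users" group

# Constructed placeholder domain SID; the real DACRIB SID is not in the thread
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"


def rid_from_sid(sid):
    """Return the RID (last component) of a domain SID string."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if not m:
        raise ValueError("not a domain SID: " + sid)
    return int(m.group(1))


def idmap_rid(sid, low=RANGE_LOW, high=RANGE_HIGH):
    """Map a SID to a Unix ID the way idmap_rid does (base_rid 0): low + RID,
    refusing IDs that fall outside the configured range."""
    unix_id = low + rid_from_sid(sid)
    if not low <= unix_id <= high:
        raise ValueError("RID maps outside range %d-%d" % (low, high))
    return unix_id


def parse_getent(lines):
    """Parse 'getent passwd' or 'getent group' lines into {name: numeric id}."""
    return {f[0]: int(f[2]) for f in (line.split(":") for line in lines)}


def id_mismatches(host_a, host_b):
    """Names present on both hosts whose uid/gid differ; should be empty when
    every member server maps the same SIDs with the same idmap_rid range."""
    a, b = parse_getent(host_a), parse_getent(host_b)
    return {n: (a[n], b[n]) for n in a if n in b and a[n] != b[n]}


# getent group output quoted in the thread, one line per host
WORKHORSE_GROUP = ["DACRIB+domain users:x:10012:"]
DUALBOOTER_GROUP = ["DACRIB+domain users:x:10000:"]

if __name__ == "__main__":
    expected = idmap_rid("%s-%d" % (DOMAIN_SID, DOMAIN_USERS_RID))
    print("gid idmap_rid would assign to Domain Users:", expected)
    print("gids the two hosts actually report:", id_mismatches(WORKHORSE_GROUP, DUALBOOTER_GROUP))
```

Neither reported gid (10012, 10000) equals 10513, so neither host is handing out IDs of the low + RID form; small sequential values like these are what a tdb-allocated mapping left over from before the rid configuration looks like, which is why regenerating the idmap databases on both hosts is the first thing to try.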