Hi

This has been keeping me up for days now and I can't seem to find a solution in the various wikis, howtos and whatsoevers, so here's the plot:

I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4 x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba 3.0.33-3.15.el5_4.1 (rpm installation out of the box).

All I want to do is to have Samba authenticate against my DC. I've been setting up Kerberos, Winbind and Samba according to the Wiki-Page (http://wiki.samba.org/index.php/Samba_%26Active_Directory).

Authentication seems to work (i.e. if I log on to the server via ssh using the AD-Account, everything looks fine and even the created homedirs are assigned to the group "domain users"); however, if I try to map a windows share from a laptop running XPpro, Samba won't accept the user for either the homedirs or the datashare.

So the big question is: where did I screw up and/or what did I forget?

This is what my smb.conf looks like at the moment:

[global]
    workgroup = PROTEC
    realm = BSR.PROTEC-ENTERPRISES.COM
    password server = dc01-v.bsr.protec-enterprises.com
    preferred master = no
    server string = Samba FileServer Version %v
    netbios name = SAMBA-V

    # logs split per machine
    log file = /var/log/samba/%m.log
    # max 50KB per log file, then rotate
    max log size = 50
    log level = 3

    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    ; winbind nested groups = yes
    ; winbind nss info = rfc2307

    security = ADS
    encrypt passwords = yes

    idmap uid = 10000-20000
    idmap gid = 10000-20000

    username map = /etc/samba/smbusers
    # just to map the root account to the AD-Administrator account
    # as well as the AD-Guest account to "nobody"

    template shell = /bin/bash
    ; template primary group = "Domain Users"

[homes]
    comment = Home Directories
    valid users = $S
    readonly = no
    browseable = yes

[Data]
    comment = New K-Drive
    valid users = @PROTEC+domain users
    path = /mnt/sambashares/filestore
    writeable = yes
    browseable = yes

And here's what's in the workstation-log (not that I understand any of it...):

[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:store_gid_sid_cache(1151)
  store_gid_sid_cache: gid 10013 in cache -> S-1-5-21-1238498519-1179045160-1496349262-515
[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10000 -> S-1-5-32-544
[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10001 -> S-1-5-32-545
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/05/05 14:34:39, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-21-1238498519-1179045160-1496349262-1124]
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-21-1238498519-1179045160-1496349262-515]
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10013 -> S-1-5-21-1238498519-1179045160-1496349262-515
[2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(304)
  User name: PROTEC+fx805-02-p$ Real name: FX805-02-P$
[2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(325)
  UNIX uid 10010 is UNIX user PROTEC+fx805-02-p$, and will be vuid 101
[2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(356)
  Adding homes service for user 'PROTEC+fx805-02-p$' using home directory: '/home/PROTEC/fx805-02-p_'
[2010/05/05 14:34:39, 3] param/loadparm.c:lp_add_home(2691)
  adding home's share [fx805-02-p$] for user 'PROTEC+fx805-02-p$' at '/home/PROTEC/fx805-02-p_'
[2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
  Transaction 2 of length 84
[2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
  switch message SMBtconX (pid 24205) conn 0x0
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(815)
  Connect path is '/tmp' for service [IPC$]
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-1238498519-1179045160-1496349262-1124
  se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_default(95)
  Initialising default vfs hooks
[2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_custom(128)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
[2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-1238498519-1179045160-1496349262-1124
  se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(1042)
  192.168.2.88 (192.168.2.88) connect to service IPC$ initially as user PROTEC+fx805-02-p$ (uid=10010, gid=10013) (pid 24205)
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/reply.c:reply_tcon_and_X(574)
  tconX service=IPC$
[2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
  Transaction 3 of length 102
[2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
  switch message SMBtrans2 (pid 24205) conn 0x2b6c699f1430
[2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:39, 3] smbd/msdfs.c:get_referred_path(636)
  get_referred_path: |Data| in dfs path \Samba-v\Data is not a dfs root.
[2010/05/05 14:34:39, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/trans2.c(6309) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
  Transaction 4 of length 240
[2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
  switch message SMBsesssetupX (pid 24205) conn 0x0
[2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 40
[2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
[2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
  Transaction 5 of length 338
[2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
  switch message SMBsesssetupX (pid 24205) conn 0x0
[2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[smg] domain=[SAMBA-V] workstation=[FX805-02-P] len1=24 len2=24
On 05/05/2010 1:38 PM, Mike wrote:
> Hi
>
> This has been keeping me up for days now and I can't seem to find a solution
> in the various wikis, howtos and whatsoevers, so here's the plot:
>
> I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
>
> All I want to do is to have Samba authenticate against my DC. I've been
> setting up Kerberos, Winbind and Samba according to the Wiki-Page
> (http://wiki.samba.org/index.php/Samba_%26Active_Directory).
>
> Authentication seems to work (i.e. if I log on to the server via ssh using
> the AD-Account, everything looks fine and even the created homedirs are
> assigned to the group "domain users"); however, if I try to map a windows
> share from a laptop running XPpro, Samba won't accept the user for either
> the homedirs or the datashare.
>
> So the big question is: where did I screw up and/or what did I forget?
>
> This is what my smb.conf looks like at the moment:
>
> [global]
>     workgroup = PROTEC
>     realm = BSR.PROTEC-ENTERPRISES.COM
>     password server = dc01-v.bsr.protec-enterprises.com
>     preferred master = no
>     server string = Samba FileServer Version %v
>     netbios name = SAMBA-V
>
>     # logs split per machine
>     log file = /var/log/samba/%m.log
>     # max 50KB per log file, then rotate
>     max log size = 50
>     log level = 3
>
>     winbind separator = +
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     ; winbind nested groups = yes
>     ; winbind nss info = rfc2307
>
>     security = ADS
>     encrypt passwords = yes
>
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>
>     username map = /etc/samba/smbusers
>     # just to map the root account to the AD-Administrator account
>     # as well as the AD-Guest account to "nobody"
>
>     template shell = /bin/bash
>     ; template primary group = "Domain Users"
>
> [homes]
>     comment = Home Directories
>     valid users = $S

Mike, I see a couple of syntax errors. You must prefix with the domain and separator. Also use %, not $.

    valid users = PROTEC+%S

>     readonly = no
>     browseable = yes
>
> [Data]
>     comment = New K-Drive
>     valid users = @PROTEC+domain users

Domain Users has a space, so you must enclose in quotes:

    valid users = @"PROTEC+ Domain Users"

See if this helps.
Dale

>     path = /mnt/sambashares/filestore
>     writeable = yes
>     browseable = yes
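As an added illustration of the two syntax points in Dale's reply (this is example code written for this page, not code from the thread or from Samba), the Python below splits a `valid users` value the way an smb.conf list value is read, separated by whitespace or commas with double quotes grouping a name that contains spaces, expands `%S` to the share name, and flags the two mistakes in Mike's configuration. The separator set, the service name `smg`, and the function and class names are assumptions of the example; the `+` winbind separator and the `PROTEC` domain come from the posted smb.conf.

```python
"""Lint a Samba ``valid users`` value for the two mistakes discussed in this thread.

Added example, not Samba code. Assumptions: list values split on whitespace and
commas, double quotes group a token, and %S expands to the current service name.
"""
from __future__ import annotations

from dataclasses import dataclass

SEPARATORS = " \t,"  # assumption: smb.conf list separators


@dataclass(frozen=True)
class Entry:
    kind: str  # "user" or "group" (group = token prefixed with @, + or &)
    name: str  # token after %S expansion and prefix removal
    raw: str   # token as it appeared after expansion


def tokenize(value: str) -> list[str]:
    """Split a list-valued parameter, honouring double quotes."""
    tokens: list[str] = []
    current: list[str] = []
    in_quote = False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in SEPARATORS and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def substitute(token: str, service: str) -> str:
    """Expand %S (current service name). $S is not a variable and stays literal."""
    return token.replace("%S", service)


def parse_valid_users(value: str, service: str, separator: str = "+"):
    """Return (entries, problems) for one ``valid users`` value.

    ``service`` is the share name; for a [homes] share that is the user name.
    ``separator`` is the winbind separator used to domain-qualify names.
    """
    entries: list[Entry] = []
    problems: list[str] = []
    if "$S" in value:
        problems.append("'$S' is not a substitution variable; use '%S' for the service name")
    for tok in tokenize(value):
        tok = substitute(tok, service)
        if tok[0] in "@+&":
            entries.append(Entry("group", tok[1:], tok))
        else:
            entries.append(Entry("user", tok, tok))
    # A group entry followed by a bare, non-domain-qualified name is the usual
    # sign of an unquoted group name that contains a space.
    for prev, cur in zip(entries, entries[1:]):
        if prev.kind == "group" and cur.kind == "user" and separator not in cur.name:
            problems.append(
                f"'{prev.raw} {cur.raw}' was split into two entries; "
                f'quote the group name: @"{prev.name} {cur.name}"'
            )
    return entries, problems


if __name__ == "__main__":
    # Mike's two values beside the corrected forms, for share names taken from the thread.
    for share, value in [
        ("smg", "$S"),
        ("smg", "PROTEC+%S"),
        ("Data", "@PROTEC+domain users"),
        ("Data", '@"PROTEC+Domain Users"'),
    ]:
        entries, problems = parse_valid_users(value, share)
        print(f"[{share}] valid users = {value}")
        for e in entries:
            print(f"    {e.kind}: {e.name}")
        for p in problems:
            print(f"    PROBLEM: {p}")
```

Run against the [homes] share, where the service name is the connecting user's name, `$S` survives as a literal user called `$S`, so no real account can ever match; `@PROTEC+domain users` comes out as a group `PROTEC+domain` plus an unrelated user `users`. The `%S` and quoted forms each yield a single entry.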
Mike put forth on 5/5/2010 1:38 PM:
> Hi
>
> This has been keeping me up for days now and I can't seem to find a solution
> in the various wikis, howtos and whatsoevers, so here's the plot:
>
> I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> 3.0.33-3.15.el5_4.1 (rpm installation out of the box).

Make sure your system time is accurate on your VM guests. Virtual machines on VMware ESX are notorious for not keeping time correctly, sometimes drifting by hours in a single day. Read, thoroughly, and implement the recommendations in this guide:

http://www.vmware.com/pdf/vmware_timekeeping.pdf

Kerberos requires client and server clocks to be no more than 5 minutes apart. From:

http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Clock-Skew.html

"6.2 Clock Skew

In order to prevent intruders from resetting their system clocks in order to continue to use expired tickets, Kerberos V5 is set up to reject ticket requests from any host whose clock is not within the specified maximum clock skew of the KDC (as specified in the kdc.conf file). Similarly, hosts are configured to reject responses from any KDC whose clock is not within the specified maximum clock skew of the host (as specified in the krb5.conf file). The default value for maximum clock skew is 300 seconds, or five minutes.

MIT suggests that you add a line to client machines' /etc/rc files to synchronize the machine's clock to your KDC at boot time. On UNIX hosts, assuming you had a kdc called kerberos in your realm, this would be:

    gettime -s kerberos

If the host is not likely to be rebooted frequently, you may also want to set up a cron job that adjusts the time on a regular basis."

Clock may not be the cause of your current problems, but over 80% of the time it is the cause of kerberos problems with VMware guests.

--
Stan
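To put a number on Stan's clock-skew point, here is an added Python example (written for this page; it is not from Stan's message, Samba, or VMware) that sends a single SNTP request to a host, normally the domain controller, since an Active Directory DC serves time on UDP 123, reads the transmit timestamp from the reply, and compares the resulting offset against the 300-second Kerberos default. The packet layout follows RFC 4330 (48-byte header, transmit timestamp in bytes 40-47). The default host is Mike's DC as named in his smb.conf; `make_server_reply` is a constructed helper that fabricates a reply with a chosen timestamp so the offset arithmetic can be exercised offline, and the function names are the example's own.

```python
"""Measure this host's clock offset against a DC (or any NTP server) with one SNTP query.

Added example for this thread. Assumptions: the server answers SNTP on UDP 123 (an AD
domain controller does), and 300 s is the Kerberos V5 default maximum clock skew.
"""
import socket
import struct
import sys
import time

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
KRB5_MAX_SKEW = 300          # krb5 default clockskew, in seconds
TRANSMIT_TS = slice(40, 48)  # RFC 4330 header: 64-bit fixed-point transmit timestamp


def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, VN=3, Mode=3 in the first byte, rest zero."""
    return bytes([0x1B]) + bytes(47)


def ntp_to_unix(secs: int, frac: int) -> float:
    """Convert an NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return secs - NTP_UNIX_DELTA + frac / 2**32


def parse_transmit_time(packet: bytes) -> float:
    """Server transmit timestamp from a reply, as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(packet))
    mode = packet[0] & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", packet[TRANSMIT_TS])
    return ntp_to_unix(secs, frac)


def clock_offset(reply: bytes, local_now: float) -> float:
    """Server time minus local time; positive means this host is behind the server."""
    return parse_transmit_time(reply) - local_now


def within_kerberos_skew(offset: float, max_skew: float = KRB5_MAX_SKEW) -> bool:
    """True if the offset is inside the KDC's acceptable clock skew window."""
    return abs(offset) <= max_skew


def make_server_reply(unix_time: float) -> bytes:
    """Constructed mode-4 reply carrying unix_time as its transmit timestamp (offline testing)."""
    whole = int(unix_time)
    frac = int(round((unix_time - whole) * 2**32))
    return bytes([0x1C]) + bytes(39) + struct.pack("!II", whole + NTP_UNIX_DELTA, frac)


def query(host: str, port: int = 123, timeout: float = 2.0) -> float:
    """One request/reply round trip; returns the offset in seconds, raises on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, port))
        reply, _ = sock.recvfrom(512)
    return clock_offset(reply, time.time())


if __name__ == "__main__":
    # Default target is the DC from the posted smb.conf; pass another host as argv[1].
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01-v.bsr.protec-enterprises.com"
    off = query(dc)
    verdict = "OK" if within_kerberos_skew(off) else "EXCEEDS KERBEROS SKEW"
    print("offset to %s: %+.3f s (%s)" % (dc, off, verdict))
```

The one-way network delay is ignored, which is acceptable against a five-minute threshold; a drifted VM guest of the kind Stan describes shows up as an offset of minutes or hours, not milliseconds. Run it from the Samba host before and after fixing timekeeping to confirm the guest actually stays inside the window.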