Some may remember all my issues trying to get one Samba server to mount shares from another Samba server. Well, I decided to completely reformat my laptop with Ubuntu 10.04, and start over (leaving the other Samba server at Ubuntu 9.10).

(to recap - I have a Win2003 AD (not R2), with SFU installed)

I took the smb.conf from the 9.10 server (running 3.4.0) and loaded it on the Ubuntu 10.04 laptop, which is running 3.4.7. The only editing I did was to remove the share definitions, which don't exist on the laptop (no shares defined at all). Also copied the krb5.conf, to configure Kerberos. Cleared the /var/lib/samba, /var/cache/samba, /var/log/samba directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files already configured for samba, I copied over the common-account, common-auth, common-password, common-session files from the 9.10 server to the 10.04 server. Did the same with the nsswitch.conf file.

Figured I should get identical results, right? HA! :-(

Got a ticket. Joined the domain. It gave me an error message, something about the client not existing in the Kerberos database. It worked, tho, as the computer account did appear in AD.

wbinfo -t works.
wbinfo -u works.
wbinfo -g works.

If I use sudo, then wbinfo -a DOMAIN+user works. (I used "+" as a delimiter)

Getent passwd fails.
Getent group fails.

I am seeing this, in log.winbind on the 10.04 server:

[2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
  error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
[2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
  could not lookup domain user Administrator
[2010/05/07 23:16:59, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
  Could not get unix ID

and repeating, for all domain users.

I'm pretty much ready to just give up, and use the Windows installed on this laptop. That one has no problem accessing shares from the Samba server, or the Windows stations on the LAN.

Anyone? Please. :-)

Testparm of smb.conf: (I had to add the "idmap uid/gid" statements to the 10.04 server)

[global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 3
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    winbind refresh tickets = Yes
    idmap config DACRIB: schema_mode = sfu
    idmap config DACRIB: range = 100000 - 200000
    idmap config DACRIB: backend = ad
    hide dot files = No

Testparm of smb.conf of 9.10 server:

[global]
    workgroup = DACRIB
    realm = DACRIB.LOCAL
    server string = %h server (Samba %v, Domain: %D, Server: %L - %R)
    security = ADS
    auth methods = winbind
    map to guest = Bad User
    obey pam restrictions = Yes
    password server = dim-win2300.DaCrib.local
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    client NTLMv2 auth = Yes
    log level = 4
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    os level = 2
    local master = No
    domain master = No
    dns proxy = No
    eventlog list = Application, System, Security, SyslogLinux
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    winbind refresh tickets = Yes
    idmap config DCRIB:schema_mode = sfu
    idmap config DACRIB: range = 100000 - 200000
    idmap config DACRIB: backend = ad
    hide dot files = No
    wide links = No
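
Added example, not part of either poster's message: a parameter-by-parameter comparison of two testparm dumps, run here on excerpts constructed from the two listings above. The function names are hypothetical; names are matched ignoring case and whitespace, as smb.conf(5) describes for parameter names.

```python
import re
# Constructed excerpts: a subset of the two testparm listings in the post.
CONF_1004 = """\
[global]
    allow trusted domains = No
    log level = 3
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    winbind nss info = sfu
    idmap config DACRIB: schema_mode = sfu
    idmap config DACRIB: backend = ad
"""
CONF_910 = """\
[global]
    log level = 4
    winbind nss info = sfu
    idmap config DCRIB:schema_mode = sfu
    idmap config DACRIB: backend = ad
    wide links = No
"""

def parse_testparm(text):
    """Map (section, normalised name) -> (name as written, value)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        # smb.conf(5): parameter names ignore case and whitespace.
        key = re.sub(r"\s+", "", name).lower()
        params[(section, key)] = (" ".join(name.split()), value.strip())
    return params

def diff_configs(a, b):
    """Return (only in a, only in b, [(name, value_a, value_b)])."""
    pa, pb = parse_testparm(a), parse_testparm(b)
    only_a = sorted(pa[k][0] for k in pa.keys() - pb.keys())
    only_b = sorted(pb[k][0] for k in pb.keys() - pa.keys())
    changed = sorted((pa[k][0], pa[k][1], pb[k][1])
                     for k in pa.keys() & pb.keys() if pa[k][1] != pb[k][1])
    return only_a, only_b, changed

if __name__ == "__main__":
    print(diff_configs(CONF_1004, CONF_910))
```

Feeding it the full output of `testparm -s` from each host gives the complete list of parameters that differ between the two servers.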
Christian PERRIER
2010-May-08 08:00 UTC
[Samba] smb.conf works for 3.4.0; doesn't work for 3.4.7
Quoting Mike Leone (turgon at mike-leone.com):

> directories. Even tho Ubuntu 10.04 seems to have the /etc/pam.d files
> already configured for samba, I copied over the common-account,
> common-auth, common-password, common-session files from the 9.10 server
> to the 10.04 server. Did the same with the nsswitch.conf file.

This is very very probably the source of all your problems.

Even though I don't know the details of changes introduced in Ubuntu itself (not using Ubuntu myself), the 2:3.4.0-4 version of samba packages has seen changes in the way PAM modules, and particularly pam_winbind, are handled in samba packages postinst.

If the version in Ubuntu 9.10 is lower than this, the chances that your manual changes broke the planned upgrade path are high.

All this is meant to cope with the pam-auth-update utility introduced in pam 1.0.1-6. So, these 3 files have the explicit mention:

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

> If I use sudo, then wbinfo -a DOMAIN+user works. (I used "+" as a delimiter)
>
> Getent passwd fails.
> Getent group fails.
>
> I am seeing this, in log.winbind on the 10.04 server:
>
> [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:97(winbindd_fill_pwent)
> error getting user id for sid S-1-5-21-2780757143-49591276-3462498634-500
> [2010/05/07 23:16:59, 1] winbindd/winbindd_user.c:856(winbindd_getpwent)
> could not lookup domain user Administrator
> [2010/05/07 23:16:59, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
> Could not get unix ID
>
> and repeating, for all domain users.
>
> I'm pretty much ready to just give up, and use the Windows installed on
> this laptop. That one has no problem accessing shares from the Samba
> server, or the Windows stations on the LAN.

Messing with files owned by packages without letting the package maintainer scripts handle this properly for you is quite probably one of the reasons for your problems.

I suggest putting the common-* files you had after upgrading and before replacing them with those of 9.10 (you kept them somewhere, right?) in place and reconfiguring packages with "dpkg-reconfigure winbind".