Similar Problem here: Since Upgrading to Sernet Samba 3.5.8 logging in without
typing in the default domain does not work any more.
-------- Original-Nachricht --------> Datum: Mon, 28 Mar 2011 16:34:19 +1300
> Von: Marco Huang <marco.huang at auckland.ac.nz>
> An: samba at lists.samba.org
> Betreff: [Samba] winbind is not taking default domain
> Hi,
>
> We have been running samba file server about 2 years without this problem.
> The problem appeared at the same time on our debian and centos servers.
> Not sure if it's related to any updates on our windows AD servers.
>
> Debian Squeeze
> sernet-samba-3.5.8-27
>
> Centos 5.5
> samba3-3.5.5-43.el5
>
> Use Active Directory for user login authentication
> Use uid/gid from ldap
> The reason we still want winbind is for managing permissions from client
> end.
>
> Since last week, users failed on login with "valid users =
@staff" until I
> stopped winbind. I found if I change to valid users =
@"ABC\staff", users
> can login, however the change can not resolve the problem of ACLs on the
> folders/files. Of cause, if I stop winbind, works ok - user can login, and
> following the current permissions, but we do need winbind for managing
> permissions from client end.
>
> # smb.conf
>
> [global]
> realm = ad.mydomain
> workgroup = ABC
> server string = %h server
> enable privileges = yes
> dns proxy = no
> netbios name = linfiles
> smb ports = 139 445
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log file = /var/log/samba/%U.log
> log level = 10 winbind:10
> debug timestamp = yes
> max log size = 1000
> syslog only = no
> syslog = 2
> panic action = /usr/share/samba/panic-action %d
>
> security = ADS
> encrypt passwords = true
> obey pam restrictions = no
> invalid users = root
>
> unix extensions = no
>
> idmap backend = nss
> idmap config ABC : default = yes
> idmap config ABC : backend = nss
> idmap alloc backend = nss
> idmap cache time = 30
> allow trusted domains = no
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
> SO_RCVBUF=65536 SO_SNDBUF=65536
> locking = yes
> strict locking = no
> posix locking = yes
> kernel oplocks = no
> oplocks = yes
> level2 oplocks = yes
>
> winbind trusted domains only = yes
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind cache time = 3600
>
> acl compatibility = auto
>
> [sit]
> comment = Shares
> browseable = yes
> writable = yes
> create mask = 0770
> directory mask = 0770
> acl group control = yes
> acl check permissions = True
> nt acl support = yes
> force directory security mode = 770
> inherit permissions = yes
> inherit acls = yes
> inherit owner = no
> map acl inherit = yes
> path = /mnt/sit
> valid users = @staff
>
> # /etc/nsswitch.conf
> passwd: files ldap
> shadow: files
> group: files ldap
>
> # getent group staff returns group members with testuser.
>
> # wbinfo --own-domain
> ABC
>
> # Here are some logs from debug mode, winbind just trying to lookup domain
> LINFILES and Unix Group rather than ABC.
>
> [2011/03/25 12:43:50.645636, 3] lib/util_sid.c:228(string_to_sid)
> string_to_sid: Sid @staff does not start with 'S-'.
> [2011/03/25 12:43:50.645683, 5] smbd/password.c:423(user_in_netgroup)
> Unable to get default yp domain, let's try without specifying it
> [2011/03/25 12:43:50.645694, 5] smbd/password.c:430(user_in_netgroup)
> looking for user testuser of domain (ANY) in netgroup staff
> [2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
> lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
> [2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
> lookup_name: flags = 0x077
> [2011/03/25 12:43:50.645753, 3] smbd/sec_ctx.c:210(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2011/03/25 12:43:50.645764, 3] smbd/uid.c:429(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2011/03/25 12:43:50.645773, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2011/03/25 12:43:50.645783, 5]
> auth/token_util.c:525(debug_nt_user_token)
> NT user token: (NULL)
> [2011/03/25 12:43:50.645792, 5]
> auth/token_util.c:551(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2011/03/25 12:43:50.645825, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
> lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
> [2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
> lookup_name: flags = 0x077
> [2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
> User testuser not in 'valid users'
> [2011/03/25 12:43:50.647820, 2]
> smbd/service.c:598(create_connection_server_info)
> user 'testuser' (from session setup) not permitted to access this
share
> (sit)
> [2011/03/25 12:43:50.647832, 1] smbd/service.c:678(make_connection_snum)
> create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2011/03/25 12:43:50.647882, 3] smbd/error.c:80(error_packet_set)
> error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
>
>
> cheers
> --
> Marco
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
--
Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir
belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de