yan at seiner.com
2014-Feb-06 21:43 UTC
[Samba] AD integration - Administrator can log in but no one else can
I have an Ubuntu 12.04 LTS server that I am trying to get integrated into
the company AD.
The global AD administrator with the username Administrator can log in and
access the shares on the samba box.
No other user, even users with Administrator privileges, can.
check_ntlm_password: authentication for user [Administrator] ->
[Administrator] -> [WIKI\Administrator] succeeded
check_ntlm_password: Authentication for user [yans] -> [yans] FAILED
with error NT_STATUS_NO_SUCH_USER
The yans user (me) can log into any computer except the samba box. Even
if I granted Admin privileges I am still refused.
Eventually I need to integrate this into our existing network but for now
I need to get user logins working.
The users do not have unix accounts on the samba box. They do not need
any accounts unless required to by samba.
I can't figure out what I am doing wrong. I have tried many things;
here's my current smb.conf:
[global]
workgroup = hpm
server string = %h server (Samba/Ubuntu)
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ads
realm = hpm.net
idmap backend = lwopen
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[mediawiki]
comment = Manuals Wiki Folders
read only = yes
path = /srv/mediawiki
read list = @wikiread
guest ok = no
[manuals]
comment = Manuals for download
path = /srv/mediawiki/downloads
browsable = yes
writeable = yes
read list = @wikiread
write list = @wikiwrite
create mask = 0775
guest ok = no
[covers]
comment = cover images for manuals
path = /srv/mediawiki/local/covers
browsable = yes
writeable = yes
read list = @wikiread
write list = @wikiwrite
guest ok = no
create mask = 0775
/etc/nsswitch.conf:
passwd: compat lsass winbind
group: compat lsass winbind
shadow: compat
hosts: files dns winbind wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
yan at seiner.com
2014-Feb-06 21:57 UTC
[Samba] AD integration - Administrator can log in but no one else can
> I have an Ubuntu 12.04 LTS server that I am trying to get integrated into
> the company AD.
>
> The global AD administrator with the username Administrator can log in and
> access the shares on the samba box.
>
> No other user, even users with Administrator privileges, can.
>
> check_ntlm_password: authentication for user [Administrator] ->
> [Administrator] -> [WIKI\Administrator] succeeded
>
> check_ntlm_password: Authentication for user [yans] -> [yans] FAILED
> with error NT_STATUS_NO_SUCH_USER

Here's what's puzzling - wbinfo returns my userid so I know it's valid. Why am I getting NO_SUCH_USER?

wbinfo -u
...
HPM\yans
L.P.H. van Belle
2014-Feb-07 09:36 UTC
[Samba] AD integration - Administrator can log in but no one else can
Hai,

In your global smb.conf set realm in CAPS.
I see your workgroup = HPM, but Administrator auths with: WIKI\Administrator
and your users with: wbinfo -u ... HPM\yans
so this isn't right, I'm thinking. Is your server name WIKI?

Regards,
Louis

>-----Original message-----
>From: yan at seiner.com [mailto:samba-bounces at lists.samba.org]
>On behalf of yan at seiner.com
>Sent: Thursday 6 February 2014 22:43
>To: samba at lists.samba.org
>Subject: [Samba] AD integration - Administrator can log in but no one else can
>
>I have an Ubuntu 12.04 LTS server that I am trying to get integrated into
>the company AD.
>
>The global AD administrator with the username Administrator can log in and
>access the shares on the samba box.
>
>No other user, even users with Administrator privileges, can.
>
> check_ntlm_password: authentication for user [Administrator] ->
>[Administrator] -> [WIKI\Administrator] succeeded
>
> check_ntlm_password: Authentication for user [yans] -> [yans] FAILED
>with error NT_STATUS_NO_SUCH_USER
>
>The yans user (me) can log into any computer except the samba box. Even
>if I granted Admin privileges I am still refused.
>
>Eventually I need to integrate this into our existing network but for now
>I need to get user logins working.
>
>The users do not have unix accounts on the samba box. They do not need
>any accounts unless required to by samba.
>
>I can't figure out what I am doing wrong. I have tried many things;
>here's my current smb.conf:
>
>[global]
> workgroup = hpm
> server string = %h server (Samba/Ubuntu)
> log level = 2
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = ads
> realm = hpm.net
>
> idmap backend = lwopen
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
>
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
>*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes
>
>[mediawiki]
> comment = Manuals Wiki Folders
> read only = yes
> path = /srv/mediawiki
> read list = @wikiread
> guest ok = no
>[manuals]
> comment = Manuals for download
> path = /srv/mediawiki/downloads
> browsable = yes
> writeable = yes
> read list = @wikiread
> write list = @wikiwrite
> create mask = 0775
> guest ok = no
>[covers]
> comment = cover images for manuals
> path = /srv/mediawiki/local/covers
> browsable = yes
> writeable = yes
> read list = @wikiread
> write list = @wikiwrite
> guest ok = no
> create mask = 0775
>
>/etc/nsswitch.conf:
>
>passwd: compat lsass winbind
>group: compat lsass winbind
>shadow: compat
>
>hosts: files dns winbind wins
>networks: files
>
>protocols: db files
>services: db files
>ethers: db files
>rpc: db files
>
>netgroup: nis
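Added example, not part of any message in this thread: a small Python check that automates the comparison made in the reply above, reading the workgroup and realm from smb.conf and comparing them with the domain names in the check_ntlm_password log lines and the wbinfo -u output. The function name, finding labels and sample strings are assumptions built from the values quoted in the thread.

```python
import configparser
import re

# Constructed sample input: values quoted in the thread, wrapped log lines re-joined.
SMB_CONF = "[global]\nworkgroup = hpm\nsecurity = ads\nrealm = hpm.net\n"
LOG_LINES = [
    "check_ntlm_password: authentication for user [Administrator] -> "
    "[Administrator] -> [WIKI\\Administrator] succeeded",
    "check_ntlm_password: Authentication for user [yans] -> [yans] FAILED "
    "with error NT_STATUS_NO_SUCH_USER",
]
WBINFO_USERS = ["HPM\\yans"]  # output of `wbinfo -u` as posted

OK_RE = re.compile(
    r"authentication for user \[[^\]]+\] -> \[[^\]]+\] -> "
    r"\[(?P<dom>[^\\\]]+)\\(?P<user>[^\]]+)\] succeeded", re.I)
FAIL_RE = re.compile(
    r"authentication for user \[(?P<user>[^\]]+)\] -> \[[^\]]+\] "
    r"FAILED with error (?P<status>\S+)", re.I)


def audit(smb_conf, log_lines, wbinfo_users):
    """Return (check, detail) findings; an empty list means the names agree."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf)  # assumes un-indented "key = value" lines
    workgroup = cp["global"].get("workgroup", "").upper()
    realm = cp["global"].get("realm", "")
    findings = []
    if realm != realm.upper():
        findings.append(("realm-not-uppercase", realm))
    known = {u.upper() for u in wbinfo_users}
    for line in log_lines:
        ok = OK_RE.search(line)
        if ok and ok["dom"].upper() != workgroup:
            # Logon was mapped into a domain other than the configured workgroup.
            findings.append(("auth-outside-workgroup", ok["dom"] + "\\" + ok["user"]))
        fail = FAIL_RE.search(line)
        if fail and (workgroup + "\\" + fail["user"]).upper() in known:
            # winbind lists the account under the workgroup, yet the logon failed.
            findings.append(("winbind-knows-user", fail["user"] + " " + fail["status"]))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SMB_CONF, LOG_LINES, WBINFO_USERS):
        print(check, detail)
```
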