Rowland Penny
2015-Jul-15 15:49 UTC
[Samba] Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
On 15/07/15 15:10, Mario Pio Russo wrote:> OR > > is there any way, or magical hidden parmeter in the smb.conf that allows to > enumerate the users in the Domain Users? tbh this has a huge impact on the > file share server as many directorys have "domain users" as groupI don't think you understand this at all :-) If a user is a member of an AD domain, then they are members of the Domain Users group, this is done via the ' primaryGroupID' attribute which should be set to '513' If you examine the 'Domain Users' object in AD, you will find that it doesn't show as having *any* users, yet every user is a member and windows recognises this. So when you upgrade the 'Domain Users' group to being a Unix group by giving it a 'gidNumber' attribute and samba on a Unix client is set up correctly, the Unix machine will also recognise this and allow members of the 'Domain Users' group access to a share, this will happen even if 'getent group Domain\ Users' show no members of the group. You should note that you may also use domain_users to reference the group.> ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic03260.gif) > > > > From: Mario Pio Russo/Ireland/IBM at IBMIE > To: Rowland Penny <rowlandpenny241155 at gmail.com> > Cc: samba at lists.samba.org, samba <samba-bounces at lists.samba.org> > Date: 15/07/2015 13:48 > Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box uisng > cifs command , error "CIFS VFS: cifs_mount failed w/return code > = -13" > Sent by: "samba" <samba-bounces at lists.samba.org> > > > > ok, what do you suggest then? maybe changing the authentication to another > group like "domainusers" ? > ___________________________________________________________________________________________ > > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic05703.gif) > > > > From: Rowland Penny <rowlandpenny241155 at gmail.com> > To: samba at lists.samba.org > Date: 15/07/2015 12:49 > Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box > uisng > cifs command , error "CIFS VFS: cifs_mount failed w/return code > = -13" > Sent by: "samba" <samba-bounces at lists.samba.org> > > > > On 15/07/15 11:06, Mario Pio Russo wrote: >> I have some more findings about this >> >> it looks like getent does not get the right information from the Domain >> Controller, in fact the domain user groups shows with NO member users: >> >> getent group | grep "domain users" >> domain users:x:10000: >> root at seadog:~# >> >> >> Now funny thing is that other folders for wwhich getent retrieves the > users >> correctlly are mounted fine . any idea why I don t see the users in > getent? > > Yes :-D > > Oh, you want to know why :-) > > Every user is a member of Domain Users and as such they are not shown as > being members in the AD object, this is why getent doesn't show them. > > Rowland > >> for example: >> root at seadog:~# getent group | grep "domain admins" >> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator >> >> any idea? >> >> > ___________________________________________________________________________________________ > > >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland with > number >> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin > 4 >> (Embedded image moved to file: pic03233.gif) >> >> >> >> From: Rowland Penny > <rowlandpenny241155 at gmail.com> >> To: samba at lists.samba.org >> Date: 14/07/2015 20:00 >> Subject: Re: [Samba] Samba3 shares cannot be mounted > on linux box > uisng >> cifs command , error "CIFS VFS: cifs_mount failed w/return > code >> = -13" >> Sent by: "samba" <samba-bounces at lists.samba.org> >> >> >> >> On 14/07/15 19:27, Mario Pio Russo wrote: >>> well, I have configured the kdc client on the file server, joined the >>> domain using net ads join and it worked fine, again getnet group , > getnet >>> passwd , wbinfo -u they all works perfectlly fine >> Well, this sounds like samba is working correctly. >> >>> I am also able to browse the shares from any windows machine joined to >> the >>> CCDC domain, but I am still not able to do ANY mount.cifs, not even form >>> linux boxes joined to the domain :-/ >> Any error messages anywhere ? >> Also when you say 'browse', can you give a bit more info, how are you >> 'browsing' and where are the shares, on the DC or somewhere else? >> >>> I have no idea what's happening. >>> >>> P.S. another thing I have noticed is that from windows machines, when I >> try >>> to do a network map to a share on the samba4, it gives "Authentication >>> Failure", while it was working correctly before the migration. >> Well, that probably means what it says, for some reason, samba is not >> recognising either your users or their passwords, >> >> Rowland >> >>> I'm running short of ideas now, any help more than welcome! >>> > ___________________________________________________________________________________________ > > >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 > 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland with >> number >>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, > Dublin >> 4 >>> (Embedded image moved to file: pic10279.gif) >>> >>> >>> >>> From: Rowland Penny > <rowlandpenny241155 at gmail.com> >>> To: > samba at lists.samba.org >>> Date: 14/07/2015 19:07 >>> Subject: Re: [Samba] Samba3 > shares cannot be mounted > on linux box >> uisng >>> cifs command , error "CIFS VFS: cifs_mount failed w/return >> code >>> = -13" >>> Sent by: "samba" > <samba-bounces at lists.samba.org> >>> >>> >>> On 14/07/15 18:19, Mario Pio Russo wrote: >>>> Thanks Rowland! >>>> >>>> few answers to your question: >>>> >>>> 1) I used the samba-tool domain classicupgrade to "migrate" the domain >>> for >>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2 >>>> >>>> 2) on the DC, I have configured the service to use the old winbind, as >>>> that's just enaugh for our domain and it looked more stable during the >>> test >>>> phasethe smb.conf of the DC is the following: >>>> >>>> [global] >>>> workgroup = CCDC >>>> realm = CCDC.LAN >>>> netbios name = CCDC-SAMBA4-DC1 >>>> server role = active directory domain controller >>>> idmap_ldb:use rfc2307 = yes >>>> >>>> server services = -winbindd +winbind >>> Remove these lines, they are not doing anything! >>>> dns forwarder = 9.0.138.50 >>>> #server services = -winbindd +winbind >>>> idmap config CCDC:backend = ad >>>> idmap config CCDC:schema_mode = rfc2307 >>>> idmap config CCDC:range = 10000-40000 >>>> >>>> >>>> # Store UIDs/GIDs for all other domains (including local >>>> # accounts/groups of this server) in a tdb file >>>> idmap config *:backend = tdb >>>> idmap config *:range = 2000-9999 >>>> >>>> # Use home directory and shell information from AD >>>> winbind nss info = rfc2307 >>> Ok, from here on no problems. >>>> tls enabled = yes >>>> tls keyfile = tls/myKey.pem >>>> tls certfile = tls/myCert.pem >>>> tls cafile >>>> >>>> [netlogon] >>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>>> read only = No >>>> >>>> [sysvol] >>>> path = /var/lib/samba/sysvol >>>> read only = No >>>> >>>> 3) I will remove the password server as you suggested , thanks >>>> >>>> 4) the server is present in the domain, and getent group and getent >>> passwd >>>> works correctlly, however it was NOT joined with net ads join, but with >>> net >>>> rpc join, could this make the difference? as I am currentlly thinking > of >>>> removing the server from the domain, configure kerberos-workstation and >>> try >>>> the net ads join, what do you think? >>> If getent is working, then there should be no reason to leave & rejoin >>> the domain, but then again, there is no reason not to try it :-) >>> >>> Rowland >>> >>>> again thanks for the help >>>> >>>> >>>> >>>> > ___________________________________________________________________________________________ > > >>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 >> 1 >>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>> IBM Ireland Product Distribution Limited registered in Ireland with >>> number >>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >> Dublin >>> 4 >>>> (Embedded image moved to file: pic40897.gif) >>>> >>>> >>>> >>>> From: > Rowland Penny >> <rowlandpenny241155 at gmail.com> >>>> To: > samba at lists.samba.org >>>> Date: > 14/07/2015 17:50 >>>> Subject: > Re: [Samba] > Samba3 shares cannot be mounted >> on linux box >>> uisng >>>> cifs command , error "CIFS VFS: cifs_mount failed > w/return >>> code >>>> = -13" >>>> Sent by: > "samba" > <samba-bounces at lists.samba.org> >>>> >>>> >>>> On 14/07/15 16:49, Mario Pio Russo wrote: >>>>> Good Day All >>>>> >>>>> I have a problem for our main fileserver base don samba 3.5.6 >>>>> >>>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation >>>> which >>>>> was acting as a PDC for our internal domian called CCDC. On a > sapearate >>>>> machine, we had another installation of samba 3.5.6 to act just as > file >>>>> share server. >>>>> >>>>> All was working ok, till I upgraded the PDC form samba 3.5.6 to samba >>>>> 4.2.2 , using the classicupgrade. >>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain >>>> classicupgrade' to an AD DC ? >>>> >>>>> Now I am able to access the shares from the windows boxes added to the >>>> CCDC >>>>> domain, but when I try to mount a cifs share form a linux box, then I >>> get >>>>> the following error: >>>>> >>>>> >>>>> mount.cifs -o >>>>> > username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/ >>>>> Password: >>>>> mount error(13): Permission denied >>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) >>>>> >>>>> form dmesg I can see the following error: >>>>> >>>>> CIFS VFS: cifs_mount failed w/return code = -13 >>>>> >>>> Your user is not known. >>>> >>>>> the smb.conf of the file server is the following: >>>>> >>>>> >>>>> root at seadog:/etc/samba# cat smb.conf >>>>> [global] >>>>> >>>>> write cache size = 131072 >>>>> >>>>> vfs objects = full_audit >>>>> full_audit:prefix = %u,%I,%m,%S >>>>> # removed this, so we only log failures. >>>>> # however will keep it here commented it out for future >>> reference >>>>> #full_audit:success = mkdir rename unlink rmdir open chown >> chmod >>>>> connect readlink >>>>> full_audit:failure = mkdir rename unlink rmdir open chown >> chmod >>>>> connect readlink >>>>> full_audit:facility = local7 >>>>> full_audit:priority = NOTICE >>>>> >>>>> >>>>> server string = CSI Samba Server >>>>> workgroup = CCDC >>>>> netbios name = SEADOG >>>>> realm = CCDC.LAN >>>>> security = ads >>>>> #security = domain >>>>> wins server = 9.161.96.220 >>>>> server signing = mandatory >>>>> password server = 9.161.96.220 >>>> password server shouldn't be set, let samba find it itself. >>>> >>>>> map untrusted to domain = yes >>>>> >>>>> wins support = no >>>>> wins proxy = no >>>>> dns proxy = no >>>>> name resolve order = wins host bcast >>>>> >>>>> winbind use default domain = yes >>>>> >>>>> winbind uid = 10000-20000 >>>>> winbind gid = 10000-20000 >>>>> winbind cache time = 15 >>>>> winbind enum users = yes >>>>> winbind enum groups = yes >>>>> >>>>> # This is needed, a fake home folder so that users are able > to >>> ftp >>>>> # this folder is empty but exists, do a getent passwd to see >>> what >>>> I >>>>> mean >>>>> template homedir = /home/winbind >>>>> >>>>> local master = no >>>>> domain master = no >>>>> >>>>> # To o with ACL mapping to windows >>>>> # >>>>> dos filemode = Yes >>>>> acl group control = Yes >>>>> acl map full control = Yes >>>>> map acl inherit = Yes >>>>> >>>>> guest account = nobody >>>>> invalid users = root daemon bin sys sync games man lp mail >> news >>>> uucp >>>>> proxy www-data backup list irc gnats Debian-exim sshd ntpd >>>>> >>>>> log file = /var/log/samba/log.%m >>>>> log level = 3 >>>>> >>>>> max log size = 2000 >>>>> syslog = 0 >>>>> >>>>> # using these options copied from clearcase. >>>>> # back in the day we did research these to death >>>>> # >>>>> # socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE >>>>> IPTOS_LOWDELAY TCP_NODELAY >>>>> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 >> SO_KEEPALIVE >>>>> IPTOS_LOWDELAY TCP_NODELAY >>>>> >>>>> # This disables print options >>>>> # we are not a print server >>>>> # >>>>> load printers = No >>>>> disable spoolss = Yes >>>>> >>>>> smb ports = 139 >>>>> >>>>> # every mount from the SAN has a lost+found folder >>>>> # to avoid user confusion, have set this to hidden >>>>> # >>>>> hide files = /lost+found/ >>>>> >>>>> aio read size = 1 >>>>> aio write size = 1 >>>>> follow symlinks = no >>>>> >>>>> >>>>> >>>>> [scrap] >>>>> comment = ICS - CSI general scrap Area >>>>> path = /export/ICS/CSI/scrap >>>>> valid users = @"Domain Users" >>>>> force create mode = 750 >>>>> force directory mode = 740 >>>>> writeable = Yes >>>>> browseable = Yes >>>>> >>>>> >>>>> >>>>> >>>>> note that on this fileserver nothing was touched during the >>>> classiupgrade, >>>>> a part the following parameters of the smb.conf >>>> Well, it probably should have been :-) >>>> >>>>> realm = CCDC.LAN >>>>> security = ads >>>>> wins server = 9.161.96.220 >>>>> >>>>> password server = 9.161.96.220 >>>>> >>>>> >>>>> >>>>> I have tried already different Linux machine with different >> distribution >>>>> and I always get the same error, I have also tried to add the > parameter >>>>> "sec=ntlm or ntlmi " but hasn't changed much. >>>>> >>>>> Note that for some historical reason, this file server has NOT a >> kerbero >>>>> workstation installation and was joined to the CCDC domain using net >> rpc >>>>> join instead of net ads join, could this be a problem? >>>> It would seem the domain has been upgraded to AD and your fileserver > may >>>> require joining to the new domain, but it is more likely to be > something >>>> to do with the winbindd changes that came in with 4.2.0, see here: >>>> >>>> https://www.samba.org/samba/history/samba-4.2.0.html >>>> >>>> Rowland >>>> >>>>> any help is much appreciated!!!! >>>>> >>>>> >>>>> thanks >>>>> > ___________________________________________________________________________________________ > > >>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: > +353 >>> 1 >>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>>> IBM Ireland Product Distribution Limited registered in Ireland with >>>> number >>>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >>> Dublin >>>> 4 >>>>> (Embedded image moved to file: pic44465.gif) >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Mario Pio Russo
2015-Jul-15 16:12 UTC
[Samba] Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
well that's peculiar, as I am experiencing something different. in fact from ADUC I can see all the users belonging to the "domain users" groups. the authentication, however, does not work on that group, and the share "scrap" cannot be accessed with this config: valid users = @"Domain Users" however, I have created an auxiliarry group called domainusers , added all the users to that group and changed the scrap access policy to this: valid users = @"domainusers" now all works fine. I am modifying the share in order to never use the "domain users" groups as after the migration it simly doesn't work. maybe this workaround can be helpful for others, Bye for now! ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic43860.gif) From: Rowland Penny <rowlandpenny241155 at gmail.com> To: samba at lists.samba.org Date: 15/07/2015 16:55 Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13" Sent by: "samba" <samba-bounces at lists.samba.org> On 15/07/15 15:10, Mario Pio Russo wrote:> OR > > is there any way, or magical hidden parmeter in the smb.conf that allowsto> enumerate the users in the Domain Users? tbh this has a huge impact onthe> file share server as many directorys have "domain users" as groupI don't think you understand this at all :-) If a user is a member of an AD domain, then they are members of the Domain Users group, this is done via the ' primaryGroupID' attribute which should be set to '513' If you examine the 'Domain Users' object in AD, you will find that it doesn't show as having *any* users, yet every user is a member and windows recognises this. So when you upgrade the 'Domain Users' group to being a Unix group by giving it a 'gidNumber' attribute and samba on a Unix client is set up correctly, the Unix machine will also recognise this and allow members of the 'Domain Users' group access to a share, this will happen even if 'getent group Domain\ Users' show no members of the group. You should note that you may also use domain_users to reference the group.>___________________________________________________________________________________________> > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland withnumber> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin4> > (Embedded image moved to file: pic03260.gif) > > > > From: Mario Pio Russo/Ireland/IBM at IBMIE > To: Rowland Penny <rowlandpenny241155 at gmail.com> > Cc: samba at lists.samba.org, samba <samba-bounces at lists.samba.org> > Date: 15/07/2015 13:48 > Subject: Re: [Samba] Samba3 shares cannot be mounted on linux boxuisng> cifs command , error "CIFS VFS: cifs_mount failed w/returncode> = -13" > Sent by: "samba" <samba-bounces at lists.samba.org> > > > > ok, what do you suggest then? maybe changing the authentication toanother> group like "domainusers" ? >___________________________________________________________________________________________> > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland withnumber> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin4> > (Embedded image moved to file: pic05703.gif) > > > > From: Rowland Penny<rowlandpenny241155 at gmail.com>> To: samba at lists.samba.org > Date: 15/07/2015 12:49 > Subject: Re: [Samba] Samba3 shares cannot be mountedon linux box> uisng > cifs command , error "CIFS VFS: cifs_mount failed w/returncode> = -13" > Sent by: "samba" <samba-bounces at lists.samba.org> > > > > On 15/07/15 11:06, Mario Pio Russo wrote: >> I have some more findings about this >> >> it looks like getent does not get the right information from the Domain >> Controller, in fact the domain user groups shows with NO member users: >> >> getent group | grep "domain users" >> domain users:x:10000: >> root at seadog:~# >> >> >> Now funny thing is that other folders for wwhich getent retrieves the > users >> correctlly are mounted fine . any idea why I don t see the users in > getent? > > Yes :-D > > Oh, you want to know why :-) > > Every user is a member of Domain Users and as such they are not shown as > being members in the AD object, this is why getent doesn't show them. > > Rowland > >> for example: >> root at seadog:~# getent group | grep "domain admins" >> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator >> >> any idea? >> >> >___________________________________________________________________________________________> > >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +3531>> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland with > number >> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge,Dublin> 4 >> (Embedded image moved to file: pic03233.gif) >> >> >> >> From: Rowland Penny > <rowlandpenny241155 at gmail.com> >> To:samba at lists.samba.org>> Date: 14/07/2015 20:00 >> Subject: Re: [Samba] Samba3shares cannot be mounted> on linux box > uisng >> cifs command , error "CIFS VFS: cifs_mount failed w/return > code >> = -13" >> Sent by: "samba"<samba-bounces at lists.samba.org>>> >> >> >> On 14/07/15 19:27, Mario Pio Russo wrote: >>> well, I have configured the kdc client on the file server, joined the >>> domain using net ads join and it worked fine, again getnet group , > getnet >>> passwd , wbinfo -u they all works perfectlly fine >> Well, this sounds like samba is working correctly. >> >>> I am also able to browse the shares from any windows machine joined to >> the >>> CCDC domain, but I am still not able to do ANY mount.cifs, not evenform>>> linux boxes joined to the domain :-/ >> Any error messages anywhere ? >> Also when you say 'browse', can you give a bit more info, how are you >> 'browsing' and where are the shares, on the DC or somewhere else? >> >>> I have no idea what's happening. >>> >>> P.S. another thing I have noticed is that from windows machines, when I >> try >>> to do a network map to a share on the samba4, it gives "Authentication >>> Failure", while it was working correctly before the migration. >> Well, that probably means what it says, for some reason, samba is not >> recognising either your users or their passwords, >> >> Rowland >> >>> I'm running short of ideas now, any help more than welcome! >>> >___________________________________________________________________________________________> > >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 > 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland with >> number >>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, > Dublin >> 4 >>> (Embedded image moved to file: pic10279.gif) >>> >>> >>> >>> From:Rowland Penny> <rowlandpenny241155 at gmail.com> >>> To: > samba at lists.samba.org >>> Date:14/07/2015 19:07>>> Subject:Re: [Samba] Samba3> shares cannot be mounted > on linux box >> uisng >>> cifs command , error "CIFS VFS: cifs_mount failedw/return>> code >>> = -13" >>> Sent by:"samba"> <samba-bounces at lists.samba.org> >>> >>> >>> On 14/07/15 18:19, Mario Pio Russo wrote: >>>> Thanks Rowland! >>>> >>>> few answers to your question: >>>> >>>> 1) I used the samba-tool domain classicupgrade to "migrate" thedomain>>> for >>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2 >>>> >>>> 2) on the DC, I have configured the service to use the old winbind, as >>>> that's just enaugh for our domain and it looked more stable during the >>> test >>>> phasethe smb.conf of the DC is the following: >>>> >>>> [global] >>>> workgroup = CCDC >>>> realm = CCDC.LAN >>>> netbios name = CCDC-SAMBA4-DC1 >>>> server role = active directory domain controller >>>> idmap_ldb:use rfc2307 = yes >>>> >>>> server services = -winbindd +winbind >>> Remove these lines, they are not doing anything! >>>> dns forwarder = 9.0.138.50 >>>> #server services = -winbindd +winbind >>>> idmap config CCDC:backend = ad >>>> idmap config CCDC:schema_mode = rfc2307 >>>> idmap config CCDC:range = 10000-40000 >>>> >>>> >>>> # Store UIDs/GIDs for all other domains (including local >>>> # accounts/groups of this server) in a tdb file >>>> idmap config *:backend = tdb >>>> idmap config *:range = 2000-9999 >>>> >>>> # Use home directory and shell information from AD >>>> winbind nss info = rfc2307 >>> Ok, from here on no problems. >>>> tls enabled = yes >>>> tls keyfile = tls/myKey.pem >>>> tls certfile = tls/myCert.pem >>>> tls cafile >>>> >>>> [netlogon] >>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>>> read only = No >>>> >>>> [sysvol] >>>> path = /var/lib/samba/sysvol >>>> read only = No >>>> >>>> 3) I will remove the password server as you suggested , thanks >>>> >>>> 4) the server is present in the domain, and getent group and getent >>> passwd >>>> works correctlly, however it was NOT joined with net ads join, butwith>>> net >>>> rpc join, could this make the difference? as I am currentlly thinking > of >>>> removing the server from the domain, configure kerberos-workstationand>>> try >>>> the net ads join, what do you think? >>> If getent is working, then there should be no reason to leave & rejoin >>> the domain, but then again, there is no reason not to try it :-) >>> >>> Rowland >>> >>>> again thanks for the help >>>> >>>> >>>> >>>> >___________________________________________________________________________________________> > >>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX:+353>> 1 >>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>> IBM Ireland Product Distribution Limited registered in Ireland with >>> number >>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >> Dublin >>> 4 >>>> (Embedded image moved to file: pic40897.gif) >>>> >>>> >>>> >>>> From: > Rowland Penny >> <rowlandpenny241155 at gmail.com> >>>> To: > samba at lists.samba.org >>>> Date: > 14/07/2015 17:50 >>>> Subject: > Re:[Samba]> Samba3 shares cannot be mounted >> on linux box >>> uisng >>>> cifs command , error "CIFS VFS: cifs_mount failed > w/return >>> code >>>> = -13" >>>> Sent by: > "samba" > <samba-bounces at lists.samba.org> >>>> >>>> >>>> On 14/07/15 16:49, Mario Pio Russo wrote: >>>>> Good Day All >>>>> >>>>> I have a problem for our main fileserver base don samba 3.5.6 >>>>> >>>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation >>>> which >>>>> was acting as a PDC for our internal domian called CCDC. On a > sapearate >>>>> machine, we had another installation of samba 3.5.6 to act just as > file >>>>> share server. >>>>> >>>>> All was working ok, till I upgraded the PDC form samba 3.5.6 to samba >>>>> 4.2.2 , using the classicupgrade. >>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain >>>> classicupgrade' to an AD DC ? >>>> >>>>> Now I am able to access the shares from the windows boxes added tothe>>>> CCDC >>>>> domain, but when I try to mount a cifs share form a linux box, then I >>> get >>>>> the following error: >>>>> >>>>> >>>>> mount.cifs -o >>>>> >username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/>>>>> Password: >>>>> mount error(13): Permission denied >>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) >>>>> >>>>> form dmesg I can see the following error: >>>>> >>>>> CIFS VFS: cifs_mount failed w/return code = -13 >>>>> >>>> Your user is not known. >>>> >>>>> the smb.conf of the file server is the following: >>>>> >>>>> >>>>> root at seadog:/etc/samba# cat smb.conf >>>>> [global] >>>>> >>>>> write cache size = 131072 >>>>> >>>>> vfs objects = full_audit >>>>> full_audit:prefix = %u,%I,%m,%S >>>>> # removed this, so we only log failures. >>>>> # however will keep it here commented it out for future >>> reference >>>>> #full_audit:success = mkdir rename unlink rmdir open chown >> chmod >>>>> connect readlink >>>>> full_audit:failure = mkdir rename unlink rmdir open chown >> chmod >>>>> connect readlink >>>>> full_audit:facility = local7 >>>>> full_audit:priority = NOTICE >>>>> >>>>> >>>>> server string = CSI Samba Server >>>>> workgroup = CCDC >>>>> netbios name = SEADOG >>>>> realm = CCDC.LAN >>>>> security = ads >>>>> #security = domain >>>>> wins server = 9.161.96.220 >>>>> server signing = mandatory >>>>> password server = 9.161.96.220 >>>> password server shouldn't be set, let samba find it itself. >>>> >>>>> map untrusted to domain = yes >>>>> >>>>> wins support = no >>>>> wins proxy = no >>>>> dns proxy = no >>>>> name resolve order = wins host bcast >>>>> >>>>> winbind use default domain = yes >>>>> >>>>> winbind uid = 10000-20000 >>>>> winbind gid = 10000-20000 >>>>> winbind cache time = 15 >>>>> winbind enum users = yes >>>>> winbind enum groups = yes >>>>> >>>>> # This is needed, a fake home folder so that users areable> to >>> ftp >>>>> # this folder is empty but exists, do a getent passwd tosee>>> what >>>> I >>>>> mean >>>>> template homedir = /home/winbind >>>>> >>>>> local master = no >>>>> domain master = no >>>>> >>>>> # To o with ACL mapping to windows >>>>> # >>>>> dos filemode = Yes >>>>> acl group control = Yes >>>>> acl map full control = Yes >>>>> map acl inherit = Yes >>>>> >>>>> guest account = nobody >>>>> invalid users = root daemon bin sys sync games man lp mail >> news >>>> uucp >>>>> proxy www-data backup list irc gnats Debian-exim sshd ntpd >>>>> >>>>> log file = /var/log/samba/log.%m >>>>> log level = 3 >>>>> >>>>> max log size = 2000 >>>>> syslog = 0 >>>>> >>>>> # using these options copied from clearcase. >>>>> # back in the day we did research these to death >>>>> # >>>>> # socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE >>>>> IPTOS_LOWDELAY TCP_NODELAY >>>>> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 >> SO_KEEPALIVE >>>>> IPTOS_LOWDELAY TCP_NODELAY >>>>> >>>>> # This disables print options >>>>> # we are not a print server >>>>> # >>>>> load printers = No >>>>> disable spoolss = Yes >>>>> >>>>> smb ports = 139 >>>>> >>>>> # every mount from the SAN has a lost+found folder >>>>> # to avoid user confusion, have set this to hidden >>>>> # >>>>> hide files = /lost+found/ >>>>> >>>>> aio read size = 1 >>>>> aio write size = 1 >>>>> follow symlinks = no >>>>> >>>>> >>>>> >>>>> [scrap] >>>>> comment = ICS - CSI general scrap Area >>>>> path = /export/ICS/CSI/scrap >>>>> valid users = @"Domain Users" >>>>> force create mode = 750 >>>>> force directory mode = 740 >>>>> writeable = Yes >>>>> browseable = Yes >>>>> >>>>> >>>>> >>>>> >>>>> note that on this fileserver nothing was touched during the >>>> classiupgrade, >>>>> a part the following parameters of the smb.conf >>>> Well, it probably should have been :-) >>>> >>>>> realm = CCDC.LAN >>>>> security = ads >>>>> wins server = 9.161.96.220 >>>>> >>>>> password server = 9.161.96.220 >>>>> >>>>> >>>>> >>>>> I have tried already different Linux machine with different >> distribution >>>>> and I always get the same error, I have also tried to add the > parameter >>>>> "sec=ntlm or ntlmi " but hasn't changed much. >>>>> >>>>> Note that for some historical reason, this file server has NOT a >> kerbero >>>>> workstation installation and was joined to the CCDC domain using net >> rpc >>>>> join instead of net ads join, could this be a problem? >>>> It would seem the domain has been upgraded to AD and your fileserver > may >>>> require joining to the new domain, but it is more likely to be > something >>>> to do with the winbindd changes that came in with 4.2.0, see here: >>>> >>>> https://www.samba.org/samba/history/samba-4.2.0.html >>>> >>>> Rowland >>>> >>>>> any help is much appreciated!!!! >>>>> >>>>> >>>>> thanks >>>>> >___________________________________________________________________________________________> > >>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: > +353 >>> 1 >>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>>> IBM Ireland Product Distribution Limited registered in Ireland with >>>> number >>>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >>> Dublin >>>> 4 >>>>> (Embedded image moved to file: pic44465.gif) >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Jul-15 16:43 UTC
[Samba] Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
On 15/07/15 17:12, Mario Pio Russo wrote:> well that's peculiar, as I am experiencing something different. in fact > from ADUC I can see all the users belonging to the "domain users" groups. > the authentication, however, does not work on that group, and the share > "scrap" cannot be accessed with this config:Well, yes you can see them with ADUC, but we were discussing Unix tools.> > valid users = @"Domain Users"Have you tried "@Domain Users" ? But having said that, that will be everybody any, so you probably don't need the line anyway. Rowland> > however, I have created an auxiliarry group called domainusers , added all > the users to that group and changed the scrap access policy to this: > > > valid users = @"domainusers" > > > now all works fine. I am modifying the share in order to never use the > "domain users" groups as after the migration it simly doesn't work. > > maybe this workaround can be helpful for others, > > Bye for now! > > ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic33473.gif) > > > > From: Rowland Penny <rowlandpenny241155 at gmail.com> > To: samba at lists.samba.org > Date: 15/07/2015 16:55 > Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box uisng > cifs command , error "CIFS VFS: cifs_mount failed w/return code > = -13" > Sent by: "samba" <samba-bounces at lists.samba.org> > > > > On 15/07/15 15:10, Mario Pio Russo wrote: >> OR >> >> is there any way, or magical hidden parmeter in the smb.conf that allows > to >> enumerate the users in the Domain Users? tbh this has a huge impact on > the >> file share server as many directorys have "domain users" as group > I don't think you understand this at all :-) > > If a user is a member of an AD domain, then they are members of the > Domain Users group, this is done via the ' primaryGroupID' attribute > which should be set to '513' > > If you examine the 'Domain Users' object in AD, you will find that it > doesn't show as having *any* users, yet every user is a member and > windows recognises this. > > So when you upgrade the 'Domain Users' group to being a Unix group by > giving it a 'gidNumber' attribute and samba on a Unix client is set up > correctly, the Unix machine will also recognise this and allow members > of the 'Domain Users' group access to a share, this will happen even if > 'getent group Domain\ Users' show no members of the group. You should > note that you may also use domain_users to reference the group. > > > ___________________________________________________________________________________________ > >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland with > number >> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin > 4 >> (Embedded image moved to file: pic03260.gif) >> >> >> >> From: Mario Pio Russo/Ireland/IBM at IBMIE >> To: Rowland Penny <rowlandpenny241155 at gmail.com> >> Cc: samba at lists.samba.org, samba <samba-bounces at lists.samba.org> >> Date: 15/07/2015 13:48 >> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box > uisng >> cifs command , error "CIFS VFS: cifs_mount failed w/return > code >> = -13" >> Sent by: "samba" <samba-bounces at lists.samba.org> >> >> >> >> ok, what do you suggest then? maybe changing the authentication to > another >> group like "domainusers" ? >> > ___________________________________________________________________________________________ > >> >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland with > number >> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin > 4 >> (Embedded image moved to file: pic05703.gif) >> >> >> >> From: Rowland Penny > <rowlandpenny241155 at gmail.com> >> To: samba at lists.samba.org >> Date: 15/07/2015 12:49 >> Subject: Re: [Samba] Samba3 shares cannot be mounted > on linux box >> uisng >> cifs command , error "CIFS VFS: cifs_mount failed w/return > code >> = -13" >> Sent by: "samba" <samba-bounces at lists.samba.org> >> >> >> >> On 15/07/15 11:06, Mario Pio Russo wrote: >>> I have some more findings about this >>> >>> it looks like getent does not get the right information from the Domain >>> Controller, in fact the domain user groups shows with NO member users: >>> >>> getent group | grep "domain users" >>> domain users:x:10000: >>> root at seadog:~# >>> >>> >>> Now funny thing is that other folders for wwhich getent retrieves the >> users >>> correctlly are mounted fine . any idea why I don t see the users in >> getent? >> >> Yes :-D >> >> Oh, you want to know why :-) >> >> Every user is a member of Domain Users and as such they are not shown as >> being members in the AD object, this is why getent doesn't show them. >> >> Rowland >> >>> for example: >>> root at seadog:~# getent group | grep "domain admins" >>> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator >>> >>> any idea? >>> >>> > ___________________________________________________________________________________________ > >> >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 > 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland with >> number >>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, > Dublin >> 4 >>> (Embedded image moved to file: pic03233.gif) >>> >>> >>> >>> From: Rowland Penny >> <rowlandpenny241155 at gmail.com> >>> To: > samba at lists.samba.org >>> Date: 14/07/2015 20:00 >>> Subject: Re: [Samba] Samba3 > shares cannot be mounted >> on linux box >> uisng >>> cifs command , error "CIFS VFS: cifs_mount failed w/return >> code >>> = -13" >>> Sent by: "samba" > <samba-bounces at lists.samba.org> >>> >>> >>> On 14/07/15 19:27, Mario Pio Russo wrote: >>>> well, I have configured the kdc client on the file server, joined the >>>> domain using net ads join and it worked fine, again getnet group , >> getnet >>>> passwd , wbinfo -u they all works perfectlly fine >>> Well, this sounds like samba is working correctly. >>> >>>> I am also able to browse the shares from any windows machine joined to >>> the >>>> CCDC domain, but I am still not able to do ANY mount.cifs, not even > form >>>> linux boxes joined to the domain :-/ >>> Any error messages anywhere ? >>> Also when you say 'browse', can you give a bit more info, how are you >>> 'browsing' and where are the shares, on the DC or somewhere else? >>> >>>> I have no idea what's happening. >>>> >>>> P.S. another thing I have noticed is that from windows machines, when I >>> try >>>> to do a network map to a share on the samba4, it gives "Authentication >>>> Failure", while it was working correctly before the migration. >>> Well, that probably means what it says, for some reason, samba is not >>> recognising either your users or their passwords, >>> >>> Rowland >>> >>>> I'm running short of ideas now, any help more than welcome! >>>> > ___________________________________________________________________________________________ > >> >>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 >> 1 >>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>> IBM Ireland Product Distribution Limited registered in Ireland with >>> number >>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >> Dublin >>> 4 >>>> (Embedded image moved to file: pic10279.gif) >>>> >>>> >>>> >>>> From: > Rowland Penny >> <rowlandpenny241155 at gmail.com> >>>> To: >> samba at lists.samba.org >>>> Date: > 14/07/2015 19:07 >>>> Subject: > Re: [Samba] Samba3 >> shares cannot be mounted >> on linux box >>> uisng >>>> cifs command , error "CIFS VFS: cifs_mount failed > w/return >>> code >>>> = -13" >>>> Sent by: > "samba" >> <samba-bounces at lists.samba.org> >>>> >>>> On 14/07/15 18:19, Mario Pio Russo wrote: >>>>> Thanks Rowland! >>>>> >>>>> few answers to your question: >>>>> >>>>> 1) I used the samba-tool domain classicupgrade to "migrate" the > domain >>>> for >>>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2 >>>>> >>>>> 2) on the DC, I have configured the service to use the old winbind, as >>>>> that's just enaugh for our domain and it looked more stable during the >>>> test >>>>> phasethe smb.conf of the DC is the following: >>>>> >>>>> [global] >>>>> workgroup = CCDC >>>>> realm = CCDC.LAN >>>>> netbios name = CCDC-SAMBA4-DC1 >>>>> server role = active directory domain controller >>>>> idmap_ldb:use rfc2307 = yes >>>>> >>>>> server services = -winbindd +winbind >>>> Remove these lines, they are not doing anything! >>>>> dns forwarder = 9.0.138.50 >>>>> #server services = -winbindd +winbind >>>>> idmap config CCDC:backend = ad >>>>> idmap config CCDC:schema_mode = rfc2307 >>>>> idmap config CCDC:range = 10000-40000 >>>>> >>>>> >>>>> # Store UIDs/GIDs for all other domains (including local >>>>> # accounts/groups of this server) in a tdb file >>>>> idmap config *:backend = tdb >>>>> idmap config *:range = 2000-9999 >>>>> >>>>> # Use home directory and shell information from AD >>>>> winbind nss info = rfc2307 >>>> Ok, from here on no problems. >>>>> tls enabled = yes >>>>> tls keyfile = tls/myKey.pem >>>>> tls certfile = tls/myCert.pem >>>>> tls cafile >>>>> >>>>> [netlogon] >>>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>>>> read only = No >>>>> >>>>> [sysvol] >>>>> path = /var/lib/samba/sysvol >>>>> read only = No >>>>> >>>>> 3) I will remove the password server as you suggested , thanks >>>>> >>>>> 4) the server is present in the domain, and getent group and getent >>>> passwd >>>>> works correctlly, however it was NOT joined with net ads join, but > with >>>> net >>>>> rpc join, could this make the difference? as I am currentlly thinking >> of >>>>> removing the server from the domain, configure kerberos-workstation > and >>>> try >>>>> the net ads join, what do you think? >>>> If getent is working, then there should be no reason to leave & rejoin >>>> the domain, but then again, there is no reason not to try it :-) >>>> >>>> Rowland >>>> >>>>> again thanks for the help >>>>> >>>>> >>>>> >>>>> > ___________________________________________________________________________________________ > >> >>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: > +353 >>> 1 >>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>>> IBM Ireland Product Distribution Limited registered in Ireland with >>>> number >>>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >>> Dublin >>>> 4 >>>>> (Embedded image moved to file: pic40897.gif) >>>>> >>>>> >>>>> >>>>> From: >> Rowland Penny >>> <rowlandpenny241155 at gmail.com> >>>>> To: >> samba at lists.samba.org >>>>> Date: >> 14/07/2015 17:50 >>>>> Subject: >> Re: > [Samba] >> Samba3 shares cannot be mounted >>> on linux box >>>> uisng >>>>> cifs command , error "CIFS VFS: cifs_mount failed >> w/return >>>> code >>>>> = -13" >>>>> Sent by: >> "samba" >> <samba-bounces at lists.samba.org> >>>>> >>>>> On 14/07/15 16:49, Mario Pio Russo wrote: >>>>>> Good Day All >>>>>> >>>>>> I have a problem for our main fileserver base don samba 3.5.6 >>>>>> >>>>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation >>>>> which >>>>>> was acting as a PDC for our internal domian called CCDC. On a >> sapearate >>>>>> machine, we had another installation of samba 3.5.6 to act just as >> file >>>>>> share server. >>>>>> >>>>>> All was working ok, till I upgraded the PDC form samba 3.5.6 to samba >>>>>> 4.2.2 , using the classicupgrade. >>>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain >>>>> classicupgrade' to an AD DC ? >>>>> >>>>>> Now I am able to access the shares from the windows boxes added to > the >>>>> CCDC >>>>>> domain, but when I try to mount a cifs share form a linux box, then I >>>> get >>>>>> the following error: >>>>>> >>>>>> >>>>>> mount.cifs -o >>>>>> > username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/ >>>>>> Password: >>>>>> mount error(13): Permission denied >>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) >>>>>> >>>>>> form dmesg I can see the following error: >>>>>> >>>>>> CIFS VFS: cifs_mount failed w/return code = -13 >>>>>> >>>>> Your user is not known. >>>>> >>>>>> the smb.conf of the file server is the following: >>>>>> >>>>>> >>>>>> root at seadog:/etc/samba# cat smb.conf >>>>>> [global] >>>>>> >>>>>> write cache size = 131072 >>>>>> >>>>>> vfs objects = full_audit >>>>>> full_audit:prefix = %u,%I,%m,%S >>>>>> # removed this, so we only log failures. >>>>>> # however will keep it here commented it out for future >>>> reference >>>>>> #full_audit:success = mkdir rename unlink rmdir open chown >>> chmod >>>>>> connect readlink >>>>>> full_audit:failure = mkdir rename unlink rmdir open chown >>> chmod >>>>>> connect readlink >>>>>> full_audit:facility = local7 >>>>>> full_audit:priority = NOTICE >>>>>> >>>>>> >>>>>> server string = CSI Samba Server >>>>>> workgroup = CCDC >>>>>> netbios name = SEADOG >>>>>> realm = CCDC.LAN >>>>>> security = ads >>>>>> #security = domain >>>>>> wins server = 9.161.96.220 >>>>>> server signing = mandatory >>>>>> password server = 9.161.96.220 >>>>> password server shouldn't be set, let samba find it itself. >>>>> >>>>>> map untrusted to domain = yes >>>>>> >>>>>> wins support = no >>>>>> wins proxy = no >>>>>> dns proxy = no >>>>>> name resolve order = wins host bcast >>>>>> >>>>>> winbind use default domain = yes >>>>>> >>>>>> winbind uid = 10000-20000 >>>>>> winbind gid = 10000-20000 >>>>>> winbind cache time = 15 >>>>>> winbind enum users = yes >>>>>> winbind enum groups = yes >>>>>> >>>>>> # This is needed, a fake home folder so that users are > able >> to >>>> ftp >>>>>> # this folder is empty but exists, do a getent passwd to > see >>>> what >>>>> I >>>>>> mean >>>>>> template homedir = /home/winbind >>>>>> >>>>>> local master = no >>>>>> domain master = no >>>>>> >>>>>> # To o with ACL mapping to windows >>>>>> # >>>>>> dos filemode = Yes >>>>>> acl group control = Yes >>>>>> acl map full control = Yes >>>>>> map acl inherit = Yes >>>>>> >>>>>> guest account = nobody >>>>>> invalid users = root daemon bin sys sync games man lp mail >>> news >>>>> uucp >>>>>> proxy www-data backup list irc gnats Debian-exim sshd ntpd >>>>>> >>>>>> log file = /var/log/samba/log.%m >>>>>> log level = 3 >>>>>> >>>>>> max log size = 2000 >>>>>> syslog = 0 >>>>>> >>>>>> # using these options copied from clearcase. >>>>>> # back in the day we did research these to death >>>>>> # >>>>>> # socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE >>>>>> IPTOS_LOWDELAY TCP_NODELAY >>>>>> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 >>> SO_KEEPALIVE >>>>>> IPTOS_LOWDELAY TCP_NODELAY >>>>>> >>>>>> # This disables print options >>>>>> # we are not a print server >>>>>> # >>>>>> load printers = No >>>>>> disable spoolss = Yes >>>>>> >>>>>> smb ports = 139 >>>>>> >>>>>> # every mount from the SAN has a lost+found folder >>>>>> # to avoid user confusion, have set this to hidden >>>>>> # >>>>>> hide files = /lost+found/ >>>>>> >>>>>> aio read size = 1 >>>>>> aio write size = 1 >>>>>> follow symlinks = no >>>>>> >>>>>> >>>>>> >>>>>> [scrap] >>>>>> comment = ICS - CSI general scrap Area >>>>>> path = /export/ICS/CSI/scrap >>>>>> valid users = @"Domain Users" >>>>>> force create mode = 750 >>>>>> force directory mode = 740 >>>>>> writeable = Yes >>>>>> browseable = Yes >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> note that on this fileserver nothing was touched during the >>>>> classiupgrade, >>>>>> a part the following parameters of the smb.conf >>>>> Well, it probably should have been :-) >>>>> >>>>>> realm = CCDC.LAN >>>>>> security = ads >>>>>> wins server = 9.161.96.220 >>>>>> >>>>>> password server = 9.161.96.220 >>>>>> >>>>>> >>>>>> >>>>>> I have tried already different Linux machine with different >>> distribution >>>>>> and I always get the same error, I have also tried to add the >> parameter >>>>>> "sec=ntlm or ntlmi " but hasn't changed much. >>>>>> >>>>>> Note that for some historical reason, this file server has NOT a >>> kerbero >>>>>> workstation installation and was joined to the CCDC domain using net >>> rpc >>>>>> join instead of net ads join, could this be a problem? >>>>> It would seem the domain has been upgraded to AD and your fileserver >> may >>>>> require joining to the new domain, but it is more likely to be >> something >>>>> to do with the winbindd changes that came in with 4.2.0, see here: >>>>> >>>>> https://www.samba.org/samba/history/samba-4.2.0.html >>>>> >>>>> Rowland >>>>> >>>>>> any help is much appreciated!!!! >>>>>> >>>>>> >>>>>> thanks >>>>>> > ___________________________________________________________________________________________ > >> >>>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: >> +353 >>>> 1 >>>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>>>> IBM Ireland Product Distribution Limited registered in Ireland with >>>>> number >>>>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, >>>> Dublin >>>>> 4 >>>>>> (Embedded image moved to file: pic44465.gif) >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Possibly Parallel Threads
- Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
- Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
- Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
- Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
- Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"