samba-users May 2010 archive

Re: [Samba] AD Integration drives me nuts

From: Mike <samba_at_nospam>
Date: Wed May 05 2010 - 21:20:10 GMT
To: samba@lists.samba.org

Hi Dale and thanks for your quick reply.

Actually this didn't just help, it solved the whole freakin' issue! :)

I just wonder why testparm didn't wake me up on the "$" instead of the
"%". The double quotes on the groupnames are a nice touch though...

Thanks again for your help

-- Mike

On Wed, 2010-05-05 at 14:12 -0500, Dale Schroeder wrote:
> On 05/05/2010 1:38 PM, Mike wrote:
> > Hi
> >
> > This has been keeping me up for days now and I can't seem to find a solution
> > in the various wikis, howtos and whatsoevers, so here's the plot:
> >
> > I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> > x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> > 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
> >
> > All I want to do is to have Samba authenticate against my DC. I've been
> > setting up Kerberos, Winbind and Samba according to the Wiki-Page
> > (http://wiki.samba.org/index.php/Samba_%26Active_Directory).
> >
> > Authentication seems to work (i.e. if I log on to the server via ssh using
> > the AD-Account, everything looks fine and even the created homedirs are
> > assigned to the group "domain users") however, if I try to map a windows
> > share from a laptop running XPpro, Samba won't accept the user neither
> > for the homedirs nor for the datashare.
> >
> > So the big question is: where did I screw up and/or what did I forget?
> >
> > This is what my smb.conf looks like at the moment:
> >
> > [global]
> > workgroup = PROTEC
> > realm = BSR.PROTEC-ENTERPRISES.COM
> > password server = dc01-v.bsr.protec-enterprises.com
> > preferred master = no
> > server string = Samba FileServer Version %v
> > netbios name = SAMBA-V
> >
> > # logs split per machine
> > log file = /var/log/samba/%m.log
> > # max 50KB per log file, then rotate
> > max log size = 50
> > log level = 3
> >
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > ; winbind nested groups = yes
> > ; winbind nss info = rfc2307
> >
> > security = ADS
> > encrypt passwords = yes
> >
> > idmap uid = 10000-20000
> > idmap gid = 10000-20000
> >
> > username map = /etc/samba/smbusers
> > # just to map the root account to the AD-Administrator account
> > # as well as the AD-Guest account to "nobody"
> >
> > template shell = /bin/bash
> > ; template primary group = "Domain Users"
> >
> > [homes]
> > comment = Home Directories
> > valid users = $S
> >
> Mike,
>
> I see a couple of syntax errors.
> You must prefix with the domain and separator. Also use %, not $.
> valid users = PROTEC+%S
> > readonly = no
> > browseable = yes
> >
> > [Data]
> > comment = New K-Drive
> > valid users = @PROTEC+domain users
> >
> Domain Users has a space, so you must enclose in quotes
> valid users = @"PROTEC+ Domain Users"
>
> See if this helps.
>
> Dale
> > path = /mnt/sambashares/filestore
> > writeable = yes
> > browseable = yes
> >
> >
> > And here's what's in the workstation-log (not that I understand any of
> > it...):
> >
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:store_gid_sid_cache(1151)
> > store_gid_sid_cache: gid 10013 in cache ->
> > S-1-5-21-1238498519-1179045160-1496349262-515
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
> > fetch gid from cache 10000 -> S-1-5-32-544
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
> > fetch gid from cache 10001 -> S-1-5-32-545
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> > push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2010/05/05 14:34:39, 3] smbd/uid.c:push_conn_ctx(358)
> > push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> > get_privileges: No privileges assigned to SID
> > [S-1-5-21-1238498519-1179045160-1496349262-1124]
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> > get_privileges: No privileges assigned to SID
> > [S-1-5-21-1238498519-1179045160-1496349262-515]
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> > get_privileges: No privileges assigned to SID [S-1-5-2]
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> > get_privileges: No privileges assigned to SID [S-1-5-11]
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
> > fetch gid from cache 10013 ->
> > S-1-5-21-1238498519-1179045160-1496349262-515
> > [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(304)
> > User name: PROTEC+fx805-02-p$ Real name: FX805-02-P$
> > [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(325)
> > UNIX uid 10010 is UNIX user PROTEC+fx805-02-p$, and will be vuid 101
> > [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(356)
> > Adding homes service for user 'PROTEC+fx805-02-p$' using home
> > directory: '/home/PROTEC/fx805-02-p_'
> > [2010/05/05 14:34:39, 3] param/loadparm.c:lp_add_home(2691)
> > adding home's share [fx805-02-p$] for user 'PROTEC+fx805-02-p$' at
> > '/home/PROTEC/fx805-02-p_'
> > [2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
> > Transaction 2 of length 84
> > [2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
> > switch message SMBtconX (pid 24205) conn 0x0
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(815)
> > Connect path is '/tmp' for service [IPC$]
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
> > se_access_check: user sid is
> > S-1-5-21-1238498519-1179045160-1496349262-1124
> > se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
> > se_access_check: also S-1-1-0
> > se_access_check: also S-1-5-2
> > se_access_check: also S-1-5-11
> > [2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_default(95)
> > Initialising default vfs hooks
> > [2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_custom(128)
> > Initialising custom vfs hooks from [/[Default VFS]/]
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
> > se_access_check: user sid is
> > S-1-5-21-1238498519-1179045160-1496349262-1124
> > se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
> > se_access_check: also S-1-1-0
> > se_access_check: also S-1-5-2
> > se_access_check: also S-1-5-11
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(1042)
> > 192.168.2.88 (192.168.2.88) connect to service IPC$ initially as user
> > PROTEC+fx805-02-p$ (uid=10010, gid=10013) (pid 24205)
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/reply.c:reply_tcon_and_X(574)
> > tconX service=IPC$
> > [2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
> > Transaction 3 of length 102
> > [2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
> > switch message SMBtrans2 (pid 24205) conn 0x2b6c699f1430
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/msdfs.c:get_referred_path(636)
> > get_referred_path: |Data| in dfs path \Samba-v\Data is not a dfs root.
> > [2010/05/05 14:34:39, 3] smbd/error.c:error_packet_set(106)
> > error packet at smbd/trans2.c(6309) cmd=50 (SMBtrans2)
> > NT_STATUS_NOT_FOUND
> > [2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
> > Transaction 4 of length 240
> > [2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
> > switch message SMBsesssetupX (pid 24205) conn 0x0
> > [2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
> > wct=12 flg2=0xc807
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
> > Doing spnego session setup
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
> > NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
> > 5.1] PrimaryDomain=[]
> > [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
> > reply_spnego_negotiate: Got secblob of size 40
> > [2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
> > Got NTLMSSP neg_flags=0xa2088207
> > [2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
> > Transaction 5 of length 338
> > [2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
> > switch message SMBsesssetupX (pid 24205) conn 0x0
> > [2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
> > wct=12 flg2=0xc807
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
> > Doing spnego session setup
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
> > NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
> > 5.1] PrimaryDomain=[]
> > [2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
> > Got user=[smg] domain=[SAMBA-V] workstation=[FX805-02-P] len1=24
> > len2=24
> >
> >
> >

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
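
Added example (not part of the thread and not Samba code): a small lint pass over the `valid users` lines of an smb.conf that flags the mistakes corrected in the reply above, namely `$` used where a `%` substitution was meant, a name containing a space left unquoted, and a name without the domain and separator prefix. The function name `lint_valid_users` and both sample configurations are constructed for illustration, and the checks are heuristics based only on the advice given in this thread.

```python
import re

# Constructed sample: the two share definitions as first posted in the thread.
BROKEN = """[global]
security = ADS
winbind separator = +
[homes]
valid users = $S
[Data]
valid users = @PROTEC+domain users
"""
# The same shares with the corrections from the reply applied.
FIXED = BROKEN.replace("$S", "PROTEC+%S").replace(
    "@PROTEC+domain users", '@"PROTEC+ Domain Users"')

def lint_valid_users(conf_text):
    """Return (section, message) pairs for suspicious 'valid users' entries."""
    section, sep, ads, entries, findings = None, "\\", False, [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = " ".join(key.lower().split()), value.strip()
        if key == "winbind separator":
            sep = value
        elif key == "security":
            ads = value.lower() == "ads"
        elif key == "valid users":
            entries.append((section, value))
    for section, value in entries:
        # A quoted name (optionally prefixed with @, + or &) is one list item.
        tokens = re.findall(r'[@+&]*"[^"]*"|[^\s,]+', value)
        for i, tok in enumerate(tokens):
            name = tok.lstrip("@+&").strip('"')
            if re.search(r"\$[A-Za-z]", name):
                findings.append((section, f"{tok}: '$' is not a substitution prefix, use '%'"))
            elif ads and sep not in name and i > 0 and sep in tokens[i - 1]:
                findings.append((section, f"{tokens[i - 1]} {tok}: quote names containing spaces"))
            elif ads and sep not in name:
                findings.append((section, f"{tok}: missing DOMAIN{sep} prefix"))
    return findings

if __name__ == "__main__":
    for section, message in lint_valid_users(BROKEN):
        print(f"[{section}] {message}")
```

Machine account names such as `fx805-02-p$` end in `$` and are not flagged; only a `$` followed by a letter is treated as a mistyped substitution.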