[Samba] Permission weirdness
Chris
chrisd at better-investing.org
Thu Sep 9 20:13:48 GMT 2004
Okay..
I think I may have found something, but I don't know what to do about it....
I have found this in my log.winbind file:
[2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain NAIC NAIC.INT S-0-0
[2004/09/09 15:50:55, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No credentials cache found)
[2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain NAICSYS S-1-5-21-1898674339-994652211-837300805
[2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain BUILTIN S-1-5-32
[2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain PERSEUS S-1-5-21-3652935647-1358748155-3390278020
It is the "No credentials found" part that looks suspicious. When I initially
rolled the system out a couple months back, it did not give this error. Now
it does, and I can't think of a thing that has changed on the system.
Again, the weird thing is it doesn't appear to affect everybody, just certain
users trying to use certain resources.
I have seen many posts with this error, but no solutions to it. I am going to
try to leave and rejoin the domain... I hope I don't regret that...
Chris
On Thursday 09 September 2004 03:28 pm, Chris wrote:
> This is worse than I thought!
>
> Another user has now complained to me that he does not have rights to
> something he should have rights to!
>
> I have a printer shared out, to use it you must be in the
> DOMAIN+ColorPrint_ group. He is a member, and yet it won't let him even
> access it to install it! An authentication box pops up asking for username
> and passwd.
>
> [phaser8400]
> path = /var/spool/samba
> valid users = @Domain+ColorPrint_
> printable = Yes
> printer name = phaser8400
> browseable = No
> root preexec = echo Connect :%T U.G=%U.%G u.g=%u.%g >> /root/.info/p8400.log
> root postexec = echo Disconnect:%T U.G=%U.%G u.g=%u.%g >> /root/.info/p8400.log
> printer admin = @"DOMAIN+Domain Admins"
>
> Nothing has changed... I haven't messed with any of the configuration
> files or added any new software. This just started happening spontaneously
> it seems.
>
> My wbinfo -t/-u/-g all look good.
>
> Is the tdb corrupted or something? What can I do to fix this?
>
>
> Chris
>
> On Thursday 09 September 2004 02:29 pm, Chris wrote:
> > Hello.
> >
> > I am running samba 3.0.5 in an ADS environment. I have a win2k3 server
> > as the DC and my samba machine (running on Gentoo Linux) is a member of
> > that domain. I am using winbind.
> >
> > I have three users, for this example I will call them Larry, Curly and
> > Moe. All three have RW access to a share on the server called "stooges".
> > The linux perms on this directory look like this:
> >
> > drwxrwx--- root DOMAIN+stooges_ stooges
> >
> > There are other users who are members of the DOMAIN+stooges group, but
> > these three are in charge and need access to a more restricted
> > subdirectory of stooges. So I made a stooges_CIA directory under the
> > stooges share.
> >
> > Its linux perms look like this:
> >
> > drwxrwx--- root DOMAIN+stooges_CIA_ stooges_CIA
> >
> > Larry, Curly and Moe are all members of both the DOMAIN+stooges_CIA_
> > (only those three) and the DOMAIN+stooges_ groups (those 3 plus other
> > users in the dept).
> >
> > Now here is the strange part:
> >
> > Larry and Curly can access everything in the share stooges and the
> > subdirectory stooges_CIA. Moe can access everything in the stooges share
> > but NOT anything in the stooges_CIA subdir.
> >
> > This makes absolutely no sense to me! Moe is a group member of
> > DOMAIN+stooges_CIA. He shows up thusly when I do a 'getent group' or
> > when I do a 'groups DOMAIN+moe'. Likewise, he shows up on the domain
> > controller as being part of that group. *BOTH* systems have him listed
> > in that group -- but for some reason he has no access!
> >
> > He gets this error:
> >
> > "\\server\stooges\stooges_CIA is not accessible. You might not have
> > permission to use this network resource. Contact the administrator of
> > this server to find out if you have access permissions."
> >
> > What the heck is going on here?
> >
> > Thanks!
> >
> > Chris