[Samba] 2k3Srv ADS, debian member server, Ubuntu workstations and no write access to share (security = ADS mode, winbind, krb5)
john dooley
gpcglist at ontheparkgp.com
Sun Aug 7 23:47:01 GMT 2005
Hi All,
I'm going nuts trying to get a mixed environment going. I have a couple
of problems, one related to logons and passwords which I think is a
pam.d/gdm config error on my part and one where I can't get write access
from the Ubuntu clients to the domain member server share. This is the
most critical. Please help me fix this.
In a nutshell:
Single win 2003 Srv ADS (sp1)
A single domain member server (Debian sarge box).
Multiple Ubuntu/Debian workstations using GNOME (Hoary latest and Debian
sarge-stable)
Using winbind kerberos method from the manual.
Aiming for single sign on and having the ubuntu workstations write to
(at this stage *any*) share on the debian box
Basic problem is this:
Ubuntu boxes can see the share on the debian box but for the life of me
I cannot get them write access to any of the directories (I can't get
write access to files using Gedit or OpenOffice under GNOME; I can
apparently execute a logon as a domain user, NEXUS+sci1 for example).
Strangely I can create an empty file, rename it to .txt and then open it
in Gedit (but only read only)! I am confused also because if I log on
to the W2k3 Server as Administrator and examine the share I have write
permission and can alter files (I also have this user as an admin user
in the smb.conf). I am not sure my pam.d/gdm and other pam files are
right. I also get asked for auth to access the share after logging on
as a domain user (which I need to fix).
On the debian member server side I have set permissions on the share
directory to rwx group, owner, world, chown the files to NEXUS+sci1 (my
test user), chgrp to NEXUS+domain users. On the 2003ADS side I
published the share and gave full control to Domain Users (I think
successfully)
Here's the directory that's being shared [sharefile]:
drwxrwxrwx 6 sci1 NEXUS+domain users 4096 2005-08-08 09:12 tmp
Here's a test file on the share I can only open read only no matter what
I do on the debian/ubuntu workstations with GNOME/Gedit. Looking at
permissions from the GNOME workstation I get 744: user rwx, group and
other r only (which seems to match the behaviour but not the permissions
on the actual file on the share; I manually set them on the share just
to be sure):
-rwxrwxrwx 1 NEXUS+sci1 NEXUS+domain users 14 2005-08-08 09:28 krb5cc_0.txt
Even more strangely I managed to open it with the Bluefish editor, change
and SAVE it! But OpenOffice and Gedit can't access it (OpenOffice gives
a "file does not exist" error and Gedit will only open it read only).
As for authentication:
I can join the boxes to the domain, I think successfully, i.e. from both
the debian member server and the ubuntu boxes I execute a net ads join
command; wbinfo -u, wbinfo -g, getent passwd and getent group are okay
and show all the AD users in the domain. The machines appear in the
Active Directory computers section.
Example on the debian member server from getent passwd:
NEXUS+administrator:x:10000:10000:Administrator:/home/NEXUS/administrator:/bin/bash
NEXUS+dl380$:x:10008:10003:dl380:/home/NEXUS/dl380_:/bin/bash
NEXUS+ws1$:x:10009:10003:ws1:/home/NEXUS/ws1_:/bin/bash
I'm out of my depth (I'm on the steep part of the learning curve from
Windows peer-to-peer land); it's like there is still a block on
authentication for the ubuntu boxes that I don't realise (I thought I had
given appropriate access and permissions). I apologise for being pretty
clueless. I have been thinking it's a permissions issue relating to the
ubuntu boxes not authing as the correct user or something (due to my
pam.d/gdm hacking). I have posted the smb.conf from the debian member
server.
I can post log.smbd etc if that helps.
If it's too hard to fix me, can someone post a known good smb.conf and
set of pam.d/ files for a debian box (especially pam.d/gdm)? Else I will
have to resort to two sets of users, Linux and
windoze.... The windoze box runs a proprietary database app and will have
TS sessions to that app only (plus run Active Directory and DNS). The
Linux boxes will be the workhorses for the users (OpenOffice etc.) and
open .rdp sessions to the database as necessary. LDAP is too advanced
for me.
Thanks in advance:
John Dooley
SMB.conf
# Samba config file created using SWAT <<< I'm not using SWAT though
# from 192.168.0.20 (192.168.0.20)
# Date: 2005/07/22 08:34:10
# Global parameters
[global]
security = ads
realm = INTRANET.NEXUSDOMAIN.COM
encrypt passwords = yes
password server = nexus01.intranet.nexusdomain.com
workgroup = NEXUS
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
obey pam restrictions = yes
password server = *
log level = 2
admin users = NEXUS+administrator
nt acl support = Yes
map acl inherit = Yes
client use spnego = Yes
[homes]
comment = Home Directories
[sharefile]
comment = Temporary file space
path = /tmp
read only = no
writeable = yes
valid users = @"NEXUS+domain users" NEXUS+domainall
public = yes
# create mode = 0777
# directory mode =0777
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns hosts wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
KRB5.CONF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = INTRANET.NEXUSDOMAIN.COM
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#default_tgt_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
INTRANET.NEXUSDOMAIN.COM = {
# kdc=192.168.0.2:88
kdc = nexus01.intranet.nexusdomain.com:88
admin_server = nexus01.intranet.nexusdomain.com
default_domain = INTRANET.NEXUSDOMAIN.COM
}
[domain_realm]
.intranet.nexusdomain.com = INTRANET.NEXUSDOMAIN.COM
intranet.nexusdomain.com = INTRANET.NEXUSDOMAIN.COM
dl380:/etc/pam.d# cat common-*
#
COMMON ACCOUNT
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required pam_unix.so
#
COMMON AUTH
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so nullok_secure
#
COMMON PASSWORD
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.
password required pam_unix.so nullok obscure min=4 max=8 md5
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required pam_cracklib.so retry=3 minlen=6 difok=3
# password required pam_unix.so use_authtok nullok md5
#
COMMON SESSION
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_unix.so
UBUNTU/DEBIAN PAM.D/GDM
dl380:/tmp# cat gdm
#%PAM-1.0
auth sufficient pam_winbind.so
auth requisite pam_nologin.so
auth required pam_env.so
account sufficient pam_winbind.so
account sufficient pam_unix.so use_first_pass
@include common-auth
@include common-account
session required pam_limits.so
session sufficient pam_winbind.so
@include common-session
password sufficient pam_winbind.so
@include common-password
--
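Before touching PAM it is worth checking what Samba actually makes of the posted smb.conf. The checker below is an added example, written for this page; it is not the poster's code and not Samba's own parser (the real tool is `testparm -s`, which prints the effective configuration). It works on a constructed copy of the [global], [homes] and [sharefile] sections from the post and shows three things a practitioner would want to know: that `password server` is assigned twice in [global] and, under Samba's last-assignment-wins rule (assumed here to be what the real parser does), the explicit `nexus01.intranet.nexusdomain.com` is overridden by `*`; that `read only = no` and `writeable = yes` are synonyms resolving to the same switch, so they do not conflict, while a share such as [homes] that sets neither is read only by default; and how the quoted group in `valid users = @"NEXUS+domain users" NEXUS+domainall` tokenizes. The quote handling in `split_list` is a simplified model of Samba's list parsing, also an assumption of this example.

```python
import re
from collections import OrderedDict

# Constructed copy of the relevant sections of the posted smb.conf (not the
# file itself). [homes] is kept to show the default for a share that sets
# neither 'read only' nor 'writeable'.
SMB_CONF = """
[global]
security = ads
realm = INTRANET.NEXUSDOMAIN.COM
encrypt passwords = yes
password server = nexus01.intranet.nexusdomain.com
workgroup = NEXUS
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
obey pam restrictions = yes
password server = *
admin users = NEXUS+administrator

[homes]
comment = Home Directories

[sharefile]
comment = Temporary file space
path = /tmp
read only = no
writeable = yes
valid users = @"NEXUS+domain users" NEXUS+domainall
public = yes
# create mode = 0777
"""

TRUE_WORDS = {"yes", "true", "1", "on"}


def canon(name):
    # Samba matches parameter names case-insensitively and ignores whitespace;
    # collapsing runs of whitespace is enough for normally written files.
    return " ".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} in file order, keeping duplicates."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comments: a commented-out parameter is unset
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((canon(key), value.strip()))
    return sections


def duplicate_params(sections):
    """Keys assigned more than once per section, with their values in file order."""
    report = {}
    for sec, pairs in sections.items():
        seen = {}
        for key, value in pairs:
            seen.setdefault(key, []).append(value)
        dups = {k: v for k, v in seen.items() if len(v) > 1}
        if dups:
            report[sec] = dups
    return report


def effective(sections, section, key):
    """The value Samba ends up using: the last assignment wins (assumed here)."""
    value = None
    for k, v in sections.get(section.lower(), []):
        if k == canon(key):
            value = v
    return value


def share_writeable(sections, share):
    """Resolve 'read only' and its inverse synonyms 'writeable'/'writable'.

    Samba's default is read only = yes, so a share that sets none of them is
    not writeable; later assignments override earlier ones.
    """
    writeable = False
    for k, v in sections.get(share.lower(), []):
        if k == "read only":
            writeable = v.lower() not in TRUE_WORDS
        elif k in ("writeable", "writable"):
            writeable = v.lower() in TRUE_WORDS
    return writeable


def split_list(value):
    """Tokenize a list value; double quotes group words, keeping a leading '@'."""
    tokens = []
    for m in re.finditer(r'(@?)"([^"]*)"|(\S+)', value):
        if m.group(2) is not None:
            tokens.append(m.group(1) + m.group(2))
        else:
            tokens.append(m.group(3))
    return tokens


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print("duplicates:", duplicate_params(conf))
    print("effective password server:", effective(conf, "global", "password server"))
    print("[sharefile] writeable:", share_writeable(conf, "sharefile"))
    print("[homes] writeable:", share_writeable(conf, "homes"))
    print("valid users:", split_list(effective(conf, "sharefile", "valid users")))
```

Run it as-is to see the report for the embedded copy, or replace `SMB_CONF` with the contents of a real /etc/samba/smb.conf. The checker only models the handful of rules named above; anything it reports should be confirmed against `testparm -s` output on the member server itself.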