[Samba] chgrp: invalid group: `domain users'

yiannis goudetsidis goude81 at yahoo.gr
Tue Sep 24 08:20:52 MDT 2013


Hello everyone

I have been struggling a lot with Samba and this mailing list is my last hope.

I have a Windows Server 2008 R2 and my aim is to store the users' roaming profiles on a Samba share. I don't want users to be able to log in to the Linux machines using their Windows credentials, just to save their roaming profiles on a Samba share.
To achieve this I followed numerous pages online, but I always get stuck and cannot achieve my end result.

I managed to join the Samba server to the Windows domain:
net ads testjoin = Join is OK, and I can see the Samba server under computer accounts in AD

wbinfo -u works (I get all the Active Directory users listed)
wbinfo -g also works (I can see AD groups)
getent passwd also works. Active Directory users are listed in the format below:


b.simpson:*:16777235:16777219:Bart Simpson:/home/b.simpson:/bin/bash
j.giant:*:16777236:16777219:John Giant:/home/j.giant:/bin/bash


getent group does not work :( (only local users are shown)


My problem is that when I try to change the ownership of my Samba share to "domain users" I get:
chgrp: invalid group: `domain users'
Therefore users cannot log in to the domain using a client PC (WinXP).

They get the error about not being able to find the server's copy of their roaming profile, and they are logged in with a temp account.
"Login failure unknown username or bad password". (I can confirm I am typing the right password)

Could someone please have a look at my config files below and if you see anything wrong please let me know.

Samba server: 2.6.32-358.18.1.el6.x86_64
smbstatus: Samba version 3.6.9-151.el6_4.1

My krb5.conf looks like this:

[libdefaults]
        ticket_lifetime = 600
        default_realm = TESTAD.BIO.AC.UK
        allow_weak_crypto = true
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forward = true
        forwardable = true
        clockskew = 300
        noaddresses = true

[realms]
        TESTAD.BIO.AC.UK = {
                kdc = TESTSERVER1.TESTAD.BIO.AC.UK
                default_domain = TESTAD.BIO.AC.UK
        }

[domain_realm]
        .testad.bio.ac.uk = TESTAD.BIO.AC.UK
        testad.bio.ac.uk = TESTAD.BIO.AC.UK

[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log


My smb.conf looks like this:

[global]

   workgroup = TESTAD
   password server = testserver1.testad.bio.ac.uk
   realm = TESTAD.BIO.AC.UK
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = yes
   winbind offline logon = no

   server string = Samba Server Version %v

   # logs split per machine
   log file = /var/log/samba/log.%m
   # max 50KB per log file, then rotate
   max log size = 50

   name resolve order = bcast
   netbios name = zeus

[Profiles]
   path = /srv/samba/profiles/
   comment = TestAD Directories
   browseable = yes
   read only = no
   store dos attributes = Yes
   create mask = 0600
   directory mask = 0700
   profile acls = yes
   csc policy = disable

SELinux and the firewall are disabled.
The IP address of the Windows server is in /etc/resolv.conf

My nsswitch.conf looks like this:

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:    files winbind 
shadow:    files  
group:     files winbind 

#hosts:     db files nisplus nis dns
hosts:      files dns nis

ethers:     files nis
netmasks:   files nis
networks:   files nis
protocols:  files nis
rpc:        files nis
services:   files

netgroup:   files nis

publickey:  nisplus

automount:  files nis
aliases:    files nisplus


Inside /etc/hosts I have included the Samba server and the Windows server entries.

I don't know what other information I should provide. If you need anything else please let me know.

Many thanks
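The symptom above (wbinfo sees the group, chgrp does not) is a break somewhere in the name -> SID -> gid -> NSS chain. The script below is an added example, not part of the original post or of Samba: it walks that chain on a Samba 3.x domain member with winbind and reports the first link that fails. The group name and idmap range are taken from the post and used as constructed defaults; the wbinfo and getent calls are standard tools, but the diagnoses are assumptions about the most common cause of each failure, not a verdict on this poster's setup.

```sh
#!/bin/sh
# Added example (not from the post): diagnose "chgrp: invalid group: `domain users'"
# on a winbind domain member by checking each resolution step in turn.
# Assumes: Samba 3.x member server, winbindd running, wbinfo/getent on PATH.

IDMAP_RANGE="16777216-33554431"   # the poster's "idmap config * : range" (constructed default)

# in_idmap_range GID LOW-HIGH: succeeds when GID lies inside the idmap range
in_idmap_range() {
    gid=$1; low=${2%-*}; high=${2#*-}
    [ "$gid" -ge "$low" ] && [ "$gid" -le "$high" ]
}

# gid_from_group_line "name:x:gid:members": prints the gid field of a getent group line
gid_from_group_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_group NAME: prints a diagnosis; returns 0 only when NSS resolves NAME
check_group() {
    name=$1
    line=$(getent group "$name" 2>/dev/null)
    if [ -n "$line" ]; then
        gid=$(gid_from_group_line "$line")
        if in_idmap_range "$gid" "$IDMAP_RANGE"; then
            printf '%s\n' "ok: NSS resolves '$name' to gid $gid (inside idmap range)"
        else
            printf '%s\n' "ok: NSS resolves '$name' to gid $gid, but it is outside $IDMAP_RANGE (a local group, not the AD one?)"
        fi
        return 0
    fi
    # NSS failed: find out whether winbind itself or the NSS wiring is at fault.
    sid=$(wbinfo -n "$name" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$sid" ]; then
        printf '%s\n' "winbind cannot map '$name' to a SID: winbindd not running, or the name needs a DOMAIN\\ prefix (see 'winbind use default domain')"
        return 1
    fi
    gid=$(wbinfo -Y "$sid" 2>/dev/null)
    if [ -z "$gid" ]; then
        printf '%s\n' "winbind found SID $sid but no gid for it: check the idmap backend/range in smb.conf"
        return 1
    fi
    printf '%s\n' "winbind maps '$name' to gid $gid but NSS does not: libnss_winbind missing or 'group: files winbind' not in nsswitch.conf"
    return 1
}

# Usage on the member server:  check_group "domain users"
```

If the last branch fires, chgrp will keep failing even though wbinfo looks healthy, because chgrp resolves the name through NSS (libc), not through winbindd directly.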
________________________________
From: "samba-request at lists.samba.org" <samba-request at lists.samba.org>
To: samba at lists.samba.org
Sent: 7:00 PM Monday, 23 September 2013
Subject: samba Digest, Vol 129, Issue 26


----- Forwarded message -----


Today's Topics:

   1. Re: ldbedit syntax problem (steve)
   2. Re: ldbedit syntax problem (Gémes Géza)
   3. Samba as DC Member (KevinTang at umac.mo)
   4. Re: ldbedit syntax problem (Rowland Penny)
   5. Re: Samba as DC Member (steve)
   6. Force user doesn't work (Bart-Jan van Hummel)
   7. Re: Force user doesn't work (Bart-Jan van Hummel)
   8. Re: Force user doesn't work (Jonathan Buzzard)
   9. Log on to Samba 4 AD DC using domain user
      (jared.m.jacobson at L-3com.com)
  10. samba-tool join domain fails (Axel)
  11. Re: Log on to Samba 4 AD DC using domain user (steve)
On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
> On 22/09/13 13:04, steve wrote:
> > Hi
> > How do I ldbedit this dn?
> >
> > CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
> >
> > It's the * that I can't get.
> >
> > Cheers,
> > Steve
> >
> >
> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo 
> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the 
> results for '*'
> 
> Rowland

Hi Rowland, hi everyone
Yes, that works fine, thanks. The problem is that it loads the whole of
the db into the editor.
Cheers,
Steve



On 2013-09-22 21:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
>> On 22/09/13 13:04, steve wrote:
>>> Hi
>>> How do I ldbedit this dn?
>>>
>>> CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
>>>
>>> It's the * that I can't get.
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
>> results for '*'
>>
>> Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of
> the db into the editor.
> Cheers,
> Steve
>
>
Hi,

I haven't tried it but with ldbsearch it works:

-b OU=auto.users,ou=automount,DC=bar,DC=foo CN=*

Regards

Geza Gemes


Dear all,

I have installed Windows AD and a Linux client PC.

On the Linux PC, I modified these files to allow AD users to log on to the Linux client
PC via LDAPS:
- /etc/sssd/sssd.conf
- /etc/krb5.conf
- /etc/pam.d/system-auth-ac
- /etc/pam.d/password-auth-ac
- /etc/openldap/ldap.conf

When I create a Samba share folder on the Linux client PC and my Windows PC
wants to connect to it, Windows prompts a login dialog to access that Samba
share.
My problem is that no matter whether I enter an AD user account or the Linux 'root' account,
it says login error and does not let me in. What is wrong with my
settings?

My Windows AD is:
OS: Windows Server 2008 R2 64bit standard edition
IP: 192.168.10.1/16

My Windows Client is:
OS: Windows 7, 32bit Enterprise (already joined to the Windows AD domain).
IP: 192.168.20.1/16

My Linux Client is:
OS: CentOS 6.4, 64bit
IP: 192.168.30.1/16

Thank you very much
Kevin Tang

On 22/09/13 20:09, steve wrote:
> On Sun, 2013-09-22 at 13:36 +0100, Rowland Penny wrote:
>> On 22/09/13 13:04, steve wrote:
>>> Hi
>>> How do I ldbedit this dn?
>>>
>>> CN=*,OU=auto.users,ou=automount,DC=bar,DC=foo
>>>
>>> It's the * that I can't get.
>>>
>>> Cheers,
>>> Steve
>>>
>>>
>> Hi Steve, how about 'ldbedit -e nano --url=ldap://server.bar.foo
>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 CN=*' and then search in the
>> results for '*'
>>
>> Rowland
> Hi Rowland, hi everyone
> Yes, that works fine, thanks. The problem is that it loads the whole of
> the db into the editor.
> Cheers,
> Steve
>
>
Well, yes, but better too much than nothing.

Rowland


On Mon, 2013-09-23 at 15:51 +0800, KevinTang at umac.mo wrote:
> Dear all,
> 
> I have install Windows AD and Linux client PC.
> 
> In Linux PC, I modify these file to allow AD user logon the Linux Client 
> PC via LDAPS.
> - /etc/sssd/sssd.conf
> - /etc/krb5.conf
> - /etc/pam.d/system-auth-ac
> - /etc/pam.d/password-auth-ac
> - /etc/openldap/ldap.conf

> My Linux Client is:
> OS: CentOS 6.4, 64bit
> IP: 192.168.30.1/16
> 
> Thank you very much
> Kevin Tang
> 

Hi
I think you want the client to be a file server, no?

try in [global]
workgroup = MYDOMAIN
security = ADS
kerberos method = system keytab

Make sure /etc/hosts has:
127.0.0.1 centos-client.mydomain.com centos-client localhost

and that you can (at least) ping the 2008 box

Then try to join the domain:
net ads join -UAdministrator

That may get you a little closer.
HTH
Steve



I am using Samba 3.6.6 on Debian Wheezy.

I want to be able to change www files on my dev server using my MacBook.
So I set up Samba and made a share for the /var/www directory.

I added the users bart & root to Samba to connect, and I connect using Command-K and then smb://192.168.2.100 (my Samba server).

As Apache uses www-data as the user and group for the www files, I use force user and force group in Samba to prevent permission errors.

However, it does force the group www-data, but doesn't force the user. Every file I create is owned by root in the group www-data.


To look for errors I tailed the logs in /var/log/samba and only found an error in log.smbd when restarting the Samba service. See the log here:

smbd version 3.6.6 started. 
Copyright Andrew Tridgell and the Samba Team 1992-2011 
[2013/09/23 11:14:22.601031, 0] printing/print_cups.c:110(cups_connect) 
Unable to connect to CUPS server localhost:631 - Connection refused 
[2013/09/23 11:14:22.602215, 0] printing/print_cups.c:487(cups_async_callback) 
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL 


And here is my smb.conf: 

[global] 
server string = %h server 
map to guest = Bad User 
obey pam restrictions = Yes 
pam password change = Yes 
passwd program = /usr/bin/passwd %u 
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
unix password sync = Yes 
syslog = 0 
log file = /var/log/samba/log.%m 
max log size = 1000 
dns proxy = No 
usershare allow guests = Yes 
panic action = /usr/share/samba/panic-action %d 
idmap config * : backend = tdb 

[homes] 
comment = Home Directories 
valid users = %S 
create mask = 0700 
directory mask = 0700 
browseable = No 

[printers] 
comment = All Printers 
path = /var/spool/samba 
create mask = 0700 
printable = Yes 
print ok = Yes 
browseable = No 

[print$] 
comment = Printer Drivers 
path = /var/lib/samba/printers 

[www] 
comment = www 
path = /var/www/ 
valid users = bart, root 
admin users = bart, root 
write list = bart, root 
force user = www-data 
force group = www-data 
read only = No 


I even tried adding www-data to the valid users as well as the admin users and the write list. This did not have any effect. 

Can you help me out? Thanks in advance! 


On Mon, 2013-09-23 at 16:20 Jonathan Buzzard wrote: 
> Simplest solution is to put "unix extensions = no" in your smb.conf and 
> restart Samba. Though this requires that you don't rely on them 
> elsewhere. 

Thanks, I will do that just to be sure.
Just now I found another solution as well:
Removing the admin users also works. This used to work fine on older versions of Samba;
on this version (and I take it on newer versions as well) this needs to be removed.


On Mon, 2013-09-23 at 11:45 +0200, Bart-Jan van Hummel wrote:
> I am using Samba 3.6.6 on Debian Wheezy. 
> 
> I want to be able to change www files on my dev server using my macbook.

That is your problem right there. The MacOS X smb client does not
generally respect force user/group parameters when Unix extensions are
present.

Simplest solution is to put "unix extensions = no" in your smb.conf and
restart Samba. Though this requires that you don't rely on them
elsewhere.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


Hi, all,

I am having trouble figuring out how to log on to a Samba 4 AD DC using
any AD domain account.  Has anyone had success doing this?  If so, is
there a guide somewhere?

I have stood up a Samba 4 Active Directory Domain Controller on a Red
Hat 6.3 system, and it appears to be functioning correctly.  I have a
Windows 7 workstation, a Windows 2008R2 storage server, and two other
Red Hat servers (running Samba 3.6.9) joined to the domain, and I can
log in to all the systems except the DC using domain accounts.  How do I
configure the AD DC to allow login?

So far I've tried following the guidance in the Red Hat "Integrating Red
Hat Enterprise 6 with Active Directory"
<http://www.redhat.com/resourcelibrary/reference-architectures/integrating-red-hat-enterprise-linux-6-with-active-directory>,
the Samba wiki's pages "Local user management and authentication/sssd"
<https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd>
and "Local user management and authentication/nslcd"
<https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd>.
I've tried following the Samba wiki page "Samba 4/Winbind"
<https://wiki.samba.org/index.php/Samba4/Winbind>.  None of them have
worked.

Thanks for any help you can offer.

Jared





_________________________________________

Jared Jacobson, CISSP

Information Assurance Engineer

L-3 Communications - Communications Systems West

Desk:  (801) 594-3669

Cell: (801) 530-9191

E-mail: jared.m.jacobson at L-3com.com




Hi folks,

big problem with my testing environment... my Windows 2003 domain has existed since 2004 and the credentials are correct, guaranteed.
This problem is the same on Ubuntu 12.04.3 and Debian 7...

<code>
root at pa-lnxd-04:~# /usr/local/samba/bin/samba-tool domain join INTRANET.DOMAIN.DE DC -Uintranet/admin --realm=intranet.DOMAIN.de

Finding a writeable DC for domain 'INTRANET.DOMAIN.DE'
Found DC wi-pas01.intranet.DOMAIN.de
Password for [INTRANET\admin]:
workgroup is INTRANET
realm is intranet.DOMAIN.de
checking sAMAccountName
Adding CN=PA-LNXD-04,OU=Domain Controllers,DC=intranet,DC=DOMAIN,DC=de
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00000522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>  <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
    ctx.samdb.add(rec)
</code>

It seems that all prerequisites are fine: DNS, ACLs etc., ping works fine, and so does resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel


On Mon, 2013-09-23 at 10:00 -0600, jared.m.jacobson at L-3com.com wrote:
> Hi, all,
> 
>  
> 
> I am having trouble figuring out how to log on to a Samba 4 AD DC using
> any AD domain account.  Has anyone had success doing this?  If so, is
> there a guide somewhere? 

Hi
Each domain user must have a uidNumber and a gidNumber to be able to
authenticate to a Linux system such as Samba4. You can use winbind,
nss-ldapd or sssd to do that. I'd recommend storing the numbers in AD
and pulling them direct rather than a separate mapping.

HTH
Steve
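Steve's point is that an AD account without a uidNumber and gidNumber cannot become a Unix identity on the DC. The function below is an added example, not from the thread or from Samba: it takes LDIF as ldbsearch prints it and lists the accounts that lack either attribute, so an admin can see which users still need POSIX attributes before troubleshooting PAM or sssd. The sample LDIF is constructed; the ldbsearch invocation in the comment reuses the URL form Rowland used earlier in the digest and is an assumption about where the directory is read from.

```sh
#!/bin/sh
# Added example (not from the thread): report AD user entries that are missing
# uidNumber or gidNumber. Feed it the output of something like (URL is an assumption):
#   ldbsearch --url=ldap://server.bar.foo --kerberos=yes '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber

# list_missing_posix LDIF: prints the sAMAccountName of each entry that lacks
# uidNumber or gidNumber. Entries are delimited by their "dn:" line.
list_missing_posix() {
    printf '%s\n' "$1" | awk '
        function flush() { if (name != "" && !(have_uid && have_gid)) print name }
        /^dn: /             { flush(); name = ""; have_uid = 0; have_gid = 0; next }
        /^sAMAccountName: / { name = $2 }
        /^uidNumber: /      { have_uid = 1 }
        /^gidNumber: /      { have_gid = 1 }
        END                 { flush() }
    '
}

# Constructed sample: b.simpson is fully mapped, j.giant has no uidNumber.
SAMPLE_LDIF='dn: CN=Bart Simpson,CN=Users,DC=bar,DC=foo
sAMAccountName: b.simpson
uidNumber: 10001
gidNumber: 10000

dn: CN=John Giant,CN=Users,DC=bar,DC=foo
sAMAccountName: j.giant
gidNumber: 10000
'

# Usage:  list_missing_posix "$SAMPLE_LDIF"
```

Any name this prints will also fail `getent passwd name` on the DC when the NSS backend reads the numbers from AD, which is the quickest confirmation that the attributes, not PAM, are what is missing.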



