[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Sat Aug 9 15:41:41 MDT 2014
Alright, I am calling it quits for the day unless somebody knows what I
have screwed up here. If I do "getent passwd" it shows all local and
domain users, and the domain users have the wrong ID's. If I do "getent
passwd <domain user>" I get absolutely nothing. Obviously I have done
something wrong here, but I have no clue what. This behavior started
after modifying the configuration file though. The modifications Rowland
showed me in his. That tells me that maybe it is trying to do something
right and cannot. I have one last idea of my own, then I will be
installing the backports version Monday on a clean VM.
On 8/9/2014 4:24 PM, Ryan Ashley wrote:
> Just wanted to tell you, the files you asked about are right where
> they should be based on my configuration. They're in "/usr/lib". With
> that being known, do you have any ideas as to why some users resolve
> via getent and others don't? That may reveal something key to my whole
> issue. I am researching it now.
>
> On 8/9/2014 3:55 PM, Ryan Ashley wrote:
>> As a C/C++ programmer, I love building the latest stable and enjoy
>> having it, but I am beginning to think maybe I should be using the
>> backports S4. I will have to do that on Monday however, since I need
>> physical access to wipe and reinstall the VM. It would be fewer
>> packages to install though, since I would not need the headers and
>> such. Oh wait, it's a VM. I still have to build the virtualized
>> drivers. Still, I may give it a go. The version you stated is only
>> two versions behind what I am running (4.1.11), so no big loss there.
>> For now however, I am going to attempt to make this work. If I have
>> failed then Monday i will try your suggestion when I can get access
>> to the physical system.
>>
>> On 8/9/2014 2:20 PM, Rowland Penny wrote:
>>> On 09/08/14 18:58, Ryan Ashley wrote:
>>>> I have been working on this alone for a while since the thread is
>>>> so long and have tried a few things and discovered others. One
>>>> REALLY strange thing is that when I use getent to look up users,
>>>> some users show the 70001 and up IDs, and others do not show a
>>>> thing. This is normal users now, not my domain admin account. For
>>>> example, "getent passwd yolandab" returns nothing while "getent
>>>> passwd cynthiaj" returns two ID's above 70k. Even my normal user
>>>> account, reach_support, returns nothing. This one has me a tad
>>>> lost, but the next thing I discovered may be the solution.
>>>> If I attempt to install libnss-winbind or libpam-winbind from
>>>> the repos, it tries to install the Samba stuff from the repos.
>>>> Aren't those two built when you build S4? I am currently looking
>>>> for them and have a "find" command running on the system in a
>>>> screen session. I imagine I need to symlink those to /lib, right?
>>>> Assuming they were built, I will try this and if it doesn't work, I
>>>> will let you know. If it does, I will also tell you. I hope this
>>>> has been my issue all along, but we should know soon.
>>>> Finally, I delete both /var/lib/samba AND /var/cache/samba. I
>>>> found the latter afterwards. I also deleted /etc/krb5.keytab once I
>>>> left the domain and before joining again. Just being safe. I do
>>>> know that the keytab does not store ID's or anything, I am just
>>>> trying to be thorough. Thank you again for your help and I do know
>>>> of the manpages, but I normally get headaches reading them. I wish
>>>> they had the info on a wiki page so I could go right to the section
>>>> I want to study.
>>>>
>>>> On 8/8/2014 1:12 PM, Rowland Penny wrote:
>>>>> On 08/08/14 17:49, Ryan Ashley wrote:
>>>>>> Thanks, Rowland. I do not have some of the things you have on
>>>>>> your laptop. Our server configs are almost identical, and I use
>>>>>> BIND9 also. I am going to assume then, based on that, that my
>>>>>> issue lies in my client configuration. I can run getent on the
>>>>>> server and get the correct results. Just not on the two member
>>>>>> servers, more proof that it is indeed an issue on them.
>>>>>>
>>>>>> If I may ask, you have a LOT of entries not shown in any of the
>>>>>> guides, including the ones you already had me add, such as the
>>>>>> keytab. Several of your entries catch my eye.
>>>>>>
>>>>> OK, if on the client, you run 'man smb.conf' you will get
>>>>> displayed what is called the 'manpage' for what you can put into
>>>>> smb.conf and what they do.
>>>>>
>>>>>
>>>>>> winbind expand groups = 4
>>>>>
>>>>> This option controls the maximum depth that winbindd
>>>>> will traverse
>>>>> when flattening nested group memberships of Windows
>>>>> domain groups.
>>>>>
>>>>>>
>>>>>> winbind normalize names = yes
>>>>>
>>>>> This parameter controls whether winbindd will replace
>>>>> whitespace in
>>>>> user and group names with an underscore (_) character.
>>>>>
>>>>>> printcap name = cups
>>>>>
>>>>> This parameter may be used to override the compiled-in
>>>>> default
>>>>> printcap name used by the server (usually /etc/printcap).
>>>>>
>>>>>> cups options = raw
>>>>>
>>>>> This parameter is only applicable if printing is set to
>>>>> cups. Its
>>>>> value is a free form string of options passed directly
>>>>> to the cups
>>>>> library.
>>>>>
>>>>>> usershare allow guests = yes
>>>>>
>>>>> Controls if usershares can permit guest access.
>>>>>
>>>>>> os level = 20
>>>>>
>>>>> This integer value controls what level Samba advertises
>>>>> itself as
>>>>> for browse elections. The value of this parameter
>>>>> determines
>>>>> whether nmbd(8) has a chance of becoming a local master
>>>>> browser for
>>>>> the workgroup in the local broadcast area.
>>>>>
>>>>>> map to guest = bad user
>>>>>
>>>>> This parameter can take four different values, which
>>>>> tell smbd(8)
>>>>> what to do with user login requests that don't match a
>>>>> valid UNIX
>>>>> user in some way.
>>>>>
>>>>> · Bad User - Means user logins with an invalid
>>>>> password are
>>>>> rejected, unless the username does not exist, in
>>>>> which case it
>>>>> is treated as a guest login and mapped into the
>>>>> guest account.
>>>>>
>>>>>> username map = /etc/samba/smbmap
>>>>>
>>>>> This option allows you to specify a file containing a
>>>>> mapping of
>>>>> usernames from the clients to the server.
>>>>>
>>>>> This is my smbmap file
>>>>>
>>>>> !root = EXAMPLE\Administrator Administrator administrator
>>>>>
>>>>> As I said there is more info available in the smb.conf manpage.
>>>>>
>>>>>>
>>>>>> I have never seen these before. The last entry on my list may be
>>>>>> the key if it does what I think it does. Before I add these lines
>>>>>> I need to ask if there is a cache of ID's to names somewhere.
>>>>>> See, I find it VERY odd that as often as I have removed the
>>>>>> system from the domain, wiped out everything in "/var/lib/samba",
>>>>>> and rejoined the domain, it keeps mapping the EXACT same ID
>>>>>> numbers on each box to the same usernames. My belief is that
>>>>>> there is a cache I am not deleting somewhere. Would you mind
>>>>>> telling me if there is a file somewhere I should delete to remove
>>>>>> the old mappings?
>>>>>
>>>>> If you are deleting /var/lib/samba then you are deleting the
>>>>> cache, provided of course you are doing this on the client. The
>>>>> fact that you are getting the right uidNumber's on the server
>>>>> shows that this seems to be set up correctly, the problem does
>>>>> seem to be with the client. Do you have all these packages
>>>>> installed on the client:
>>>>>
>>>>> samba libnss-winbind winbind libpam-winbind krb5-config
>>>>> libpam-krb5 krb5-user
>>>>>
>>>>> After that, I can only think that we are going to have to walk
>>>>> through the setup file by file.
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>> This is one of the problems with building samba4 yourself, on the
>>> server you do not need the 'extra' packages, but when it comes to
>>> the clients, you do. As you are using Debian, have you considered
>>> using samba from backports, this would give you samba4 version 4.1.9
>>> (at the moment).
>>>
>>> Rowland
>>>
>>
>
More information about the samba
mailing list