[Samba] Re: User problem (samba, w2k3)

Markus Klimke m.klimke at tu-harburg.de
Thu Apr 29 14:17:10 GMT 2004


Yohann Ferreira wrote:
> Hi there
> 
> Could you also attach your krb5.conf and your pam.d/login files?
> I also have the same kind of problem, and I would just like to see 
> the differences between our configurations ...
> 
> Thanks for reading!
> 
> Bertram

Hi Bertram,

sure:

:: krb5.conf ::

[libdefaults]
         ticket_lifetime = 600
         default_realm = DOMAIN.DE
         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
         DOMAIN.DE = {
           kdc = w2k3.domain.de:88
         }

[domain_realm]
         .domain.de = DOMAIN.DE
         domain.de = DOMAIN.DE

[kdc]
         profile = /etc/krb5kdc/kdc.conf

[logging]
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmin.log
         default = FILE:/var/log/krb5lib.log

[appdefaults]
         pam = {
           debug = false
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
         }


:: pam.d/system-auth ::

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so
auth       sufficient   /lib/security/pam_krb5.so use_first_pass likeauth
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_ldap.so

password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_krb5.so use_first_pass
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so
session    optional     /lib/security/pam_ldap.so

But I don't think it's related to these. I tried around a little and 
saw that I had some problems understanding the permissions theory 
concerning Windows and Linux interoperability with Samba. The main point 
is that if you have the same users (usernames) on both sides, they have 
the right to map their home drive. Even another share point, with 
exclusive rights for group members, should give you the ability to 
map and/or access it. That does it for me. I don't know exactly why I 
had the problem, but it seems to be fixed. Maybe it was because winbind 
wasn't started, which is possible. Now I can access the shares, if you 
have the permissions to access them.

Anyway, at this time I can't set permissions in the security tab of 
Windows for shares, but this is related to the SID -> UID mapping, which 
I will have a closer look at later.

Best Regards
-markus

> 
>> From: Markus Klimke <m.klimke at tu-harburg.de>
>> To: samba at lists.samba.org
>> Subject: [Samba] User problem (samba, w2k3)
>> Date: Thu, 29 Apr 2004 13:00:53 +0200
>>
>> Hello all,
>>
>> :: Strategy ::
>>
> >> I am using Samba 3.0.2a with security mode ADS, hooking a fileserver 
> >> up to a W2k3 server and domain. The join worked as described in the 
> >> documentation. For auth of users I use nssldap to query the LDAP 
> >> database of W2k3, so my Windows users are visible both under Linux 
> >> and Windows.
>>
>> :: Problem ::
>>
> >> If I try to share the homes or other points I'm asked to type in a 
> >> username and a password. When I type in a username which is, as 
> >> described, visible on both sides, Windows says that this user is not 
> >> valid to enter the share. As a workaround I used an "admin" entry in 
> >> the smbpasswd, which has access to the shares. I think this is a very 
> >> ugly hack. I also tried it with winbind, but it didn't work either. When 
> >> I open the security tab under Windows of a share or the subdirectories 
> >> within, it shows entries like "FILER\user", which is not my domain but 
> >> the samba server itself. Maybe this is correct, but I can't make any 
> >> change such as adding a user to the security context of Windows.
>>
> >> I am not using the winbind name switch in nsswitch.conf and not any 
> >> winbind pam auth, because I am using nssldap for making users visible on 
> >> Linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in 
> >> advanced mode (not native or mixed mode), which might be a problem, 
> >> but I don't believe so. If I type "wbinfo -u" the users on the Windows 
> >> side are listed, but not with the domain separator, just the user itself.
>>
>> :: Question ::
>>
>> How can I map samba shares with "security = ADS" on a windows machine, 
>> without using "smbpasswd"?
>>
>> :: smb.conf ::
>>
>> # Global parameters
>> [global]
>>         workgroup = DOMAIN
>>         realm = DOMAIN.DE
>>         security = ads
>>         password server = w2k3.domain.de
>>         encrypt passwords = yes
>>         #smb passwd file = /etc/samba/smbpasswd
>>     ;; I don't want to use this line, because the documentation
>>     ;; said I don't need this
>>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>         os level = 10
>>         preferred master = no
>>         idmap uid = 500-6000
>>         idmap gid = 500-6000
>>         winbind separator = +
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind trusted domains only = yes
> >>     ;; Caught the above line from a hint, which was mentioned
> >>     ;; to fix the problem
>>
>> [homes]
>>         comment = %u's Home Directory
> >>     ;; This one always shows, if the smbpasswd entry above
> >>     ;; is enabled, "admin's Home Directory", where admin is
> >>     ;; the smbpasswd entry used to get shares mapped
>>         create mask = 0755
>>         read only = No
>>         browseable = No
>>
>> [shared]
>>         comment = Share Point
>>         path = /shared
>>         read only = no
>>         browseable = yes
>>
>> [backup]
>>         comment = Backup Repo
>>         path = /backup
>>         read only = yes
>>         browseable = no
>>
>>
> >> Many thanks for any hint or assistance
>> Best regards
>> -markus
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 
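The system-auth stack Markus posted chains two `sufficient` modules (pam_unix, then pam_krb5 with `use_first_pass`) in front of a `required` pam_deny in the auth phase, and puts a `sufficient` pam_unix ahead of a `required` pam_ldap in the account phase. The evaluator below is an added example, not code from the thread or from Linux-PAM: it parses a constructed copy of those rules and applies the required/requisite/sufficient/optional semantics the way libpam does, so you can see which modules actually run for a given combination of module results. The per-module outcomes ("ok", "fail", "ignore") are supplied by the caller and are assumptions for the scenario, not results of a real login; `pam_env.so` is given "ignore" because it contributes nothing to the auth decision.

```python
"""Evaluate a Linux-PAM stack with libpam's control-flag rules (added example)."""
from dataclasses import dataclass

# Constructed copy of the auth and account rules from the posted system-auth.
SYSTEM_AUTH = """\
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so
auth       sufficient   /lib/security/pam_krb5.so use_first_pass likeauth
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    required     /lib/security/pam_ldap.so
"""

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class Rule:
    type: str      # auth / account / password / session
    control: str   # required / requisite / sufficient / optional
    module: str    # file name only, e.g. "pam_krb5.so"
    args: tuple    # module arguments such as ("use_first_pass", "likeauth")


def parse_stack(text):
    """Parse pam.d-style rules. A line that does not start with a module type
    (for instance an argument that was wrapped onto its own line) is rejected."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in TYPES or parts[1] not in CONTROLS:
            raise ValueError(f"malformed PAM rule: {line!r}")
        module = parts[2].rsplit("/", 1)[-1]
        rules.append(Rule(parts[0], parts[1], module, tuple(parts[3:])))
    return rules


def evaluate(rules, mtype, outcomes):
    """Run the rules of one type (e.g. "auth") against assumed module results.

    outcomes maps module file name -> "ok" | "fail" | "ignore". A module that
    is missing from the dict is treated as failing, which is also exactly what
    pam_deny.so does. Returns ("success" | "failure", [modules consulted])."""
    consulted = []
    required_failed = False   # a required module failed; remembered until the end
    any_success = False       # some module contributed a success
    for r in rules:
        if r.type != mtype:
            continue
        consulted.append(r.module)
        outcome = outcomes.get(r.module, "fail")
        if outcome == "ignore":          # PAM_IGNORE: no effect on the decision
            continue
        ok = outcome == "ok"
        if r.control == "requisite":
            if not ok:
                return "failure", consulted   # die immediately
            any_success = True
        elif r.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True        # keep going, but the stack will fail
        elif r.control == "sufficient":
            if ok and not required_failed:
                return "success", consulted   # done: later modules never run
            if ok:
                any_success = True
            # a failing sufficient module is simply ignored
        elif r.control == "optional":
            # simplification: only ever adds a success; libpam lets an optional
            # module decide the outcome only when nothing else in the stack did
            if ok:
                any_success = True
        else:
            raise ValueError(f"unsupported control flag {r.control!r}")
    if required_failed or not any_success:
        return "failure", consulted
    return "success", consulted


if __name__ == "__main__":
    rules = parse_stack(SYSTEM_AUTH)
    # Local password check fails, the KDC accepts the same password.
    print(evaluate(rules, "auth", {"pam_env.so": "ignore", "pam_unix.so": "fail", "pam_krb5.so": "ok"}))
    # Both fail: pam_deny is reached and the stack fails closed.
    print(evaluate(rules, "auth", {"pam_env.so": "ignore", "pam_unix.so": "fail", "pam_krb5.so": "fail"}))
    # A user that pam_unix's account check accepts never reaches pam_ldap.
    print(evaluate(rules, "account", {"pam_unix.so": "ok", "pam_ldap.so": "fail"}))
```

Two things worth noticing in the output: in the auth phase a wrong local password is not fatal as long as pam_krb5 accepts the same password, and in the account phase a `sufficient` pam_unix short-circuits the stack, so whatever pam_ldap would have enforced for that account is never consulted. The parser also rejects a bare `use_authtok` or `umask=0022` on a line of its own, which is what a mail-wrapped copy of the file would contain.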
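Markus's smb.conf sets `idmap uid = 500-6000` while the UIDs of domain users already come from nss_ldap, and `winbind trusted domains only = yes` makes winbind map users of the primary domain to those NSS accounts by name instead of allocating from the range. Any local or LDAP-supplied UID that still lies inside the range can nevertheless be handed by winbind to a SID from a trusted domain, after which two different identities own the same files. The checker below is an added example (not part of the post, of Samba or of winbind): it reads the `[global]` section, parses the idmap range and flags every passwd entry that falls inside it. The smb.conf fragment and the passwd lines are constructed for the example; the `jdoe` entry stands in for an account that nss_ldap would return from the W2k3 directory.

```python
"""Flag passwd entries that fall inside Samba's idmap uid range (added example)."""
import re

# Constructed [global] section following the posted smb.conf.
SMB_CONF = """\
# Global parameters
[global]
        workgroup = DOMAIN
        realm = DOMAIN.DE
        security = ads
        password server = w2k3.domain.de
        idmap uid = 500-6000
        idmap gid = 500-6000
        winbind separator = +
        winbind trusted domains only = yes
    ;; comment lines like this one are ignored

[homes]
        read only = No
"""

# Constructed passwd data. "jdoe" stands in for an account that nss_ldap
# returns from the W2k3 directory; the others are ordinary local users.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
markus:x:500:500:Markus Klimke:/home/markus:/bin/bash
jdoe:x:1105:1105:John Doe (AD via nss_ldap):/home/jdoe:/bin/bash
svc-scan:x:7001:7001:scanner:/nonexistent:/sbin/nologin
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_KEYVAL = re.compile(r"^([^=]+?)\s*=\s*(.*)$")


def parse_global(text):
    """Return the key/value pairs of [global] with lowercased keys."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # smb.conf comments start with # or ;
            continue
        m = _SECTION.match(line)
        if m:
            in_global = m.group(1).strip().lower() == "global"
            continue
        m = _KEYVAL.match(line)
        if in_global and m:
            params[m.group(1).strip().lower()] = m.group(2).strip()
    return params


def parse_range(value):
    """'500-6000' -> (500, 6000); reject anything that is not lo-hi with lo <= hi."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"not an idmap range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {value!r}")
    return lo, hi


def uids_in_range(passwd_text, lo, hi):
    """(name, uid) for every passwd entry whose UID lies in [lo, hi]."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        uid = int(fields[2])
        if lo <= uid <= hi:
            hits.append((fields[0], uid))
    return hits


def check_idmap(smb_conf, passwd_text):
    """Summarise the idmap configuration and the accounts that collide with it."""
    g = parse_global(smb_conf)
    lo, hi = parse_range(g["idmap uid"])
    tdo = g.get("winbind trusted domains only", "no").lower()
    return {
        "uid_range": (lo, hi),
        "trusted_domains_only": tdo in ("yes", "true", "1"),
        "colliding_uids": uids_in_range(passwd_text, lo, hi),
    }


if __name__ == "__main__":
    report = check_idmap(SMB_CONF, PASSWD)
    for name, uid in report["colliding_uids"]:
        print(f"uid {uid} ({name}) lies inside idmap uid {report['uid_range']}")
```

On a real host you would feed `getent passwd` output (which includes the nss_ldap accounts) rather than the constructed `PASSWD` text, and do the same for `idmap gid` against `getent group`. An empty `colliding_uids` list is the state you want: the idmap range should sit above every UID that NSS can return.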