[Samba] Re: User problem (samba, w2k3)
Markus Klimke
m.klimke at tu-harburg.de
Thu Apr 29 14:17:10 GMT 2004
Yohann Ferreira wrote:
> Hi there
>
> Could you also join your krb5.conf and your pam.d/login files ?
> I also have the same kind of problem, and I just would like to see
> differences between our configurations ...
>
> Thanks for reading !
>
> Bertram
Hi Bertram,
sure:
:: krb5.conf ::
[libdefaults]
ticket_lifetime = 600
default_realm = DOMAIN.DE
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
DOMAIN.DE = {
kdc = w2k3.domain.de:88
}
[domain_realm]
.domain.de = DOMAIN.DE
domain.de = DOMAIN.DE
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
:: pam.d/system-auth ::
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so
auth sufficient /lib/security/pam_krb5.so use_first_pass likeauth
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_krb5.so use_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so
session optional /lib/security/pam_ldap.so
But I don't think it's related to this one. I've tried around a little
and saw that I had some problems understanding the permissions theory
concerning Windows and Linux interoperability with Samba. The main fact
is that if you have the same users (usernames) on both sides, they have
the right to map their home drive. Even another share point, with
exclusive rights for group membership, should give you the ability to
map and/or access them. That does it for me. I don't know exactly why I
had the problem, but it seems to be fixed. Maybe it was because winbind
wasn't started, which could be. Now I can access the shares, if you have
the permissions to access them.
Anyway, at this time I can't set permissions in the security tab of
Windows for shares, but this is related to the SID -> UID mapping, which
I will have a closer look at later.
Best Regards
-markus
>
>> From: Markus Klimke <m.klimke at tu-harburg.de>
>> To: samba at lists.samba.org
>> Subject: [Samba] User problem (samba, w2k3)
>> Date: Thu, 29 Apr 2004 13:00:53 +0200
>>
>> Hello all,
>>
>> :: Strategy ::
>>
>> I am using Samba 3.0.2a with security mode ADS, hooking a fileserver
>> up to a W2k3 server and domain. The join worked as mentioned in the
>> documentation. For auth of users I use nssldap to query the LDAP
>> database of W2k3, so my Windows users are visible both under Linux
>> and Windows.
>>
>> :: Problem ::
>>
>> If I try to share the homes or other points I'm asked to type in a
>> username and a password. When I type in a username, which is as
>> described visible on both sides, windows says that this user is not
>> valid to enter the share. As a workaround I used an "admin" entry in
>> the smbpasswd, which has access to the shares. I think this is a very
>> ugly hack. I also tried it with winbind, but it didn't work either. When
>> I open the security tab under windows of a share or the subdirectories
>> within, it shows entries like "FILER\user" which is not my domain just
>> the samba server itself. Maybe this is correct, but I can't make any
>> change of adding a user to the security context of windows.
>>
>> I am not using the winbind name switch in nsswitch.conf and not any
>> winbind pam auth, because of using nssldap for making users visible on
>> linux and pam_krb5/pam_ldap for the auth. My W2k3 is operating in
>> advanced mode (not native or mixed mode), which might be a problem,
>> but I don't believe this. If I type "wbinfo -u" the users on windows
>> side are listed, but not with the domain separator, just the user itself.
>>
>> :: Question ::
>>
>> How can I map samba shares with "security = ADS" on a windows machine,
>> without using "smbpasswd"?
>>
>> :: smb.conf ::
>>
>> # Global parameters
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.DE
>> security = ads
>> password server = w2k3.domain.de
>> encrypt passwords = yes
>> #smb passwd file = /etc/samba/smbpasswd
>> ;; I don't want to use this line, because the documentation
>> ;; said I don't need this
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> os level = 10
>> preferred master = no
>> idmap uid = 500-6000
>> idmap gid = 500-6000
>> winbind separator = +
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind trusted domains only = yes
>> ;; Caught the above line from a hint, which was mentioned
>> ;; to fix the problem
>>
>> [homes]
>> comment = %u's Home Directory
>> ;; This one's always showing, if the smbpasswd entry above
>> ;; is enabled: "admin's Home Directory", where admin is
>> ;; the smbpasswd entry to get shares mapped
>> create mask = 0755
>> read only = No
>> browseable = No
>>
>> [shared]
>> comment = Share Point
>> path = /shared
>> read only = no
>> browseable = yes
>>
>> [backup]
>> comment = Backup Repo
>> path = /backup
>> read only = yes
>> browseable = no
>>
>>
>> Many thanks for every hint or assistance
>> Best regards
>> -markus
>>