[Samba] Can't login from Windows PC to Samba using ADS?

Michael Cesar TheCesars at comcast.net
Tue Aug 31 12:17:56 GMT 2004


Yang Xiao wrote:

>On Fri, 27 Aug 2004 15:17:35 -0400, Michael Cesar <thecesars at comcast.net> wrote:
>>I hope this is the right place to post this.
>>
>>I am running SuSe 8.2 Linux on an IBM 1 gig processor at work. I
>>installed samba 3.0.5 on it and followed the instructions in the online
>>book "Samba-3 by Example" for chapter 9 "Active Directory Domain with
>>Samba Domain Member Server
>><http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm>"
>>to a tee (of course it is for 3.0.2) and have everything working
>>except for W2K pc cannot authenticate? Oh yeah, I also went through the steps in
>>the troubleshooting guide but couldn't get the step "net use x:
>>\\mysamba\web" to add.
>>
>>I can 'net view \\mysamba' just fine and sambaclient -L
>>mysamba.xxx.com/mydomainloginname ok using my ADS password.
>>I can see mysamba in the Network Neighborhood.
>>But I just can't get access to the share from my PC. Oh yea, and I am
>>using encrypted passwords = yes.
>>
>>I assume I must have missed something somewhere but for the life of me I
>>can't see it. Anybody have any ideas?
>>
>>Michael Cesar
>>
>>***** my smb.conf file contents: ******
>>
>># Samba config file created using SWAT
>># from 0.0.0.0 (0.0.0.0)
>># Date: 2004/08/27 14:25:35
>>
>># Global parameters
>>[global]
>>   workgroup = MBTMASTER
>>   realm = MBTMASTER.COM
>>   netbios name = SAMBA_TEST
>>   security = ADS
>>   map to guest = Bad User
>>   log level = 1
>>   syslog = 0
>>   log file = /var/log/samba/%m
>>   time server = Yes
>>   socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>   os level = 2
>>   ldap ssl = no
>>   preload = global
>>   idmap uid = 10000-20000
>>   idmap gid = 10000-20000
>>   template primary group =
>>   template shell = /bin/bash
>>   winbind separator = +
>>   veto files = /*.eml/*.nws/riched20.dll/*.{*}/
>>
>>[homes]
>>   comment = Home Directories
>>   valid users = %S
>>   read only = No
>>   create mask = 0640
>>   directory mask = 0750
>>   browseable = No
>>
>>[printers]
>>   comment = All Printers
>>   path = /var/tmp
>>   create mask = 0600
>>   printable = Yes
>>   browseable = No
>>
>>[print$]
>>   comment = Printer Drivers
>>   path = /var/lib/samba/drivers
>>   write list = @ntadmin, root
>>   force group = ntadmin
>>   create mask = 0664
>>   directory mask = 0775
>>
>>[web]
>>   comment = Test Web Root
>>   path = /srv/www/htdocs
>>   valid users = michael.cesar, @Administrtors
>>   admin users = michael.cesar
>>   read only = No
>>
>Hi,
>Is your winbind running? Did you configure Kerberos correctly? Try adding
>log level = 2 in the smb.conf and see if you can catch anything in the logs.
>
>Yang
>
Winbind appears to be running fine. My share definition for 'web' 
contains 'valid users' of 'michael.cesar' (my domain login) and 
'@Administrators' (the domain group I belong to).  I set the log level 
to 2 and am getting the following below. I don't understand why...
1) Why is winbind trying to create a user in the first place? I want it 
to validate an existing one.
2) When winbind fails to create the user it doesn't know the group 
Administrators and gives the error "cannot validate gid for group()"?
3) Why is it trying to validate 'mcesar' (a local login account not 
listed in any config file for samba etc) and not michael.cesar (my 
domain login)? (I am using the command line "net use" so the apache 
logins my browser knows should not come into play - one would think)

Michael Cesar

[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/08/31 07:50:02, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain MBTMASTER MBTMASTER.COM S-0-0
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:50:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No such file or directory)
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain SAMBA_TEST  S-1-5-21-289385821-3664457749-2860223883
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:51:44, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/08/31 07:55:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
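
An added example, not part of either post: a check worth running against the smb.conf quoted in this thread. With `winbind use default domain` at its default of `no`, winbindd resolves domain accounts only in the DOMAIN<separator>name form, so an unqualified entry in a name list such as `valid users` or `admin users` is looked up as a local Unix name. The sample below is constructed from the posted config; `unqualified_names` and `known_local` are names made up for this example.

```python
import re

# Constructed sample: the name-list lines of the smb.conf posted in the thread.
SAMPLE_CONF = """\
[global]
   winbind separator = +
[homes]
   valid users = %S
[print$]
   write list = @ntadmin, root
[web]
   valid users = michael.cesar, @Administrtors
   admin users = michael.cesar
"""

NAME_LISTS = ("valid users", "invalid users", "admin users", "write list", "read list")

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lowercased, space-normalised keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = conf.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def unqualified_names(text, known_local=()):
    """List (section, parameter, entry) for entries with no DOMAIN<separator> prefix.

    Entries are comma/space separated; quoted names may contain spaces."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("winbind use default domain", "no").lower() in ("yes", "true", "1"):
        return []  # winbindd then accepts names without a domain component
    sep = glob.get("winbind separator", "\\")
    findings = []
    for section, params in conf.items():
        for param in NAME_LISTS:
            for entry in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', params.get(param, "")):
                name = entry.lstrip("@+&").strip('"')
                if "%" in name or name in known_local or sep in name:
                    continue  # macro, intended local account, or already qualified
                findings.append((section, param, entry))
    return findings

print(unqualified_names(SAMPLE_CONF, known_local={"root", "ntadmin"}))
```

Every entry it reports for `[web]` is a name smbd will try to match against local accounts; the `admin users` entry deserves the closest look, since whoever that name resolves to operates on the share as root.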


