[Samba] Can't login from Windows PC to Samba using ADS?
Michael Cesar
TheCesars at comcast.net
Tue Aug 31 12:58:09 GMT 2004
Yang Xiao wrote:
>On Tue, 31 Aug 2004 08:17:56 -0400, Michael Cesar <thecesars at comcast.net> wrote:
>
>
>>Yang Xiao wrote:
>>
>>
>>
>>>On Fri, 27 Aug 2004 15:17:35 -0400, Michael Cesar <thecesars at comcast.net> wrote:
>>>
>>>
>>>
>>>
>>>>I hope this is the right place to post this.
>>>>
>>>>I am running SuSE 8.2 Linux on an IBM 1 gig processor at work. I
>>>>installed samba 3.0.5 on it and followed the instructions in the online
>>>>book "Samba-3 by Example" for chapter 9 "Active Directory Domain with
>>>>Samba Domain Member Server
>>>><http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm>"
>>>>to a tee (of course it is for 3.0.2) and have everything working
>>>>except the W2K PC cannot authenticate. Oh yeah, I also went through the steps in
>>>>the troubleshooting guide but couldn't get the step "net use x:
>>>>\\mysamba\web" to add.
>>>>
>>>>I can 'net view \\mysamba' just fine and sambaclient -L
>>>>mysamba.xxx.com/mydomainloginname ok using my ADS password.
>>>>I can see mysamba in the Network Neighborhood.
>>>>But I just can't get access to the share from my PC. Oh yea, and I am
>>>>using encrypted passwords = yes.
>>>>
>>>>I assume I must have missed something somewhere but for the life of me I
>>>>can't see it. Anybody have any ideas?
>>>>
>>>>Michael Cesar
>>>>
>>>>***** my smb.conf file contents: ******
>>>>
>>>># Samba config file created using SWAT
>>>># from 0.0.0.0 (0.0.0.0)
>>>># Date: 2004/08/27 14:25:35
>>>>
>>>># Global parameters
>>>>[global]
>>>> workgroup = MBTMASTER
>>>> realm = MBTMASTER.COM
>>>> netbios name = SAMBA_TEST
>>>> security = ADS
>>>> map to guest = Bad User
>>>> log level = 1
>>>> syslog = 0
>>>> log file = /var/log/samba/%m
>>>> time server = Yes
>>>> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>> os level = 2
>>>> ldap ssl = no
>>>> preload = global
>>>> idmap uid = 10000-20000
>>>> idmap gid = 10000-20000
>>>> template primary group =
>>>> template shell = /bin/bash
>>>> winbind separator = +
>>>> veto files = /*.eml/*.nws/riched20.dll/*.{*}/
>>>>
>>>>[homes]
>>>> comment = Home Directories
>>>> valid users = %S
>>>> read only = No
>>>> create mask = 0640
>>>> directory mask = 0750
>>>> browseable = No
>>>>
>>>>[printers]
>>>> comment = All Printers
>>>> path = /var/tmp
>>>> create mask = 0600
>>>> printable = Yes
>>>> browseable = No
>>>>
>>>>[print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/drivers
>>>> write list = @ntadmin, root
>>>> force group = ntadmin
>>>> create mask = 0664
>>>> directory mask = 0775
>>>>
>>>>[web]
>>>> comment = Test Web Root
>>>> path = /srv/www/htdocs
>>>> valid users = michael.cesar, @Administrtors
>>>> admin users = michael.cesar
>>>> read only = No
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>Hi,
>>>Is your winbind running? Did you configure Kerberos correctly? Try adding
>>>log level = 2 in the smb.conf and see if you can catch anything in the logs.
>>>
>>>Yang
>>>
>>>
>>>
>>>
>>>
>>Winbind appears to be running fine. My share definition for 'web'
>>contains 'valid users' of 'michael.cesar' (my domain login) and
>>'@Administrators' ( the domain group I belong to). I set the log level
>>to 2 and am getting the following below. I don't understand why...
>>1) Why is winbind trying to create a user in the first place? I want it
>>to validate an existing one.
>>2) When winbind fails to create the user it doesn't know the group
>>Administrators and gives the error "cannot validate gid for group()"?
>>3) Why is it trying to validate 'mcesar' (a local login account not
>>listed in any config file for samba etc) and not michael.cesar (my
>>domain login)? (I am using the command line "net use" so the apache
>>logins my browser knows should not come into play - one would think)
>>
>>Michael Cesar
>>
>>[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
>> added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
>>[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
>> added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
>>[2004/08/31 07:50:02, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
>> Registered MSG_REQ_POOL_USAGE
>>[2004/08/31 07:50:02, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>> Added domain MBTMASTER MBTMASTER.COM S-0-0
>>[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:50:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
>> krb5_cc_get_principal failed (No such file or directory)
>>[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>> Added domain BUILTIN S-1-5-32
>>[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>> Added domain SAMBA_TEST S-1-5-21-289385821-3664457749-2860223883
>>[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:51:44, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
>> winbindd_create_user: Cannot validate gid for group ()
>>[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
>> winbindd_create_user: Cannot validate gid for group ()
>>[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
>> winbindd_create_user: Cannot validate gid for group ()
>>[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'mcesar' does not exist
>>[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'mcesar' does not exist
>>[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'root' does not exist
>>[2004/08/31 07:55:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'mcesar' does not exist
>>
>>
>>
>>
>Sounds like you have not mapped the user groups, you need to use "net
>groupmap" which allows you to map NT user groups to Linux user groups,
>both have to be valid existing groups. Do a "net groupmap list" and
>you will see.
>
>What is missing from the how-to is user group mapping.
>Make sure your /etc/nsswitch.conf file uses winbind for user name resolution.
>
>Yang
>
>
>
Thanks Yang, for the tip on groupmap. As for the nsswitch.conf
file...are you suggesting I add the 'network' and 'netgroup' keywords?
The following, according to the how-to are the only services mapped to
winbind...
passwd: compat winbind
group: compat winbind
Michael Cesar
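
The nsswitch.conf advice discussed in this thread, written as a check. This is an added example, not part of the original messages; the function names and the sample file contents are constructed here for illustration.

```shell
#!/bin/sh
# Added example: verify that an nsswitch.conf sends passwd and group
# lookups through winbind, as the reply in this thread advises.

# nss_uses_winbind FILE DB
# Succeeds when the DB line in FILE lists "winbind" as a source.
# Comments are stripped first, so a commented-out "winbind" does not count.
nss_uses_winbind() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        BEGIN { FS = ":"; rc = 1 }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == db {
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "winbind") rc = 0
            exit
        }
        END { exit rc }'
}

# check_winbind_nss FILE
# Reports on the two databases a domain member needs; the return status
# is the number of databases that do not list winbind.
check_winbind_nss() {
    missing=0
    for db in passwd group; do
        if nss_uses_winbind "$1" "$db"; then
            echo "ok: $db lists winbind"
        else
            echo "MISSING: $db does not list winbind"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample using the two lines quoted from the how-to.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
passwd: compat winbind
group:  compat winbind
hosts:  files dns
EOF
check_winbind_nss "$sample" || true
rm -f "$sample"
```

On the member server, point `check_winbind_nss` at `/etc/nsswitch.conf`.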