[Samba] Can't login from Windows PC to Samba using ADS?

Michael Cesar TheCesars at comcast.net
Tue Aug 31 12:58:09 GMT 2004


Yang Xiao wrote:

>On Tue, 31 Aug 2004 08:17:56 -0400, Michael Cesar <thecesars at comcast.net> wrote:
>
>>Yang Xiao wrote:
>>
>>>On Fri, 27 Aug 2004 15:17:35 -0400, Michael Cesar <thecesars at comcast.net> wrote:
>>>
>>>>I hope this is the right place to post this.
>>>>
>>>>I am running SuSe 8.2 Linux on an IBM 1 gig processor at work. I
>>>>installed samba 3.0.5 on it and followed the instructions in the online
>>>>book "Samba-3 by Example" for chapter 9, "Active Directory Domain with
>>>>Samba Domain Member Server"
>>>><http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm>,
>>>>to a tee (of course it is for 3.0.2) and have everything working
>>>>except the W2K PC cannot authenticate. Oh yeah, I also went through the steps in
>>>>the troubleshooting guide but couldn't get the step "net use x:
>>>>\\mysamba\web" to add.
>>>>
>>>>I can 'net view \\mysamba' just fine and sambaclient -L
>>>>mysamba.xxx.com/mydomainloginname ok using my ADS password.
>>>>I can see mysamba in the Network Neighborhood.
>>>>But I just can't get access to the share from my PC. Oh yea, and I am
>>>>using encrypted passwords = yes.
>>>>
>>>>I assume I must have missed something somewhere but for the life of me I
>>>>can't see it. Anybody have any ideas?
>>>>
>>>>Michael Cesar
>>>>
>>>>***** my smb.conf file contents: ******
>>>>
>>>># Samba config file created using SWAT
>>>># from 0.0.0.0 (0.0.0.0)
>>>># Date: 2004/08/27 14:25:35
>>>>
>>>># Global parameters
>>>>[global]
>>>>  workgroup = MBTMASTER
>>>>  realm = MBTMASTER.COM
>>>>  netbios name = SAMBA_TEST
>>>>  security = ADS
>>>>  map to guest = Bad User
>>>>  log level = 1
>>>>  syslog = 0
>>>>  log file = /var/log/samba/%m
>>>>  time server = Yes
>>>>  socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>  os level = 2
>>>>  ldap ssl = no
>>>>  preload = global
>>>>  idmap uid = 10000-20000
>>>>  idmap gid = 10000-20000
>>>>  template primary group =
>>>>  template shell = /bin/bash
>>>>  winbind separator = +
>>>>  veto files = /*.eml/*.nws/riched20.dll/*.{*}/
>>>>
>>>>[homes]
>>>>  comment = Home Directories
>>>>  valid users = %S
>>>>  read only = No
>>>>  create mask = 0640
>>>>  directory mask = 0750
>>>>  browseable = No
>>>>
>>>>[printers]
>>>>  comment = All Printers
>>>>  path = /var/tmp
>>>>  create mask = 0600
>>>>  printable = Yes
>>>>  browseable = No
>>>>
>>>>[print$]
>>>>  comment = Printer Drivers
>>>>  path = /var/lib/samba/drivers
>>>>  write list = @ntadmin, root
>>>>  force group = ntadmin
>>>>  create mask = 0664
>>>>  directory mask = 0775
>>>>
>>>>[web]
>>>>  comment = Test Web Root
>>>>  path = /srv/www/htdocs
>>>>  valid users = michael.cesar, @Administrtors
>>>>  admin users = michael.cesar
>>>>  read only = No
>>>>
>>>>
>>>Hi,
>>>Is your winbind running? Did you configure Kerberos correctly? Try adding
>>>log level = 2 in the smb.conf and see if you can catch anything in the logs.
>>>
>>>Yang
>>>
>>Winbind appears to be running fine. My share definition for 'web'
>>contains 'valid users' of 'michael.cesar' (my domain login) and
>>'@Administrators' (the domain group I belong to). I set the log level
>>to 2 and am getting the following below. I don't understand why...
>>1) Why is winbind trying to create a user in the first place? I want it
>>to validate an existing one.
>>2) When winbind fails to create the user it doesn't know the group
>>Administrators and gives the error "cannot validate gid for group()"?
>>3) Why is it trying to validate 'mcesar' (a local login account not
>>listed in any config file for samba etc.) and not michael.cesar (my
>>domain login)? (I am using the command line "net use", so the Apache
>>logins my browser knows should not come into play, one would think.)
>>
>>Michael Cesar
>>
>>[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
>> added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
>>[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
>> added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
>>[2004/08/31 07:50:02, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
>> Registered MSG_REQ_POOL_USAGE
>>[2004/08/31 07:50:02, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
>> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
>>[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>> Added domain MBTMASTER MBTMASTER.COM S-0-0
>>[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:50:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
>> krb5_cc_get_principal failed (No such file or directory)
>>[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>> Added domain BUILTIN  S-1-5-32
>>[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
>> Added domain SAMBA_TEST  S-1-5-21-289385821-3664457749-2860223883
>>[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:51:44, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
>> winbindd_create_user: Cannot validate gid for group ()
>>[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
>> winbindd_create_user: Cannot validate gid for group ()
>>[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
>> winbindd_create_user: Cannot validate gid for group ()
>>[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'mcesar' does not exist
>>[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'mcesar' does not exist
>>[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'root' does not exist
>>[2004/08/31 07:55:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
>> Doing kerberos session setup
>>[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>> user 'mcesar' does not exist
>>
>Sounds like you have not mapped the user groups, you need to use "net
>groupmap" which allows you to map NT user groups to Linux user groups,
>both have to be valid existing groups. Do a "net groupmap list" and
>you will see.
>
>What is missing from the how-to is user group mapping.
>Make sure your /etc/nsswitch.conf file uses winbind for user name resolution.
>
>Yang
>
Thanks, Yang, for the tip on groupmap. As for the nsswitch.conf
file... are you suggesting I add the 'network' and 'netgroup' keywords?
The following, according to the how-to, are the only services mapped to
winbind...

passwd: compat winbind
group:  compat winbind

Michael Cesar
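
A lint pass over the configuration posted in this thread, as an added example that is not part of the original messages or of Samba. It flags empty-valued parameters, `admin users` entries, and unqualified names in access lists. The `SMB_CONF` excerpt is constructed from the posted file, the function name `lint` is hypothetical, and the name check assumes that on a domain member without `winbind use default domain = yes` winbind presents domain accounts as DOMAIN, separator, name.

```python
import configparser

# Constructed excerpt: only the keys from the posted smb.conf that the checks read.
SMB_CONF = """\
[global]
workgroup = MBTMASTER
security = ADS
template primary group =
winbind separator = +

[web]
valid users = michael.cesar, @Administrtors
admin users = michael.cesar
"""

USER_LISTS = ("valid users", "admin users", "write list")
GROUP_PREFIXES = "@+&"  # smb.conf markers that introduce a group entry


def lint(text):
    """Return (section, key, message) findings for a domain-member smb.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    domain = g.get("workgroup", "")
    sep = g.get("winbind separator", "\\")
    member = g.get("security", "").lower() in ("ads", "domain")
    default_dom = g.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    findings = []
    for section in cp.sections():
        for key, value in cp[section].items():
            if not value.strip():
                findings.append((section, key, "empty value"))
            if key == "admin users" and value.strip():
                findings.append((section, key, "listed users act as root on this share"))
            if key not in USER_LISTS or not member or default_dom:
                continue
            for entry in (e.strip() for e in value.split(",")):
                name = entry.lstrip(GROUP_PREFIXES)
                # Skip substitutions such as %S, local root, and already-qualified names.
                if name and sep not in name and name != "root" and not name.startswith("%"):
                    prefix = entry[: len(entry) - len(name)]
                    msg = f"{entry} is unqualified; domain form is {prefix}{domain}{sep}{name}"
                    findings.append((section, key, msg))
    return findings


if __name__ == "__main__":
    for section, key, message in lint(SMB_CONF):
        print(f"[{section}] {key}: {message}")
```

An unqualified entry is only a problem if it is meant to name a domain account; local accounts and groups are reported the same way and can be ignored.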


