[Samba] Winbind & idmap_ad plugin: Debian kerberos-related problems fixed

JonR jonr at chiark.greenend.org.uk
Tue Feb 24 13:59:31 GMT 2004


Slowly making progress with Active Directory integration. I have Samba 3.0.2
as an ADS member, and I can see shares, including user home directories. My
linux boxes run Debian unstable, and use the PAM and NSS LDAP backends,
against an Active Directory on Windows 2000 SP4, using the MS Services For
Unix V2.0 schema updates. PAM-authenticated login, ssh etc. all work fine,
although I did have to enable anonymous searches of the Active Directory on
the DC.

To get this far, I have had to build MIT Kerberos 1.3.1 from source (Debian
only has v 1.3 packaged at the moment). This fixed problems with the RC4 hash
that stopped anything from working. I use a completely minimal krb5.conf:

[libdefaults]
        default_realm           = XXX.XXX.XXX.XXX

[realms]
        XXX.XXX.XXX.XXX = {
                kdc = 192.168.0.2
        }

However, my final problem is that users cannot write to files in their home
directories. I gather the way to fix this is to use Luke's idmap_ad plugin
from PADL, so I built that (for Debian you also need to at least configure a
Samba source tree somewhere - I fetched the source with apt-get, and killed the
build after the configuration). Now, I have winbindd using the idmap_ad plugin,
and wbinfo can convert SIDs to UIDs. (wbinfo -n jonr gets the SID, and
wbinfo -S <sid> gets the uid).

BUT: I still get permission denied trying to create new files or delete
existing ones in user home directories from a Windows XP SP1 client:

[2004/02/24 13:42:50, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(1001,1001) gid=(0,500)
[2004/02/24 13:42:50, 3] smbd/service.c:make_connection_snum(705)
  192.168.0.5 (192.168.0.5) connect to service IPC$ initially as user jonr (uid=1001, gid=500) (pid 12428)
[2004/02/24 13:42:50, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/02/24 13:42:50, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/02/24 13:42:50, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/02/24 13:42:50, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/02/24 13:42:50, 3] smbd/reply.c:reply_tcon_and_X(326)
  tconX service=IPC$
....

[2004/02/24 13:42:57, 3] smbd/process.c:switch_message(685)
  switch message SMBntcreateX (pid 12428)
[2004/02/24 13:42:57, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
[2004/02/24 13:42:57, 5] smbd/filename.c:unix_convert(114)
  unix_convert called on file "\New Text Document.txt"
[2004/02/24 13:42:57, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [/New Text Document.txt]
[2004/02/24 13:42:57, 5] smbd/filename.c:unix_convert(188)
  unix_convert begin: name = New Text Document.txt, dirpath = , start = New Text Document.txt
[2004/02/24 13:42:57, 5] smbd/filename.c:unix_convert(323)
  New file New Text Document.txt
[2004/02/24 13:42:57, 3] smbd/dosmode.c:unix_mode(110)
  unix_mode(New Text Document.txt) returning 0764
[2004/02/24 13:42:57, 5] smbd/files.c:file_new(122)
  allocated file structure 4137, fnum = 8233 (2 used)
[2004/02/24 13:42:57, 3] lib/util.c:unix_clean_name(580)
  unix_clean_name [New Text Document.txt]
[2004/02/24 13:42:57, 4] smbd/open.c:open_file_shared1(1004)
  calling open_file with flags=0x2 flags2=0x80 mode=0764
[2004/02/24 13:42:57, 3] smbd/open.c:open_file(110)
  Permission denied opening New Text Document.txt
[2004/02/24 13:42:57, 5] smbd/files.c:file_free(385)
  freed files structure 8233 (1 used)
[2004/02/24 13:42:57, 3] smbd/error.c:error_packet(94)
  error string = Operation not permitted
[2004/02/24 13:42:57, 3] smbd/error.c:error_packet(118)
  error packet at smbd/trans2.c(1811) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Any ideas? I can post full session logs if that helps (they're huge).

Jon.
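The log shows smbd switching to the winbind-mapped identity (uid 1001, gid 500) before the open fails, while logins on the same box get their uid from the NSS LDAP backend. The following diagnostic, added here and not part of Jon's post, compares the NSS uid, the winbind/idmap_ad uid (via the wbinfo -n / wbinfo -S calls from the post) and the numeric owner of the home directory, so a mismatch between the two identity sources or a directory owned by the "other" uid is visible before reading smbd logs. It assumes getent, wbinfo and GNU stat are installed; the user name "jonr" is taken from the post.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): the three identities that
# must agree before an AD user can write to a home directory served by an
# ADS-member smbd:
#   1. the uid the NSS LDAP backend (SFU uidNumber) returns via getent
#   2. the uid winbind/idmap_ad returns for the user's SID (wbinfo -n / -S)
#   3. the numeric owner of the home directory on disk
# smbd runs as identity (2), the "change_to_user uid=(1001,1001)" line in the
# log, so if it differs from (3) the open fails with "Permission denied".

# Pure comparison so it can be exercised without a live domain.
# Prints one of: consistent | nss-winbind-mismatch | owner-mismatch | unresolved
idmap_verdict() {
    nss_uid=$1; wb_uid=$2; owner_uid=$3
    if [ -z "$nss_uid" ] || [ -z "$wb_uid" ] || [ -z "$owner_uid" ]; then
        echo unresolved
    elif [ "$nss_uid" != "$wb_uid" ]; then
        echo nss-winbind-mismatch
    elif [ "$wb_uid" != "$owner_uid" ]; then
        echo owner-mismatch
    else
        echo consistent
    fi
}

# Gather the three values for a real user; any failed lookup is left empty
# and reported as "unresolved" rather than guessed.
check_user() {
    user=$1
    nss_uid=$(getent passwd "$user" 2>/dev/null | cut -d: -f3)
    home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    sid=$(wbinfo -n "$user" 2>/dev/null | awk '{print $1}')     # first field is the SID
    wb_uid=$( [ -n "$sid" ] && wbinfo -S "$sid" 2>/dev/null )
    owner_uid=$( [ -n "$home" ] && stat -c %u "$home" 2>/dev/null )
    verdict=$(idmap_verdict "$nss_uid" "$wb_uid" "$owner_uid")
    printf '%s: nss=%s winbind=%s owner(%s)=%s -> %s\n' \
        "$user" "${nss_uid:-?}" "${wb_uid:-?}" "${home:-?}" "${owner_uid:-?}" "$verdict"
}

# Usage: sh idmap_check.sh jonr
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

An "nss-winbind-mismatch" means logins and smbd see the user as two different uids; an "owner-mismatch" means the directory simply belongs to the wrong uid and a chown (or a corrected uidNumber) is the fix.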
