RES: [Samba] Samba3 with W2K Native Mode
Estevam Henrique Carvalho
estevamh at bmf.com.br
Fri Mar 19 18:23:33 GMT 2004
Have you looked at the samba-3.0.2a/source/nsswitch directory? Normally the pam
modules and nss libs are there; you need to manually copy them to /lib/security
(Debian system; maybe different in your distribution).
Also remember to run ldconfig after copying the files to the lib directory.
Make sure that your /etc/pam.d/login is something like this:
passwd: winbind files
shadow: files
group: winbind files
P.S.: For more information, read
http://us1.samba.org/samba/docs/man/winbind.html
-----Original Message-----
From: samba-bounces+ecarvalho=bmf.com.br at lists.samba.org
[mailto:samba-bounces+ecarvalho=bmf.com.br at lists.samba.org] On behalf of Axel
Spallek
Sent: Friday, March 19, 2004 05:41
To: Samba
Subject: AW: [Samba] Samba3 with W2K Native Mode
Hi.
I have news.
The Problem with 3.0.2-29 persisted, so I compiled 3.0.2a.
./configure --with-acl-support --with-winbind --with-ldap --with-ldapsam --with-pam --with-pam_smbpass --with-krb5=/usr/local --with-ads
One problem after that was the missing pam_winbind.so used by
nsswitch.conf(?).
Now I am as far as with 2.0.2-29. I can get a kinit Administrator ticket
and can do a net join ads.
But when I try to click on s7 in the Network-Section of S4 I get a
[2004/03/19 09:33:06, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/03/19 09:33:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/03/19 09:33:06, 2] smbd/server.c:exit_server(558)
  Closing connections
That worked with 3.0.2-29.
I can connect via net use m: \\<ip>\share.
I think there is a problem with
nsswitch
pam_*.so
/lib/security/samba
But how can I debug this?
Sincerely,
Axel Spallek
Hülenweg 21
89134 Blaustein
http://mail.map24.com/axel_spallek
-----Original Message-----
From: samba-bounces+axel=spallek.ws at lists.samba.org
[mailto:samba-bounces+axel=spallek.ws at lists.samba.org] On behalf of
Axel Spallek
Sent: Friday, February 27, 2004 10:51
To: Samba
Subject: [Samba] Samba3 with W2K Native Mode
Hi.
I use Samba 3.0.2-29 on Server S7.
In our network is a W2K Server named S4 running in Native Mode, Domain Name
hel.lan.
I tried to join the S4-Domain hel.lan.
s7:~ # kinit Administrator@HEL.LAN
Administrator@HEL.LAN's Password:
s7:~ # net ads join
[2004/02/27 08:20:54, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for s7 already exists - modifying old account
Using short domain name -- HEL
Joined 'S7' to realm 'HEL.LAN'
s7:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@HEL.LAN
  Issued           Expires          Principal
Feb 27 08:20:12  Feb 27 18:20:12  krbtgt/HEL.LAN@HEL.LAN
Feb 27 08:20:19  Feb 27 18:20:12  s4$@HEL.LAN
Feb 27 08:20:19  Feb 27 18:20:12  kadmin/changepw@HEL.LAN
rcsmb restart
rcwinbind restart
Last two are needed (don't know why) otherwise the new Credentials are not
usable (getent gives error).
These steps I have to do every morning, because the credentials expired. Is
there a workaround?
So far so good.
Next I tried to use these
getent passwd
wbinfo -u
wbinfo -g
getent group
without any problem. They work fine, I can see all users and groups from
ADS.
Next I tried to use a share.
My smb.conf:
# Samba config file created using SWAT
# from 172.23.4.3 (172.23.4.3)
# Date: 2004/02/16 15:00:31
# Global parameters
[global]
unix charset = LOCALE
workgroup = HEL
realm = HEL.LAN
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
password server = s4.hel.lan
log level = 2
preferred master = No
local master = No
domain master = No
wins server = s4.hel.lan
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
winbind use default domain = Yes
[asx]
path = /mnt/testsamba
force user = root
read only = No
[test]
path = /mnt/Test
# force user = root
read only = No
create mask = 0700
force create mode = 0700
directory mask = 0700
force directory mode = 0700
The directories definitely exist, but the only share I can use is the asx
with force user = root. No matter which other user I try (even without the
force user) I get the following error message in log.smbd:
[2004/02/27 08:22:38, 2] smbd/server.c:open_sockets_smbd(318)
  waiting for a connection
[2004/02/27 08:34:53, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to [test]
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to [test]
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to [test]
[2004/02/27 08:35:19, 0] smbd/service.c:make_connection_snum(677)
  '/mnt/Test' does not exist or is not a directory, when connecting to [test]
asx works:
[2004/02/27 08:35:33, 1] smbd/service.c:make_connection_snum(705)
  172.23.4.3 (172.23.4.3) connect to service asx initially as user root (uid=0, gid=0) (pid 732)
I can move the force user= root to the test share and I have the same
problem with asx.
s7:~ # dir /mnt
total 0
drwx------ 7 root root 184 Feb 16 13:41 .
drwxr-xr-x 20 root root 464 Feb 18 12:20 ..
drwxrwxrwx 3 as Domänen-Benutzer 72 Feb 16 13:57 Test
drwxrwxrwx 3 akey users 440 Feb 18 13:11 testsamba
As you can see the rights are changed to o+rwx for testing. No difference.
"as" is an ADS-User. "Domänen-Benutzer" is a group from ADS. As you can see I
can do a "chown hel+as /mnt/test".
akey and users are local. force user = akey doesn't work as well as force
user hel+as
Is this a bug? I did not find a patch. Can anyone help?
s7:~ # cat /etc/krb5.conf
[libdefaults]
default_realm = HEL.LAN
clockskew = 300
[realms]
HEL.LAN = {
kdc = S4.HEL.LAN
# admin_server = MY.COMPUTER
kpasswd_server = S4.HEL.LAN
}
# OTHER.REALM = {
# kdc = OTHER.COMPUTER
# }
[domain_realm]
hel.lan = HEL.LAN
.hel.lan = HEL.LAN
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
s7:~ # cat /etc/nsswitch.conf
passwd: files winbind
shodow: files
group: files winbind
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis
aliases: files
Regards,
Axel Spallek
Hülenweg 21
89134 Blaustein
http://mail.map24.com/axel_spallek
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
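
One way to check the two things this thread turns on, the nsswitch.conf entries and the presence of the winbind NSS library, is shown here as an added example that is not part of any message in the thread. The function names `check_nsswitch` and `nss_lib_present` are hypothetical, the list of database names is an assumption (the glibc names plus the extra ones that appear in the posted file), and the sample input is constructed.

```shell
#!/bin/sh
# Added example: lint an nsswitch.conf for a winbind setup.
# The database list is an assumption: glibc names plus the extra ones in the post.
NSS_DBS="aliases automount bootparams ethers group gshadow hosts initgroups netgroup"
NSS_DBS="$NSS_DBS netmasks networks passwd protocols publickey rpc services shadow"

# check_nsswitch FILE: print one finding per line, nothing if the file passes.
check_nsswitch() {
    awk -v names="$NSS_DBS" '
    BEGIN { n = split(names, k, " "); for (i = 1; i <= n; i++) known[k[i]] = 1 }
    { sub(/#.*/, "") }                      # drop comments
    NF == 0 { next }                        # skip blank lines
    {
        c = index($0, ":")
        if (c == 0) { printf "line %d: no \"database:\" prefix\n", NR; next }
        db = substr($0, 1, c - 1); gsub(/[ \t]/, "", db)
        seen[db] = 1
        if (!(db in known))
            printf "line %d: \"%s\" is not a known database name\n", NR, db
        if (db == "passwd" || db == "group") {
            m = split(substr($0, c + 1), svc, " "); found = 0
            for (i = 1; i <= m; i++) if (svc[i] == "winbind") found = 1
            if (!found) printf "line %d: %s does not list winbind\n", NR, db
        }
    }
    END {
        if (!("passwd" in seen)) print "no passwd entry"
        if (!("group" in seen))  print "no group entry"
    }' "$1"
}

# nss_lib_present SERVICE DIR...: print the path of libnss_SERVICE.so.2 if found.
nss_lib_present() {
    svc=$1; shift
    for d in "$@"; do
        if [ -e "$d/libnss_$svc.so.2" ]; then echo "$d/libnss_$svc.so.2"; return 0; fi
    done
    return 1
}

# Constructed sample input (not the poster's file), checked when run directly.
sample=$(mktemp)
printf '%s\n' 'passwd: files winbind' 'shodow: files' 'group: files' > "$sample"
check_nsswitch "$sample"
nss_lib_present winbind /lib /usr/lib /lib64 /usr/lib64 || echo "libnss_winbind.so.2 not found"
rm -f "$sample"
```

On a real host, pass /etc/nsswitch.conf to `check_nsswitch` and the library directories of your distribution to `nss_lib_present`.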