[Samba] winbind: authenticating UNIX user before Win Domain user

Greg Chavez greg.chavez at gmail.com
Wed Nov 17 20:48:06 GMT 2004

We have a samba 3.0.7 server on RHEL-3 (rain) joined as a domain
member (security = domain) to a win2k pdc (clouds) for the domain DOM.
 We have several unix users and two Win-only users.  The unix users
have matching AD accounts on the win2k, but the Win-only users do not
have unix accounts (and we want to keep it that way).  So, it seemed
that winbind would be the best way to bridge the gap:

1.  UNIX users could access shares on the samba server in the same way
whether logged on to windows workstation or the samba server itself
2.  Files created on the shares would be controlled via permissions
for UNIX users and groups.
3.  Win users would not need to have UNIX accounts created, but could
access the samba shares as easily as the UNIX users.
4.  Home directories and profiles will be pulled from the samba server.

It works well exept that winbind does not authenticate the UNIX users
as expected when they logon from Windows.  For example: from Windows
workstation, I log on as "gchavez".  There is a UNIX user on the samba
server "gchavez" which I expect winbind to authenticate against when I
try to access the samba shares.  This does not happen.  Instead,
winbind authenticates against the win2k server with my Win account,
DOM+gchavez, and things don't work (although it does manage to map my
home directory correctly).

Consequently, I come in with Windows group permissions (DOM+Domain
Users) and cannot access the shares protected with UNIX group
permissions.  I am trying to keep this message short, but these
command line vitals should tell the rest of the story.

shell> tesparm -sv 
        workgroup = DOM
        security = DOMAIN
        passdb backend = tdbsam
        username map = /etc/samba/smbusers
        log level = 2
        client use spnego = No
        preferred master = No
        local master = No
        domain master = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        valid users = +users, "DOM+Domain Users"
        force group = +users
        read only = No
        create mask = 0660
        directory mask = 01770

        comment = "DOM Home Directories"
        path = /usera/home/%U/winhome
        create mask = 0600
        directory mask = 0740
        browseable = No

        comment = "Product Documentation - full access"
        path = /usera/docs

        comment = "Shared Programs - full access"
        path = /usera/programs

        comment = "Backups"
        path = /usera/backups

        comment = "Project Files - full access"
        path = /usera/projects

        comment = "PSC Project - restricted"
        path = /usera/projects/psc
        valid users = +psc
        force group = +psc

shell> getent passwd | grep gchavez
gchavez:x:503:503:Greg Chavez:/home/gchavez:/bin/bash
DOM+gchavez:x:10007:10000:Greg Chavez:/home/OSDS/gchavez:/bin/false

** this happens when I try to access my homes share from windows, the 
shares are chmod'd with full permission so I can get in ***
shell> tail /var/log/samba/smb.log
[2004/11/17 15:09:12, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [gchavez] -> [gchavez]
-> [DOM+gchavez] succeeded
[2004/11/17 15:09:14, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2004/11/17 15:09:14, 0] smbd/service.c:make_connection_snum(570)
  Can't become connected user!
[2004/11/17 15:09:14, 1] smbd/service.c:make_connection_snum(648)
  sunfish (xx.93.106.16) connect to service gchavez initially as user
DOM+gchavez (uid=10007, gid=10000) (pid 3312)

# net groupmap list | grep users
Domain Users (S-1-5-21-1316288518-2476102628-626236970-513) -> users   

# grep winbind /etc/nsswitch.conf
passwd:     files winbind
group:      files winbind

--Greg Chavez

More information about the samba mailing list