[Samba] Permission weirdness
Chris
chrisd at better-investing.org
Fri Sep 10 14:07:29 GMT 2004
Okay...
Another interesting turn-out...
I issued a 'klist' on my samba server.
And got this:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MOE at DOMAIN
Valid starting Expires Service principal
09/09/04 16:10:24 09/10/04 02:10:29 krbtgt/DOMAIN at DOMAIN
renew until 09/10/04 16:10:24
Is this a problem? Should I issue a kdestroy? I am not that strong with
kerberos yet, and I am a little fuzzy on the implications of doing a
kdestroy.
Anyone?
Thanks.
Chris
On Thursday 09 September 2004 04:34 pm, Chris wrote:
> Okay,
>
> I left and rejoined the domain.
>
> Same problem... if this is the problem....
>
> Any help is appreciated!
>
> Thanks.
>
>
> Chris
>
> On Thursday 09 September 2004 04:13 pm, Chris wrote:
> > Okay..
> >
> > I think I may have found something, but I don't know what to do about
> > it....
> >
> > I have found this in my log.winbind file:
> >
> >
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> > Added domain NAIC NAIC.INT S-0-0
> > [2004/09/09 15:50:55, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
> > krb5_cc_get_principal failed (No credentials cache found)
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> > Added domain NAICSYS S-1-5-21-1898674339-994652211-837300805
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> > Added domain BUILTIN S-1-5-32
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> > Added domain PERSEUS S-1-5-21-3652935647-1358748155-3390278020
> >
> > It is the "No credentials found" part that looks suspicious. When I
> > initially rolled the system out a couple months back, it did not give
> > this error. Now it does, and I can't think of a thing that has changed
> > on the system.
> >
> > Again, the weird thing is it doesn't appear to affect everybody, just
> > certain users trying to use certain resources.
> >
> > I have seen many posts with this error, but no solutions to it. I am
> > going to try to leave and rejoin the domain... I hope I don't regret
> > that...
> >
> >
> > Chris
> >
> > On Thursday 09 September 2004 03:28 pm, Chris wrote:
> > > This is worse than I thought!
> > >
> > > Another user has now complained to me that he does not have rights to
> > > something he should have rights to!
> > >
> > > I have a printer shared out, to use it you must be in the
> > > DOMAIN+ColorPrint_ group. He is a member, and yet it won't let him
> > > even access it to install it! An authentication box pops up asking for
> > > username and passwd.
> > >
> > > [phaser8400]
> > > path = /var/spool/samba
> > > valid users = @Domain+ColorPrint_
> > > printable = Yes
> > > printer name = phaser8400
> > > browseable = No
> > > root preexec = echo Connect :%T U.G=%U.%G u.g=%u.%g
> > >
> > > >> /root/.info/p8400.log
> > >
> > > root postexec = echo Disconnect:%T U.G=%U.%G u.g=%u.%g
> > >
> > > >> /root/.info/p8400.log
> > >
> > > printer admin = @"DOMAIN+Domain Admins"
> > >
> > > Nothing has changed... I haven't messed with any of the configuration
> > > files or added any new software. This just started happening
> > > spontaneously it seems.
> > >
> > > my wbinfo -t/-u/-g all look good.
> > >
> > > Is the tdb corrupted or something? What can I do to fix this?
> > >
> > >
> > > Chris
> > >
> > > On Thursday 09 September 2004 02:29 pm, Chris wrote:
> > > > Hello.
> > > >
> > > > I am running samba 3.0.5 in an ADS environment. I have a win2k3
> > > > server as the DC and my samba machine (running on Gentoo Linux) is a
> > > > member of that domain. I am using winbind.
> > > >
> > > > I have three users, for this example I will call them Larry, Curly
> > > > and Moe. All three have RW access to a share on the server called
> > > > "stooges". The linux perms on this directory look like this:
> > > >
> > > > drwxrwx--- root DOMAIN+stooges_ stooges
> > > >
> > > > There are other users who are members of the DOMAIN+stooges group,
> > > > but these three are in charge and need access to a more restricted
> > > > subdirectory of stooges. So I made a stooges_CIA directory under the
> > > > stooges share.
> > > >
> > > > Its linux perms look like this:
> > > >
> > > > drwxrwx--- root DOMAIN+stooges_CIA_ stooges_CIA
> > > >
> > > > Larry, Curly and Moe are all members of both the DOMAIN+stooges_CIA_
> > > > (only those three) and the DOMAIN+stooges_ groups (those 3 plus other
> > > > users in the dept).
> > > >
> > > > Now here is the strange part:
> > > >
> > > > Larry and curly can access everything in the share stooges and the
> > > > subdirectory stooges_CIA. Moe, can access everyting in the stooges
> > > > share but NOT anything in the stooges_CIA subdir.
> > > >
> > > > This makes absolutely no sense to me! Moe is a group member of
> > > > DOMAIN+stooges_CIA. He shows up thusly when I do a 'getent group' or
> > > > when I do a 'groups DOMAIN+moe'. Likewise, he shows up on the domain
> > > > controller as being part of that group. *BOTH* systems have him
> > > > listed in that group -- but for some reason he has no access!
> > > >
> > > > He gets this error:
> > > >
> > > > "\\server\stooges\stooges_CIA is not accessible. You might not have
> > > > permission to use this network resource. Contact the administrator
> > > > of this server to find out if you have access permissions."
> > > >
> > > > What the heck is going on here?
> > > >
> > > > Thanks!
> > > >
> > > > Chris
More information about the samba
mailing list