[Samba] Permission weirdness

Chris chrisd at better-investing.org
Fri Sep 10 14:07:29 GMT 2004


Okay...

Another interesting turn-out...

I issued a 'klist' on my samba server.

And got this:


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MOE@DOMAIN

Valid starting     Expires            Service principal
09/09/04 16:10:24  09/10/04 02:10:29  krbtgt/DOMAIN@DOMAIN
        renew until 09/10/04 16:10:24

Is this a problem?  Should I issue a kdestroy?  I am not that strong with 
kerberos yet, and I am a little fuzzy on the implications of doing a 
kdestroy.

Anyone?



Thanks.

Chris


On Thursday 09 September 2004 04:34 pm, Chris wrote:
> Okay,
>
> I left and rejoined the domain.
>
> Same problem... if this is the problem....
>
> Any help is appreciated!
>
> Thanks.
>
>
> Chris
>
> On Thursday 09 September 2004 04:13 pm, Chris wrote:
> > Okay..
> >
> > I think I may have found something, but I don't know what to do about
> > it....
> >
> > I have found this in my log.winbind file:
> >
> >
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> >   Added domain NAIC NAIC.INT S-0-0
> > [2004/09/09 15:50:55, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
> >   krb5_cc_get_principal failed (No credentials cache found)
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> >   Added domain NAICSYS  S-1-5-21-1898674339-994652211-837300805
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> >   Added domain BUILTIN  S-1-5-32
> > [2004/09/09 15:50:55, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
> >   Added domain PERSEUS  S-1-5-21-3652935647-1358748155-3390278020
> >
> > It is the "No credentials found" part that looks suspicious.  When I
> > initially rolled the system out a couple months back, it did not give
> > this error.  Now it does, and I can't think of a thing that has changed
> > on the system.
> >
> > Again, the weird thing is it doesn't appear to affect everybody, just
> > certain users trying to use certain resources.
> >
> > I have seen many posts with this error, but no solutions to it.  I am
> > going to try to leave and rejoin the domain... I hope I don't regret
> > that...
> >
> >
> > Chris
> >
> > On Thursday 09 September 2004 03:28 pm, Chris wrote:
> > > This is worse than I thought!
> > >
> > > Another user has now complained to me that he does not have rights to
> > > something he should have rights to!
> > >
> > > I have a printer shared out, to use it you must be in the
> > > DOMAIN+ColorPrint_ group.  He is a member, and yet it won't let him
> > > even access it to install it!  An authentication box pops up asking for
> > > username and passwd.
> > >
> > > [phaser8400]
> > >         path = /var/spool/samba
> > >         valid users = @Domain+ColorPrint_
> > >         printable = Yes
> > >         printer name = phaser8400
> > >         browseable = No
> > >         root preexec = echo Connect   :%T U.G=%U.%G u.g=%u.%g >> /root/.info/p8400.log
> > >         root postexec = echo Disconnect:%T U.G=%U.%G u.g=%u.%g >> /root/.info/p8400.log
> > >
> > >         printer admin = @"DOMAIN+Domain Admins"
> > >
> > > Nothing has changed...   I haven't messed with any of the configuration
> > > files or added any new software.  This just started happening
> > > spontaneously it seems.
> > >
> > > my wbinfo -t/-u/-g all look good.
> > >
> > > Is the tdb corrupted or something?   What can I do to fix this?
> > >
> > >
> > > Chris
> > >
> > > On Thursday 09 September 2004 02:29 pm, Chris wrote:
> > > > Hello.
> > > >
> > > > I am running samba 3.0.5 in an ADS environment.  I have a win2k3
> > > > server as the DC and my samba machine (running on Gentoo Linux) is a
> > > > member of that domain. I am using winbind.
> > > >
> > > > I have three users, for this example I will call them Larry, Curly
> > > > and Moe. All three have RW access to a share on the server called
> > > > "stooges". The linux perms on this directory look like this:
> > > >
> > > > drwxrwx---  root DOMAIN+stooges_         stooges
> > > >
> > > > There are other users who are members of the DOMAIN+stooges group,
> > > > but these three are in charge and need access to a more restricted
> > > > subdirectory of stooges.  So I made a stooges_CIA directory under the
> > > > stooges share.
> > > >
> > > > Its linux perms look like this:
> > > >
> > > > drwxrwx--- root DOMAIN+stooges_CIA_   stooges_CIA
> > > >
> > > > Larry, Curly and Moe are all members of both the DOMAIN+stooges_CIA_
> > > > (only those three) and the DOMAIN+stooges_ groups (those 3 plus other
> > > > users in the dept).
> > > >
> > > > Now here is the strange part:
> > > >
> > > > Larry and Curly can access everything in the share stooges and the
> > > > subdirectory stooges_CIA.  Moe can access everything in the stooges
> > > > share but NOT anything in the stooges_CIA subdir.
> > > >
> > > > This makes absolutely no sense to me!  Moe is a group member of
> > > > DOMAIN+stooges_CIA.  He shows up thusly when I do a 'getent group' or
> > > > when I do a 'groups DOMAIN+moe'.  Likewise, he shows up on the domain
> > > > controller as being part of that group.  *BOTH* systems have him
> > > > listed in that group -- but for some reason he has no access!
> > > >
> > > > He gets this error:
> > > >
> > > > "\\server\stooges\stooges_CIA is not accessible.  You might not have
> > > > permission to use this network resource.  Contact the administrator
> > > > of this server to find out if you have access permissions."
> > > >
> > > > What the heck is going on here?
> > > >
> > > > Thanks!
> > > >
> > > > Chris

