[Samba] 2k3Srv ADS, debian member server, Ubuntu workstations and no write access to share (security =ADS mode, winbind, krb5)

john dooley gpcglist at ontheparkgp.com
Sun Aug 7 23:47:01 GMT 2005


Hi All,
I'm going nuts trying to get a mixed environment going.  I have a couple
of problems: one related to logons and passwords, which I think is a
pam.d/gdm config error on my part, and one where I can't get write access
from the Ubuntu clients to the domain member server share.  This is the
most critical... please help me fix this.

In a nutshell:
Single win 2003 Srv ADS (sp1)
A single domain member server (Debian sarge box).
Multiple Ubuntu/Debian workstations using gnome (hoary latest and debian
sarge-stable)

Using the winbind/Kerberos method from the manual.
Aiming for single sign-on and having the Ubuntu workstations write to
(at this stage *any*) share on the Debian box.

Basic problem is this:
Ubuntu boxes can see the share on the Debian box, but for the life of me
I cannot get them write access to any of the directories (I can't get
write access to files using gedit or OpenOffice under GNOME; I can
apparently execute a logon as a domain user, NEXUS+sci1 for example).
Strangely, I can create an empty file, rename it to .txt and then open it
in gedit (but only read-only)!  I am confused also because if I log on
to the W2k3 Server as Administrator and examine the share I have write
permission and can alter files (I also have this user as an admin user
in the smb.conf).  I am not sure my pam.d/gdm and other pam files are
right.  I also get asked for auth to access the share after logging on
as a domain user (which I need to fix).

On the Debian member server side I have set permissions on the share
directory to rwx for owner, group and world, chown'd the files to NEXUS+sci1
(my test user) and chgrp'd them to NEXUS+domain users.  On the 2003 ADS
side I published the share and gave full control to Domain Users (I think
successfully).

Here's the directory that's being shared [sharefile]:
drwxrwxrwx   6 sci1                NEXUS+domain users  4096 2005-08-08
09:12 tmp

Here's a test file on the share that I can only open read-only no matter
what I do on the Debian/Ubuntu workstations with GNOME/gedit.  Looking at
permissions from the GNOME workstation I get 744: user rwx, group and
other r only (which seems to match the behaviour but not the permissions
on the actual file on the share; I manually set them on the share just
to be sure).
-rwxrwxrwx  1 NEXUS+sci1 NEXUS+domain users    14 2005-08-08 09:28
krb5cc_0.txt

Even more strangely, I managed to open it with the Bluefish editor, change
and SAVE it!  But OpenOffice and gedit can't access it (OpenOffice gives
a "file does not exist" error and gedit will only open it read-only).

As for authentication:
I can join the boxes to the domain, I think successfully, i.e. from both
the Debian member server and the Ubuntu boxes I can execute a net ads join
command, wbinfo -u / wbinfo -g, getent passwd and getent group okay and see
all the AD users in the domain.  The machines appear in the Active Directory
Computers section.

Example on the Debian member server from getent passwd:
NEXUS+administrator:x:10000:10000:Administrator:/home/NEXUS/administrator:/bin/bash
NEXUS+dl380$:x:10008:10003:dl380:/home/NEXUS/dl380_:/bin/bash
NEXUS+ws1$:x:10009:10003:ws1:/home/NEXUS/ws1_:/bin/bash

I'm out of my depth (I'm on the steep part of the learning curve from
Windows peer-to-peer land); it's like there is still a block on
authentication for the Ubuntu boxes that I don't realise (I thought I had
given appropriate access and permissions). I apologise for being pretty
clueless.  I have been thinking it's a permissions issue relating to the
Ubuntu boxes not authing as the correct user or something (due to my
pam.d/gdm hacking).  I have posted the smb.conf from the Debian member
server.
I can post log.smbd etc. if that helps.

If it's too hard to fix me, can someone post a known good smb.conf and
set of pam.d/ files for a Debian box (especially pam.d/gdm)?  Otherwise
I will have to resort to two sets of users, Linux and Windoze...  The
Windoze box runs a proprietary database app and will have TS sessions to
that app only (plus run Active Directory and DNS).  The Linux boxes will
be the workhorses for the users (OpenOffice etc.) and open .rdp sessions
to the database as necessary.  LDAP is too advanced for me.

Thanks in advance:

John Dooley


SMB.conf
# Samba config file created using SWAT  <<<  I'm not using SWAT though
# from 192.168.0.20 (192.168.0.20)
# Date: 2005/07/22 08:34:10

# Global parameters
[global]
        security = ads
        realm = INTRANET.NEXUSDOMAIN.COM
        encrypt passwords = yes
        password server = nexus01.intranet.nexusdomain.com
        workgroup = NEXUS
        winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        obey pam restrictions = yes
        password server = *
        log level = 2
        admin users = NEXUS+administrator
        nt acl support = Yes
        map acl inherit = Yes
        client use spnego = Yes
[homes]
        comment = Home Directories

[sharefile]
        comment = Temporary file space
        path = /tmp
        read only = no
        writeable = yes
        valid users =  @"NEXUS+domain users"  NEXUS+domainall
        public = yes
#       create mode = 0777
#       directory mode =0777

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files winbind
shadow:         files

hosts:          files dns hosts wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

KRB5.CONF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]

ticket_lifetime = 24000
default_realm = INTRANET.NEXUSDOMAIN.COM
#default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
#default_tgt_enctypes = des3-hmac-sha1 des-cbc-crc


[realms]
INTRANET.NEXUSDOMAIN.COM = {
#       kdc=192.168.0.2:88
        kdc = nexus01.intranet.nexusdomain.com:88
        admin_server = nexus01.intranet.nexusdomain.com
        default_domain = INTRANET.NEXUSDOMAIN.COM
}
[domain_realm]
        .intranet.nexusdomain.com = INTRANET.NEXUSDOMAIN.COM
        intranet.nexusdomain.com = INTRANET.NEXUSDOMAIN.COM


dl380:/etc/pam.d# cat common-*
#

COMMON ACCOUNT
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so
#

COMMON AUTH
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_unix.so nullok_secure
#

COMMON PASSWORD
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password   required   pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required       pam_cracklib.so retry=3 minlen=6 difok=3
# password required       pam_unix.so use_authtok nullok md5

#

COMMON SESSION
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so


UBUNTU/DEBIAN PAM.D/GDM
dl380:/tmp# cat gdm
#%PAM-1.0
auth sufficient pam_winbind.so
auth    requisite       pam_nologin.so
auth    required        pam_env.so
account sufficient pam_winbind.so
account sufficient pam_unix.so use_first_pass
@include common-auth
@include common-account
session required        pam_limits.so
session sufficient pam_winbind.so
@include common-session
password sufficient pam_winbind.so
@include common-password
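The posted smb.conf can be checked mechanically for the things a reviewer would raise before looking at PAM at all. The script below is an added example written for this page; it is not part of the original post and not Samba's own tooling (testparm validates syntax but does not flag these). It parses an smb.conf the way smbd does for duplicated keys (the last value wins, so a second `password server = *` silently overrides the named DC), reports `admin users` (those accounts perform every file operation on the member server as root), flags a non-printer share whose `path` is `/tmp` or below it, and flags `public = yes` (a synonym for `guest ok = yes`) on a share that also restricts `valid users`. `SAMPLE_CONF` is a constructed, abridged copy of the posted file; the `lint` and `parse_smb_conf` names are mine.

```python
"""Added example (not from the original post or from Samba): a small
smb.conf parser and linter for the pitfalls visible in the posted file.
SAMPLE_CONF is a constructed, abridged copy of that file."""
import os
import re
from collections import OrderedDict

# Constructed sample: an abridgement of the smb.conf posted above.
SAMPLE_CONF = """
[global]
        security = ads
        realm = INTRANET.NEXUSDOMAIN.COM
        password server = nexus01.intranet.nexusdomain.com
        workgroup = NEXUS
        password server = *
        admin users = NEXUS+administrator

[sharefile]
        comment = Temporary file space
        path = /tmp
        read only = no
        valid users = @"NEXUS+domain users" NEXUS+domainall
        public = yes

[printers]
        path = /tmp
        printable = Yes
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
TRUE = ("yes", "true", "1")


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicates.

    Keys are normalised the way smbd does: case-folded with inner
    whitespace collapsed, so 'Read Only' and 'read only' are one parameter.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                           # not a 'key = value' line
        key, _, value = line.partition("=")
        sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections


def lint(sections):
    """Return human-readable findings for a parsed config, in file order."""
    findings = []
    for name, params in sections.items():
        seen = {}
        for key, value in params:
            if key in seen:                    # smbd keeps the LAST value
                findings.append(
                    f"[{name}] '{key}' set twice; smbd uses the last value "
                    f"({value!r}), the earlier {seen[key]!r} is ignored")
            seen[key] = value
        eff = dict(params)                     # last occurrence wins, as in smbd
        if name == "global":
            if "admin users" in eff:
                findings.append(
                    f"[global] admin users = {eff['admin users']}: these accounts "
                    "do every file operation on every share as root")
            continue
        path = eff.get("path")
        if path and eff.get("printable", "no").lower() not in TRUE:
            norm = os.path.normpath(path)
            if norm == "/tmp" or norm.startswith("/tmp/"):
                findings.append(
                    f"[{name}] path = {path}: exports the system temp directory, "
                    "where other users' scratch files and sockets live")
        guest = eff.get("public", eff.get("guest ok", "no")).lower()
        if guest in TRUE and "valid users" in eff:
            findings.append(
                f"[{name}] public = yes (guest ok) contradicts valid users = "
                f"{eff['valid users']}; set guest ok = no on a domain member share")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_CONF)):
        print(finding)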
-- 


More information about the samba mailing list