[Samba] need some assistance - Samba 3.09 on FreeBSD 4.5

Jon Starbird jcstar at streamtheory.com
Tue Jan 11 20:10:12 GMT 2005


Hello,
	I've been able to get Samba up and running, and it joins the ADS domain 
fine. It appears in the network browser on our Windows machines, but when 
anyone attempts to access a restricted share it fails to authenticate 
them. I say restricted because if anyone accesses an open-to-everyone 
share it works.

I'm trying to get the entire thing set up so that the Samba server is 
just a MEMBER of the Active Directory domain, running in Native mode. I 
do not want the Samba machine to be any kind of domain controller.

I've run wbinfo and it does return all the info correctly.

The log files, logging set to level 3, are showing the following when 
someone attempts to connect to a restricted share:

 From the log of the machine attempting to access Samba share:

[2005/01/11 11:50:50, 2] smbd/service.c:make_connection_snum(314)
   user '[real username]' (from session setup) not permitted to access this share ([real share name])
[2005/01/11 11:50:50, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

 From the log.smbd:

[2005/01/11 11:50:50, 0] smbd/server.c:open_sockets_smbd(383)
   open_sockets_smbd: accept: Software caused connection abort

 From the log.winbindd:

[2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
   [ 5472]: request interface version
[2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
   [ 5472]: request location of privileged pipe
[2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(210)
   [ 5472]: domain_info [[CORRECT_DOMAIN_NAME.COM]]
[2005/01/11 11:50:50, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(210)
   [ 5472]: domain_info [[CORRECT_DOMAIN_NAME.COM]]
[2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
   [ 5472]: gid to sid 1001
[2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
   [ 5472]: gid to sid 0
[2005/01/11 11:50:50, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
   [ 5472]: gid to sid 70
[2005/01/11 11:51:50, 3] nsswitch/winbindd_ads.c:trusted_domains(832)
   ads: trusted_domains
[2005/01/11 11:51:50, 3] libads/ldap.c:ads_connect(247)
   Connected to LDAP server [correct IP to Domain Controllor]
[2005/01/11 11:51:50, 3] libads/ldap.c:ads_server_info(2432)
   got ldap server name [correct_DC_NAME at correct_domain.com], using bind path: dc=[correct domain name],dc=COM
[2005/01/11 11:51:50, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
   IPC$ connections done anonymously
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_start_connection(1382)
   Connecting to host=[correct dc name]
[2005/01/11 11:51:50, 3] lib/util_sock.c:open_socket_out(752)
   Connecting to [correct dc ip] at port 445
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(713)
   Doing spnego session setup (blob length=115)
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 2 840 48018 1 2 2
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 2 840 113554 1 2 2
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 2 840 113554 1 2 2 3
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(738)
   got OID=1 3 6 1 4 1 311 2 2 10
[2005/01/11 11:51:50, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
   got principal=[correct dc name]$@[correct domain name.com]
[2005/01/11 11:51:50, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(538)
   Doing kerberos session setup
[2005/01/11 11:51:50, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
   Ticket in ccache[MEMORY:cliconnect] expiration Tue, 11 Jan 2005 21:51:48 GMT


[smb.conf]

[global]
   workgroup = domain_name
   realm = realm_name.com
   server string = Samba Server
   netbios name = server_name
   hosts allow = [several IP ranges to allow from]
   security = ADS
   encrypt passwords = yes
   password server = DC_name.domainname.com
   #username map = /etc/samba/smbusers
   client signing = yes
   server signing = yes
   guest account = samba
   log level = 3
   log file = /var/log/samba/log.%m
   max log size = 50
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template primary group = "Domain Users"
   template shell = /bin/bash
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = fxp0
   local master = no
   dns proxy = no
   winbind separator = _

#============================ Share Definitions ==============================
[homes]
    comment = Home Directories
    browseable = no
    read only = No
    valid users = %S

# A publicly accessible directory, but read only, except for people in
# the "staff" group
[public]
    comment = Public Stuff
    path = /home/samba
    browseable = yes
    public = yes
    read only = no
    printable = no
    valid users = @"domainname.com_Domain Users"

# Processing share, contains processing files and tools.
[share name]
    comment = Stuff
    path = /usr/local/stuff
    browseable = yes
    public = yes
    read only = no
    printable = no
    valid users = @"domainname.COM_Domain Users"
    create mask = 666
    directory mask = 777
    force user = mrjones
    force group = webheads



Any help will be greatly appreciated.


Thanks,
Jon
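
The log excerpts in this message are two-line records (a `[timestamp, level] file:function(line)` header followed by an indented message), and mail wrapping splits some of them, so a plain grep for the refusal can miss entries. As an added example that is not part of the original post, this Python code rejoins wrapped records in that format and lists the share-access refusals; the sample log, user names and share name are constructed.

```python
import re

# Constructed sample in the format of the logs quoted in the post; the user
# and share names are placeholders, and two records are wrapped as mail does.
SAMPLE_LOG = """\
[2005/01/11 11:50:50, 2] smbd/service.c:make_connection_snum(314)
  user 'alice' (from session setup) not permitted to access this share (stuff)
[2005/01/11 11:50:50, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2005/01/11 11:50:51, 3]
nsswitch/winbindd_sid.c:winbindd_gid_to_sid(422)
  [ 5472]: gid to sid 1001
[2005/01/11 11:52:03, 2] smbd/service.c:make_connection_snum(314)
  user 'bob' (from session setup) not permitted to access
this share (stuff)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]\s*(.*)$")
DENIED = re.compile(r"user '([^']*)' \(from session setup\) "
                    r"not permitted to access this share \((.*)\)$")

def parse_records(text):
    """Return one dict per log record, rejoining wrapped lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3).strip(), "message": ""})
        elif records and line.strip():
            rec = records[-1]
            if not rec["source"]:      # source location wrapped to next line
                rec["source"] = line.strip()
            else:                      # message text, possibly wrapped
                rec["message"] = (rec["message"] + " " + line.strip()).strip()
    return records

def denied_share_access(text):
    """Return (time, user, share) for every refused share connection."""
    hits = []
    for rec in parse_records(text):
        m = DENIED.search(rec["message"])
        if m and rec["source"].startswith("smbd/service.c:make_connection"):
            hits.append((rec["time"], m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for when, user, share in denied_share_access(SAMPLE_LOG):
        print(f"{when}  user={user}  share={share}")
```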





