[Samba] winbind group problem
todd.jones at weirminerals.com
Sun Jul 9 07:44:56 GMT 2006
My Samba server is a domain member to a Win2k ADS domain. I have a domain
group where some members of the group can access a particular share, while
others cannot. If the user tries to log in from a different system, the
problem still exists. Additionally, the user can log into other shares. I
have verified this with two different groups. It seems like the system
cannot identify the username in the group. All other tests with getent
and wbinfo appear as expected and the server tends to run fine for most
users on most shares.
OS = RedHat Ent Server 3 update 3
Samba = 3.0.9-1.3E.5
Kerberos = 1.2.7-47
Relevant smb.conf
[global]
workgroup = WARGROUP
realm = GT.WARMAN.COM.AU
server string = sydtch1 file server
security = ADS
log level = 5
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
domain master = No
dns proxy = No
ldap ssl = no
idmap uid = 15000-20000
idmap gid = 15000-20000
template homedir = /fshare/users/%U
winbind cache time = 120
cups options = raw
[matproj]
path = /fshare/depdata/materialprojects
valid users = @WARGROUP\matproj
read only = No
create mask = 0660
directory mask = 0775
The WARGROUP\matproj group has four users, one of which is Administrator
and cannot connect to the matproj share while the other users can. The
following error appears when debugging. I have more extensive logs, if
requested. The permissions on the matproj directory are 2775 with the
WARGROUP\matproj group having group ownership.
[2006/07/09 16:54:08, 2] smbd/service.c:make_connection_snum(314)
user 'WARGROUP\administrator' (from session setup) not permitted
to access this share (matproj)
[2006/07/09 16:54:08, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
My krb5.conf file is as follows.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = GT.WARMAN.COM.AU
dns_lookup_realm = false
dns_lookup_kdc = false
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
GT.WARMAN.COM.AU = {
kdc = wgtnts1.gt.warman.com.au:88
admin_server = wgtnts1.gt.warman.com.au:749
default_domain = gt.warman.com.au
}
[domain_realm]
.gt.warman.com.au = GT.WARMAN.COM.AU
gt.warman.com.au = GT.WARMAN.COM.AU
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
My nsswitch.conf file.
passwd: files winbind
shadow: files
group: files winbind
hosts: files dns winbind
bootparams: files
ethers: files
netmasks: files
networks: files dns
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
I'm not sure if it's related, but I'm also seeing a lot of the following
errors in my winbindd.log file.
[2006/07/09 17:01:24, 3] lib/charcnv.c:convert_string_allocate(576)
convert_string_allocate: Conversion error: Illegal multibyte
sequence(å µ )
[2006/07/09 17:01:24, 3] lib/charcnv.c:convert_string_allocate(567)
convert_string_allocate: Conversion error: Incomplete multibyte
sequence(µ )
Thanks for any assistance.
Todd Jones
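An added example, not part of the original post: a small parser that pulls the share-level refusals (the make_connection_snum message quoted above) out of an smbd log and counts them per user and share. The sample log is constructed from the excerpt in the post; the 'jsmith' entry and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the smbd excerpt quoted in the post.
# The 'jsmith' entry is invented for illustration.
SAMPLE_LOG = """\
[2006/07/09 16:54:08, 2] smbd/service.c:make_connection_snum(314)
  user 'WARGROUP\\administrator' (from session setup) not permitted
  to access this share (matproj)
[2006/07/09 16:54:08, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
  NT_STATUS_ACCESS_DENIED
[2006/07/09 16:55:41, 2]
smbd/service.c:make_connection_snum(314)
  user 'WARGROUP\\jsmith' (from session setup) not permitted
  to access this share (matproj)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s*(?P<src>\S*)")
DENIED = re.compile(r"user '(?P<user>[^']+)' \(from session setup\) "
                    r"not permitted to access this share \((?P<share>[^)]+)\)")

def records(text):
    """Yield one dict per log record, rejoining wrapped continuation lines."""
    rec = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if rec:
                yield rec
            rec = {"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msg": ""}
        elif rec and line.strip():
            if not rec["src"]:
                rec["src"] = line.strip()  # header itself was wrapped in transit
            else:
                rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    if rec:
        yield rec

def denied_connections(text):
    """Return (timestamp, user, share) for every share-level refusal."""
    out = []
    for rec in records(text):
        m = DENIED.search(rec["msg"])
        if m:
            out.append((rec["ts"], m["user"], m["share"]))
    return out

def denials_per_user(text):
    """Count refusals per (user, share) pair."""
    return Counter((user, share) for _, user, share in denied_connections(text))
```

The user names it reports are the ones to compare against the group membership that winbind returns for the group named in valid users.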