[Samba] Re: W2K3 Domain - Can't Connect to Share?
Gary Dale
garydale at torfree.net
Fri Jul 28 18:27:21 GMT 2006
Nolan Garrett wrote:
> Gary Dale wrote:
>
>> Nolan Garrett wrote:
>>
>>> I have a linux box, Samba 3.0.23a, that is joined to a W2K3 domain.
>>> I cannot connect to the "MP3s" share (all legal!) on this system - I
>>> can connect to home directories and printers. When I try to connect
>>> to MP3s as any user on the domain, I get an Access is denied message,
>>> or it prompts me for the username and password again. I am using
>>> Winbind (if that matters), so none of these accounts exist locally on
>>> the system.
>>>
>>> Here is the applicable part of my smb.conf:
>>>
>>> [MP3s]
>>> path = /home/samba/MP3s
>>> ; writeable = no
>>> browseable = yes
>>> valid users = @"MASSIVEGEEK+Domain Users"
>>> writeable = yes
>>>
>>> And here are the actual file permissions:
>>>
>>> drwxrwx--- 93 root domain users 4096 Jul 14 18:54 MP3s
>>>
>>> Any ideas here? I've tried connecting from several different systems
>>> (XP, 2003, Linux), with no luck. Here is output from smbclient:
>>>
>>> [root@mgprisvr ~]# smbclient //mggryphont.massivegeek.local/MP3s -U MASSIVEGEEK\\mgwinxpvm1vpn -d 2
>>> added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
>>> added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
>>> Password:
>>> Domain=[MASSIVEGEEK] OS=[Unix] Server=[Samba 3.0.23a-1.fc5.1]
>>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>>
>>> Thank you!
>>>
>>> Nolan
>>>
>>>
>> Your valid users looks a little funny. Have you tried
>>
>> valid users = @"Domain Users"
>>
>> instead?
>>
>> I'm assuming that your server is a member of the domain.
>>
>
> Yeah, the server is a member of the domain. I tried that line above, no
> luck either. I've also tried it with no "valid users" line, but still
> no luck. I did find this in the logs:
>
> [2006/07/28 10:37:12, 0] smbd/service.c:make_connection_snum(773)
> make_connection: connection to MP3s denied due to security descriptor.
>
> Any idea what that means?
>
> Here's my [global]:
>
> [global]
> workgroup = MASSIVEGEEK
> server string = Samba Server
> printcap name = /etc/printcap
> load printers = yes
> printer admin = MASSIVEGEEK+ngarrett MASSIVEGEEK+Administrator root
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ADS
> realm = MASSIVEGEEK.LOCAL
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/bash
> winbind use default domain = yes
> username map = /etc/samba/smbusers
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/winnt/%D/%U
> admin users = @"MASSIVEGEEK+Domain Admins"
>
> Thanks!
>
>
Sorry, you've passed beyond my level of expertise here with Kerberos and
ADS.
I can suggest you try some simple things like bumping up your log level
and doing some testing. Perhaps try a share connecting as a user where
the user is local as well as a domain user. The message looks like it is
complaining about security, so I suspect it isn't getting the
information it expects from your DC (if it is even communicating with it).
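
An added example, not part of the original messages: when the log level is raised as suggested above, a small parser for the two-line smbd log entries quoted in this thread makes it easier to see which shares are refusing connections and why. The first sample entry is the one from the thread; the other entries and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: entry 1 is quoted in the thread, the rest are made up
# in the same two-line layout (header line, then indented message line).
SAMPLE_LOG = """\
[2006/07/28 10:37:12, 0] smbd/service.c:make_connection_snum(773)
  make_connection: connection to MP3s denied due to security descriptor.
[2006/07/28 10:37:40, 1] example/file.c:example_function(1)
  constructed informational entry
[2006/07/28 10:38:05, 0] smbd/service.c:make_connection_snum(773)
  make_connection: connection to MP3s denied due to security descriptor.
"""

# Header: [timestamp, debug level] source-file:function(line)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
# Message shape taken from the line quoted in the thread.
DENIED = re.compile(
    r"connection to (?P<share>.+?) denied due to (?P<reason>.+?)\.?$")

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "message": ""}
            current["level"] = int(current["level"])
            entries.append(current)
        elif current is not None and raw.strip():
            # Continuation lines are joined so multi-line messages survive.
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return entries

def denied_connections(entries):
    """Return (timestamp, share, reason) for every refused tree connect."""
    found = []
    for entry in entries:
        m = DENIED.search(entry["message"])
        if m:
            found.append((entry["ts"], m["share"], m["reason"]))
    return found

def summarize(text):
    """Count refusals per (share, reason) pair."""
    return Counter((s, r) for _, s, r in denied_connections(parse_entries(text)))

if __name__ == "__main__":
    for (share, reason), count in summarize(SAMPLE_LOG).items():
        print(f"{share}: {count} denied ({reason})")
```
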