[Samba] [homes] access failing when security=domain

Jonathan Tullett jtullett at scyph.co.uk
Tue Mar 21 20:11:46 GMT 2006


I'm having real difficulty in getting access to my [homes] shares on my
samba server using any method (smbclient, from any windows machines etc).

My setup:
Samba: 3.0.14a (Debian precompiled binaries)
Winbind: 3.0.14a (Debian precompiled binaries)
Domain controller: Windows 2003 SP1

The machine's joined to the domain and users are authenticating via SSH
(/etc/nsswitch.conf is configured correctly) and to any of the
non-[homes] shares they're entitled to access (ie shares that are
specifically defined in smb.conf.)

Proof of this working setup:
officeserver:/home# wbinfo -t
checking the trust secret via RPC calls succeeded
officeserver:/home# wbinfo -u | head -2
officeserver:/home# wbinfo -g | head -2
BUILTIN+system operators
officeserver:/home# id tullettj
uid=15003(tullettj) gid=15001(domain users) groups=15001(domain
users),15000(domain admins)

The smb.conf file I'm using contains the following:
[global]
        workgroup = DWPUB
        server string = %h server (Samba %v)
        security = DOMAIN
        client schannel = No
        obey pam restrictions = Yes
        password server = opmaster1.dwpub.com
        passdb backend = tdbsam, guest
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /home/DWPUB/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        invalid users = root

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0600
        directory mask = 0700
        browseable = No

I've run the server with 'log level = 3' to see what's going on, and the
relevant parts of the output debug are:
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[DWPUB]\[tullettj]@[OFFICESERVER] with the new password interface
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DWPUB]\[tullettj]@[OFFICESERVER]
[2006/03/21 20:05:29, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [tullettj] succeeded
[2006/03/21 20:05:29, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [tullettj] -> [tullettj] -> [DWPUB+tullettj] succeeded
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(222)
  User name: DWPUB+tullettj     Real name:
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(241)
  UNIX uid 15003 is UNIX user DWPUB+tullettj, and will be vuid 100
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(270)
  Adding homes service for user 'DWPUB+tullettj' using home directory:
[2006/03/21 20:05:29, 3] param/loadparm.c:lp_add_home(2368)
  adding home's share [tullettj] for user 'DWPUB+tullettj' at

which all look great, but then it says:

[2006/03/21 20:05:29, 3] smbd/process.c:process_smb(1091)
  Transaction 3 of length 102
[2006/03/21 20:05:29, 3] smbd/process.c:switch_message(886)
  switch message SMBtconX (pid 10909) conn 0x0
[2006/03/21 20:05:29, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/03/21 20:05:29, 2] smbd/service.c:make_connection_snum(321)
  user 'DWPUB+tullettj' (from session setup) not permitted to access
this share (tullettj)
[2006/03/21 20:05:29, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX)

The home directory has been created:
officeserver:/home/DWPUB# ls -tlrd tullettj
drwxr-xr-x  2 tullettj domain users 4096 Mar 21 20:05 tullettj

but I haven't been able to access it.

I've been trying different things, have read the news group and mailing
lists but have so far been unsuccessful.  If anyone is able to shed some
light on this problem I would be _very_ grateful - this machine is
supposed to be in production in a week or so.

Many thanks in advance for any help you can provide,
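
An added example, not part of the original post: it pulls the refused tree connect out of the log excerpt above and compares the session user with what `valid users = %S` expands to for that share. The matching function is a simplified model (an assumption, not Samba's own code), and all function names are hypothetical.

```python
import re

# Lines copied from the level-3 smbd log quoted in the post above.
LOG = """\
[2006/03/21 20:05:29, 3] smbd/password.c:register_vuid(241)
  UNIX uid 15003 is UNIX user DWPUB+tullettj, and will be vuid 100
[2006/03/21 20:05:29, 3] param/loadparm.c:lp_add_home(2368)
  adding home's share [tullettj] for user 'DWPUB+tullettj' at
[2006/03/21 20:05:29, 2] smbd/service.c:make_connection_snum(321)
  user 'DWPUB+tullettj' (from session setup) not permitted to access this share (tullettj)
"""

DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted "
                    r"to access\s+this share \(([^)]+)\)")

def denied_connections(log):
    """Return (session_user, share) pairs for every refused tree connect."""
    return DENIED.findall(log)

def expand(value, share):
    """Expand only the %S macro (current service name) in an smb.conf value."""
    return value.replace("%S", share)

def user_listed(session_user, valid_users, share):
    """Simplified model (assumption): case-insensitive match of plain names.
    Group entries (@, +, & prefixes) and name lookups are not modelled."""
    names = re.split(r"[,\s]+", expand(valid_users, share).strip())
    return session_user.lower() in (n.lower() for n in names if n)

def explain(log, valid_users, separator="+"):
    """Report how each refused user compares with the expanded list."""
    report = []
    for user, share in denied_connections(log):
        domain, _, short = user.rpartition(separator)
        report.append({
            "session_user": user,
            "share": share,
            "expanded_valid_users": expand(valid_users, share),
            "listed": user_listed(user, valid_users, share),
            "short_name_equals_share": short.lower() == share.lower(),
            "domain_prefix": domain,
        })
    return report

if __name__ == "__main__":
    for row in explain(LOG, "%S"):
        print(row)
```

The report separates two cases that look identical in the log: a user who is simply absent from the list, and a user whose short name equals the share but whose session name carries a domain prefix.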