[Samba] Samba / Winbind / LDAP - Can't access shares
Julian Pilfold-Bagwell
jools at oss4all.plus.com
Wed Apr 18 00:22:45 GMT 2007
Hi All,
I have the following setup: a Samba/LDAP PDC, a Samba BDC, a Samba member
server, a Win2K member server and 300 Win XP client PCs.
I can access the shares on the PDC from all Win XP clients. I can
access the shares on the Win2K member server from all XP clients. I
can't, however, access any of the shares on the Samba BDC or the Samba
member server from the XP clients.
LDAP is working fine, and PAM/LDAP/NSS are working fine. getent works
for users and groups on all Samba servers, and "net groupmap list" shows
identical group mappings across all Samba servers. I can do things like
chmod user."Domain Admins" and it works. I can use setfacl and
generate ACLs with domain groups in them and it works, but I cannot
access the shares on the Samba servers from anywhere on the network.
wbinfo works on the Samba member server but cannot look up users and
groups when run on the PDC and BDC.
The OSes are Mandriva 2007 and Ubuntu Edgy. The Samba version is 3.0.23d. All
machine names are resolvable via nmblookup and nslookup, and I've been
through every document and howto I can find as well as loads of Google
searches, but have not managed to resolve it yet.
All help gratefully received. Cheers,
Jools
The smb.conf files are as follows:
PDC:
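[global]
# General Options for domain
workgroup = BGS
netbios name = SMB5
server string = Samba Server %v
# %m is the client's NetBIOS name, so each client gets its own log file
log file = /var/log/samba/%m.log
max log size = 50
# Network-level restriction is currently disabled: any host that can reach
# the server may talk to smbd
# hosts allow = 172.20.0. 172.20.1. 172.20.2. 127.
# Unknown user names are mapped to the guest account, so the "guest ok = yes"
# shares below are reachable without valid credentials
map to guest = bad user
security = user
encrypt passwords = yes
# Not consulted while "passdb backend" is ldapsam (see below); kept for reference
smb passwd file = /etc/samba/smbpasswd
# Old smbpasswd-style password sync, superseded by the smbldap settings below
# unix password sync = Yes
# pam password change = yes
# passwd program = /usr/bin/passwd '%u'
# passwd chat = *Nadmin1*UNIX*password* %n\n *Re*ype*nadmin1*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# username map = /etc/samba/smbusers
# Per-client overrides: the file name is built from the client-supplied
# NetBIOS name, so a client influences which file is read
include = /etc/samba/smb.conf.%m
wins support = yes
# wins server = 127.0.0.1
dns proxy = no
dos charset = 850
unix charset = ISO8859-1
# Every member of Domain Admins (plus the three named accounts) runs as root
# on every share of this server
admin users = BGS\admin3 BGS\admin1 BGS\admin2 +"BGS\Domain Admins"
# Debug level 10 is very verbose: it slows smbd down and writes user names,
# file paths and raw request data to the per-client logs; lower it to 0-1
# once the problem is resolved
log level = 10
# winbind separator = +
# winbind enum users = yes
# winbind enum groups = yes
# ID range handed out by the idmap backend; the BDC and member server use the same range
idmap uid = 10000-20000
idmap gid = 10000-20000
# winbind use default domain =yes
# Tune Samba and determine its priority in the Domain
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# remote announce = 172.20.0.255 172.20.1.255 172.20.2.255 172.20.3.255
local master = yes
# "domain logons" and "wins support" each appeared twice in the original with
# the same value; the duplicates have been removed (last-wins makes them
# harmless but they hide the effective setting)
domain logons = yes
os level = 254
domain master = yes
preferred master = yes
name resolve order = wins lmhosts bcast
# Set the paths to the various resources on the Domain
logon script = %G.bat
logon path = \\%L\Profiles\%U
# Define the interaction between smbldap tools and the server's LDAP backend
# ldap password sync = yes
unix password sync = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *Nadmin1*password* %n\n *Retype*nadmin1*password* %n\n
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
# The second %g is now single-quoted like every other substitution in these
# scripts, so a group name containing shell metacharacters cannot change the
# command that runs
add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow '%g'|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%u'
# Allow members of Domain Admins to add machine accounts
enable privileges = yes
# Define ID backend structure
# passdb backend = smbpasswd guest
# passdb backend = tdbsam:/etc/samba/passdb.tdb
passdb backend = ldapsam:ldap://localhost
# In case of compatibility issues
# Use the samba2 LDAP schema:
# passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest
idmap backend = ldap:ldap://localhost
# Bind DN for LDAP writes; its password is stored locally with "smbpasswd -w"
ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
# Both LDAP URIs above point at localhost, so the plain-text bind stays on
# this host; enable start_tls if the directory ever moves to another machine
# ldap ssl = start_tls
#ldap port = 389
ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap machine suffix = ou=Hosts
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
# Example for AD-ish layout:
# ldap machine suffix = cn=Computers
# ldap user suffix = cn=Users
# ldap group suffix = cn=Groups
# ldap idmap suffix = cn=Idmap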
#============================ Share Definitions ==============================
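[homes]
comment = Home Directories
browseable = no
writable = yes
# Rejoined from a mail-wrapped line (a value on its own line is not valid
# smb.conf syntax). Files matching these patterns are hidden and cannot be created
veto files = /*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.mp4/*.mpg/*.mpeg/*.ra/*.ram/*.bas/*.bat/*.rar/
create mask = 0660
directory mask = 0770
# Connection audit trail, rejoined from mail-wrapped lines. %u and %m come from
# the client session and are expanded into a shell command line here, so keep
# the log file outside any exported share
preexec = /bin/echo \"%u logged in to %m at %T\" >> /var/log/samba/logons.log
postexec = /bin/echo \"%u logged off of %m at %T\" >> /var/log/samba/logons.log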
# You can enable VFS recycle bin and on-access virus-scanning on a per
# share basis:
# Uncomment the next 2 lines (make sure you create a .recycle folder in
# the base of the share and ensure all users will have write access to it.
# For virus scanning, install samba-vscan-clamav and ensure the clamd service
# is running
# vfs objects = vscan-clamav recycle
# vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
# Serves the logon scripts referenced by "logon script" in [global]
path = /spare/samba/netlogon
comment = Network Logon Service
# Read-only for everyone, guests included; the scripts executed on every
# client at logon must therefore be writable only by admins on the filesystem
writable = no
guest ok = yes
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
# Roaming profile store used by "logon path" in [global]
path = /spare/samba/profiles
browseable = no
# NOTE(review): "guest ok" together with "writable" lets an unauthenticated
# client read or overwrite whatever profile directories the filesystem
# permissions allow - confirm this is intended, otherwise set guest ok = no
guest ok = yes
writable = yes
#vfs objects = fake_perms
# A share allowing administrators to set ACLs on, or access for backup purposes,
# all files (as root).
[admin]
# Exports the whole root filesystem; every connecting Domain Admin acts as root
path = /
browseable = no
writeable = yes
# Only Domain Admins may connect, and they are elevated to root for the session
valid users = +"BGS\Domain Admins"
admin users = +"BGS\Domain Admins"
BDC:
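[global]
workgroup = BGS
domain master = no
domain logons = yes
# WINS server given as a NetBIOS name rather than an IP (the member server
# uses 172.20.0.105); the name must be resolvable by lmhosts/DNS before WINS
# itself is available
wins server = SMB5
# Account database is read from the PDC's LDAP server
passdb backend = ldapsam:ldap://smb5.bordengrammar.kent.sch.uk
ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap idmap suffix = ou=Idmap
# Bind DN for LDAP writes; its password is stored locally with "smbpasswd -w".
# Both LDAP URIs here are plain ldap:// across the network, so that bind is
# sent unencrypted - "ldap ssl = start_tls" (commented in the PDC config) is
# worth enabling here
ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
# Host name fixed: the original read "bordnegrammar", which matches neither
# the passdb URI above nor the LDAP suffix, so idmap lookups on the BDC were
# directed at a host that does not exist
idmap backend = ldap:ldap://smb5.bordengrammar.kent.sch.uk
idmap uid = 10000-20000
idmap gid = 10000-20000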
[netlogon]
# Same logon-script share as on the PDC, read-only and open to guests
path = /spare/samba/netlogon
comment = Network Logon Service
writable = no
guest ok = yes
Member Server:
[global]
# Domain member: authentication is delegated to the BGS domain controllers
workgroup = BGS
security = domain
domain logons = no
domain master = no
wins server = 172.20.0.105
# Account and ID-mapping data are read from the PDC's LDAP server over plain
# ldap://; the "ldap admin dn" bind below therefore crosses the network
# unencrypted unless "ldap ssl = start_tls" is added
passdb backend = ldapsam:ldap://smb5.bordengrammar.kent.sch.uk
idmap backend = ldap:ldap://smb5.bordengrammar.kent.sch.uk
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap admin dn = cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap idmap suffix = ou=Idmap
# winbind: enumeration on, separator and default-domain left at their defaults
winbind enum users = yes
winbind enum groups = yes
# winbind separator = +
# winbind use default domain = yes
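[Apps]
comment = old P-drive structure
path = /share/apps
browseable = yes
# Rejoined from two mail-wrapped lines. NOTE(review): "BGS\pupils" has no "+"
# prefix, unlike every other group in this list, so it is read as a user name
# rather than the pupils group - confirm whether "+BGS\pupils" was intended
read list = +"BGS\Domain Admins" +"BGS\Domain Users" +BGS\teachers BGS\pupils
# Every domain user can write here, not only teachers and admins
write list = +"BGS\Domain Admins" +"BGS\Domain Users" +BGS\teachers
# Octal masks (equivalent to 0744 / 0755)
create mask = 744
directory mask = 755
force group = users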
[odrive]
path = /share/odrive
comment = odrive
browseable = yes
# Teachers and Domain Admins only; note the two different group prefixes
# (+BGS\... and @"...") used in the same list
read list = +BGS\teachers @"Domain Admins"
write list = +BGS\teachers @"Domain Admins"
create mask = 660
directory mask = 770
[staff]
path = /share/staff
comment = Shared Directory for Staff Access Only
browseable = yes
# Connection filter: "invalid users" takes precedence over "valid users"
valid users = +"BGS\Domain Admins" +BGS\teachers +BGS\admin
invalid users = +BGS\pupils
# Access mode for the users that got through the filter above
read list = +"BGS\Domain Admins" +BGS\teachers +BGS\admin
write list = +"BGS\Domain Admins" +BGS\teachers +BGS\admin
force group = teachers
create mask = 660
directory mask = 770
# Deleted files are moved into .recycle inside the share instead of being removed
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = 1
recycle:noversions = 1
[Departmental]
path = /share/Departmental-Files
# NOTE(review): the comment says "for Pupils" but pupils are explicitly
# excluded below via "invalid users" - one of the two is probably stale
comment = Shared Directory for Pupils
browseable = yes
valid users = +"BGS\Domain Admins" +BGS\teachers
invalid users = +BGS\pupils
read list = +"BGS\Domain Admins" +BGS\teachers
write list = +"BGS\Domain Admins" +BGS\teachers
# %U / %G expand to the session user's own name and primary group
force user = %U
force group = %G
create mask = 0660
directory mask = 770
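[pupils]
comment = Shared Directory for Pupils
path = /share/pupils
browseable = yes
# Rejoined from mail-wrapped lines. The write list grants write access to all
# listed groups, pupils and miscreants included. The quote placement in
# +BGS\"Domain Users" differs from the +"BGS\Domain Users" form used elsewhere
# in these files
read list = +"BGS\Domain Admins" +BGS\"Domain Users" +BGS\pupils +BGS\teachers +BGS\miscreants
write list = +"BGS\Domain Admins" +BGS\"Domain Users" +BGS\pupils +BGS\teachers +BGS\miscreants
create mask = 660
directory mask = 770
force user = %U
# With the "+" prefix the group is only forced for users who are already
# members of teachers
force group = +BGS\teachers
# Rejoined from a mail-wrapped line
veto files = /*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.wmv/*.mp4/*.mpg/*.mpeg/*.ra/*.ram/*.bas/*.bat/*.rar/
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = 1
recycle:noversions = 1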
[coursadmin1ork]
path = /share/coursadmin1ork
comment = Read-Write for Teachers Read only for Pupils
browseable = yes
# NOTE(review): every access list below is commented out, so the share does
# not match its comment: any user who can authenticate to this server may
# read it, and with Samba's default "writable = no" nobody can write through
# it. Either restore the lists or update the comment
#read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils
#write list = +"BGS\Domain Admins" +BGS\teachers
#create mask = 0664
#directory mask = 0775
[admins]
path = /share/admins
comment = Access for Admins Only
browseable = yes
# NOTE(review): the three accounts are unqualified here but written
# BGS\admin1 etc. in [mcafee]; check that both spellings resolve to the
# same accounts on this member server
read list = +"BGS\Domain Admins" admin3 admin1 admin2
write list = +"BGS\Domain Admins" admin3 admin1 admin2
create mask = 660
directory mask = 770
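[resources]
comment = Open Share for Distribution
path = /share/resources
browseable = yes
# Rejoined from two mail-wrapped lines; read-only for everyone except Domain Admins
read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils +BGS\"Domain Users"
write list = +"BGS\Domain Admins"
# New files get no write bit even for their owner (octal 0440)
create mask = 440
directory mask = 770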
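[library]
comment = Library Share
path = /share/library
browseable = yes
# Rejoined from two mail-wrapped lines. NOTE(review): the "@@" and the
# " at " tokens look like mail-archive mangling of "@"; check this line
# against the live smb.conf before relying on it
read list = +"BGS\Domain Admins",@@"Domain Users", at +BGS\teachers, at +BGS\pupils,+BGS\librarians
write list = jfj,gpc,+"BGS\Domain Admins",+BGS\librarians
# NOTE(review): "force user" takes a single user name; the "+" group prefix
# has no meaning here, so this is probably meant to be gpc (or BGS\gpc)
force user = +BGS\gpc
force group = +BGS\librarians
# "create mode" / "directory mode" are synonyms of create mask / directory mask
create mode = 660
directory mode = 770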
[free-software]
path = /share/free-software
comment = Open Share for Distribution
browseable = yes
# Teachers, pupils and Domain Admins may read; only Domain Admins may write
read list = +"BGS\Domain Admins" +BGS\teachers +BGS\pupils
write list = +"BGS\Domain Admins"
# Octal masks applied to new files and directories
create mask = 640
directory mask = 770
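[mcafee]
comment = Updates for McAfee
path = /share/mcafee
browseable = yes
# Rejoined from two mail-wrapped lines. NOTE(review): @"Domain Users" gives
# every domain account write access to the anti-virus update files that the
# clients pull from here, so any user could replace them; consider limiting
# writes to the updater accounts and Domain Admins
write list = BGS\admin2 BGS\admin3 BGS\admin1 BGS\updater +BGS\updaters +"BGS\Domain Admins" @"Domain Users"
create mask = 660
directory mask = 770
# force user = admin1
# force group = +"BGS\Domain Admins"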