[Samba] Problems with Samba and Active Directory
Ryan
wyild1 at gmail.com
Fri Dec 28 19:00:51 GMT 2007
Afternoon!
Let me apologize first if this is something soooo simple, but I have been
working on this for days and I'm still stuck on one part.
Where to start. Small user environment (under 100 users) using Active
Directory on Win 2k3 server. Running Fedora 8 on a server, and I am trying
to get it added to the domain, and to be able to access a share using
Windows usernames and passwords.
The server (known from here as fedoraftp) can kinit
[root at fedoraftp /]# kinit Administrator
Password for Administrator at DOMAIN.LOCAL:
[root at fedoraftp /]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at DOMAIN.LOCAL
Valid starting Expires Service principal
12/28/07 12:44:31 12/28/07 22:44:35 krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
renew until 12/29/07 12:44:31
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at fedoraftp /]#
It can join the domain
[root at fedoraftp /]# net ads join -U Administrator
Administrator's password:
Using short domain name -- DOMAIN
Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
[root at fedoraftp /]#
wbinfo -u, wbinfo -g, getent passwd and getent group all show correct
information (not going to show output). I can also log in locally on
fedoraftp using my Windows username and password and not have any issues.
What I cannot get to work is accessing the share, as it won't take any
username/password thrown at it.
smb.conf
[global]
log file = /var/log/samba/log.%m
guest account = admin
load printers = no
show add printer wizard = No
idmap gid = 10000-20000
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
guest ok = yes
encrypt passwords = yes
realm = PIPFS.LOCAL
template shell = /bin/bash
netbios name = FEDORAFTP
cups options = raw
server string = Fedora Server Ver %v
idmap uid = 10000-20000
password server = 192.168.0.240
winbind nested groups = yes
workgroup = PIPFS
dns proxy = no
passwd program = /usr/bin/passwd %u
obey pam restrictions = yes
os level = 20
security = ads
preferred master = no
max log size = 50
winbind separator = #
winbind cache time = 0
log level = 3
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
passdb backend = tdbsam
[FTP]
msdfs root = yes
inherit permissions = yes
writeable = yes
admin users = @"domain users"
path = /home/ftpshare/
create mask = 700
directory mask = 700
valid users = admin,@"domain users",
inherit acls = yes
; public=yes
Output of /var/log/samba/log.smbd
[2007/12/28 12:53:05, 0] smbd/server.c:main(944)
smbd version 3.0.28-0.fc8 started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
[2007/12/28 12:53:05, 2] param/loadparm.c:do_section(3796)
Processing section "[FTP]"
[2007/12/28 12:53:05, 3] param/loadparm.c:lp_add_ipc(2711)
adding IPC service
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
reloading printcap cache
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
reload status: ok
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
reloading printcap cache
[2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
reload status: ok
[2007/12/28 12:53:05, 2] lib/interface.c:add_interface(81)
added interface ip=192.168.0.50 bcast=192.168.0.255 nmask=255.255.255.0
[2007/12/28 12:53:05, 3] smbd/server.c:main(982)
loaded services
[2007/12/28 12:53:05, 3] smbd/server.c:main(997)
Becoming a daemon.
[2007/12/28 12:53:05, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
Registered MSG_REQ_POOL_USAGE
[2007/12/28 12:53:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
store_gid_sid_cache: gid 0 in cache ->
S-1-5-21-3422581952-716862249-2814536807-1002
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
store_gid_sid_cache: gid 10000 in cache -> S-1-5-32-544
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
store_gid_sid_cache: gid 10001 in cache -> S-1-5-32-545
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-22-1-0]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-11]
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
[2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-22-1-0
se_access_check: also S-1-5-32-544
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
[2007/12/28 12:53:05, 3] libsmb/namequery.c:get_dc_list(1489)
get_dc_list: preferred server list: "192.168.0.240, 192.168.0.240"
[2007/12/28 12:53:05, 3] libads/ldap.c:ads_connect(394)
Connected to LDAP server 192.168.0.240
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
ads_sasl_spnego_bind: got server principal name = pipdc01$@DOMAIN.LOCAL
[2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
expiration Fri, 28 Dec 2007 22:53:05 CST
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
store_gid_sid_cache: gid 10008 in cache ->
S-1-5-21-1220945662-682003330-839522115-513
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
fetch gid from cache 10000 -> S-1-5-32-544
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
fetch gid from cache 10001 -> S-1-5-32-545
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID
[S-1-5-21-3422581952-716862249-2814536807-501]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID
[S-1-5-21-1220945662-682003330-839522115-513]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-22-2-10008]
[2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-32-545]
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
fetch gid from cache 10008 -> S-1-5-21-1220945662-682003330-839522115-513
[2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
fetch gid from cache 10001 -> S-1-5-32-545
[2007/12/28 12:53:05, 3] printing/printing.c:start_background_queue(1388)
start_background_queue: Starting background LPQ thread
[2007/12/28 12:53:05, 2] smbd/server.c:open_sockets_smbd(458)
waiting for a connection
The main thing I see in the log from the computer trying to connect is (log
is huge... not going to post it all)
[2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
user 'DOMAIN#redwards' (from session setup) not permitted to access this
share (FTP)
[2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
redwards is part of the group "Domain Users"
I'm at a HUGE loss right now how to go about this, as I'm still pretty green
to this whole type of setup. Any advice would be helpful. If more info is
required, please ask and I'll provide it, as I would like to resolve this
issue.
Cheers!
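The denial in the post is logged by make_connection_snum at tree connect (SMBtconX), which is the message smbd emits when the session user fails the share's `valid users` / `invalid users` check, so the question is what the entry `@"domain users"` has to resolve to on the Samba host. The script below is an added example, not code from the post or from Samba: a simplified model of that decision (the list tokenizer and matching rules are a stand-in for Samba's own, and the `+`/`&`/`@` prefixes are all treated as plain group entries here), fed with a constructed group view of the host in place of what `id -Gn <user>` or `wbinfo -r <user>` plus `getent group <gid>` would report. The user names, group sets and the `NSS_*` dictionaries are assumptions. The post's own log already shows gid 10008 mapping to the domain SID ending in -513, the well-known RID of Domain Users, which is the group the entry must match.

```python
"""Model of smbd's per-share `valid users` decision (added example, not
Samba code).  Shows what the host's group resolution must deliver for
the as-written value  admin,@"domain users",  to admit DOMAIN#redwards.
"""
import shlex


def parse_name_list(value):
    """Split an smb.conf list value into entries.

    Entries are separated by commas or whitespace; double quotes keep a
    name containing spaces together, so  admin,@"domain users",  gives
    ['admin', '@domain users'].  Empty entries (for example the one
    produced by a trailing comma) are dropped, not kept as a blank name.
    Simplified stand-in for Samba's list parsing, not its code.
    """
    lex = shlex.shlex(value, posix=True)
    lex.whitespace_split = True
    lex.whitespace += ","
    return [tok for tok in lex if tok]


def short_name(session_user, separator="#", use_default_domain=True):
    """Drop the 'DOMAIN<sep>' prefix, as 'winbind use default domain = yes'
    lets smb.conf name users and groups without the domain.  The post uses
    'winbind separator = #', hence the default here."""
    if use_default_domain and separator in session_user:
        return session_user.split(separator, 1)[1]
    return session_user


def user_permitted(session_user, valid_users, user_groups, separator="#"):
    """Return True if session_user matches an entry of `valid users`.

    user_groups maps a UNIX user name to the set of group names it belongs
    to (constructed data in this example).  Entries prefixed with '@', '+'
    or '&' are treated as group names (Samba additionally distinguishes
    netgroups from UNIX groups, which this model does not); other entries
    are user names.  Matching is case-insensitive, as Windows-originated
    names are compared.
    """
    user = short_name(session_user, separator).lower()
    groups = {g.lower() for g in user_groups.get(user, set())}
    for entry in parse_name_list(valid_users):
        if entry[0] in "@+&":
            if entry[1:].lower() in groups:
                return True
        elif entry.lower() == user:
            return True
    return False


# Constructed host view (assumption): the user's groups as `id -Gn` might
# list them when winbind resolves the Domain Users group (gid 10008 in the
# post's log, SID ...-513) under the name written in smb.conf.
NSS_OK = {"redwards": {"domain users", "users"}, "admin": {"admin"}}
# Constructed failing case: the group list smbd sees for the user does not
# contain a group under the name used in smb.conf, so the @-entry never
# matches and tree connect is refused.
NSS_BROKEN = {"redwards": {"users"}}

# `valid users` value exactly as it appears in the post's [FTP] share.
VALID_USERS = 'admin,@"domain users",'


if __name__ == "__main__":
    for label, nss in (("group resolves", NSS_OK), ("group missing", NSS_BROKEN)):
        ok = user_permitted("DOMAIN#redwards", VALID_USERS, nss)
        verdict = "permitted" if ok else "NT_STATUS_ACCESS_DENIED"
        print(f"{label}: DOMAIN#redwards -> {verdict}")
```

On the real host the equivalent check is to confirm, as the user smbd runs the lookup for, that `getent group` returns the group under the exact name used in the `valid users` entry and that `id -Gn redwards` (or `wbinfo -r redwards` followed by `getent group <gid>`) lists it; `testparm -s` shows how smbd actually parsed the list, including the effect of the quoting and the trailing comma.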