ham,[Samba] No access to share

Chris Boyd chris.boyd at usit.ie
Wed Jul 4 14:17:20 GMT 2007


All the group mappings are in place:
 
net groupmap list
Domain Admins (S-1-5-21-1953726507-754737620-746616776-20000) -> admins
Domain Guests (S-1-5-21-1953726507-754737620-746616776-20002) -> guests
Domain Users (S-1-5-21-1953726507-754737620-746616776-20001) -> users

getent passwd
admin:*:0:20000:admin :/home/users/admins/in:
gal_script$:*:30000:515:Computer:/dev/null:/bin/false
ie-aqd-w089$:*:30001:515:Computer:/dev/null:/bin/false
aqd-christian$:*:30002:515:Computer:/dev/null:/bin/false
chris.boyd:*:1000:20000:Chris Boyd:/home/chris.boyd:/bin/bash
emmett.sutton:*:1001:20000:Emmett Sutton:/home/emmett.sutton:/bin/bash
bob.bobson:*:1002:20001:Bob Bobson:/home/bob.bobson:/bin/bash

getent group
admins:*:20000:
guests:*:20002:
users:*:20001:

I changed the "valid users = USIT\%S" and "valid users = @USIT\admin,
@USIT\users"
Commented out the second path statement under profiles.
Still, whenever I log on as, say, chris.boyd, I can access the home drive and
it is mapped, but I still get the command prompt from the logon script saying
"invalid password for usit-file" and it refuses to allow
access to the share even with the admin logon. Strangely, the profile folders
show up in the home folder and there are no desktop icons showing?
 
The machine log shows for that logon: 
 
[2007/07/04 10:52:35, 0] printing/pcap.c:pcap_cache_reload(159)
  Unable to open printcap file /etc/printcap for read!
[2007/07/04 10:59:23, 1] smbd/service.c:close_cnum(1150)
  aqd-christian (10.133.2.46) closed connection to service profiles
[2007/07/04 10:59:23, 1] smbd/service.c:close_cnum(1150)
  aqd-christian (10.133.2.46) closed connection to service profiles
[2007/07/04 10:59:57, 1] smbd/service.c:close_cnum(1150)
  aqd-christian (10.133.2.46) closed connection to service netlogon
[2007/07/04 11:01:19, 1] smbd/service.c:close_cnum(1150)
  aqd-christian (10.133.2.46) closed connection to service chris.boyd


-----Original Message-----
From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com] 
Sent: 03 July 2007 18:04
To: Chris Boyd
Subject: Re: ham,[Samba] No access to share


Chris,

If your problem turns out to be ldap, I am not of much use.  However, have
you done all the group mapping?  Did you take into account the ldap schema
changes since 3.0.23?  Are your groups domain groups?  If yes, then it
should be "valid users = DOMAIN\%S" and "valid users = @DOMAIN\admin,
@DOMAIN\users".  
See
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html.
You also have two "paths" listed under [profiles].
Can't think of anything more to suggest.  If all this fails, provide an
error log to the list.

Good luck,
Dale

Chris Boyd wrote: 

Running Debian Etch with Samba-3.0.24 and ldap...

I've set up a few users as part of the admin group and one in the users
group. When I log onto the XP machine they can see their home drives but I
get a command prompt asking for username and password for the server
(usit-file). Not even admin can login though. Even if I log onto the XP
machine as the domain admin I can't access the share.

The relevant bits:

smb.conf:

workgroup = usit
server string = %h server
wins support = yes
wins server = 10.133.1.21
dns proxy = yes
name resolve order = lmhosts host wins bcast
interfaces = 127.0.0.0/8 10.133.0.0/16 eth0
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 10
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://10.133.1.21
ldap suffix = dc=usit,dc=ie
ldap machine suffix = ou=machines
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=usit,dc=ie
ldap delete dn = no
obey pam restrictions = yes
ldap password sync = yes
invalid users = root
ldap passwd sync = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
domain logons = yes
enable privileges = yes
logon path = \\%N\profiles\%U
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.bat
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = yes
preferred master = yes

[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
valid users = %S
inherit acls = Yes

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no
write list = "@admins"

[profiles]
comment = Users profiles
path = /home/samba/profiles
path = %H
guest ok = no
# browseable = no
store dos attributes = Yes
create mask = 0600
directory mask = 0700

[shared]
comment = Shared folder
path = /data/Shared
# force group = users
read only = no
create mask = 0770
directory mask = 0770
valid users = @admin,@users



Permissions:

usit-file:~#  ls -la /data/
total 16
drwxr-xr-x  4 root root  4096 2007-06-07 16:33 .
drwxr-xr-x 25 root root  4096 2007-06-08 14:52 ..
drwxr-xr-x  3 root root  4096 2007-06-07 16:33 AQ
drwxrwx--- 15 root users 4096 2007-06-08 11:51 Shared

Users:

admin:*:0:20000:admin :/home/users/admins/in:
gal_script$:*:30000:515:Computer:/dev/null:/bin/false
ie-aqd-w089$:*:30001:515:Computer:/dev/null:/bin/false
aqd-christian$:*:30002:515:Computer:/dev/null:/bin/false
chris.boyd:*:1000:20000:Chris Boyd:/home/chris.boyd:/bin/bash
emmett.sutton:*:1001:20000:Emmett Sutton:/home/emmett.sutton:/bin/bash
bob.bobson:*:1002:20001:Bob Bobson:/home/bob.bobson:/bin/bash

Logon.bat:

net time \\usit-file /set /yes
net use s: \\usit-file\Shared





 





-----------------------------------------------------------------
This email message is intended only for the addressee(s)
and contains information that may be confidential and/or
copyrighted.  If you are not the intended recipient please
notify the sender by reply email and immediately delete
this email. Use, disclosure or reproduction of this email
by anyone other than the intended recipient(s) is strictly
prohibited. USIT has scanned this email for viruses and
dangerous content and believes it to be clean. However,
virus scanning is ultimately the responsibility of the recipient.
-----------------------------------------------------------------

USIT Ireland Ltd. Company No. 377526. Registered Office 19/21 Aston Quay
Dublin 2.
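
A cross-check of the Unix side of the share, as an added example that is not part of the original thread: smbd applies filesystem permissions on top of "valid users" (and "force group" is commented out in [shared]), so the script evaluates the ls -la mode of /data/Shared against the posted getent output and flags @group entries that match no Unix group. The function names are this example's own, and the group-name check is a plain string comparison, a simplification of Samba's real lookup.

```python
# Constructed sample input, copied from the getent/ls output quoted in the thread.
PASSWD = """\
admin:*:0:20000:admin :/home/users/admins/in:
chris.boyd:*:1000:20000:Chris Boyd:/home/chris.boyd:/bin/bash
emmett.sutton:*:1001:20000:Emmett Sutton:/home/emmett.sutton:/bin/bash
bob.bobson:*:1002:20001:Bob Bobson:/home/bob.bobson:/bin/bash
"""
GROUP = "admins:*:20000:\nguests:*:20002:\nusers:*:20001:\n"
LS_LINE = "drwxrwx--- 15 root users 4096 2007-06-08 11:51 Shared"
VALID_USERS = r"@USIT\admin, @USIT\users"

def parse_passwd(text):
    """Map user name -> (uid, primary gid)."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), int(f[3])) for f in rows}

def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m}) for f in rows}

def unix_access(user, users, groups, ls_line):
    """Return the rwx triple the kernel applies to `user` on the ls -l entry."""
    mode, _links, owner, group = ls_line.split()[:4]
    uid, gid = users[user]
    if uid == 0:
        return "rwx"                      # uid 0 bypasses directory mode bits
    if user == owner:
        return mode[1:4]
    group_gid, members = groups[group]
    if gid == group_gid or user in members:
        return mode[4:7]
    return mode[7:10]

def unresolved_groups(valid_users, groups):
    """List @entries whose name (DOMAIN\\ prefix stripped) is not a Unix group.
    Assumption: plain name comparison, a simplification of smbd's lookup."""
    entries = [e.strip() for e in valid_users.split(",")]
    return [e for e in entries
            if e.startswith("@") and e[1:].split("\\")[-1] not in groups]

USERS, GROUPS = parse_passwd(PASSWD), parse_group(GROUP)

if __name__ == "__main__":
    for name in USERS:
        print(f"{name:15} /data/Shared: {unix_access(name, USERS, GROUPS, LS_LINE)}")
    print("valid users entries with no matching Unix group:",
          unresolved_groups(VALID_USERS, GROUPS))
```

On the output posted in this thread it reports "---" on /data/Shared for chris.boyd and emmett.sutton (primary group admins, no supplementary memberships) and flags @USIT\admin, since the Unix group is named admins.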



  



