[Samba] Re: Unable to set/authenticate to correct domain...

Matt sokkerstud_11 at hotmail.com
Mon Jun 4 21:31:33 GMT 2007


Matt Anderson <sokkerstud_11 <at> hotmail.com> writes:
Updated to be readable...

> Dear Help,
I am running Samba 3.0.25 on AIX 5.3 (installed from the binaries available on
samba.org including the base install -- openldap, etc.) and have set it up to
authenticate to LDAP directories on two different servers (one of them set up as
a samba PDC and the other as a samba BDC) in the usual way:
[global]
workgroup = mydomain
domain master = no
...
passdb backend = ldapsam:"ldaps://...
security = domain
netbios name = p505
...

And I have a share set up like the following:
[shared]    
  comment = shared files    
  path = /tmp/shares/testshare    
  valid users = test     
  read only = no   
  write list = test    
  browseable = Yes

(It will be good to note that user 'test' belongs to group 'testers'.  Both
'test' and 'testers' are in the LDAP directory.)

The problem I am having is that I get an "Access is denied" error when I try to
connect as user test.  However, if I change the share to the following:
[shared]
  comment = shared files
  path = /tmp/shares/testshare
  valid users = +testers 
  read only = no
  write list = +testers
  browseable = Yes

I can log in as user 'test' just fine.  So, naturally, I went digging into the
log file and found the following issues:
1) It is successfully authenticating user 'test' and getting the correct SID
values for the user and group 'testers', but they don't have any privileges:
...
get_privileges: No privileges assigned to SID [insert-test-SID-here]
...
get_privileges: No privileges assigned to SID [insert-testers-SID-here]
...
User test with invalid SID [insert-test-SID-here] in passdb
...
user 'test' (from session setup_ not permitted to access this share (shared)
...
NT_STATUS_ACCESS_DENIED

So, I then went on to run the smbd process in interactive mode (with the -i
option) to see what was going on there and discovered the following:
...
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=P505))]
...

I think that this is where the problem is.  For some reason it is searching for
sambaDomainName P505 (which is the host name of the machine, and specified as
netbios name in smb.conf) instead of sambaDomainName mydomain (which is the
domain that the machine belongs to, and is specified as the workgroup name in
smb.conf).

Is there a way to set what domain it is searching for?  If so, where and when
does that happen?

On a side note, when I start smbd, it is currently creating a P505 domain object
in the LDAP directory if it doesn't already exist.  So, if I delete it, it just
keeps recreating it.  My guess is that if I can get this samba installation to
look at the mydomain object instead, things will start working.

Any thoughts, help, wisdom or insight would be greatly appreciated.  Thanks!

-Matt
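
Added example (not part of the original message and not Samba's own code): a small Python check that pulls the sambaDomainName out of the smbldap_search_domain_info log line quoted above and reports whether it matches the workgroup or the netbios name in smb.conf. The sample config and log are constructed from the fragments in the post, and the function names are this example's own.

```python
import re

# Constructed sample input, modelled on the fragments quoted in the post.
SAMPLE_CONF = """[global]
workgroup = mydomain
security = domain
netbios name = p505
[shared]
valid users = test
"""
SAMPLE_LOG = """smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=P505))]
"""

SEARCH_RE = re.compile(
    r"smbldap_search_domain_info:\s*Searching\s+for:\s*\[[^\]]*?"
    r"sambaDomainName=([^)\s]+)\)")

def global_params(conf_text):
    """Return [global] parameters with names lowercased and whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and internal whitespace
            params["".join(key.split()).lower()] = value.strip()
    return params

def searched_domains(log_text):
    """Domain names smbd looked up, in order, tolerating the wrapped log line."""
    return SEARCH_RE.findall(log_text)

def classify(conf_text, log_text):
    """Label each searched sambaDomainName by the smb.conf setting it matches."""
    p = global_params(conf_text)
    names = {p.get("workgroup", "").lower(): "workgroup",
             p.get("netbiosname", "").lower(): "netbios name"}
    names.pop("", None)  # drop settings that were not present
    return [(d, names.get(d.lower(), "other")) for d in searched_domains(log_text)]

if __name__ == "__main__":
    for domain, source in classify(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{domain}: matches {source}")
```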






