R: R: [Samba] security = ads --> invalide user

Urs Golla urs.golla at gmail.com
Thu May 10 09:46:46 GMT 2007


Hi Gianluca

Thanks a lot for your response!

spnego:

From the Official Samba-3 HOWTO (Section 6.6.3, page 80):
"Windows 2003 requires SMB signing.  Client-side SMB signing has been
implemented in Samba 3.0.  Set client use spnego = yes when
communicating with a Windows 2003 server."


AD is 2003

I map now groups AND users. --> It still does not work... any idea?



On 5/10/07, Gianluca Culot <gianlucaculot at dmsware.com> wrote:
>
>
> > -----Original Message-----
> > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > behalf of Urs Golla
> > Sent: Thursday, 10 May 2007 10.04
> > To: samba at lists.samba.org
> > Subject: Re: R: [Samba] security = ads --> invalide user
> >
> >
> > Hi
> >
> > Still the same problem...
> >
> > I think the connection to the domain is OK, because if I use a
> > non-existent user, the log says: "FAILED with error NT_STATUS_NO_SUCH_USER"
> >
> > If I use a wrong password, it also gives me a different error message.
> >
> > cheers
> >
> > On 5/10/07, Gianluca Culot <gianlucaculot at dmsware.com> wrote:
> > >
> > >
> > > > -----Original Message-----
> > > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > > behalf of Urs Golla
> > > > Sent: Thursday, 10 May 2007 9.44
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] security = ads --> invalide user
> > > >
> > > >
> > > > Hello
> > > >
> > > > I try to run SAMBA with security = ads on AIX 5.3 with SAMBA 3.0.23d.
> > > > "net ads join" was successful and the machine is now visible in the
> > > > Domain with the netbios name.
> > > >
> > > > When I try to access the shares on the machine, the log.smbd
> > > > file says:
> > > >
> > > > (...)
> > > > [2007/05/10 08:58:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
> > > >   Username MYDOMAIN/MYUSERNAME is invalid on this system
> > > > [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
> > > >   error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
> > > > NT_STATUS_LOGON_FAILURE
> > > > (...)
> > > >
> > > >
> > > > ******************************************************
> > > > smb.conf:
> > > >
> > > > [global]
> > > > winbind separator = /
> > > > netbios name = MYNETBIOSNAME
> > > > winbind enum users = yes
> > > > workgroup = MYDOMAIN
> > > > winbind enum groups = yes
> > > > #password server = *
> > > > password server = MYPASSWORDSERVER
> > > > encrypt passwords = yes
> > > > dns proxy = no
> > > > realm = MYREALM
> > > > security = ADS
> > > > wins proxy = no
> > > > winbind use default domain = Yes
> > > > client use spnego = yes
> > > > #idmap uid = 10000-20000
> > > > #winbind gid = 10000-20000
> > > > preferred master = no
> > > > log level = 3
> > > > wins server = x.x.x.x
> > > > #auth methods = guest sam winbind
> > > > #idmap uid = 10000-20000
> > > > idmap gid = 10000-20000
> > > >
> > > >
> > > > [testsamba]
> > > >      comment = Samba testfolder
> > > >      path = /testsamba
> > > >      read only = no
> > > >      valid users = MYDOMAIN/USERNAME
> > > >
> > > > ******************************************************
> > > >
> > > > I also mapped the domain groups with "net groupmap"
> > > >
> > > > # ./net groupmap list
> > > > Domain Users (S-1-5-21-3687956107-1621720357-3427760348-513) -> domainusers
> > > > Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997) -> nobody
> > > > Administrators (S-1-5-32-544) -> 5000
> > > > mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) -> mygroup
> > > > Users (S-1-5-32-545) -> 5001
> > > >
> > > > --> MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup
> > > > ****************************************************************
> > > >
> > > > Why does it say "invalid user"? I think I should also be able to
> > > > browse the shares without a valid user...
> > > >
> > > > any help is much appreciated!!!
> > > >
> > > > Regards
> > > > Urs
> > > >
> > >
> > > I would check
> > > winbind separator = /
> > >
> > > To my knowledge it should be
> > > winbind separator = \
> > >
> > > or it could be commented out, as its default is \
> > >
> > > I've set up a samba 3.0.24,1 on FreeBSD with ads against a Windows 2003
> > > Server and I did not specify Winbind Separator
> > >
> > >
> > >
> >
>
> Why did you map only GROUPS
> idmap gid = 10000-20000
> and NOT users ?
> #idmap uid = 10000-20000
>
> why have you set
> client use spnego = yes
>
> what AD server are you connecting to ?
>
> Here is my copy of smb.conf
> have a look, and check differences...
> My only problem at the moment is that the LS (list file) command doesn't
> show me AD user and group names, but only IDs. Not a problem, but it makes
> server management extremely difficult for non-Pro people.
>
> [global]
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.IT
>         server string = mail
>         security = ADS
>         password server = server.MYDOMAIN.it
>         passdb backend = tdbsam
>         log file = /var/log/samba/log.%m
>         add user script = /usr/sbin/pw useradd %u
>         delete user script = /usr/sbin/pw userdel %u
>         add group script = /usr/sbin/groupadd %g
>         delete group script = /usr/sbin/pw groupdel %g
>         preferred master = No
>         idmap uid = 10000-49999
>         idmap gid = 10000-49999
>         template homedir = /home/%U
>         template shell = /bin/csh
>         winbind cache time = 3600
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind nss info = rfc2307
>         idmap config DMSWARE:range = 10000 - 49999
>         idmap config DMSWARE:base_rid = 1000
>         idmap config DMSWARE:backend = ad
>
>
>
>


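Added example, not part of any post in this thread: a shell check for the two smb.conf differences Gianluca raises, an `idmap uid` range that is commented out while `idmap gid` is set, and a non-default `winbind separator`. The sample file is constructed from the settings Urs posted, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the ID-mapping settings from the smb.conf posted in
# this thread (placeholders kept as posted).
write_sample() {  # $1 = output path
cat > "$1" <<'EOF'
[global]
winbind separator = /
workgroup = MYDOMAIN
security = ADS
#idmap uid = 10000-20000
#winbind gid = 10000-20000
idmap gid = 10000-20000

[testsamba]
     valid users = MYDOMAIN/USERNAME
EOF
}

# Print the effective value of one [global] parameter. Commented lines are
# ignored, the last assignment wins, nothing is printed if it is unset.
global_param() {  # $1 = smb.conf path, $2 = lower-case parameter name
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }   # skip commented-out settings
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" {
            eq = index($0, "="); if (!eq) next
            key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# For security = ads, report a missing uid or gid range and any separator
# other than the default backslash. One finding per line on stdout.
check_idmap() {  # $1 = smb.conf path
    [ "$(global_param "$1" security | tr 'A-Z' 'a-z')" = "ads" ] || return 0
    for p in "idmap uid" "idmap gid"; do
        [ -n "$(global_param "$1" "$p")" ] || printf 'MISSING: %s\n' "$p"
    done
    sep=$(global_param "$1" "winbind separator")
    [ -z "$sep" ] || [ "$sep" = '\' ] || printf 'NOTE: winbind separator = %s\n' "$sep"
}

tmp=$(mktemp) && write_sample "$tmp" && check_idmap "$tmp"; rm -f "$tmp"
```

A clean result only rules out these two settings; `wbinfo -i USERNAME` then shows whether winbind can resolve the account to a Unix uid and gid.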