R: R: R: R: [Samba] security = ads --> invalide user

Gianluca Culot gianlucaculot at dmsware.com
Thu May 10 12:58:42 GMT 2007


here is

[Home]
        path = /home
        read only = No
[websites]
        path = /usr/local/www/
        valid users = DMSWARE\gianlucaculot
        write list = DMSWARE\gianlucaculot, @DMSWARE\software,
@DMSWARE\softwarespv
        read only = No
        create mask = 0775
        directory mask = 0775

and I'll be bold enough to add an explanation (HEY! I'm NOT a pro! I started
with Samba two weeks ago!)


[Home]
        path = /home
        read only = No

The home share is peculiar:
it is open, as every subdirectory in it (user1, user2, user3)
is owned by its user and has 700 permissions (only the owner can get in),
and the owner is
DOMAIN\userxxx
Please NOTE the \
Open means that every user could create a subdir in Home???
Well... at this very moment YES!
In the future I'll change it, when testing is over.


[websites]
        path = /usr/local/www/
        valid users = DMSWARE\gianlucaculot
        write list = DMSWARE\gianlucaculot, @DMSWARE\software,
@DMSWARE\softwarespv
        read only = No
        create mask = 0775
        directory mask = 0775

That's more complicated ;) nooooo...
I use it to manage websites (currently only webmail) from my intranet.
Please note again the \ in the usernames.
For groups use "@", which means "all users inside the file/group".
IF the group name (or username) has a space (or other special chars) inside,
use
@"DOMAIN\spaced group name"

Here is the listing of /usr/local/www:
drwxr-xr-x  11 root  wheel  512 May 10 11:30 .
drwxr-xr-x  19 root  wheel  512 May  7 15:16 ..
drwxr-xr-x   2 root  wheel  512 May  7 14:29 DMScmf
drwxr-xr-x   6 root  wheel  512 May  7 15:17 apache22
drwxr-xr-x   8 root  wheel  512 May  4 12:40 awstats
drwxr-xr-x   2 root  wheel  512 May  9 18:00 cgi-bin
drwxr-xr-x  11 root  wheel  512 May 10 14:35 downloads
drwxr-xr-x  14 root  wheel  512 May  3 15:32 squirrelmail

As you can see, everything belongs to root:wheel;
no user permission is granted at OS level.


HEY... but this info should be confidential...
;)

well, I trust my firewalls a LOT :-D
and I trust the open-source community a lot
;-P

Regards

And if some skilled guy notes something wrong...
PLEASE LET ME KNOW !


> -----Original message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> behalf of Urs Golla
> Sent: Thursday, 10 May 2007 13:14
> To: samba at lists.samba.org
> Subject: Re: R: R: R: [Samba] security = ads --> invalide user
>
>
> Hi Gianluca
>
> How did you define your shares in the smb.conf? Can you send me
> an example?
>
> thanks
> Urs
> On 5/10/07, Urs Golla <urs.golla at gmail.com> wrote:
> >
> > If I set client use spnego = no in the smb.conf it says:
> >
> >   Requested protocol [LANMAN2.1]
> > [2007/05/10 13:00:57, 3] smbd/negprot.c:reply_negprot(487)
> >   Requested protocol [NT LM 0.12]
> > [2007/05/10 13:00:57, 3] smbd/negprot.c:reply_nt1(357)
> >   using SPNEGO
> > [2007/05/10 13:00:57, 3] smbd/negprot.c:reply_negprot(580)
> >   Selected protocol NT LM 0.12
> > [2007/05/10 13:00:57, 3] smbd/process.c:process_smb(1110)
> >   Transaction 1 of length 250
> >
> > ...but testparm tells me it is set to "no". What does that mean?
> >
> > On 5/10/07, Gianluca Culot < gianlucaculot at dmsware.com> wrote:
> > >
> > >  YES :D
> > > Remove spnego...
> > > I tried to use spnego... never worked
> > >
> > > without... runs smoothly and perfectly
> > >
> > >
> > >
> > > ----------------------------------------------
> > > Gianluca Culot
> > > DMS Multimedia
> > > Via delle Arti e dei Mestieri, 6
> > > 20050 Sulbiate (Mi) - Italy
> > > Tel: +39 039 5968925
> > > Fax: +39 039 3309813
> > > gianlucaculot at dmsware.com
> > > www.dmsware.com
> > >
> > >
> > > The information in this electronic mail message, including any
> > > attachments, is confidential and may be legally privileged. It is intended
> > > solely for the addressee(s). Access to this Internet electronic mail message
> > > by anyone else is unauthorised. If you are not the intended recipient, any
> > > disclosure, copying, distribution or action taken or omitted to be taken in
> > > reliance on it is prohibited and may be unlawful. The sender believes that
> > > this E-mail and any attachments were free of any virus, worm, Trojan horse,
> > > and/or malicious code when sent. This message and its attachments could have
> > > been infected during transmission. By reading the message and opening the
> > > attachments, the recipient accepts full responsibility for taking protective
> > > and remedial action about viruses and other defects. DMS Multimedia is
> > > not liable for any loss or damage arising in any way from this message or
> > > its attachments.
> > >
> > > -----Original message-----
> > > From: Urs Golla [mailto:urs.golla at gmail.com]
> > > Sent: Thursday, 10 May 2007 11:47
> > > To: Gianluca Culot
> > > Cc: samba at lists.samba.org
> > > Subject: Re: R: R: [Samba] security = ads --> invalide user
> > >
> > > Hi Gianluca
> > >
> > > Thanks a lot for your response!
> > >
> > > spnego:
> > >
> > > From the Official Samba-3 HOWTO (Section 6.6.3, page 80):
> > >
> > > "Windows 2003 requires SMB signing.  Client-side SMB signing has been
> > > implemented in Samba 3.0.  Set client use spnego = yes when
> > > communicating with a Windows 2003 server."
> > >
> > >
> > > AD is 2003
> > >
> > > I now map groups AND users. --> It still does not work... any idea?
> > >
> > >
> > >
> > > On 5/10/07, Gianluca Culot <gianlucaculot at dmsware.com> wrote:
> > > >
> > > >
> > > > > -----Original message-----
> > > > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > > > behalf of Urs Golla
> > > > > Sent: Thursday, 10 May 2007 10:04
> > > > > To: samba at lists.samba.org
> > > > > Subject: Re: R: [Samba] security = ads --> invalide user
> > > > >
> > > > >
> > > > > Hi
> > > > >
> > > > > Still the same problem...
> > > > >
> > > > > I think the connection to the domain is ok. because if i use a
> > > > > non existent
> > > > > user, the log says: "FAILED with error NT_STATUS_NO_SUCH_USER"
> > > > >
> > > > > If I use a wrong password is gives me also a different error
> > > > message.
> > > > >
> > > > > cheers
> > > > >
> > > > > On 5/10/07, Gianluca Culot <gianlucaculot at dmsware.com > wrote:
> > > > > >
> > > > > >
> > > > > > > -----Original message-----
> > > > > > > From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> > > > > > > [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org] On
> > > > > > > behalf of Urs Golla
> > > > > > > Sent: Thursday, 10 May 2007 9:44
> > > > > > > To: samba at lists.samba.org
> > > > > > > Subject: [Samba] security = ads --> invalide user
> > > > > > >
> > > > > > >
> > > > > > > Hello
> > > > > > >
> > > > > > > I try to run SAMBA with security = ads on AIX 5.3 with SAMBA
> > > > 3.0.23d.
> > > > > > > "net ads join" was successful and the machine is now
> visible in
> > > > the
> > > > > > Domain
> > > > > > > with the netbios name.
> > > > > > >
> > > > > > > When I try to access the shares on the machine the log.smbd
> > > > > > > file says:
> > > > > > >
> > > > > > > (...)
> > > > > > > [2007/05/10 08:58:16, 1]
> > > > smbd/sesssetup.c:reply_spnego_kerberos(310)
> > > > > > >   Username MYDOMAIN/MYUSERNAME is invalid on this system
> > > > > > > [2007/05/10 08:58:16, 3] smbd/error.c:error_packet(146)
> > > > > > >   error packet at smbd/sesssetup.c(315) cmd=115
> (SMBsesssetupX)
> > > > > > > NT_STATUS_LOGON_FAILURE
> > > > > > > (...)
> > > > > > >
> > > > > > >
> > > > > > > ******************************************************
> > > > > > > smb.conf:
> > > > > > >
> > > > > > > [global]
> > > > > > > winbind separator = /
> > > > > > > netbios name = MYNETBIOSNAME
> > > > > > > winbind enum users = yes
> > > > > > > workgroup = MYDOMAIN
> > > > > > > winbind enum groups = yes
> > > > > > > #password server = *
> > > > > > > password server = MYPASSWORDSERVER
> > > > > > > encrypt passwords = yes
> > > > > > > dns proxy = no
> > > > > > > realm = MYREALM
> > > > > > > security = ADS
> > > > > > > wins proxy = no
> > > > > > > winbind use default domain = Yes
> > > > > > > client use spnego = yes
> > > > > > > #idmap uid = 10000-20000
> > > > > > > #winbind gid = 10000-20000
> > > > > > > preferred master = no
> > > > > > > log level = 3
> > > > > > > wins server = x.x.x.x
> > > > > > > #auth methods = guest sam winbind
> > > > > > > #idmap uid = 10000-20000
> > > > > > > idmap gid = 10000-20000
> > > > > > >
> > > > > > >
> > > > > > > [testsamba]
> > > > > > >      comment = Samba testfolder
> > > > > > >      path = /testsamba
> > > > > > >      read only = no
> > > > > > >      valid users = MYDOMAIN/USERNAME
> > > > > > >
> > > > > > > ******************************************************
> > > > > > >
> > > > > > > I also mapped the domain groups with "net groupmap"
> > > > > > >
> > > > > > > # ./net groupmap list
> > > > > > > Domain Users
> (S-1-5-21-3687956107-1621720357-3427760348-513) ->
> > > > > > > domainusers
> > > > > > > Domain Guests (S-1-5-21-3687956107-1621720357-3427760348-997)
> > > > > -> nobody
> > > > > > > Administrators (S-1-5-32-544) -> 5000
> > > > > > > mygroup (S-1-5-21-3687956107-1621720357-3427760348-14001) ->
> > > > mygroup
> > > > > > > Users (S-1-5-32-545) -> 5001
> > > > > > >
> > > > > > > --> MYDOMAIN/USERNAME is a member of MYDOMAIN/mygroup
> > > > > > >
> ****************************************************************
> > > > > > >
> > > > > > > Why does it say "invalid user"? I think I should also be able
> > > > to
> > > > > > > browse the
> > > > > > > shares without a valid user...
> > > > > > >
> > > > > > > any help is much appreciated!!!
> > > > > > >
> > > > > > > Regards
> > > > > > > Urs
> > > > > > > --
> > > > > > > To unsubscribe from this list go to the following URL and read
> > > > the
> > > > > > > instructions:  https://lists.samba.org/mailman/listinfo/samba
> > > > > > >
> > > > > >
> > > > > > I would check
> > > > > > winbind separator = /
> > > > > >
> > > > > > to my knowledge it should be
> > > > > > winbind separator = \
> > > > > >
> > > > > > or it could be commented out, as its default is \
> > > > > >
> > > > > > I've set up Samba 3.0.24,1 on FreeBSD with ADS against a
> > > > > > Windows 2003 Server
> > > > > > and I did not specify winbind separator
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > > Why did you map only GROUPS
> > > > idmap gid = 10000-20000
> > > > and NOT users?
> > > > #idmap uid = 10000-20000
> > > >
> > > > Why have you set
> > > > client use spnego = yes
> > > >
> > > > What AD server are you connecting to?
> > > >
> > > > Here is my copy of smb.conf;
> > > > have a look, and check the differences...
> > > > My only problem at the moment is that the ls (list file) command doesn't
> > > > show me
> > > > AD user and group names, but only IDs. Not a problem, but it makes
> > > > server
> > > > management extremely difficult for non-pro people.
> > > >
> > > > [global]
> > > >         workgroup = MYDOMAIN
> > > >         realm = MYDOMAIN.IT
> > > >         server string = mail
> > > >         security = ADS
> > > >         password server = server.MYDOMAIN.it
> > > >         passdb backend = tdbsam
> > > >         log file = /var/log/samba/log.%m
> > > >         add user script = /usr/sbin/pw useradd %u
> > > >         delete user script = /usr/sbin/pw userdel %u
> > > >         add group script = /usr/sbin/groupadd %g
> > > >         delete group script = /usr/sbin/pw groupdel %g
> > > >         preferred master = No
> > > >         idmap uid = 10000-49999
> > > >         idmap gid = 10000-49999
> > > >         template homedir = /home/%U
> > > >         template shell = /bin/csh
> > > >         winbind cache time = 3600
> > > >         winbind enum users = Yes
> > > >         winbind enum groups = Yes
> > > >         winbind use default domain = Yes
> > > >         winbind nss info = rfc2307
> > > >         idmap config DMSWARE:range = 10000 - 49999
> > > >         idmap config DMSWARE:base_rid = 1000
> > > >         idmap config DMSWARE:backend = ad
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
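Added example, not code from this thread or from the Samba project: a small evaluator for the share-access keywords used in the [Home] and [websites] shares at the top of this message. It parses an smb.conf fragment, splits Samba name lists (entries separated by commas or whitespace, double quotes around a name containing spaces, '@'/'+'/'&' marking groups, DOMAIN joined to the name by the configured winbind separator) and answers "may this user connect to the share, and may they write?" the way smbd decides it: valid users / invalid users gate the connection, then read only together with write list (or read list) sets the access mode. The smb.conf text and the group memberships are constructed for the example, and the [staging] share is invented to exercise quoting, invalid users and a read-only share. Two things the run makes visible: with no valid users, [Home] admits every authenticated domain user with write access, as the poster says; and a group named only in write list (such as @DMSWARE\software on [websites]) gains nothing, because write list does not admit anyone, valid users does. Unix permissions are not modelled: a share-level write grant never overrides the owner and mode of the files on disk.

```python
import shlex

# Constructed sample config, modelled on the shares posted in this thread;
# [staging] is invented for the example.
SAMPLE_SMB_CONF = r"""
[global]
        workgroup = DMSWARE
        security = ADS
        ; the default separator is a backslash
        winbind separator = \

[Home]
        path = /home
        read only = No

[websites]
        path = /usr/local/www/
        valid users = DMSWARE\gianlucaculot
        write list = DMSWARE\gianlucaculot, @DMSWARE\software, @DMSWARE\softwarespv
        read only = No

[staging]
        valid users = @"DMSWARE\web admins", @DMSWARE\software
        invalid users = DMSWARE\contractor
        write list = @"DMSWARE\web admins"
        read only = Yes
"""

GROUP_PREFIXES = "@+&"   # '@' netgroup then UNIX group, '+' UNIX group, '&' netgroup

def parse_smb_conf(text):
    """{section: {parameter: value}}; parameters lower-cased, '#'/';' comments dropped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def split_name_list(value):
    """Samba name list: commas/whitespace separate entries, double quotes protect
    a name with spaces, backslashes stay literal so DOMAIN\\name survives."""
    lex = shlex.shlex(value, posix=True)
    lex.whitespace = " \t\r\n,"
    lex.whitespace_split = True
    lex.quotes = '"'
    lex.escape = ""       # no backslash escaping
    lex.commenters = ""
    return list(lex)

def canonical(name, sep):
    """('domain', 'name') for DOMAIN<sep>name, case-folded (Windows names are
    case-insensitive); a bare name gets an empty domain."""
    domain, _, short = name.rpartition(sep)
    return (domain.lower(), short.lower())

def entry_matches(entry, user, groups, sep):
    """A prefixed entry matches one of the user's groups, a plain one the user."""
    bare = entry.lstrip(GROUP_PREFIXES)
    if bare != entry:
        return canonical(bare, sep) in groups
    return canonical(entry, sep) == user

def lp_bool(value, default):
    """Samba boolean: yes/true/1/on are true, anything else is false."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1", "on")

def evaluate_share(conf, share, username, groupnames):
    """Return (may_connect, may_write) for username on share."""
    sep = conf.get("global", {}).get("winbind separator", "\\")
    params = conf[share]
    user = canonical(username, sep)
    groups = {canonical(g, sep) for g in groupnames}

    def in_list(param):
        return any(entry_matches(e, user, groups, sep)
                   for e in split_name_list(params.get(param, "")))

    # Connection: an empty 'valid users' admits every authenticated user,
    # 'invalid users' always wins; 'write list' plays no part here.
    if params.get("valid users") and not in_list("valid users"):
        return (False, False)
    if in_list("invalid users"):
        return (False, False)
    # Access mode, as smbd checks it: on a read-only share only 'write list'
    # matters, on a writable share only 'read list' matters.
    if lp_bool(params.get("read only"), default=True):
        return (True, in_list("write list"))
    return (True, not in_list("read list"))

if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, user, groups in [
        ("Home", r"DMSWARE\anyone", [r"DMSWARE\domain users"]),
        ("websites", r"DMSWARE\gianlucaculot", []),
        ("websites", r"DMSWARE\developer", [r"DMSWARE\software"]),
        ("staging", r"DMSWARE\webadmin", [r"DMSWARE\web admins"]),
        ("staging", r"DMSWARE\developer", [r"DMSWARE\software"]),
        ("staging", r"DMSWARE\contractor", [r"DMSWARE\web admins"]),
    ]:
        print(f"{share:9} {user:24} (connect, write) = {evaluate_share(conf, share, user, groups)}")
```

Running it prints one line per case; the developer in @DMSWARE\software is refused on [websites] despite the write list entry, while on [staging], where the group is also in valid users, they connect read-only. The separator is read from [global], so a config written with winbind separator = / and valid users = MYDOMAIN/USERNAME evaluates the same way, as long as the two are kept consistent.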



