[Samba] make_connection: connection to ipc$ denied due to security descriptor.
Marc-Henri PAMISEUX
marc-henri.pamiseux at libricks.org
Mon Nov 12 19:19:39 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi everybody,
I'm a French sysadmin and I've been using Samba for a long time.
Since my first use, I've written some useful documentation, and usually
I just have to follow this documentation and Samba works by itself ;)
Now I'm trying to install Samba as usual, but on a Debian Etch
AMD64 platform. All my previous installs were done on a Debian i386
platform, and most likely a woody distribution.
This Samba version is 3.0.24, and uname -an gives me:
Linux rhea 2.6.18-5-amd64 #1 SMP Tue Oct 2 20:37:02 UTC 2007 x86_64
GNU/Linux
In all cases, I've installed OpenLDAP, built my directory, configured
nsswitch and so on. When I type getent passwd, all my LDAP records are
seen and Samba authenticates fine against LDAP, as usual ;)
But when I try to join some workstations to this Samba server acting as
a PDC, sometimes it works and sometimes it doesn't. I've searched and
changed a lot of things in my configuration, and now most workstations
join the PDC fine, but I can't browse the network neighborhood: I get an
error message, and when I type \\MYSERVER in the URL bar I can see my
server's shares. Another strange thing: when two workstations have
joined the domain, they can't browse each other's shares or printers...
In all cases, the most frequent error log message is:
"smbd/service.c:make_connection_snum(782)
make_connection: connection to ipc$ denied due to security descriptor."
For example, here is a portion of a log file:
[2007/11/08 08:40:16, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/08 08:40:16, 2] smbd/sesssetup.c:setup_new_vc_session(799)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/08 08:40:16, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/11/08 08:40:16, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:40:16, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:40:17, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.212)
[2007/11/08 08:40:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:40:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:40:17, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to ipc$ denied due to security descriptor.
[2007/11/08 08:43:21, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:43:21, 2] lib/access.c:check_access(323)
Allowed connection from (192.168.1.212)
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:43:21, 0] smbd/service.c:make_connection_snum(782)
make_connection: connection to ipc$ denied due to security descriptor.
I think you want to see my smb.conf?
It's attached to this message as smb.sample.
My server IP is 192.168.1.2, and I've got an LDAP server on 127.0.0.1 and
a replica server on 192.168.1.3.
I've defined some group mappings, and all my users have the group named
SmbDomUsers (gid=513) as their primary group.
Sometimes, when I use the pdbedit command, I get the following lines:
Unix username: loic
NT username: loic
Account Flags: [UX ]
User SID: S-1-5-21-3280060803-927162377-3199414824-3006
Primary Group SID: S-1-5-21-3280060803-927162377-3199414824-513
Full Name: Compte de Loic
Home Directory: \\RHEA\loic
HomeDir Drive: U:
Logon Script: logon.cmd
Profile Painit_sam_from_ldap: Entry found for user: ludovic
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
init_sam_from_ldap: Entry found for user: pascal
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
init_sam_from_ldap: Entry found for user: francois
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
init_sam_from_ldap: Entry found for user: jerome
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
th: \\RHEA\loic\.winprofile
Domain: MYWORKGROUP
Account desc: Compte Utilisateur du domaine MYWORKGROUP
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Thu, 25 Oct 2007 11:13:26 CEST
Password can change: 0
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
What could be wrong?
Do you have an idea?
Some posts seen on the Internet make me think I should upgrade and that
this is caused by the 3.0.24 version...
Could that be true?
Thanks for your suggestions.
- --
Marc-Henri PAMISEUX
_ o _ o _
// // // __
//__ // / o) //o // ///° ( °
/___/// /__/ // // //\\ .__)
S.A.R.L. Libricks
Maison de la technopole
6, rue Léonard de Vinci - BP 0119
53001 LAVAL Cedex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHOKdLMJ9khz7GW8ERAuV5AJ9DJXfHCxXE3xB1qiGFiBfFifI3pwCfVYWH
ma+moVcQMf1fwpt1E5lQtKY=
=Ivyx
-----END PGP SIGNATURE-----
-------------- next part --------------
#======================= Global Settings =======================
[global]
;
## Browsing/Identification ###
workgroup = MYWORKGROUP
netbios name = RHEA
server string = Serveur-Fichiers
;
#### Debugging/Accounting ####
syslog = 0
syslog only = no
log level = 2
log file = /var/log/samba/log.%m
max log size = 1000
;
#### Browse Options ####
os level = 80
local master = yes
domain master = yes
preferred master = yes
;
########## Domains ###########
domain logons = yes
logon script = logon.cmd
logon drive = U:
logon home = \\%L\%U
# logon path = \\%L\%U\.winprofile
logon path =
;
########## Wins Options ##########
name resolve order = wins lmhosts hosts bcast
dns proxy = no
wins proxy = no
wins support = yes
;
####### Authentication #######
security = user
null passwords = no
unix password sync = no
encrypt passwords = true
update encrypted = yes
map to guest = Bad User
passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://192.168.1.3/"
passwd program = /usr/sbin/smbldap-passwd ?u %u
admin users = administrateur,@SmbDomAdmins
guest account = guest
username map = /etc/samba/smbusers
password level = 5
username level = 5
valid users = administrateur,guest,@SmbDomAdmins,@SmbDomUsers,@SmbUsers
client ntlmv2 auth = no
# auth methods =
# obey pam restrictions = yes
# restrict anonymous = 1
# invalid users = root
# pam pasword change = no
# acl group control = yes
;
#### Ldap Options ####
ldap delete dn = yes
ldap admin dn = "cn=admin,ou=ldapadmins,dc=local,dc=mydomain,dc=org"
ldap suffix = dc=local,dc=mydomain,dc=org
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap idmap suffix = ou=users
ldap ssl = no
ldap passwd sync = yes
;
#### Scripts Options ####
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w -i "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
# delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
panic action = /usr/share/samba/panic-action %d
;
#### Networking ####
bind interfaces only = true
interfaces = 127.0.0.1 192.168.1.2
remote announce = 192.168.1.255/HAPTION
socket options = IPTOS_LOWDELAY SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
hosts allow = 127.0.0.1 192.168.1.0/24
hosts deny = 0.0.0.0/0
time server = yes
include = /etc/samba/dhcp.conf
;
#### Filename Handling ####
preserve case = yes
short preserve case = yes
case sensitive = no
# default case = lower
dos charset = 850
unix charset = UTF-8
hide files = /.*/desktop.ini/ntuser.ini/NTUSER.*/
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xml/*.mdb/
create mode = 0660
force create mode = 660
directory mode = 0770
force directory mode = 770
;
#### Locking Options ####
oplocks = yes
level2 oplocks = yes
strict locking = yes
posix locking = yes
kernel oplocks = yes
oplock contention limit = 2
share modes = yes
;
#### Protocol Options ####
smb ports = 139 445
announce version = 5.2
announce as = NT Server
;
#### Winbind Options ####
idmap backend =
winbind use default domain = yes
# winbind nested groups = no
;
############ Misc ############
acl compatibility = win2k
nt acl support = yes
map acl inherit = yes
passdb expand explicit = no
use spnego = yes
disable netbios = no
client schannel = yes
server schannel = yes
host msdfs = yes
unix extensions = no
utmp = yes
browseable = yes
writable = no
available = yes
force group = SmbDomUsers
### FIN DE LA PARTIE GLOBALE #####
#======================= Share Definitions =======================
[ipc$]
path = /tmp
comment = Partage de maintenance systeme
#
[netlogon]
path = /home/shared/netlogon
comment = Partage des scripts de demarrage Windows
browseable = no
writable = yes
available = yes
guest ok = yes
share modes = no
locking = no
write list = administrateur,@SmbDomAdmins
valid users = administrateur,@SmbDomGuests,@SmbDomAdmins,@SmbDomUsers
;
[profiles]
path = %H/.winprofile
comment = Repertoire des profils
browseable = no
writeable = yes
available = yes
profile acls = yes
write list = %U,@SmbDomAdmins,@SmbDomUsers
valid users = %U,@SmbDomAdmins,@SmbDomUsers
force group = SmbDomUsers
directory mode = 0700
force directory mode = 700
create mode = 0600
force create mode = 600
#
[homes]
comment = Repertoire Personnel
browseable = no
writeable = yes
available = yes
valid users = %U
force group = SmbDomUsers
directory mode = 0700
force directory mode = 700
create mode = 0600
force create mode = 600
#
[achats]
path = /home/data/fournisseurs
comment = Gestion des fournisseurs
browseable = yes
writeable = yes
available = yes
write list = user1,@Secretariat,@SmbDomAdmins,@SmbAdministrators
valid users = user1,@Secretariat,@SmbDomAdmins,@SmbAdministrators,@SmbBackupOperators
force group = SmbDomUsers
#
[administratif]
path = /home/data/administratif
comment = Gestion et administration
browseable = yes
writeable = yes
available = yes
write list = @Secretariat,@Direction,@SmbDomAdmins,@SmbAdministrators
valid users = @Secretariat,@Direction,@SmbDomAdmins,@SmbAdministrators,@SmbBackupOperators
force group = SmbDomUsers
#
[bureau_etudes]
path = /home/data/bureau_etudes
comment = Bureau d'etudes mecanique et electronique
browseable = yes
writeable = yes
available = yes
write list = user2,@Mecanique,@Electronique,@SmbDomAdmins,@SmbAdministrators
valid users = user2,@Mecanique,@Electronique,@SmbDomAdmins,@SmbAdministrators,@SmbBackupOperators
force group = SmbDomUsers
#
[commercial]
path = /home/data/commercial
comment = Partage de Gestion commerciale
browseable = yes
writeable = yes
available = yes
write list = @Commercial,@Direction,@SmbDomAdmins,@SmbAdministrators
valid users = @Commercial,@Direction,@SmbDomAdmins,@SmbAdministrators,@SmbBackupOperators
force group = Commercial
#
[public]
path = /home/data/public
comment = Public Stuff
browseable = yes
writable = yes
available = yes
public = yes
write list = @SmbDomUsers,@SmbDomAdmins,@SmbAdministrators
valid users = @SmbDomUsers,@SmbDomAdmins,@SmbAdministrators,@SmbBackupOperators
force group = SmbDomUsers
force user = public
#
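Added example, not part of Marc-Henri's post nor of the Samba project's code: a small Python checker for the settings in the attached smb.conf that reach the IPC$ service. Parameters in the [global] section are the defaults for every service, and smbd builds its internal IPC$ service from those defaults, so the global `valid users` and `force group` lines apply to IPC$ as well; the hand-written `[ipc$]` section is flagged for the same reason. The script also prints the `sharesec` commands that view and clear the share ACL stored in share_info.tdb, which is the "security descriptor" the quoted log line refers to (`sharesec` is assumed to be present, as it is in Samba 3.0.23 and later). The parser, the finding codes, the function names and the two abridged sample configurations (the post's file and a counterpart with the IPC$-affecting lines moved out of [global]) are my own constructions.

```python
#!/usr/bin/env python3
"""check_ipc.py: flag smb.conf settings that affect connections to IPC$ and
print the sharesec commands that inspect the share ACL in share_info.tdb."""
import re
import sys
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$")

# Constructed sample: an abridged copy of the smb.conf attached to the post.
SAMPLE_CONF = """
[global]
   workgroup = MYWORKGROUP
   netbios name = RHEA
   security = user
   domain logons = yes
   valid users = administrateur,guest,@SmbDomAdmins,@SmbDomUsers,@SmbUsers
   force group = SmbDomUsers
   passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://192.168.1.3/"
[ipc$]
   path = /tmp
   comment = Partage de maintenance systeme
[netlogon]
   path = /home/shared/netlogon
   valid users = administrateur,@SmbDomGuests,@SmbDomAdmins,@SmbDomUsers
"""

# Constructed counterpart: per-share restrictions stay on the shares and
# nothing that would be inherited by IPC$ is left in [global].
HARDENED_CONF = """
[global]
   workgroup = MYWORKGROUP
   netbios name = RHEA
   security = user
   domain logons = yes
   passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://192.168.1.3/"
[netlogon]
   path = /home/shared/netlogon
   valid users = administrateur,@SmbDomGuests,@SmbDomAdmins,@SmbDomUsers
   force group = SmbDomUsers
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, key = value lines, '#' and
    ';' comments. Section and key names are lower-cased with whitespace
    collapsed, as Samba matches them case-insensitively. 'include =' is not
    followed, so run it on the merged file if you rely on includes."""
    conf: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(m.group("name").lower().split())
            conf.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key = " ".join(m.group("key").lower().split())
            conf[current][key] = m.group("val").strip()
    return conf


def split_list(value: str) -> List[str]:
    """Split a Samba user/group list ('a, @g b') into its entries."""
    return [e for e in re.split(r"[,\s]+", value) if e]


def ipc_findings(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for settings that reach IPC$.
    [global] parameters are the defaults for every service, and smbd's
    internal IPC$ service is created from those defaults."""
    findings: List[Tuple[str, str]] = []
    g = conf.get("global", {})
    if "valid users" in g:
        entries = split_list(g["valid users"])
        has_machine = any(e.endswith("$") for e in entries)
        findings.append(("global-valid-users",
            "valid users is set in [global], so it also gates IPC$; the list "
            f"{entries} contains {'a' if has_machine else 'no'} machine account "
            "(NAME$), which is what domain workstations connect as"))
    if "force group" in g:
        findings.append(("global-force-group",
            f"force group = {g['force group']} in [global] is inherited by IPC$"))
    if "ipc$" in conf:
        findings.append(("explicit-ipc-section",
            "smb.conf defines [ipc$] by hand (path = %s); smbd creates IPC$ "
            "itself, so this section is normally unnecessary"
            % conf["ipc$"].get("path", "?")))
    return findings


def sharesec_commands(share: str = "IPC$") -> List[str]:
    """Commands to view and delete the share ACL stored in share_info.tdb,
    the security descriptor named in the smbd log line."""
    return [f"sharesec '{share}' -v",   # view the stored ACL
            f"sharesec '{share}' -D"]   # delete it so the default ACL applies


def lint(text: str) -> List[str]:
    """Finding codes for an smb.conf text, in a fixed order."""
    return [code for code, _ in ipc_findings(parse_smb_conf(text))]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for code, why in ipc_findings(parse_smb_conf(text)):
        print(f"{code}: {why}")
    print("\nInspect / reset the stored IPC$ ACL with:")
    for cmd in sharesec_commands():
        print("  " + cmd)
```

Run it as `python3 check_ipc.py /etc/samba/smb.conf` on the server; with no argument it checks the embedded sample taken from the post. Keep `valid users` and `force group` on the individual shares rather than in [global], so that IPC$ keeps its defaults, and use the printed `sharesec -v` output to see whether an ACL has actually been stored for IPC$ before deleting it with `-D`.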