[Samba] ADS / nsswitch.conf questions

Whit Blauvelt whit+samba at transpect.com
Thu Feb 14 18:38:01 GMT 2008

Less confused than when I posted yesterday. But still not golden.

The ADS stuff works if I test with nsswitch.conf containing _only_ winbind,

passwd:         winbind
group:          winbind

But if I have it as "files winbind" (of course necessary to not have the
local accounts time out and the system become unusable) then there are
problems. Trying a login with smbclient from another box with the same ADS
user which works when it's just winbind for passwd and group logs the error:

[2008/02/14 13:16:39, 2] smbd/service.c:make_connection_snum(616)   
  user 'whit' (from session setup) not permitted to access this share (BLAH)

While smbclient shows:

tree connect failed: NT_STATUS_ACCESS_DENIED

But 'whit' is in the valid users list in smb.conf for that share, and is
working with the winbind-only configuration of nsswitch.conf, as well as
with the smbpasswd-only configuration of Samba. It works if I comment out
the ADS lines from smb.conf, and run against an smbpasswd file.

When Samba's doing ADS, even with "files winbind" in the nsswitch.conf
settings, and 'whit' in smbpasswd, running with the smbpasswd password for
'whit' produces:

session setup failed: NT_STATUS_LOGON_FAILURE

But "files" should have had it looking to system files first, right? So it
should have succeeded rather than fallen through to NT_STATUS at all? 

Searching through the list archives, there's a hint this may be connected to
PAM issues? Have others run into this?

