[Samba] ADS / nsswitch.conf questions
Whit Blauvelt
whit+samba at transpect.com
Thu Feb 14 18:38:01 GMT 2008
Less confused than when I posted yesterday. But still not golden.
The ADS stuff works if I test with nsswitch.conf containing _only_ winbind,
like:
passwd: winbind
group: winbind
But if I have it as "files winbind" (of course necessary to not have the
local accounts time out and the system become unusable) then there are
problems. Trying a login with smbclient from another box with the same ADS
user which works when it's just winbind for passwd and group logs the error:
[2008/02/14 13:16:39, 2] smbd/service.c:make_connection_snum(616)
user 'whit' (from session setup) not permitted to access this share (BLAH)
While smbclient shows:
tree connect failed: NT_STATUS_ACCESS_DENIED
But 'whit' is in the valid users list in smb.conf for that share, and is
working with the winbind-only configuration of nsswitch.conf, as well as
with the smbpasswd-only configuration of samba. It works if I comment out
the ADS lines from smb.conf, and run against an smbpasswd file.
When Samba's doing ADS, even with "files winbind" in the nsswitch.conf
settings, and 'whit' in smbpasswd, running with the smbpasswd password for
'whit' produces:
session setup failed: NT_STATUS_LOGON_FAILURE
But "files" should have had it looking to system files first, right? So it
should have succeeded rather than fallen through to NT_STATUS at all?
Searching through the list archives, there's a hint this may be connected to
pam issues? Have others run into this?
Best,
Whit
More information about the samba
mailing list