[Samba] Samba with ADS (cont.)

McGranahan, Jamen jamen.mcgranahan at Vanderbilt.Edu
Tue Jun 16 18:17:22 GMT 2009 

Thank you everyone for your advice / suggestions. I have made a little progress, but still not able to map to my share through Active Directory. I wanted to post some of the things that I tried:

Replaced /usr/lib/nss_winbind.so with what was in the source directory for Samba-3.3.3.
Created softlink to /usr/lib/nss_winbind.so.1 from /usr/lib/nss_winbind.so.
Replaced /lib/libnss_winbind.so with what was in the source directory for Samba-3.3.3.
Created softlink to /lib/libnss_winbind.so.2 from /lib/libnss_winbind.so (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html)
I added winbind enum users = yes & winbind enum groups = yes to smb.conf (though my other setups do not have this) and still nothing.

After a server reboot, I got getent passwd to work - for about 5 minutes - and then nothing. One of the error logs said my idmap was full, so I increased the size in my smb.conf file from 1000-2000 to 1000-200000. However, that has had no effect.

I'm not able to map to the share drive (though someone said that winbind is not necessary). I did finally get getent to produce results by stopping nscd service. I discovered this document where it details the NSCD issue - http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html (bottom of the page). Once I stopped that service, getent passwd & getent group produced results from my AD.

Now the issue is that I am still not able to mount to the share folder on the server. My machine name log file also has this, which has me concerned:

[2009/06/16 12:48:21,  0] lib/util.c:smb_panic(1673)
  PANIC (pid 1853): sys_setgroups failed
[2009/06/16 12:48:21,  0] lib/util.c:log_stack_trace(1827)
  unable to produce a stack trace on this platform
[2009/06/16 12:48:21,  0] lib/fault.c:dump_core(231)
  dumping core in /usr/local/samba/var/cores/smbd

In the log file for my IP address, I show this:
[2009/06/16 13:04:57,  1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

I thought maybe my Kerberos ticket had expired, so I reissued it, but this message continues to display. I also thought it might be a firewall issue on the server, so I modified the ipf.conf file, added my IP address (with ports 139/445), and restarted it. Still nothing.

In my log file for my domain, I have this (last few entries):
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_ACCESS_DENIED received from host DC-1.ds.vanderbilt.edu, pipe \samr, fnum 0x800b!

My other installs of this setup work well, so I'm not sure what is going on here. I did try the suggestion of not even using winbind, modifying my smb.conf file accordingly, but that didn't work either. I'm really at a loss here.

***********************************
* Jamen McGranahan
* Systems Services Librarian
* Library Information Technology Services
* Vanderbilt University
* Suite 700
* 110 21st Avenue South
* Nashville, TN  37240
* (615) 343-1614
* (615) 343-8834 (fax)
* jamen.mcgranahan at vanderbilt.edu
***********************************

More information about the samba mailing list