[Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)

Martin Terber mterber at gmx.net
Wed May 27 18:49:59 GMT 2009


Hi Max,

I have experienced something similar. First I considered this to be a 
bug, but as it seems it was a wrong approach.
As I am relatively new to Samba also, please do not consider this to be 
a perfect solution.
It just works ;):

    * In the Samba config and in local UNIX rights management (chmod),
      give free access to all folders.
    * I transformed all UNIX users to Samba users (including AD
      users+groups)
    * Make sure you have ACL installed.
    * Then, modify the access rights for your shares via ACL regarding
      to your AD groups and users.
    * I configured it with the ACL module in Webmin - it's quite
      comfortable.

You might consider broadening the idmap to fit the user IDs imported 
from AD:

        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431

Here is my complete smb.conf:
http://pastebin.com/f69fdd077


Here is one of my threads posted in Ubuntuforums. It should make no 
difference if you are using Centos:
http://ubuntuforums.org/showthread.php?t=1162457

Martin Terber
Krefelder Wall 5
50670 Köln
0221 29873581
0174 4891653
www.jesuspresley.net 




> ------------------------------------------------------------------------
>
> Subject:
> [Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)
> From:
> Max León <mleon at wirewatchers.com>
> Date:
> Tue, 26 May 2009 11:20:53 -0600
> To:
> samba at lists.samba.org
>
>
> Hi everyone,
>
> I have an issue with Samba against Active Directory.
> The authentication works just fine but when it comes to shares I've run into
> some problems.
>
> If I use any group mapping from the AD it won't let me access it so I figure
> that is where the problem lies.
> If I comment out "valid users", "force user" and "force group" then I have
> no problems and it goes by the file system restrictions.
> Has anyone ever run into the same problem? Is there a way to fix it?
>
> Thanks in advance.
>
>
> Here is my smb.conf:
>
> [global]
> netbios name = filer
> workgroup = MYCOMPANY
> realm = MYCOMPANY.COM
> preferred master = no
> server string = mycompany Filer
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> password server = *
> log level = 1 vfs:2
> log file = /var/log/samba/log.%m
> max log size = 1000
> name resolve order = wins lmshosts bcast
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> os level = 33
> local master = no
> domain master = no
> wins server = 192.168.0.10
> allow trusted domains = no
> idmap backend = rid:MYCOMPANY=1000-11000
> idmap uid = 1000-11000
> idmap gid = 1000-11000
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
> template homedir = /home/%U
> winbind separator = |
> winbind use default domain = Yes
> winbind cache time = 30
> use kerberos keytab = Yes
> printcap name = /etc/printcap
> unix extensions = no
>
> [homes]
>         comment = Home Directories
>         valid users = %D|%S
>         path = %H
>         read only = no
>         security mask = 0640
>         directory security mask = 0750
>         browsable = no
>         vfs objects = recycle
>                 recycle: keeptree = yes
>                 recycle: maxsize = 52428800
> [Internal]
>         comment = Internal Projects
>         path = /filer/internal
>         read only = yes
>         create mask = 0664
>         directory mask = 0775
>         browsable = yes
>         vfs object = recycle
>                 recycle: keeptree = yes
>                 recycle: maxsize = 52428800
>         valid users = @pm, @design
>         write list = @pm
>         force group = pm
>         force user = root
>         hide dot files = yes
>         msdfs root = yes
>
>
> Here is the error from the workstation that is trying to get access to the
> server.
> The user is part of the Group PM.
>
> Error from log.%m:
>
> [2009/05/26 10:36:55, 1] smbd/service.c:close_cnum(1230)
>   traveller (192.168.0.71) closed connection to service Internal
> [2009/05/26 10:36:58, 0] auth/auth_util.c:create_builtin_administrators(844)
>   create_builtin_administrators: Failed to create Administrators
> [2009/05/26 10:36:58, 0] auth/auth_util.c:create_builtin_users(810)
>   create_builtin_users: Failed to create Users
> [2009/05/26 10:36:58, 1] smbd/service.c:make_connection_snum(1033)
>   traveller (192.168.0.71) connect to service Internal initially as user
> MYCOMPANY|max.leon (uid=2109, gid=2216) (pid 14369)
>
> id max.leon
> uid=2109(max.leon) gid=2216(mycompany)
> groups=2216(mycompany),2152(browse),2108(remote),2190(macadmin),2146(developers),2204(flashdev),2140(qa),2141(design),2180(it-tech),1513(domain users),2139(engineering),2177(pm),1512(domain admins)
>
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: [Samba] empty authentication string sent so samba-server
> From:
> Volker Schwicking <vos at bee.de>
> Date:
> Wed, 27 May 2009 09:32:37 +0200
>
> CC:
> samba at lists.samba.org
>
>
> Come on, somebody's got to have at least an idea :-)
>
> Volker Schwicking wrote:
>> Hi,
>>
>> for the last two weeks I've been trying to authenticate against a
>> samba-domain using a win2k3-server. The server joined the domain without
>> any problem and the basic login seems to work. But if I try to execute
>> programs from a mapped network drive (mapped using a domain-logon-script),
>> it fails with a message telling me that I don't have sufficient rights
>> to do so.
>>
>> the share has a forced user and group like this:
>>
>> ...
>> [programm]
>>    comment = samba
>>    guest ok = yes
>>    path = /samba
>>    public = yes
>>    browseable = yes
>>    writable = yes
>>    force user = samba
>>    force group = users
>> ...
>>
>> this only happens on the win2k3-server, all xp-workstations work just
>> fine with domain-logons, network-drives, logon-scripts, etc. In the
>> samba-logs for the win2k3-server I found this:
>>
>> ...
>> [2009/05/22 09:20:51, 3] auth/auth.c:check_ntlm_password(219)
>>   check_ntlm_password:  Checking password for unmapped user
>> []\[]@[SRV_NAME] with the new password interface
>> ...
>>
>> compared to logons from an xp-workstation it's missing the user/domain
>> part that should look like this:
>>
>> ...
>> [2009/05/22 09:15:45, 3] auth/auth.c:check_ntlm_password(219)
>>   check_ntlm_password:  Checking password for unmapped user
>> [WORKGROUP]\[kappen]@[BUCHHALTUNG] with the new password interface
>> ...
>>
>> does anyone have an idea what seems to be the problem with win2k3?
>> maybe it's a switch I have to (de)activate on the win2k3-side?
>>
>> regards
>> volker
>>
>
> Kind regards
> Volker Schwicking
> ------------------------------------------------------------------------
>

