su testuser11 
cd /storage/CME/test 

No problem. But when I try to access the same directory in Windows I get these entries in my logs...

[2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350) 
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! 

log.winbindd reports no errors, so the SID/UID mapping seems to be working correctly.
I know this because the minute I give access to this share to testgroup9 the Windows users can immediately access the folder, i.e. setfacl -m g:testgroup9:r-x /storage/CME/test

Testshare on Samba FS 
getfacl testshare 

# file: storage/CME/test 
# owner: root 
# group: Domain Users 

I've pored through documentation for weeks, including these articles among others:
man smb.conf 

Here are my final questions. 

Has anyone got the "winbind expand groups" option to function properly with Windows clients?
Am I using the proper idmap settings? 
Would setting up an LDAP backend with the editposix option help anything? 
Is there something I need to do on the Windows server side? (I have installed Unix Extensions but am not sure how to assign UIDs/GIDs)

It seems that everything is working how it's supposed to, except I'm probably missing something very simple. Anyone with any kind of help would be appreciated.

/etc/samba/smb.conf:

[global]
workgroup = CME
security = ads 
passdb backend = tdbsam:/etc/samba/passdb.tdb 
idmap backend = rid (have tested with tdb also with no luck) 
idmap uid = 110000-119999 
idmap gid = 110000-119999 
idmap cache time = 3600 
idmap negative cache time = 300 
winbind cache time = 900 
winbind expand groups = 10 
winbind enum users = Yes 
winbind enum groups = Yes 
winbind use default domain = true 
template shell = /bin/bash 
template homedir = /home/%D/%U 
machine password timeout = 2592000 
realm = CME.COM 
use kerberos keytab = yes 
password server = 
nt acl support = yes 
map acl inherit = yes 
winbind nss info = rcf2307 
allow trusted domains = no 

path = /storage/CME 
writeable = yes 
inherit acls = yes 
inherit permissions = yes 
security mask = 0770 
force security mode = 0770 
directory security mask = 0770 
force directory security mode = 0770 
force create mode = 0770 
map archive = yes 
store dos attributes = yes 

/etc/nsswitch.conf:

passwd: files winbind
shadow: files winbind 
group: files winbind 
hosts: files wins dns 
bootparams: nisplus [NOTFOUND=return] files 
ethers: files 
netmasks: files 
networks: files 
protocols: files winbind 
rpc: files winbind 
services: files 
netgroup: files winbind 
publickey: nisplus 
automount: files 
aliases: files nisplus winbind 

/etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log 
admin_server = FILE:/var/log/kadmind.log 

[libdefaults]
default_realm = CME.COM
dns_lookup_realm = true 
dns_lookup_kdc = true 
ticket_lifetime = 24h 
forwardable = yes 

[realms]
CME.COM = {
kdc = 
admin_server = 
default_domain = 
kdc =
}

[domain_realm]
CME.COM = CME.COM

[appdefaults]
pam = {
debug = false 
ticket_lifetime = 36000 
renew_lifetime = 36000 
forwardable = true 
krb4_convert = false
}

Joined Domain 
net ads testjoin 
Join is OK 

NTP is setup on both Windows and Linux and time is always in sync. 

Samba Server's nameserver is the AD PDC. 

authconfig --test output:
caching is disabled 
nss_files is always enabled 
nss_compat is disabled 
nss_db is disabled 
nss_hesiod is disabled 
hesiod LHS = "" 
hesiod RHS = "" 
nss_ldap is disabled 
LDAP+TLS is disabled 
LDAP server = "ldap://" 
LDAP base DN = "dc=example,dc=com" 
nss_nis is disabled 
NIS server = "" 
NIS domain = "" 
nss_nisplus is disabled 
nss_winbind is enabled 
SMB workgroup = "CME" 
SMB servers = "" 
SMB security = "ads" 
SMB realm = "CME.COM" 
Winbind template shell = "/bin/bash" 
SMB idmap uid = "110000-119999" 
SMB idmap gid = "110000-119999" 
nss_wins is enabled 
pam_unix is always enabled 
shadow passwords are enabled 
password hashing algorithm is md5 
pam_krb5 is enabled 
krb5 realm = "CME.COM" 
krb5 realm via dns is enabled 
krb5 kdc = "," 
krb5 kdc via dns is enabled 
krb5 admin server = "" 
pam_ldap is disabled 

LDAP+TLS is disabled 
LDAP server = "ldap://" 
LDAP base DN = "dc=example,dc=com" 
pam_pkcs11 is disabled 

use only smartcard for login is disabled 
smartcard module = "coolkey" 
smartcard removal action = "Ignore" 
pam_smb_auth is enabled 
SMB workgroup = "CME" 
SMB servers = "" 
pam_winbind is enabled 
SMB workgroup = "CME" 
SMB servers = "" 
SMB security = "ads" 
SMB realm = "CME.COM" 
pam_cracklib is enabled (try_first_pass retry=3) 
pam_passwdqc is disabled () 
pam_access is disabled () 
pam_mkhomedir is enabled () 
Always authorize local users is enabled () 
Authenticate system accounts against network services is disabled 
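An added example, not from the original post and not Samba's own code: a small Python checker that parses an smb.conf fragment modelled on the global and share sections above, plus the quoted smbd log lines, and flags the things a reviewer looks for first before chasing a Kerberos error: option values Samba does not accept, idmap ranges that collide with local accounts, non-octal mode masks, and the NT_STATUS code behind the "Failed to verify incoming ticket" message. The accepted values for "winbind nss info" are taken from the Samba 3.x smb.conf(5) man page; the 1000 local-ID ceiling and the [cme] share name (the post does not show the share name) are assumptions.

```python
"""Sanity checks for a Samba ADS member config and an smbd log line (added example)."""
import re

# Values accepted for "winbind nss info" (assumption: Samba 3.x smb.conf(5) man page).
VALID_NSS_INFO = {"template", "sfu", "sfu20", "rfc2307"}

# Lowest ID an idmap range may use without overlapping local accounts
# (assumption: the common UID_MIN default of 1000).
LOCAL_ID_CEILING = 1000

# Constructed smb.conf fragment mirroring the post; [global] is implied by the
# options used, the share name "cme" is an assumption.
SAMPLE_SMB_CONF = """
[global]
    workgroup = CME
    security = ads
    realm = CME.COM
    idmap backend = rid
    idmap uid = 110000-119999
    idmap gid = 110000-119999
    winbind nss info = rcf2307
    winbind use default domain = true

[cme]
    path = /storage/CME
    writeable = yes
    inherit acls = yes
    security mask = 0770
    force security mode = 0770
"""

# Constructed copy of the two smbd log lines quoted in the post.
SAMPLE_LOG = (
    "[2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)\n"
    "  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!"
)


def _norm(name):
    """Samba matches option names case-insensitively and ignores whitespace."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised option: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][_norm(key)] = value.strip()
    return conf


def parse_range(value):
    """Turn an idmap range such as '110000-119999' into (low, high), else None."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def check_config(conf):
    """Return a list of human-readable findings about the parsed configuration."""
    findings = []
    g = conf.get("global", {})

    nss_info = g.get(_norm("winbind nss info"))
    if nss_info and nss_info.lower() not in VALID_NSS_INFO:
        findings.append("winbind nss info = %r is not an accepted value (%s)"
                        % (nss_info, ", ".join(sorted(VALID_NSS_INFO))))

    for opt in ("idmap uid", "idmap gid"):
        rng = parse_range(g.get(_norm(opt)))
        if rng is None:
            findings.append("%s is missing or not a LOW-HIGH range" % opt)
        elif rng[0] < LOCAL_ID_CEILING:
            findings.append("%s starts at %d, overlapping local accounts" % (opt, rng[0]))

    mode_opts = ("security mask", "force security mode", "directory security mask",
                 "force directory security mode", "force create mode")
    for name, opts in conf.items():
        if name == "global":
            continue
        for opt in mode_opts:
            val = opts.get(_norm(opt))
            if val is not None and not re.fullmatch(r"0[0-7]{3,4}", val):
                findings.append("[%s] %s = %r is not an octal mode" % (name, opt, val))
    return findings


def parse_smbd_log(text):
    """Extract timestamp, debug level, source location and NT_STATUS code, or None."""
    header = re.search(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)",
                       text, re.M)
    if not header:
        return None
    status = re.search(r"\b(NT_STATUS_[A-Z0-9_]+)", text)
    return {
        "time": header.group(1),
        "level": int(header.group(2)),
        "where": header.group(3),
        "status": status.group(1) if status else None,
        "kerberos_verify_failed": "verify incoming ticket" in text,
    }


if __name__ == "__main__":
    for finding in check_config(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("finding:", finding)
    print(parse_smbd_log(SAMPLE_LOG))
```

Run as a script, the only finding for the sample is that winbind nss info = rcf2307 is not one of the values Samba accepts (the man page spells it rfc2307); an unaccepted value is worth confirming in the live smb.conf before spending time on the ticket-verification error, since the two symptoms are easy to conflate. Parsing the log line into its NT_STATUS code is what you would feed a log monitor so that repeated LOGON_FAILURE results on Kerberos ticket verification are alerted on as a separate signal from ordinary password failures.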

