No subject


Fri Nov 27 03:00:06 MST 2009


su testuser11 
cd /storage/CME/test 

No problem. But when I try to access the same directory in Windows I get these entries in my logs: 

/var/log/samba/log.smbd 
------------------ 
[2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350) 
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! 

log.winbindd reports no errors, so the SID/UID mapping seems to be working correctly. 
I know this because the minute I give access to this share to testgroup9 the Windows users can immediately access the folder, i.e. setfacl -m g:testgroup9:r-x /storage/CME/test 


Testshare on Samba FS 
----------------- 
getfacl testshare 

# file: storage/CME/test 
# owner: root 
# group: Domain Users 
user::rwx 
group::rwx 
group:testgroup10:r-x 
mask::rwx 
other::--- 

I've pored through documentation for weeks including these articles among others: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598913 
http://www.samba.org/samba/history/samba-3.3.0.html 
man smb.conf 

Here are my final questions. 

Has anyone got the "winbind expand groups" option to function properly with Windows clients? 
Am I using the proper idmap settings? 
Would setting up an LDAP backend with the editposix option help anything? 
Is there something I need to do on the Windows server side? (I have installed Unix Extensions but not sure how to assign UIDs/GIDs) 

It seems that everything is working how it's supposed to 'cept I'm probably missing something very simple. Anyone with any kind of help would be appreciated. 

SMB.CONF 
--------------- 
[global] 
workgroup = CME 
security = ads 
passdb backend = tdbsam:/etc/samba/passdb.tdb 
idmap backend = rid 
# have tested with tdb also with no luck 
idmap uid = 110000-119999 
idmap gid = 110000-119999 
idmap cache time = 3600 
idmap negative cache time = 300 
winbind cache time = 900 
winbind expand groups = 10 
winbind enum users = Yes 
winbind enum groups = Yes 
winbind use default domain = true 
template shell = /bin/bash 
template homedir = /home/%D/%U 
machine password timeout = 2592000 
realm = CME.COM 
use kerberos keytab = yes 
password server = prod-srv-8.cme.com 
nt acl support = yes 
map acl inherit = yes 
winbind nss info = rfc2307 
allow trusted domains = no 

[CME] 
path = /storage/CME 
writeable = yes 
inherit acls = yes 
inherit permissions = yes 
security mask = 0770 
force security mode = 0770 
directory security mask = 0770 
force directory security mode = 0770 
force create mode = 0770 
map archive = yes 
store dos attributes = yes 



NSSWITCH.CONF 
---------------------- 
passwd: files winbind 
shadow: files winbind 
group: files winbind 
hosts: files wins dns 
bootparams: nisplus [NOTFOUND=return] files 
ethers: files 
netmasks: files 
networks: files 
protocols: files winbind 
rpc: files winbind 
services: files 
netgroup: files winbind 
publickey: nisplus 
automount: files 
aliases: files nisplus winbind 


KRB5.CONF 
---------------------- 
[logging] 
default = FILE:/var/log/krb5libs.log 
kdc = FILE:/var/log/krb5kdc.log 
admin_server = FILE:/var/log/kadmind.log 

[libdefaults] 
default_realm = CME.COM 
dns_lookup_realm = true 
dns_lookup_kdc = true 
ticket_lifetime = 24h 
forwardable = yes 

[realms] 
CME.COM = { 
kdc = prod-srv-8.cme.com:88 
admin_server = prod-srv-8.cme.com:749 
default_domain = cme.com 
kdc = prod-srv-8.cme.com 
} 

[domain_realm] 
.cme.com = CME.COM 
cme.com = CME.COM 

[appdefaults] 
pam = { 
debug = false 
ticket_lifetime = 36000 
renew_lifetime = 36000 
forwardable = true 
krb4_convert = false 
} 


Joined Domain 
---------------------- 
net ads testjoin 
Join is OK 


Time 
--------------------- 
NTP is setup on both Windows and Linux and time is always in sync. 


Samba Server's nameserver is the AD PDC. 

Authconfig --test output 
------------------------------------------ 
caching is disabled 
nss_files is always enabled 
nss_compat is disabled 
nss_db is disabled 
nss_hesiod is disabled 
hesiod LHS = "" 
hesiod RHS = "" 
nss_ldap is disabled 
LDAP+TLS is disabled 
LDAP server = "ldap://127.0.0.1/" 
LDAP base DN = "dc=example,dc=com" 
nss_nis is disabled 
NIS server = "" 
NIS domain = "" 
nss_nisplus is disabled 
nss_winbind is enabled 
SMB workgroup = "CME" 
SMB servers = "prod-srv-8.cme.com" 
SMB security = "ads" 
SMB realm = "CME.COM" 
Winbind template shell = "/bin/bash" 
SMB idmap uid = "110000-119999" 
SMB idmap gid = "110000-119999" 
nss_wins is enabled 
pam_unix is always enabled 
shadow passwords are enabled 
password hashing algorithm is md5 
pam_krb5 is enabled 
krb5 realm = "CME.COM" 
krb5 realm via dns is enabled 
krb5 kdc = "prod-srv-8.cme.com:88,prod-srv-8.cme.com" 
krb5 kdc via dns is enabled 
krb5 admin server = "prod-srv-8.cme.com:749" 
pam_ldap is disabled 

LDAP+TLS is disabled 
LDAP server = "ldap://127.0.0.1/" 
LDAP base DN = "dc=example,dc=com" 
pam_pkcs11 is disabled 

use only smartcard for login is disabled 
smartcard module = "coolkey" 
smartcard removal action = "Ignore" 
pam_smb_auth is enabled 
SMB workgroup = "CME" 
SMB servers = "prod-srv-8.cme.com" 
pam_winbind is enabled 
SMB workgroup = "CME" 
SMB servers = "prod-srv-8.cme.com" 
SMB security = "ads" 
SMB realm = "CME.COM" 
pam_cracklib is enabled (try_first_pass retry=3) 
pam_passwdqc is disabled () 
pam_access is disabled () 
pam_mkhomedir is enabled () 
Always authorize local users is enabled () 
Authenticate system accounts against network services is disabled 


Charles Johnson 
Information Technology 
Custom Manufacturing & Engineering 
2904 44th Ave. N 
St. Petersburg, FL 33714 
P: 727-548-0522 ext 1759 
F: 727-541-8822 
www.custom-mfg-eng.com 
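The log line quoted above ("Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE") means smbd could not decrypt the Kerberos service ticket the Windows client presented; when that happens the session usually falls back to NTLM, which is why the share still works once the right group is on the ACL. The script below is an added example written for this archive, not code from the original post or from Samba. It runs offline against text a practitioner captures on the member server (`klist -k -e /etc/krb5.keytab`, `kvno <principal>` while holding a ticket from the domain, and the smbd log) and reports the usual causes: the SPN the client requested is not in the keytab, the keytab's key version (kvno) is behind the KDC's because the machine password was rotated without the keytab being refreshed, or the keytab has no key of the ticket's encryption type. The hostname fileserver.cme.com, the kvno values, the enctypes and the assumption that Windows SMB clients ask for cifs/<fqdn> are illustrative assumptions, not values from the post.

```python
"""Offline triage for smbd's "Failed to verify incoming ticket" error.

Added example; not code from the original post or from Samba. It parses
captured output of `klist -k -e` (MIT format), `kvno`, and the smbd log.
All data below is constructed; hostname, kvno values and enctypes are
assumptions, not values from the post.
"""
import re
from collections import defaultdict

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")
SMBD_HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
TICKET_FAIL = "Failed to verify incoming ticket with error "

# Constructed `klist -k -e` output: keys still at kvno 2, no cifs/ entry.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/fileserver.cme.com@CME.COM (arcfour-hmac)
   2 host/fileserver@CME.COM (arcfour-hmac)
   2 FILESERVER$@CME.COM (arcfour-hmac)
"""

# Constructed `kvno` output: the KDC is already issuing kvno 3.
SAMPLE_KVNO = """\
cifs/fileserver.cme.com@CME.COM: kvno = 3
host/fileserver.cme.com@CME.COM: kvno = 3
FILESERVER$@CME.COM: kvno = 3
"""

# Constructed log excerpt in the format quoted in the post.
SAMPLE_SMBD_LOG = """\
[2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2010/01/04 16:09:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
"""

# Principals the server must hold keys for (assumption: Windows SMB clients
# request cifs/<fqdn>; the keytab also carries host/<fqdn> and the account).
REQUIRED = ["cifs/fileserver.cme.com@CME.COM",
            "host/fileserver.cme.com@CME.COM",
            "FILESERVER$@CME.COM"]


def parse_keytab(text):
    """principal -> {kvno -> set(enctype)} from `klist -k -e` output."""
    keytab = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keytab[m.group(2)][int(m.group(1))].add(m.group(3))
    return keytab


def parse_kvno(text):
    """principal -> kvno from `kvno` output."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_LINE.match, text.splitlines()) if m}


def ticket_failures(log_text):
    """(timestamp, NT_STATUS code) for every rejected ticket in smbd's log."""
    failures, ts = [], None
    for line in log_text.splitlines():
        h = SMBD_HEADER.match(line)
        if h:
            ts = h.group(1)          # remember the timestamp of the header line
        elif TICKET_FAIL in line:    # the message is on the following line
            status = line.split(TICKET_FAIL, 1)[1].strip().rstrip("!")
            failures.append((ts, status))
    return failures


def check_keytab(keytab, kdc_kvno, required, ticket_etype=None):
    """Human-readable findings; an empty list means the keytab looks fine."""
    findings = []
    for princ in required:
        if princ not in keytab:
            findings.append(f"{princ}: not in keytab")
            continue
        want = kdc_kvno.get(princ)
        if want is None:
            findings.append(f"{princ}: KDC kvno not captured, cannot compare")
        elif want not in keytab[princ]:
            findings.append(f"{princ}: keytab has kvno {sorted(keytab[princ])}, "
                            f"KDC issues kvno {want} (stale keytab)")
        if ticket_etype and not any(ticket_etype in ets for ets in keytab[princ].values()):
            findings.append(f"{princ}: no {ticket_etype} key in keytab")
    return findings


def triage(klist_text, kvno_text, log_text, required, ticket_etype=None):
    """Bundle the log evidence with the keytab findings."""
    return {"failures": ticket_failures(log_text),
            "findings": check_keytab(parse_keytab(klist_text), parse_kvno(kvno_text),
                                     required, ticket_etype)}


if __name__ == "__main__":
    report = triage(SAMPLE_KLIST, SAMPLE_KVNO, SAMPLE_SMBD_LOG, REQUIRED, "arcfour-hmac")
    print(f"{len(report['failures'])} rejected tickets")
    for finding in report["findings"]:
        print(" -", finding)
```

On the constructed data the script reports two rejected tickets, a missing cifs/ entry and a kvno 2 vs 3 mismatch; on a real server the remedy for the latter is to re-create the keytab from the current machine account, and the remedy for the former is to add the missing SPN, after which smbd should stop falling back to NTLM.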
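On the idmap question: the rid backend in the smb.conf above does not allocate ids, it computes them, and a SID whose result falls outside the configured range simply gets no Unix id. The following is an added example for this archive, not code from the post or from Samba; it reproduces the documented idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID for the range 110000-119999 used in the post and shows which SIDs from a user's token would be left without a gid. The domain SID, the RIDs in the sample token and the foreign-domain SID are constructed.

```python
"""idmap_rid arithmetic for the range used in the post.

Added example; not from the post or from Samba. The rid backend maps
ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0), and a SID
whose result is outside [low, high], or that belongs to another domain,
gets no Unix id. With "idmap uid = 110000-119999" only RIDs 0..9999 fit.
The domain SID and the token below are constructed for illustration.
"""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(sid, low, high, base_rid=0, domain_sid=DOMAIN_SID):
    """Unix id the rid backend would assign, or None when the SID cannot map
    (SID from another domain, or result outside [low, high])."""
    m = SID_RE.match(sid)
    if not m or m.group(1) != domain_sid:
        return None
    uid = int(m.group(2)) - base_rid + low
    return uid if low <= uid <= high else None


def unmappable(sids, low, high, base_rid=0, domain_sid=DOMAIN_SID):
    """SIDs from a token that get no id under this range and therefore
    cannot appear in the user's Unix group list."""
    return [s for s in sids if rid_to_id(s, low, high, base_rid, domain_sid) is None]


def highest_mappable_rid(low, high, base_rid=0):
    """Largest RID this range can represent."""
    return high - low + base_rid


# Constructed token: Domain Users (well-known RID 513), two groups with
# ordinary RIDs, one whose RID is past the range, and a trusted-domain SID.
TOKEN = [f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-1106",
         f"{DOMAIN_SID}-12007", "S-1-5-21-9-9-9-1105"]

if __name__ == "__main__":
    for sid in TOKEN:
        print(sid, "->", rid_to_id(sid, 110000, 119999))
    print("highest mappable RID:", highest_mappable_rid(110000, 119999))
    print("dropped from Unix token:", unmappable(TOKEN, 110000, 119999))
```

If a group that should grant access has a RID above the limit the function reports, or lives in a trusted domain, it will be absent from the Unix groups `id` shows for that user no matter what "winbind expand groups" is set to; widening the range (or using base rid) fixes the former, and with "allow trusted domains = no" the latter is dropped by design.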