[Samba] ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied

Andreas Zickner andreas at zickner.de
Sat Oct 3 10:28:51 MDT 2009

Hello all,

For some weeks I have been trying to get the following configuration working:

Windows 2003 AD (no R2!!) with SFU 3.5
Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
  Samba (samba-3.0.33-3.14.el5)
  nss_ldap (nss_ldap-253-21.el5)

So I wanted to implement the following setup:


The main reason for using this combination is that I must maintain the 
UID/GID of users in the AD. The UIDs of the users must be the same on 
all UX systems. I have two Samba servers and other UX-only servers.

(let me know if you find a better way of doing this type of integration)

I followed several manuals and howtos to get it running. It all looks to be 
working except that I can't mount shares with Samba. From my point of 
view, Samba returns a strange error:

Here is the log (user tata -> UID 10000 from AD):

[2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
   UNIX token of user 10000
   Primary group is 10003 and contains 3 supplementary groups
   Group[  0]: 603
   Group[  1]: 600
   Group[  2]: 602
[2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
   change_to_user uid=(10000,10000) gid=(0,10003)
[2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
   '/home/tata' does not exist or permission denied when connecting to [share1] Error was Permission denied

I checked the source code and it looks to me as if Samba does a 'stat 
/home/tata' running as user tata (uid 10000) but gets a 
'Permission denied' from the OS. OK, I thought this is simply a 
permission issue .... no success :-(

OK, what I already did and what is working:

* /home/tata exists and has 777 (for testing ... I also tried 755)
* 'su - tata' and 'stat /home/tata' are OK
* I can log on with the AD users on UX / ssh etc.; I have access etc.
* 'getent passwd' is fine
* 'wbinfo -u' and 'wbinfo -g' are fine
* mounting a share 'tmp' with /tmp is working!!
* Kerberos and winbind look OK to me ...
* winbind authentication of the user seems to be fine (from the logs)
* all things I see with the 'net' command seem to be OK.

Here is my samba conf:

[global]
    workgroup = W2K3
    password server = AD.W2K3.LOCAL
    realm = W2K3.LOCAL
    security = ads
    idmap uid = 600-33554431
    idmap gid = 600-33554431
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = false
    winbind nested groups = yes
    server string = Samba Server Version %v
    passdb backend = tdbsam
    load printers = yes
    cups options = raw

[homes] ; not working share
         comment = Home Directories
         browseable = no
         writable = yes

[printers]
         comment = All Printers
         path = /var/spool/samba
         browseable = no
         guest ok = no
         writable = no
         printable = yes

[share1] ; not working share
         comment = Share 1
         path = /home/tata
         read only = yes

[tmp] ; working share
         comment = temporary files
         path = /tmp
         read only = yes

/etc/nsswitch.conf:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns

I'm unable to mount share1 or homes .... but I can mount tmp. If I 
change the path in share1 to /tmp I can mount share1 as well. I changed 
the permissions of /home/tata to exactly the same values as /tmp -> no luck

In the code I did not really find a reference to /tmp, but I'm not a 
Samba guru .... (btw. I like the code!!, easy to read :D )

Unfortunately I also have to get this running on HP-UX 11i v3 .... any input 
on whether this is even possible?

I'm also happy to get any alternative solutions that enable me to manage 
the UID in AD and have the accounts only in AD ....

I would appreciate any help here.


P.S.: of course I can provide many more details / logs. Just tell me ....
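The failing call in the log above is smbd's stat(2) of the share path, made with the UNIX token it has just switched to (uid 10000, primary gid 10003, supplementary groups 603, 600, 602). That token is not necessarily the one 'su - tata' gets: the supplementary gids in the log lie in the configured idmap range (600-33554431), while the primary gid 10003 comes from the AD/SFU attributes, so a shell test as tata can pass while smbd's token is refused somewhere on the path. The script below is an added example, not part of Andreas's post or of Samba; it replays the kernel's traversal check for an explicitly given token, one path component at a time, so the first component that denies search permission is visible. It assumes GNU coreutils stat(1) (Linux, not HP-UX) and, where getenforce and ls -Z exist, prints the SELinux label of each component, since on RHEL the label can deny access independently of the mode bits.

```shell
#!/bin/sh
# Re-run, outside smbd, the check behind the log line
#   smbd/service.c:make_connection_snum(): '<path>' does not exist or
#   permission denied when connecting to [<share>]
# smbd stat(2)s the share path with the UNIX token it has just switched to,
# so the kernel needs search (x) permission for that token on every
# directory component.  Assumes GNU coreutils stat(1), i.e. Linux, not HP-UX.

# perm_ok PATH UID GID "SUPP GIDS": does the token have search permission
# on PATH according to its mode bits?  Returns 0 (allowed) or 1 (denied).
perm_ok() {
    p=$1 uid=$2 gid=$3 supp=$4
    # uid 0 bypasses the discretionary permission bits
    [ "$uid" -eq 0 ] && return 0
    info=$(stat -c '%a %u %g' "$p" 2>/dev/null) || return 1
    set -- $info
    mode=$1 owner=$2 group=$3
    # pick the owner, group or other triplet of the octal mode; the group
    # triplet applies if the primary or any supplementary gid matches
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( 0$mode / 64 % 8 ))
    else
        bits=$(( 0$mode % 8 ))
        for g in $gid $supp; do
            if [ "$g" -eq "$group" ]; then
                bits=$(( 0$mode / 8 % 8 ))
                break
            fi
        done
    fi
    [ $(( bits & 1 )) -ne 0 ]
}

# check_share_path PATH UID GID "SUPP GIDS": walk the absolute PATH component
# by component the way the kernel does for stat(2), print a verdict for each
# and return 0 only if the token can reach PATH and PATH is a directory.
check_share_path() {
    target=$1 uid=$2 gid=$3 supp=$4
    dir='' rc=0
    # split the path on '/' without globbing
    oldifs=$IFS
    set -f
    IFS=/
    set -- $target
    IFS=$oldifs
    set +f
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        if perm_ok "$dir" "$uid" "$gid" "$supp"; then
            printf 'ok      %s  %s\n' "$dir" "$(stat -c '%A %u:%g' "$dir")"
        else
            printf 'DENIED  %s  %s\n' "$dir" \
                "$(stat -c '%A %u:%g' "$dir" 2>/dev/null || echo '(missing)')"
            rc=1
        fi
        # SELinux (RHEL) decides independently of the mode bits; show the
        # label so it can be compared with what the samba policy allows
        if command -v getenforce >/dev/null 2>&1; then
            printf '        SELinux %s: %s\n' "$(getenforce)" "$(ls -Zd "$dir" 2>/dev/null)"
        fi
    done
    if [ ! -d "$target" ]; then
        printf 'NOT A DIRECTORY  %s\n' "$target"
        rc=1
    fi
    return $rc
}

# Usage with the token from the change_to_user / debug_unix_user_token log
# lines in the post:
#   check_share_path /home/tata 10000 10003 "603 600 602"
#   check_share_path /tmp       10000 10003 "603 600 602"
if [ $# -ge 3 ]; then
    check_share_path "$1" "$2" "$3" "${4:-}"
fi
```

Running it once for the failing share and once for the working one, with the same token, shows whether the difference is in the path's mode bits or has to be looked for elsewhere (the SELinux label, or the token smbd actually uses versus the one nss_ldap gives an interactive login).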
