[Samba] ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied
Andreas Zickner
andreas at zickner.de
Sat Oct 3 10:28:51 MDT 2009
Hello all,
for some weeks I have been trying to get the following configuration working:
Windows 2003 AD (no R2!!) with SFU 3.5
Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
Samba (samba-3.0.33-3.14.el5)
nss_ldap (nss_ldap-253-21.el5)
So I wanted to implement the following setup:
http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607783
The main reason for using this combination is that I must maintain the
UID/GID of users in the AD. The UIDs of the users must be the same on
all UX systems. I have two samba servers and other UX-only servers.
(let me know if you find a better way doing this type of integration)
I followed several manuals and howtos to get it running. It all looks to be
working except that I can't mount shares within samba. From my point of
view Samba returns me a strange error.
Here is the log (user tata -> UID 10000 from AD):
[2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 10000
Primary group is 10003 and contains 3 supplementary groups
Group[ 0]: 603
Group[ 1]: 600
Group[ 2]: 602
[2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
change_to_user uid=(10000,10000) gid=(0,10003)
[2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
'/home/tata' does not exist or permission denied when connecting to
[share1] Error was Permission denied
I checked the source code and it looks to me like samba does a 'stat
/home/tata' running as user tata (uid 10000) but is getting a
'Permission denied' from the OS. Ok, I thought this is simply a
permission issue .... no success :-(
Ok, what I already did & what is working:
* /home/tata exists and has 777 (for testing ... I also tried 755)
* su - tata and stat /home/tata are ok
* I can log on with the AD users on ux / ssh etc.; I have access etc.
* 'getent passwd' is fine
* 'wbinfo -u' and 'wbinfo -g' are fine
* mounting a share tmp with /tmp
(http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html)
is working!!
* Kerberos and winbind look ok to me ...
* winbind authentication of the user seems to be fine (from the logs)
* all things I see with the 'net' command seem to be ok.
Here is my samba conf:
[global]
workgroup = W2K3
password server = AD.W2K3.LOCAL
realm = W2K3.LOCAL
security = ads
idmap uid = 600-33554431
idmap gid = 600-33554431
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
winbind nested groups = yes
server string = Samba Server Version %v
passdb backend = tdbsam
load printers = yes
cups options = raw
[homes] ; not working share
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
[share1] ; not working share
comment = Share 1
path = /home/tata
read only = yes
[tmp] ; working share
comment = temporary files
path = /tmp
read only = yes
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
I'm unable to mount share1 or homes .... but I can mount tmp. If I
change the path in share1 to /tmp I can mount share1 as well. I changed
the permissions of /home/tata to exactly the same values as /tmp -> no luck.
In the code I did not really find a reference to /tmp, but I'm not a
samba guru .... (btw. I like the code!!, easy to read :D )
Unfortunately I also have to get this running on HP-UX 11iv3 .... any input
on whether this is even possible?
I'm also happy to get any alternative solutions that enable me to manage
the uid in AD and have the accounts only in AD ....
I would appreciate any help here.
thanks,
Andreas
P.S: of course I can provide much more details / logs. Just tell me ....
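An added diagnostic for the failing step in the post above (example code written for this page, not from the post or from Samba): a child process takes on the UNIX token printed in the log (gid 10003, supplementary groups 603, 600, 602, uid 10000) in the same order smbd's change_to_user does, then stat()s the share path the way make_connection_snum() does, so a refusal here shows the OS denying that exact identity rather than Samba misbehaving. It needs root to assume a foreign uid; the path and ids in main() are the ones from the log.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Become the given UNIX token in a forked child and stat() path there.
 * Returns 0 on success, the child's stat() errno on failure, or -1 when
 * the identity could not be assumed (not root, or fork/wait failed). */
int check_path_as(const char *path, uid_t uid, gid_t gid,
                  const gid_t *groups, size_t ngroups)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct stat st;
        if (geteuid() == 0) {
            /* Same order as smbd: supplementary groups, gid, then uid last,
             * because after setuid() we can no longer change the others. */
            if (setgroups(ngroups, groups) != 0 || setgid(gid) != 0 ||
                setuid(uid) != 0)
                _exit(255);
        } else if (uid != getuid() || gid != getgid()) {
            _exit(255); /* a foreign identity needs root */
        }
        _exit(stat(path, &st) == 0 ? 0 : (errno & 0xff));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    /* Values taken from the debug_unix_user_token output in the post. */
    const gid_t groups[] = { 603, 600, 602 };
    int rc = check_path_as("/home/tata", 10000, 10003, groups, 3);
    if (rc == 0)
        puts("stat as the token succeeded: the OS allows it");
    else if (rc > 0)
        printf("stat failed as the token: %s\n", strerror(rc));
    else
        puts("could not assume the token (run as root)");
    return rc == 0 ? 0 : 1;
}
```

If it fails here too while 'su - tata' works, the difference is the exact group set and gid change smbd applies, or a policy layer that treats smbd differently from a login shell.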