[Samba] ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied

Andreas Zickner andreas at zickner.de
Mon Oct 5 09:59:15 MDT 2009


Hi,

When I'm using the Samba 3.0.22-based HP CIFS Server A.02.03.02, the setup 
works. I can mount the home dir without any issues. I used exactly the 
same smb.conf (except for the line winbind offline logon = false).
Any idea why this does not work with RH 5.4 (and 5.3)?

thanks for any help

Andreas

P.S.: on HP-UX I'm using LDAP-UX ... not nss_ldap; but nsswitch.conf is 
the same and winbindd is running.

Andreas Zickner wrote:
> Hello all,
> 
> for some weeks I have been trying to get the following configuration working
> 
> Windows 2003 AD (no R2!!) with SFU 3.5
> Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
>  Samba (samba-3.0.33-3.14.el5)
>  nss_ldap (nss_ldap-253-21.el5)
> 
> So I wanted to implement the following setup:
> 
> http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607783 
> 
> 
> The main reason for using this combination is that I must maintain the 
> UID/GID of users in the AD. The UIDs of the users must be the same on 
> all UX systems. I have two Samba servers and other UX-only servers.
> 
> (let me know if you find a better way of doing this type of integration)
> 
> I followed several manuals and howtos to get it running. It all looks 
> to be working except that I can't mount shares within Samba. From my point of 
> view, Samba returns a strange error:
> 
> Here is the log (user tata -> UID 10000 from AD):
> 
> [2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
>   UNIX token of user 10000
>   Primary group is 10003 and contains 3 supplementary groups
>   Group[  0]: 603
>   Group[  1]: 600
>   Group[  2]: 602
> [2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
>   change_to_user uid=(10000,10000) gid=(0,10003)
> [2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
>   '/home/tata' does not exist or permission denied when connecting to 
> [share1] Error was Permission denied
> 
> I checked the source code and it looks to me like Samba does a 'stat 
> /home/tata' running as user tata (uid 10000) but is getting a 
> 'Permission denied' from the OS. OK, I thought this is simply a 
> permission issue .... no success :-(
> 
> OK, what I already did and what is working:
> 
> * /home/tata exists and has 777 (for testing ... I also tried 755)
> * su - tata and stat /home/tata are OK
> * I can log on with the AD users on UX / ssh etc.; I have access etc.
> * 'getent passwd' is fine
> * 'wbinfo -u' and 'wbinfo -g' are fine
> * mounting a share tmp with /tmp 
> (http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html) 
> is working!!
> * Kerberos and winbind look OK to me ...
> * winbind authentication of the user seems to be fine (from the logs)
> * all things I see with the 'net' command seem to be OK.
> 
> Here is my smb.conf:
> 
> [global]
>    workgroup = W2K3
>    password server = AD.W2K3.LOCAL
>    realm = W2K3.LOCAL
>    security = ads
>    idmap uid = 600-33554431
>    idmap gid = 600-33554431
>    template shell = /bin/bash
>    winbind use default domain = false
>    winbind offline logon = false
>    winbind nested groups = yes
>    server string = Samba Server Version %v
>    passdb backend = tdbsam
>    load printers = yes
>    cups options = raw
> 
> [homes] ; not working share
>         comment = Home Directories
>         browseable = no
>         writable = yes
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         browseable = no
>         guest ok = no
>         writable = no
>         printable = yes
> 
> [share1] ; not working share
>         comment = Share 1
>         path = /home/tata
>         read only = yes
> 
> [tmp] ; working share
>         comment = temporary files
>         path = /tmp
>         read only = yes
> 
> 
> /etc/nsswitch.conf
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> hosts:      files dns
> 
> 
> 
> I'm unable to mount share1 or homes .... but I can mount tmp. If I 
> change the path in share1 to /tmp I can mount share1 as well. I changed 
> the permissions of /home/tata to the exact values of /tmp -> no luck
> 
> In the code I did not really find a reference to /tmp, but I'm not a 
> Samba guru .... (btw. I like the code!!, easy to read :D )
> 
> Unfortunately I also have to get this running on HP-UX 11i v3 .... any input 
> on whether this is even possible?
> 
> I'm also happy to get any alternative solutions that enable me to manage 
> the UID in AD and have the accounts only in AD ....
> 
> I would appreciate any help here.
> 
> thanks,
> Andreas
> 
> P.S.: of course I can provide many more details / logs. Just tell me ....
> 

-- 
Andreas Zickner
Gotenstr. 2 - 71065 Sindelfingen - andreas at zickner.de - 015771968553
==
There is a difference between knowing your way ...
  ... and walking it
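An added diagnostic, not from this thread and not Samba's own code: it parses the quoted level-5 smbd lines (embedded below as a constructed copy) for the uid and gid set that change_to_user() switched to and the path that make_connection_snum() failed on, re-evaluates classic mode bits for that identity on every component of the path (what stat()/chdir() of the share root needs), and, only when DAC allows everything, prints SELinux hints. The SELinux angle (RHEL 5 runs smbd confined; home directories need the samba_enable_home_dirs boolean or a samba_share_t label) is my reading of a "/tmp works but /home/tata fails" symptom, not something the poster reports. The function names and the stat-based mode check are this example's own; the path walk assumes GNU or busybox stat, so it does not run unchanged on HP-UX.

```shell
#!/bin/sh
# Added diagnostic for the "does not exist or permission denied" case above.
# Not from the thread: it re-checks DAC for the identity smbd switched to,
# then points at the MAC layer when mode bits cannot explain the EACCES.

# Constructed copy of the level-5 smbd lines quoted in the post.
SAMPLE_LOG=$(cat <<'EOF'
[2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 10000
  Primary group is 10003 and contains 3 supplementary groups
  Group[  0]: 603
  Group[  1]: 600
  Group[  2]: 602
[2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(10000,10000) gid=(0,10003)
[2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
  '/home/tata' does not exist or permission denied when connecting to [share1] Error was Permission denied
EOF
)

# uid from the "UNIX token of user" line.
token_uid() {
    printf '%s\n' "$1" | sed -n 's/.*UNIX token of user \([0-9][0-9]*\).*/\1/p'
}

# Primary gid followed by the supplementary gids, space separated.
token_gids() {
    printf '%s\n' "$1" | awk '
        /Primary group is/ { printf "%s", $4 }
        /Group\[/          { printf " %s", $NF }
        END                { print "" }'
}

# Share path that make_connection_snum() could not stat or chdir into.
failing_path() {
    printf '%s\n' "$1" | sed -n "s/.*'\([^']*\)' does not exist or permission denied.*/\1/p"
}

# Classic DAC test: does uid $1 with gid list "$2" hold bit $3 (4=r,2=w,1=x)
# on $4? Uses GNU/busybox stat. 0 = allowed, 1 = denied, 2 = stat failed.
dac_bit_check() {
    b_uid=$1; b_gids=$2; b_bit=$3; b_path=$4
    if [ "$b_uid" -eq 0 ]; then return 0; fi     # root passes every DAC check
    b_st=$(stat -c '%u %g %a' "$b_path" 2>/dev/null) || return 2
    set -- $b_st
    b_owner=$1; b_group=$2; b_mode=000$3
    b_mode=${b_mode#"${b_mode%???}"}             # last three octal digits only
    b_u=${b_mode%??}; b_g=${b_mode#?}; b_g=${b_g%?}; b_o=${b_mode#??}
    b_cls=$b_o                                   # default: "other" class
    if [ "$b_uid" -eq "$b_owner" ]; then
        b_cls=$b_u
    else
        for gid in $b_gids; do
            if [ "$gid" -eq "$b_group" ]; then b_cls=$b_g; break; fi
        done
    fi
    [ $(( b_cls & b_bit )) -ne 0 ]
}

# stat()/chdir() of the share root needs search (x) on every directory above
# it, so walk each prefix. Prints the first component DAC rejects (or cannot
# stat); returns 0 when the whole path is reachable for that uid/gid set.
dac_path_check() {
    p_uid=$1; p_gids=$2; p_path=$3; p_prefix=""
    dac_bit_check "$p_uid" "$p_gids" 1 / || { echo "/"; return 1; }
    p_oldifs=$IFS; IFS=/
    set -- $p_path
    IFS=$p_oldifs
    for comp in "$@"; do
        [ -z "$comp" ] && continue
        p_prefix="$p_prefix/$comp"
        dac_bit_check "$p_uid" "$p_gids" 1 "$p_prefix" || { echo "$p_prefix"; return 1; }
    done
    return 0
}

# DAC allows every component but the kernel still says EACCES: the denial
# comes from something other than mode bits. On RHEL 5 the usual suspect is
# SELinux confining smbd (home dirs need samba_enable_home_dirs=on or a
# samba_share_t label). This is the author's assumption, not the thread's.
mac_hints() {
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "no SELinux tools here; check getfacl and mount options instead"
        return 0
    fi
    echo "SELinux mode: $(getenforce)"
    getsebool samba_enable_home_dirs 2>/dev/null
    ls -dZ "$1" 2>/dev/null
    echo "look for 'avc: denied' with comm=\"smbd\" in /var/log/audit/audit.log"
}

# Driver: parse a log (file given as $1, else the constructed sample) and run
# both checks for the identity smbd actually used, not the one from 'su -'.
report() {
    r_uid=$(token_uid "$1"); r_gids=$(token_gids "$1"); r_path=$(failing_path "$1")
    echo "smbd became uid=$r_uid gids=[$r_gids] and failed on $r_path"
    if r_denied=$(dac_path_check "$r_uid" "$r_gids" "$r_path"); then
        echo "DAC allows the whole path for that identity: look beyond mode bits"
        mac_hints "$r_path"
    else
        echo "DAC denies (or cannot stat) at: ${r_denied:-$r_path}"
    fi
}

if [ $# -gt 0 ]; then report "$(cat "$1")"; else report "$SAMPLE_LOG"; fi
```

Run it on the Samba server with the level-5 log as its argument (`sh diag.sh /var/log/samba/log.smbd`); the point of parsing the token out of the log rather than using `id tata` is that the check is made with the gid set smbd actually assembled through winbind/nss_ldap, which can differ from the one `su - tata` gets.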


