[Samba] ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied
Andreas Zickner
andreas at zickner.de
Mon Oct 5 09:59:15 MDT 2009
Hi,
In case I'm using the Samba 3.0.22-based HP CIFS Server A.02.03.02, the setup
works. I can mount the home dir without any issues. I used exactly the
same smb.conf (except the line winbind offline logon = false).
Any idea why this does not work with RH 5.4 (and 5.3)?
thanks for any help
Andreas
P.S.: on HP-UX I'm using ldapux ... not nss_ldap; but nsswitch.conf is
the same and winbindd is running.
Andreas Zickner wrote:
> Hello all,
>
> for some weeks I have been trying to get the following configuration working
>
> Windows 2003 AD (no R2!!) with SFU 3.5
> Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
> Samba (samba-3.0.33-3.14.el5)
> nss_ldap (nss_ldap-253-21.el5)
>
> So I wanted to implement the following setup:
>
> http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607783
>
>
> The main reason for using this combination is that I must maintain the
> UID/GID of users in the AD. The UIDs of the users must be the same on
> all UX systems. I have two samba servers and other UX-only servers.
>
> (let me know if you find a better way of doing this type of integration)
>
> I followed several manuals and howtos to get it running. It all looks
> like it is working, except that I can't mount shares within samba. From my
> point of view Samba returns a strange error:
>
> Here is the log (user tata -> UID 10000 from AD):
>
> [2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
> UNIX token of user 10000
> Primary group is 10003 and contains 3 supplementary groups
> Group[ 0]: 603
> Group[ 1]: 600
> Group[ 2]: 602
> [2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
> change_to_user uid=(10000,10000) gid=(0,10003)
> [2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
> '/home/tata' does not exist or permission denied when connecting to
> [share1] Error was Permission denied
>
> I checked the source code and it looks to me like samba does a 'stat
> /home/tata' running as user tata (uid 10000) but is getting a
> 'Permission denied' from the OS. OK, I thought this is simply a
> permission issue .... no success :-(
>
> OK, what I already did & what is working:
>
> * /home/tata exists and has 777 (for test ... I tried also 755)
> * su - tata and stat /home/tata are ok
> * I can log on with the AD users on ux / ssh etc.; I have access etc.
> * 'getent passwd' is fine
> * 'wbinfo -u' and 'wbinfo -g' are fine
> * mounting a share tmp with /tmp
> (http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html)
> is working!!
> * Kerberos and winbind look ok to me ...
> * winbind authentication of the user seems to be fine (from the logs)
> * all things I see with the 'net' command seem to be ok.
>
> Here my samba conf:
>
> [global]
> workgroup = W2K3
> password server = AD.W2K3.LOCAL
> realm = W2K3.LOCAL
> security = ads
> idmap uid = 600-33554431
> idmap gid = 600-33554431
> template shell = /bin/bash
> winbind use default domain = false
> winbind offline logon = false
> winbind nested groups = yes
> server string = Samba Server Version %v
> passdb backend = tdbsam
> load printers = yes
> cups options = raw
>
> [homes] ; not working share
> comment = Home Directories
> browseable = no
> writable = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
> [share1] ; not working share
> comment = Share 1
> path = /home/tata
> read only = yes
>
> [tmp] ; working share
> comment = temporary files
> path = /tmp
> read only = yes
>
>
> /etc/nsswitch.conf
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
>
>
>
> I'm unable to mount share1 or homes .... but I can mount tmp. If I
> change the path in share1 to /tmp I can mount share1 as well. I changed
> the permissions of /home/tata to exactly the same values as /tmp -> no luck
>
> In the code I did not really find a reference to /tmp, but I'm not a
> samba guru .... (btw. I like the code!!, easy to read :D )
>
> Unfortunately I have to get this also running on HP-UX 11i v3 .... any input
> on whether this is even possible?
>
> I'm also happy to get any alternative solutions that enable me to manage
> the uid in AD and have the accounts only in AD ....
>
> I would appreciate any help here.
>
> thanks,
> Andreas
>
> P.S.: of course I can provide much more details / logs. Just tell me ....
>
--
Andreas Zickner
Gotenstr. 2 - 71065 Sindelfingen - andreas at zickner.de - 015771968553
==
There is a difference between knowing one's way ...
... and actually walking it
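The log Andreas quotes shows the two steps that matter: smbd switches to the AD-mapped token (uid 10000, gid 10003 plus supplementary groups 603/600/602) in change_to_user, and only then stats the share path in make_connection_snum. A stat as that uid needs the search (x) bit on every ancestor of the path, evaluated against the owner/group/other bits for *that* uid and *those* gids, not for the shell you are testing from. The script below is an added example, not part of the mail or of Samba: it parses the quoted token and error lines (constructed from the log above), then replays the discretionary part of that check for an arbitrary uid/gid set on a local directory. All function names and the temp-directory simulation are my own.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed sample: the smbd log lines quoted in the thread above.
SAMPLE_LOG = """\
[2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 10000
Primary group is 10003 and contains 3 supplementary groups
Group[ 0]: 603
Group[ 1]: 600
Group[ 2]: 602
[2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
change_to_user uid=(10000,10000) gid=(0,10003)
[2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
'/home/tata' does not exist or permission denied when connecting to
[share1] Error was Permission denied
"""

TOKEN_RE = re.compile(r"UNIX token of user (\d+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+)")
SUPP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")
FAIL_RE = re.compile(
    r"'(?P<path>[^']+)' does not exist or permission denied when connecting to"
    r"\s*\[(?P<share>[^\]]+)\]",
    re.S,
)


def parse_unix_token(log):
    """Return (uid, primary_gid, [supplementary gids]) from debug_unix_user_token output."""
    uid = int(TOKEN_RE.search(log).group(1))
    gid = int(PRIMARY_RE.search(log).group(1))
    supp = [int(g) for g in SUPP_RE.findall(log)]
    return uid, gid, supp


def parse_failed_connection(log):
    """Return (share name, path) from the make_connection_snum error line."""
    m = FAIL_RE.search(log)
    return m.group("share"), m.group("path")


def _mode_allows(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic DAC class selection: root bypasses, then owner, then group, then other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def dac_can_stat(path, uid, gids):
    """Replay the DAC side of stat(2) as uid/gids: search permission on every ancestor.

    The existence test itself runs with the real process's rights, so it only
    tells you whether the path is there from where you run this, not from uid.
    """
    path = os.path.abspath(path)
    if not os.path.lexists(path):
        return False, "does not exist"
    ancestors, cur = [], path
    while cur != os.path.dirname(cur):
        cur = os.path.dirname(cur)
        ancestors.append(cur)
    for d in reversed(ancestors):  # walk from / down to the parent of path
        st = os.stat(d)
        if not _mode_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search permission on %s for uid %d gids %s" % (d, uid, gids)
    return True, "ok"


def simulate(ancestor_mode, uid, gids, include_dir_group=False):
    """Build a throwaway <tmp>/tata tree, set the parent's mode, and run the check.

    include_dir_group adds the temp dir's own gid to the simulated token, which
    models a user whose AD group owns the parent directory.
    """
    base = tempfile.mkdtemp()
    try:
        home = os.path.join(base, "tata")
        os.mkdir(home)
        os.chmod(base, ancestor_mode)
        gids = list(gids) + ([os.stat(base).st_gid] if include_dir_group else [])
        return dac_can_stat(home, uid, gids)
    finally:
        os.chmod(base, 0o700)  # make sure we can clean up as the real user
        shutil.rmtree(base)


if __name__ == "__main__":
    uid, gid, supp = parse_unix_token(SAMPLE_LOG)
    share, path = parse_failed_connection(SAMPLE_LOG)
    print("share %s path %s as uid %d gids %s -> %s"
          % (share, path, uid, [gid] + supp, dac_can_stat(path, uid, [gid] + supp)))
```

Run it on the server with the real log: if it reports "ok" for the path and token that smbd logged, the owner/group/other bits are not what is refusing the stat, which matches the observation in the thread that su - tata && stat /home/tata succeeds while the same stat inside smbd fails. The script only models DAC; on RHEL 5 a stat that DAC permits can still be denied by a mandatory-access layer such as SELinux, which would not show up in this check (that is a general caveat about the method, not a diagnosis of this setup).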