[Samba] Somehow Solved ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied

Andreas Zickner andreas at zickner.de
Wed Oct 14 12:49:45 MDT 2009


Hi,

I found out that it works on a physical machine. Before I had 3 
installations in VMware -- all were giving me a 'Permission denied' for 
the stat system call. Somehow there is an impact of having RedHat 
running in VMware.

Andreas Zickner wrote:
> Hi,
> 
> When I'm using Samba 3.0.22 based HP CIFS Server A.02.03.02 the setup 
> works. I can mount the home dir without any issues. I used exactly the 
> same smb.conf (except the line winbind offline logon = false).
> Any idea why this does not work with RH 5.4 (and 5.3)?
> 
> thanks for any help
> 
> Andreas
> 
> P.S.: on HP-UX I'm using ldapux ... not nss_ldap; but nsswitch.conf is 
> the same and winbindd is running.
> 
> Andreas Zickner wrote:
>> Hello all,
>>
>> for some weeks I have been trying to get the following configuration working
>>
>> Windows 2003 AD (no R2!!) with SFU 3.5
>> Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
>>  Samba (samba-3.0.33-3.14.el5)
>>  nss_ldap (nss_ldap-253-21.el5)
>>
>> So I wanted to implement the following setup:
>>
>> http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607783 
>>
>>
>> The main reason for using this combination is that I must maintain the 
>> UID/GID of users in the AD. The UIDs of the users must be the same on 
>> all UX systems. I have two samba servers and other UX-only servers.
>>
>> (let me know if you find a better way of doing this type of integration)
>>
>> I followed several manuals and howtos to get it running. It all looks 
>> like it's working except that I can't mount shares within samba. From 
>> my point of view Samba returns a strange error:
>>
>> Here is the log (user tata -> UID 10000 from AD):
>>
>> [2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
>>   UNIX token of user 10000
>>   Primary group is 10003 and contains 3 supplementary groups
>>   Group[  0]: 603
>>   Group[  1]: 600
>>   Group[  2]: 602
>> [2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
>>   change_to_user uid=(10000,10000) gid=(0,10003)
>> [2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
>>   '/home/tata' does not exist or permission denied when connecting to 
>> [share1] Error was Permission denied
>>
>> I checked the source code and it looks to me like samba does a 'stat 
>> /home/tata' running as user tata (uid 10000) but is getting a 
>> 'Permission denied' from the OS. OK, I thought this is simply a 
>> permission issue .... no success :-(
>>
>> OK, what I already did & what is working:
>>
>> * /home/tata exists and has 777 (for test ... I tried also 755)
>> * su - tata and stat /home/tata are ok
>> * I can log on with the AD users on UX / ssh etc.; I have access etc.
>> * 'getent passwd' is fine
>> * 'wbinfo -u' and 'wbinfo -g' are fine
>> * mounting a share tmp with /tmp 
>> (http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html) 
>> is working!!
>> * Kerberos and winbind look ok to me ...
>> * winbind authentication of the user seems to be fine (from the logs)
>> * all things I see with the 'net' command seem to be ok.
>>
>> Here is my samba conf:
>>
>> [global]
>>    workgroup = W2K3
>>    password server = AD.W2K3.LOCAL
>>    realm = W2K3.LOCAL
>>    security = ads
>>    idmap uid = 600-33554431
>>    idmap gid = 600-33554431
>>    template shell = /bin/bash
>>    winbind use default domain = false
>>    winbind offline logon = false
>>    winbind nested groups = yes
>>    server string = Samba Server Version %v
>>    passdb backend = tdbsam
>>    load printers = yes
>>    cups options = raw
>>
>> [homes] ; not working share
>>         comment = Home Directories
>>         browseable = no
>>         writable = yes
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/spool/samba
>>         browseable = no
>>         guest ok = no
>>         writable = no
>>         printable = yes
>>
>> [share1] ; not working share
>>         comment = Share 1
>>         path = /home/tata
>>         read only = yes
>>
>> [tmp] ; working share
>>         comment = temporary files
>>         path = /tmp
>>         read only = yes
>>
>>
>> /etc/nsswitch.conf
>> passwd:     files ldap
>> shadow:     files ldap
>> group:      files ldap
>> hosts:      files dns
>>
>>
>>
>> I'm unable to mount share1 or homes .... but I can mount tmp. If I 
>> change the path in share1 to /tmp I can mount share1 as well. I 
>> changed the permissions of /home/tata to the exact values of /tmp -> 
>> no luck
>>
>> In the code I did not really find a reference to /tmp but I'm not a 
>> samba guru .... (btw. I like the code!!, easy to read :D )
>>
>> Unfortunately I have to get this also running on HP-UX 11iv3 .... any 
>> input on whether this is even possible?
>>
>> I'm also happy to get any alternative solutions that enable me to 
>> manage the UID in AD and have the accounts only in AD ....
>>
>> I would appreciate any help here.
>>
>> thanks,
>> Andreas
>>
>> P.S: of course I can provide much more details / logs. Just tell me ....
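To narrow down where the 'Permission denied' comes from, here is an added example (not code from the thread or from Samba): a small C program that reproduces what smbd does after change_to_user(), i.e. it forks, switches the child to the UNIX token shown in the log (uid 10000, primary gid 10003, supplementary groups 603, 600, 602) and stat()s the share path, reporting the errno the child saw. It assumes it is run as root on the Samba host; the default path and the token values are copied from the log above.

```c
/* Reproduce smbd's stat() of the share path after change_to_user():
 * fork, drop the child to the given UNIX token, stat() the path and
 * return 0 on success or the errno the child saw (EACCES is the
 * 'Permission denied' from the log). Identity is only changed when
 * running as root; otherwise the stat() runs as the caller, which is
 * what 'su - tata; stat /home/tata' tested. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Token copied from the debug_unix_user_token() lines in the log */
static const gid_t log_groups[] = { 603, 600, 602 };

int stat_as_token(const char *path, uid_t uid, gid_t gid,
                  const gid_t *groups, int ngroups)
{
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        struct stat st;
        if (geteuid() == 0) {
            /* Order matters: groups, then gid, then uid, like smbd does */
            if ((ngroups > 0 && setgroups(ngroups, groups) != 0) ||
                setgid(gid) != 0 || setuid(uid) != 0)
                _exit(errno);
        }
        _exit(stat(path, &st) == 0 ? 0 : errno);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINVAL;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/home/tata";
    int err = stat_as_token(path, 10000, 10003, log_groups, 3);
    printf("stat(%s) as uid 10000 / gid 10003 / groups 603,600,602: %s\n",
           path, err ? strerror(err) : "ok");
    return err ? 1 : 0;
}
```

If this reports ok for /home/tata while smbd still logs EACCES, the denial is not coming from the file permissions of the user token but from the context of the smbd process itself (on RHEL 5 typically the SELinux targeted policy, which confines smbd and by default denies it access to home directories; such denials show up in /var/log/audit/audit.log).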

