[Samba] Can join AD 2003 domain; can't list shares from other servers
Mike Leone
turgon at mike-leone.com
Fri Apr 23 11:14:17 MDT 2010
I set up an old laptop with Xubuntu 9.10. I configured Samba to work
with my Win2003 AD domain that has MS Services for Unix installed.
I can get a Kerberos ticket. I successfully added the laptop to the AD
domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows
me all groups. wbinfo -a user%password returns successfully. "getent
passwd" works as expected - I see local users, and domain users.
"net ads info" works correctly, returning info.
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Fri, 23 Apr 2010 13:12:53 EDT
KDC server: 10.0.0.60
Server time offset: 1
And yet:
$ smbclient -L workhorse
Enter turgon's password:
session setup failed: NT_STATUS_ACCESS_DENIED
I have no idea why it's failing; I'm not seeing anything in the samba or
winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
server)
I can do the reverse; from "workhorse" I can see all the shares on the
laptop:
turgon@workhorse:~$ smbclient -L turgon-laptop
Enter turgon's password:
Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
    print$          Disk      Printer Drivers
Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
    Server               Comment
    ---------            -------
    TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser
    Workgroup            Master
    ---------            -------
    DACRIB
Hints as to where to go next? It must be something wrong on this
specific laptop, since it works from my other server,
but I dunno where, since all the other tests work. Firewall is off, on
both machines.
===============================
smb.conf:
[global]
workgroup = DACRIB
realm = DACRIB.LOCAL
server string = %h server (Samba %v, Domain: %D, Server: %L - R)
security = ads
map to guest = Bad User
client use spnego = true
client ntlmv2 auth = yes
eventlog list = Application System Security SyslogLinux
# PAM AUTH
encrypt passwords = yes
obey pam restrictions = Yes
pam password change = true
password server = dim-win2300.DaCrib.local
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
domain master = No
local master = No
os level = 2
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
# WINBIND
idmap config DACRIB: default = true
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config DACRIB:schema_mode = rfc2307
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind refresh tickets = true
winbind nss info = rfc2307
winbind separator = +
template homedir = /home/%D/%u
template shell = /bin/bash
; invalid users = root
create mask = 0700
directory mask = 0775
writable = Yes
enable privileges = Yes
restrict anonymous = 2
wide links = no
socket options = TCP_NODELAY