[Samba] Can join AD 2003 domain; can't list shares from other servers

grant little grantliddle at gmail.com
Fri Apr 23 15:08:55 MDT 2010


On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone <turgon at mike-leone.com> wrote:

> I set up an old laptop with Xubuntu 9.10. I configured Samba to work
> with my Win2003 AD domain that has MS Services for Unix installed.
>
> I can get a Kerberos ticket. I successfully added the laptop to the AD
> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
> all groups. wbinfo -a user%password returns successfully. "getent passwd"
>  works as expected - I see local users, and domain users.
>
> "net ads info" works correctly, returning info.
>
> LDAP server: 10.0.0.60
> LDAP server name: dim-win2300.DaCrib.local
> Realm: DACRIB.LOCAL
> Bind Path: dc=DACRIB,dc=LOCAL
> LDAP port: 389
> Server time: Fri, 23 Apr 2010 13:12:53 EDT
> KDC server: 10.0.0.60
> Server time offset: 1
>
> And yet:
>
> $ smbclient -L workhorse
> Enter turgon's password:
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I have no idea why it's failing; I'm not seeing anything in the samba or
> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
> server)
>
> I can do the reverse; from "workhorse" I can see all the shares on the
> laptop:
>
> turgon@workhorse:~$ smbclient -L turgon-laptop
> Enter turgon's password:
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>        Sharename       Type      Comment
>        ---------       ----      -------
>        IPC$            IPC       IPC Service (turgon-laptop server (Samba
> 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>        print$          Disk      Printer Drivers
> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>
>        Server               Comment
>        ---------            -------
>        TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: ,
> Ser
>
>        Workgroup            Master
>        ---------            -------
>        DACRIB
>
> Hints as to where to go next? It must be something wrong on this specific
> laptop, since it works from my other server,
> but I dunno where, since all the other tests work. Firewall is off, on
> both machines.
>
> ===============================
> smb.conf:
>
> [global]
>        workgroup = DACRIB
>        realm = DACRIB.LOCAL
>        server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>        security = ads
>        map to guest = Bad User
>
>        client use spnego = true
>        client ntlmv2 auth = yes
>
>        eventlog list = Application System Security SyslogLinux
>
> # PAM AUTH
>        encrypt passwords = yes
>        obey pam restrictions = Yes
>        pam password change = true
>        password server = dim-win2300.DaCrib.local
>        passwd program = /usr/bin/passwd %u
>        passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>        unix password sync = Yes
>
>        log level = 3
>        syslog = 0
>        log file = /var/log/samba/log.%m
>        max log size = 1000
>
>        domain master = No
>        local master = No
>        os level = 2
>
>        dns proxy = No
>        usershare allow guests = Yes
>        panic action = /usr/share/samba/panic-action %d
>
> # WINBIND
>
>        idmap config DACRIB: default = true
>        idmap uid = 10000-20000
>        idmap gid = 10000-20000
>        idmap config DACRIB:schema_mode = rfc2307
>
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = Yes
>        winbind nested groups = Yes
>        winbind refresh tickets = true
>        winbind nss info = rfc2307
>        winbind separator = +
>
>        template homedir = /home/%D/%u
>        template shell = /bin/bash
>
> ;       invalid users = root
>        create mask = 0700
>        directory mask = 0775
>        writable = Yes
>        enable privileges = Yes
>        restrict anonymous = 2
>
>        wide links = no
>
>        socket options = TCP_NODELAY
>
>
> --
>
I get the exact same thing happening on my Ubuntu 9.10 currently running
3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10)

However if I do
smbclient -L mysambaserver  -UanADuserthatcanlogintothisserver

it works just fine and returns the goods. So my guess is that
dim-win2300.DaCrib.local doesn't know who turgon is...

