[Samba] Can join AD 2003 domain; can't list shares from other servers
Michael Leone
turgon at mike-leone.com
Fri Apr 23 16:58:48 MDT 2010
No, dim-win2300 knows who turgon is. ;-) in fact, I am logged in on
the console of dim-win2300 right now. And turgon is a Domain Admin. It
was the account I used to join the laptop to the domain with. And it
did join, as I see the laptop machine account in AD. So I think it
must be something else ...
On 4/23/10, grant little <grantliddle at gmail.com> wrote:
> On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone <turgon at mike-leone.com> wrote:
>
>> I set up an old laptop with Xubuntu 9.10. I configured Samba as to work
>> with my Win2003 AD domain that has MS Services for Unix installed.
>>
>> I can get a Kerberos ticket. I successfully added the laptop to the AD
>> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
>> all groups. wbinfo -a user%password returns successfully. "getent passwd"
>> works as expected - I see local users, and domain users.
>>
>> "net ads info" works correctly, returning info.
>>
>> LDAP server: 10.0.0.60
>> LDAP server name: dim-win2300.DaCrib.local
>> Realm: DACRIB.LOCAL
>> Bind Path: dc=DACRIB,dc=LOCAL
>> LDAP port: 389
>> Server time: Fri, 23 Apr 2010 13:12:53 EDT
>> KDC server: 10.0.0.60
>> Server time offset: 1
>>
>> And yet:
>>
>> $ smbclient -L workhorse
>> Enter turgon's password:
>> session setup failed: NT_STATUS_ACCESS_DENIED
>>
>> I have no idea why it's failing; I'm not seeing anything in the samba or
>> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
>> server)
>>
>> I can do the reverse; from "workhorse" I can see all the shares on the
>> laptop:
>>
>> turgon at workhorse:~$ smbclient -L turgon-laptop
>> Enter turgon's password:
>> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>>
>> Sharename Type Comment
>> --------- ---- -------
>> IPC$ IPC IPC Service (turgon-laptop server (Samba
>> 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>> print$ Disk Printer Drivers
>> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>>
>> Server Comment
>> --------- -------
>> TURGON-LAPTOP turgon-laptop server (Samba 3.4.0, Domain: ,
>> Ser
>>
>> Workgroup Master
>> --------- -------
>> DACRIB
>>
>> Hints as to where to go next? It must be something wrong on this specific
>> laptop, since it works from my other server,
>> but I dunno where, since all the other tests work. Firewall is off, on
>> both machines.
>>
>> ===============================
>> smb.conf:
>>
>> [global]
>> workgroup = DACRIB
>> realm = DACRIB.LOCAL
>> server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>> security = ads
>> map to guest = Bad User
>>
>> client use spnego = true
>> client ntlmv2 auth = yes
>>
>> eventlog list = Application System Security SyslogLinux
>>
>> # PAM AUTH
>> encrypt passwords = yes
>> obey pam restrictions = Yes
>> pam password change = true
>> password server = dim-win2300.DaCrib.local
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> unix password sync = Yes
>>
>> log level = 3
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>>
>> domain master = No
>> local master = No
>> os level = 2
>>
>> dns proxy = No
>> usershare allow guests = Yes
>> panic action = /usr/share/samba/panic-action %d
>>
>> # WINBIND
>>
>> idmap config DACRIB: default = true
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> idmap config DACRIB:schema_mode = rfc2307
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nested groups = Yes
>> winbind refresh tickets = true
>> winbind nss info = rfc2307
>> winbind separator = +
>>
>> template homedir = /home/%D/%u
>> template shell = /bin/bash
>>
>> ; invalid users = root
>> create mask = 0700
>> directory mask = 0775
>> writable = Yes
>> enable privileges = Yes
>> restrict anonymous = 2
>>
>> wide links = no
>>
>> socket options = TCP_NODELAY
>>
>>
>> --
>>
>> I get the exact same thing happening on my Ubuntu 9.10 currently running
> 3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10)
>
> However if I do
> smbclient -L mysambaserver -UanADuserthatcanlogintothisserver
>
> it works just fine and returns the goods. So my guess is that
> dim-win2300.DaCrib.local doesn't know who turgon is...
>
--
Sent from my mobile device
Michael J. Leone, <mailto:turgon at mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
More information about the samba
mailing list