[Samba] Can join AD 2003 domain; can't list shares from other servers

Michael Leone turgon at mike-leone.com
Fri Apr 23 16:58:48 MDT 2010


No, dim-win2300 knows who turgon is. ;-) In fact, I am logged in on
the console of dim-win2300 right now. And turgon is a Domain Admin. It
was the account I used to join the laptop to the domain with. And it
did join, as I see the laptop machine account in AD. So I think it
must be something else ...


On 4/23/10, grant little <grantliddle at gmail.com> wrote:
> On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone <turgon at mike-leone.com> wrote:
>
>> I set up an old laptop with Xubuntu 9.10. I configured Samba to work
>> with my Win2003 AD domain that has MS Services for Unix installed.
>>
>> I can get a Kerberos ticket. I successfully added the laptop to the AD
>> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
>> all groups. wbinfo -a user%password returns successfully. "getent passwd"
>>  works as expected - I see local users, and domain users.
>>
>> "net ads info" works correctly, returning info.
>>
>> LDAP server: 10.0.0.60
>> LDAP server name: dim-win2300.DaCrib.local
>> Realm: DACRIB.LOCAL
>> Bind Path: dc=DACRIB,dc=LOCAL
>> LDAP port: 389
>> Server time: Fri, 23 Apr 2010 13:12:53 EDT
>> KDC server: 10.0.0.60
>> Server time offset: 1
>>
>> And yet:
>>
>> $ smbclient -L workhorse
>> Enter turgon's password:
>> session setup failed: NT_STATUS_ACCESS_DENIED
>>
>> I have no idea why it's failing; I'm not seeing anything in the samba or
>> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
>> server)
>>
>> I can do the reverse; from "workhorse" I can see all the shares on the
>> laptop:
>>
>> turgon@workhorse:~$ smbclient -L turgon-laptop
>> Enter turgon's password:
>> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>>
>>        Sharename       Type      Comment
>>        ---------       ----      -------
>>        IPC$            IPC       IPC Service (turgon-laptop server (Samba
>> 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>>        print$          Disk      Printer Drivers
>> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>>
>>        Server               Comment
>>        ---------            -------
>>        TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: ,
>> Ser
>>
>>        Workgroup            Master
>>        ---------            -------
>>        DACRIB
>>
>> Hints as to where to go next? It must be something wrong on this specific
>> laptop, since it works from my other server,
>> but I dunno where, since all the other tests work. Firewall is off, on
>> both machines.
>>
>> ===============================
>> smb.conf:
>>
>> [global]
>>        workgroup = DACRIB
>>        realm = DACRIB.LOCAL
>>        server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>>        security = ads
>>        map to guest = Bad User
>>
>>        client use spnego = true
>>        client ntlmv2 auth = yes
>>
>>        eventlog list = Application System Security SyslogLinux
>>
>> # PAM AUTH
>>        encrypt passwords = yes
>>        obey pam restrictions = Yes
>>        pam password change = true
>>        password server = dim-win2300.DaCrib.local
>>        passwd program = /usr/bin/passwd %u
>>        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>        unix password sync = Yes
>>
>>        log level = 3
>>        syslog = 0
>>        log file = /var/log/samba/log.%m
>>        max log size = 1000
>>
>>        domain master = No
>>        local master = No
>>        os level = 2
>>
>>        dns proxy = No
>>        usershare allow guests = Yes
>>        panic action = /usr/share/samba/panic-action %d
>>
>> # WINBIND
>>
>>        idmap config DACRIB: default = true
>>        idmap uid = 10000-20000
>>        idmap gid = 10000-20000
>>        idmap config DACRIB:schema_mode = rfc2307
>>
>>        winbind enum users = Yes
>>        winbind enum groups = Yes
>>        winbind use default domain = Yes
>>        winbind nested groups = Yes
>>        winbind refresh tickets = true
>>        winbind nss info = rfc2307
>>        winbind separator = +
>>
>>        template homedir = /home/%D/%u
>>        template shell = /bin/bash
>>
>> ;       invalid users = root
>>        create mask = 0700
>>        directory mask = 0775
>>        writable = Yes
>>        enable privileges = Yes
>>        restrict anonymous = 2
>>
>>        wide links = no
>>
>>        socket options = TCP_NODELAY
>>
>>
>> --
>>
> I get the exact same thing happening on my Ubuntu 9.10 currently running
> 3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10)
>
> However if I do
> smbclient -L mysambaserver  -UanADuserthatcanlogintothisserver
>
> it works just fine and returns the goods. So my guess is that
> dim-win2300.DaCrib.local doesn't know who turgon is...
>

-- 
Sent from my mobile device

Michael J. Leone, <mailto:turgon at mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

