[Samba] Can join AD 2003 domain; can't list shares from other servers

grant little grantliddle at gmail.com
Sat Apr 24 13:14:47 MDT 2010


maybe, but have you also tried
smbclient -L workhorse  -Uturgon

On Fri, Apr 23, 2010 at 3:58 PM, Michael Leone <turgon at mike-leone.com> wrote:

> No, dim-win2300 knows who turgon is. ;-) in fact, I am logged in on
> the console of dim-win2300 right now. And turgon is a Domain Admin. It
> was the account I used to join the laptop to the domain with. And it
> did join, as I see the laptop machine account in AD. So I think it
> must be something else ...
>
>
> On 4/23/10, grant little <grantliddle at gmail.com> wrote:
> > On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone <turgon at mike-leone.com> wrote:
> >
> >> I set up an old laptop with Xubuntu 9.10. I configured Samba to work
> >> with my Win2003 AD domain that has MS Services for Unix installed.
> >>
> >> I can get a Kerberos ticket. I successfully added the laptop to the AD
> >> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
> >> all groups. wbinfo -a user%password returns successfully. "getent passwd"
> >> works as expected - I see local users, and domain users.
> >>
> >> "net ads info" works correctly, returning info.
> >>
> >> LDAP server: 10.0.0.60
> >> LDAP server name: dim-win2300.DaCrib.local
> >> Realm: DACRIB.LOCAL
> >> Bind Path: dc=DACRIB,dc=LOCAL
> >> LDAP port: 389
> >> Server time: Fri, 23 Apr 2010 13:12:53 EDT
> >> KDC server: 10.0.0.60
> >> Server time offset: 1
> >>
> >> And yet:
> >>
> >> $ smbclient -L workhorse
> >> Enter turgon's password:
> >> session setup failed: NT_STATUS_ACCESS_DENIED
> >>
> >> I have no idea why it's failing; I'm not seeing anything in the samba or
> >> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
> >> server)
> >>
> >> I can do the reverse; from "workhorse" I can see all the shares on the
> >> laptop:
> >>
> >> turgon at workhorse:~$ smbclient -L turgon-laptop
> >> Enter turgon's password:
> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
> >>
> >>        Sharename       Type      Comment
> >>        ---------       ----      -------
> >>        IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
> >>        print$          Disk      Printer Drivers
> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
> >>
> >>        Server               Comment
> >>        ---------            -------
> >>        TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser
> >>
> >>        Workgroup            Master
> >>        ---------            -------
> >>        DACRIB
> >>
> >> Hints as to where to go next? It must be something wrong on this specific
> >> laptop, since it works from my other server,
> >> but I dunno where, since all the other tests work. Firewall is off, on
> >> both machines.
> >>
> >> ===============================
> >> smb.conf:
> >>
> >> [global]
> >>        workgroup = DACRIB
> >>        realm = DACRIB.LOCAL
> >>        server string = %h server (Samba %v, Domain: %D, Server: %L - R)
> >>        security = ads
> >>        map to guest = Bad User
> >>
> >>        client use spnego = true
> >>        client ntlmv2 auth = yes
> >>
> >>        eventlog list = Application System Security SyslogLinux
> >>
> >> # PAM AUTH
> >>        encrypt passwords = yes
> >>        obey pam restrictions = Yes
> >>        pam password change = true
> >>        password server = dim-win2300.DaCrib.local
> >>        passwd program = /usr/bin/passwd %u
> >>        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>        unix password sync = Yes
> >>
> >>        log level = 3
> >>        syslog = 0
> >>        log file = /var/log/samba/log.%m
> >>        max log size = 1000
> >>
> >>        domain master = No
> >>        local master = No
> >>        os level = 2
> >>
> >>        dns proxy = No
> >>        usershare allow guests = Yes
> >>        panic action = /usr/share/samba/panic-action %d
> >>
> >> # WINBIND
> >>
> >>        idmap config DACRIB: default = true
> >>        idmap uid = 10000-20000
> >>        idmap gid = 10000-20000
> >>        idmap config DACRIB:schema_mode = rfc2307
> >>
> >>        winbind enum users = Yes
> >>        winbind enum groups = Yes
> >>        winbind use default domain = Yes
> >>        winbind nested groups = Yes
> >>        winbind refresh tickets = true
> >>        winbind nss info = rfc2307
> >>        winbind separator = +
> >>
> >>        template homedir = /home/%D/%u
> >>        template shell = /bin/bash
> >>
> >> ;       invalid users = root
> >>        create mask = 0700
> >>        directory mask = 0775
> >>        writable = Yes
> >>        enable privileges = Yes
> >>        restrict anonymous = 2
> >>
> >>        wide links = no
> >>
> >>        socket options = TCP_NODELAY
> >>
> >>
> >> --
> >>
> > I get the exact same thing happening on my Ubuntu 9.10 currently running
> > 3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10)
> >
> > However if I do
> > smbclient -L mysambaserver  -UanADuserthatcanlogintothisserver
> >
> > it works just fine and returns the goods. So my guess is that
> > dim-win2300.DaCrib.local doesn't know who turgon is...
> >
>
> --
> Sent from my mobile device
>
> Michael J. Leone, <mailto:turgon at mike-leone.com>
>
> PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
> Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

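The quoted message notes that the same `smbclient -L` call works from workhorse but fails from the laptop, so comparing the two hosts' `[global]` sections is a natural next check. The following is an added example, not code from anyone in this thread: it diffs two smb.conf `[global]` sections using smb.conf's own rules (parameter names ignore case and whitespace; yes/true and no/false are synonyms). The `LAPTOP` text is an excerpt of the posted config; `OTHER` is constructed for illustration, is not workhorse's real config, and the differences it shows are not a diagnosis.

```python
import re

# Word synonyms for booleans. Samba also accepts 0/1, but those are left
# untouched here because integer parameters (syslog, os level) use them too.
BOOL = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}

def norm_name(name):
    # smb.conf ignores case and all whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()

def norm_value(value):
    v = value.strip()
    return BOOL.get(v.lower(), v)

def parse_global(text):
    """Return {normalized name: normalized value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm_name(name)] = norm_value(value)
    return params

def diff_global(a, b):
    """Map each differing parameter to (value in a, value in b); None = unset."""
    pa, pb = parse_global(a), parse_global(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)}

# Excerpt of the smb.conf posted in the thread
LAPTOP = """[global]
       workgroup = DACRIB
       security = ads
       client use spnego = true
       client ntlmv2 auth = yes
       password server = dim-win2300.DaCrib.local
;       invalid users = root
"""
# Constructed sample standing in for the second host's config (hypothetical)
OTHER = "[global]\n Workgroup = DACRIB\n security = ads\n clientusespnego = Yes\n client NTLMv2 auth = no\n"

if __name__ == "__main__":
    for name, (left, right) in diff_global(LAPTOP, OTHER).items():
        print(f"{name}: laptop={left!r} other={right!r}")
```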
