[Samba] Can join AD 2003 domain; can't list shares from other servers

grant little grantliddle at gmail.com
Sat Apr 24 13:36:11 MDT 2010


Also you say that other systems work fine. Are they the same version of
samba on the same OS and version? As in are we comparing apples with
apples...

On Sat, Apr 24, 2010 at 12:14 PM, grant little <grantliddle at gmail.com> wrote:

> maybe, but have you also tried
> smbclient -L workhorse  -Uturgon
>
>
> On Fri, Apr 23, 2010 at 3:58 PM, Michael Leone <turgon at mike-leone.com> wrote:
>
>> No, dim-win2300 knows who turgon is. ;-) In fact, I am logged in on
>> the console of dim-win2300 right now. And turgon is a Domain Admin. It
>> was the account I used to join the laptop to the domain with. And it
>> did join, as I see the laptop machine account in AD. So I think it
>> must be something else ...
>>
>>
>> On 4/23/10, grant little <grantliddle at gmail.com> wrote:
>> > On Fri, Apr 23, 2010 at 10:14 AM, Mike Leone <turgon at mike-leone.com> wrote:
>> >
>> >> I set up an old laptop with Xubuntu 9.10. I configured Samba to work
>> >> with my Win2003 AD domain that has MS Services for Unix installed.
>> >>
>> >> I can get a Kerberos ticket. I successfully added the laptop to the AD
>> >> domain. wbinfo -a shows me all users, domain and local. wbinfo -g shows me
>> >> all groups. wbinfo -a user%password returns successfully. "getent passwd"
>> >> works as expected - I see local users, and domain users.
>> >>
>> >> "net ads info" works correctly, returning info.
>> >>
>> >> LDAP server: 10.0.0.60
>> >> LDAP server name: dim-win2300.DaCrib.local
>> >> Realm: DACRIB.LOCAL
>> >> Bind Path: dc=DACRIB,dc=LOCAL
>> >> LDAP port: 389
>> >> Server time: Fri, 23 Apr 2010 13:12:53 EDT
>> >> KDC server: 10.0.0.60
>> >> Server time offset: 1
>> >>
>> >> And yet:
>> >>
>> >> $ smbclient -L workhorse
>> >> Enter turgon's password:
>> >> session setup failed: NT_STATUS_ACCESS_DENIED
>> >>
>> >> I have no idea why it's failing; I'm not seeing anything in the samba or
>> >> winbind logs. (workhorse is Ubuntu 9.10, configured as a domain member
>> >> server)
>> >>
>> >> I can do the reverse; from "workhorse" I can see all the shares on the
>> >> laptop:
>> >>
>> >> turgon@workhorse:~$ smbclient -L turgon-laptop
>> >> Enter turgon's password:
>> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>> >>
>> >>        Sharename       Type      Comment
>> >>        ---------       ----      -------
>> >>        IPC$            IPC       IPC Service (turgon-laptop server (Samba 3.4.0, Domain: DACRIB, Server: turgon-laptop - NT1))
>> >>        print$          Disk      Printer Drivers
>> >> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>> >>
>> >>        Server               Comment
>> >>        ---------            -------
>> >>        TURGON-LAPTOP        turgon-laptop server (Samba 3.4.0, Domain: , Ser
>> >>
>> >>        Workgroup            Master
>> >>        ---------            -------
>> >>        DACRIB
>> >>
>> >> Hints as to where to go next? It must be something wrong on this specific
>> >> laptop, since it works from my other server,
>> >> but I dunno where, since all the other tests work. Firewall is off, on
>> >> both machines.
>> >>
>> >> ===============================
>> >> smb.conf:
>> >>
>> >> [global]
>> >>        workgroup = DACRIB
>> >>        realm = DACRIB.LOCAL
>> >>        server string = %h server (Samba %v, Domain: %D, Server: %L - R)
>> >>        security = ads
>> >>        map to guest = Bad User
>> >>
>> >>        client use spnego = true
>> >>        client ntlmv2 auth = yes
>> >>
>> >>        eventlog list = Application System Security SyslogLinux
>> >>
>> >> # PAM AUTH
>> >>        encrypt passwords = yes
>> >>        obey pam restrictions = Yes
>> >>        pam password change = true
>> >>        password server = dim-win2300.DaCrib.local
>> >>        passwd program = /usr/bin/passwd %u
>> >>        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> >>        unix password sync = Yes
>> >>
>> >>        log level = 3
>> >>        syslog = 0
>> >>        log file = /var/log/samba/log.%m
>> >>        max log size = 1000
>> >>
>> >>        domain master = No
>> >>        local master = No
>> >>        os level = 2
>> >>
>> >>        dns proxy = No
>> >>        usershare allow guests = Yes
>> >>        panic action = /usr/share/samba/panic-action %d
>> >>
>> >> # WINBIND
>> >>
>> >>        idmap config DACRIB: default = true
>> >>        idmap uid = 10000-20000
>> >>        idmap gid = 10000-20000
>> >>        idmap config DACRIB:schema_mode = rfc2307
>> >>
>> >>        winbind enum users = Yes
>> >>        winbind enum groups = Yes
>> >>        winbind use default domain = Yes
>> >>        winbind nested groups = Yes
>> >>        winbind refresh tickets = true
>> >>        winbind nss info = rfc2307
>> >>        winbind separator = +
>> >>
>> >>        template homedir = /home/%D/%u
>> >>        template shell = /bin/bash
>> >>
>> >> ;       invalid users = root
>> >>        create mask = 0700
>> >>        directory mask = 0775
>> >>        writable = Yes
>> >>        enable privileges = Yes
>> >>        restrict anonymous = 2
>> >>
>> >>        wide links = no
>> >>
>> >>        socket options = TCP_NODELAY
>> >>
>> >>
>> >> --
>> >>
>> > I get the exact same thing happening on my Ubuntu 9.10 currently running
>> > 3.5.0rc2 (until I figure out how to manage 3.5.2 on Ubuntu 9.10)
>> >
>> > However if I do
>> > smbclient -L mysambaserver  -UanADuserthatcanlogintothisserver
>> >
>> > it works just fine and returns the goods. So my guess is that
>> > dim-win2300.DaCrib.local doesn't know who turgon is...
>> >
>>
>> --
>> Sent from my mobile device
>>
>> Michael J. Leone, <mailto:turgon at mike-leone.com>
>>
>> PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
>> Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>
>>
>
>

