[Samba] Having problem with "valid users" in Active Directory/Samba environment

Eric Peterson ericrpeterson at sbcglobal.net
Tue Feb 9 21:45:46 MST 2010


We have an Ubuntu/Samba setup to serve Windows-XP users using Active Directory credentials.
The application is a backup service using rsync from their workstations to the server.
Ubuntu: 9.10, Samba: 3.4.0. 
The backups work fine, and individual users logged onto XP with AD credentials can see the contents of their shares on the server. 
However, we have been unable to configure Samba to allow specified users (domain admins) access to Samba shares, which is needed for administration of the shares. 

The "valid user" and "admin user" constructs are not working in our environment.
When smb.conf is configured with these constructs (see testparm output below), which should allow access, instead we get an error message on the XP side and the following messages in /var/log/samba: (in the example, trying to access the share \\<server>\wirt)

[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such file or directory
[2010/02/08 21:31:21,  0] smbd/service.c:1188(make_connection) __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt

The error in XP says: "Windows cannot find '\\<server>\wirt'. Check the spelling and try again...."

Is there something wrong with the smb.conf settings, or something else that needs to be done to allow domain admins access to user shares?
Could something with the pam or winbind settings explain this behavior?

One clue is that when we cranked the log level to 3, the log messages indicated that the Samba connection was being made to a UNIX user DOMAIN\lfvr3tk1$ rather than DOMAIN\admin as would be expected. The name of the admin's XP computer is "lfvr3tk1". The logfile is quite large so I did not include it here.

What's going on????

Thanks,
Eric Peterson


======output from testparm=========

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[public]"
Processing section "[public_rw]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
 
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = %h server (Samba, Ubuntu)
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
 
[homes]
        comment = Home Directories
        valid users = DOMAIN\%S, DOMAIN\admin
        admin users = DOMAIN\admin
 
[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No
        browsable = No
 
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
 
[public]
        path = /export/public
        guest ok = Yes
 
[public_rw]
        path = /export/public_rw
        read only = No
        guest ok = Yes
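
Added example, not part of the original post: a small Python triage of the four smbd log lines quoted above, grouping the usershare stat errors and the failed service lookup by share name and client address. The regular expressions assume the single-line log layout shown in the post, and all function and variable names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the four smbd log lines quoted in the post.
SAMPLE_LOG = """\
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such file or directory
[2010/02/08 21:31:21,  0] smbd/service.c:1188(make_connection) __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt
"""

# "[date time, level] source.c:line(function) message" on one line (assumed layout).
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s+(?P<msg>.*)$"
)
USERSHARE_RE = re.compile(r"stat of (?P<path>\S+) failed\. (?P<err>.+)$")
SERVICE_RE = re.compile(r"\((?P<addr>[0-9a-fA-F:.]+)\) couldn't find service (?P<share>\S+)$")

def client_ip(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def triage(log_text):
    """Count usershare stat errors per (share, error) and failed lookups per (client, share)."""
    usershare_errors = Counter()
    missing_service = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the assumed layout
        if m["func"] == "process_usershare_file":
            u = USERSHARE_RE.search(m["msg"])
            if u:
                usershare_errors[(u["path"].rsplit("/", 1)[-1], u["err"])] += 1
        elif m["func"] == "make_connection":
            s = SERVICE_RE.search(m["msg"])
            if s:
                missing_service[(client_ip(s["addr"]), s["share"])] += 1
    return usershare_errors, missing_service

if __name__ == "__main__":
    errors, missing = triage(SAMPLE_LOG)
    for (share, err), n in sorted(errors.items()):
        print(f"usershare lookup  share={share!r} error={err!r} count={n}")
    for (client, share), n in sorted(missing.items()):
        print(f"service not found client={client} share={share!r} count={n}")
```

On the sample, every logged failure is a share-name lookup for "wirt": three usershare stat attempts followed by one "couldn't find service" from client 10.0.3.56.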
