[Samba] Having problem with "valid users" in Active Directory/Samba environment
Eric Peterson
ericrpeterson at sbcglobal.net
Tue Feb 9 21:45:46 MST 2010
We have an Ubuntu/Samba setup to serve Windows-XP users using Active Directory credentials.
The application is a backup service using rsync from their workstations to the server.
Ubuntu: 9.10, Samba: 3.4.0.
The backups work fine, and individual users logged onto XP with AD credentials can see the contents of their shares on the server.
However, we have been unable to configure Samba to allow specified users (domain admins) access to Samba shares, which is needed for administration of the shares.
The "valid user" and "admin user" constructs are not working in our environment.
When smb.conf is configured with these constructs (see testparm output below), which should allow access, instead we get an error message on the XP side and the following messages in /var/log/samba: (in the example, trying to access the share \\<server>\wirt)
[2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such file or directory
[2010/02/08 21:31:21, 0] smbd/service.c:1188(make_connection) __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt
The error in XP says: "Windows cannot find '\\<server>\wirt'. Check the spelling and try again...."
Is there something wrong with the smb.conf settings, or something else that needs to be done to allow domain admins access to user shares?
Could something with the pam or winbind settings explain this behavior?
One clue is that when we cranked the log level to 3, the log messages indicated that the Samba connection was being made to a UNIX user DOMAIN\lfvr3tk1$ rather than DOMAIN\admin as would be expected. The name of the admin's XP computer is "lfvr3tk1". The logfile is quite large so I did not include it here.
What's going on????
Thanks,
Eric Peterson
======output from testparm=========
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[public]"
Processing section "[public_rw]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
	workgroup = DOMAIN
	realm = DOMAIN.COM
	server string = %h server (Samba, Ubuntu)
	security = ADS
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash

[homes]
	comment = Home Directories
	valid users = DOMAIN\%S, DOMAIN\admin
	admin users = DOMAIN\admin

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	browseable = No
	browsable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

[public]
	path = /export/public
	guest ok = Yes

[public_rw]
	path = /export/public_rw
	read only = No
	guest ok = Yes