[Samba] Integrating samba with existing AD

Thibaut POUZET thibaut.pouzet at lyra-network.com
Mon Jul 25 09:26:05 MDT 2011


Hi all,

I just succeeded in configuring my new samba server. My users in Active
Directory (Win2k3 R2) can successfully browse the shares they are able to
view, write in their home directory, etc.
But when trying to copy something inside one of the shared folders, I got an
error message saying "You are not allowed to edit this share".
I searched and found that when I change the owner of the shared folder to
the user trying to copy something inside, it works!

Now the question is: how do I allow everyone to write in my shared
folders?

This issue might be connected to another one I had. With this conf in
nsswitch:
/etc/nsswitch.conf
passwd file ldap winbind
group file ldap winbind
shadow file ldap
I have the following results:

# wbinfo -n alfred
S-1-5-21-725345543-507921405-1202660629-3262 SID_USER (1)
# wbinfo -s S-1-5-21-725345543-507921405-1202660629-3262
WORKGROUP+alfred 1
# wbinfo -S S-1-5-21-725345543-507921405-1202660629-3262
5000002
# getent passwd |grep alfred
alfred:*:2033:1500:alfred Test:/home/alfred:/bin/bash
alfred:*:5000002:5000000:alfred Test:/home/WORKGROUP/alfred:/bin/false
# wbinfo -U 2033
Could not convert uid 2033 to sid
# wbinfo -U 5000002
S-1-5-21-725345543-507921405-1202660629-3262
And I can't do anything with my shares, whatever user I use to
connect to them through explorer.

And with this conf:
/etc/nsswitch.conf
passwd file ldap
group file ldap
shadow file ldap

# wbinfo -n alfred
S-1-5-21-725345543-507921405-1202660629-3262 SID_USER (1)
# wbinfo -s S-1-5-21-725345543-507921405-1202660629-3262
WORKGROUP+alfred 1
# wbinfo -S S-1-5-21-725345543-507921405-1202660629-3262
5000002
# getent passwd |grep alfred
alfred:*:2033:1500:alfred Test:/home/alfred:/bin/bash
# wbinfo -U 2033
Could not convert uid 2033 to sid
# wbinfo -U 5000002
S-1-5-21-725345543-507921405-1202660629-3262
And I have the situation described at the beginning of the mail: users can
view their shares, but cannot copy something inside of them. Furthermore, only
users with uid and gid given in LDAP can do that.
# getent passwd | grep alfred2
alfred2:*:5000073:5000000:alfred2 Scow:/home/LYRA/alfred2:/bin/false

Alfred has a uid & gid (in LDAP) and can connect, and Alfred2 doesn't have a
uid & gid (in LDAP), and he cannot connect.

I have an Active Directory synchronized with an LDAP server. Half of my users
have unix accounts (i.e. with uid/gid), and the others should not have a
uid/gid, and therefore do not have one.


Any sort of help would be appreciated!

Thanks, Thibaut.
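The two getent lines for "alfred" above are the symptom to look for: the same username answered by two NSS sources (ldap and winbind) with different uids, so the uid smbd maps the session to and the uid owning the files on disk can disagree. The following script is an added example, not code from the thread or from the Samba project; it reads passwd-format lines on stdin and reports every user that resolves to more than one uid. The function name find_dup_uids and the sample lines are constructed for this example (the sample mirrors the output quoted above rather than being live getent output).

```shell
#!/bin/sh
# Added example (not from the thread): flag usernames that resolve to more
# than one uid across NSS sources. Reads passwd(5)-format lines on stdin and
# prints "user uid1,uid2,..." for every user with two or more distinct uids.
# Function name is a constructed example name.
find_dup_uids() {
    awk -F: '
        NF >= 3 && $1 != "" {
            if (!($1 in uids)) {
                # first time we see this user: remember its uid and its order
                uids[$1] = $3
                order[n++] = $1
            } else if (index("," uids[$1] ",", "," $3 ",") == 0) {
                # same user, a uid we have not recorded yet: append it
                uids[$1] = uids[$1] "," $3
            }
        }
        END {
            for (i = 0; i < n; i++) {
                u = order[i]
                # only users that collected more than one uid are reported
                if (index(uids[u], ",") > 0) print u " " uids[u]
            }
        }'
}

# Constructed sample modelled on the getent output quoted in the thread.
# The "thibaut" line is made up to show a user with a single, consistent uid.
SAMPLE='alfred:*:2033:1500:alfred Test:/home/alfred:/bin/bash
alfred:*:5000002:5000000:alfred Test:/home/WORKGROUP/alfred:/bin/false
alfred2:*:5000073:5000000:alfred2 Scow:/home/LYRA/alfred2:/bin/false
thibaut:*:2032:1500:thibaut:/home/thibaut:/bin/bash'

# Run against the constructed sample; on a real host you would instead run
#   getent passwd | find_dup_uids
printf '%s\n' "$SAMPLE" | find_dup_uids
```

A non-empty result means the NSS order in nsswitch.conf (or the idmap configuration behind winbind) is handing out conflicting identities for the same account, which is the situation to resolve before tuning share permissions: file ownership checks are done against whichever uid smbd ends up with, not against the account name.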

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
behalf of Thibaut POUZET
Sent: Thursday, July 21, 2011 09:50
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD

I found an interesting thing this morning, just look at the commands:

# wbinfo -a alfred%Password1234
plaintext password authentication succeeded
challenge/response password authentication succeeded
# smbclient -L localhost -Ualfred%Password1234 -d 2> debug.log
session setup failed: NT_STATUS_LOGON_FAILURE

Gives me this output (I removed the useless beginning of the output).
http://pastebin.com/ScCVGsBK

But, I have this line in smb.conf :
hosts allow = 192.168.206., 127.

So, where is the trick?

Thibaut POUZET

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
behalf of Thibaut POUZET
Sent: Wednesday, July 20, 2011 17:13
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD

Well thank you for noticing this error Jonathan, I didn't pay attention to
my samba version. We have quite a lot of CentOS machines on the network and
a poor internet connection, combined with a strong security policy.
Therefore, we have an rpm proxy and I did not notice that the samba packages
available were out of date. Anyway, I fixed this issue and ran some more
tests.

I can still observe my problem though: I can connect to the server with
smbclient or windows clients, but cannot parse my folders. I also created a
dummy user named Alfred in my active directory, but he cannot connect in any
way.

But now that I made this change, "# getent groups" does not give me all my
local + AD groups (just some of them).
I managed to connect to one of my folders by having "valid users = thibaut"
in my settings, but I don't really like this solution since I have a lot of
users who will have access to this server.

[2011/07/20 16:59:01.751433,  1] smbd/service.c:1070(make_connection_snum)
  192.168.206.145 (192.168.206.145) connect to service commercial initially
as user thibaut (uid=2032, gid=1500) (pid 3039)
[2011/07/20 16:59:02.771747,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

And when accessing another folder with "valid users = %S":
[2011/07/20 16:58:53.584947,  2]
smbd/service.c:598(create_connection_server_info)
  user 'thibaut' (from session setup) not permitted to access this share
(dummy)

I use ldap to identify myself to the server, so I think that the uid+gid
numbers for the user thibaut come from my logins to the server and might
have nothing to do with samba.

I think I am a bit confused with all this and that I mix up some different
concepts.

Thibaut POUZET.


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
behalf of Jonathan Buzzard
Sent: Wednesday, July 20, 2011 12:26
To: samba at lists.samba.org
Subject: Re: [Samba] Integrating samba with existing AD


On Wed, 2011-07-20 at 10:44 +0200, Thibaut POUZET wrote:

> The software involved:
> 
> Server Linux CentOS 5.6
> 
> Windows 2003 Server R2 with working AD and another DNS server working
> just fine.
> 
> # rpm -qa | grep samba
> 
> samba-3.0.33-3.29.el5_6.2
> 
> samba-common-3.0.33-3.29.el5_6.2
> 
> samba-client-3.0.33-3.29.el5_6.2
> 

Stop right there, remove the samba packages and install the samba3x
packages. Then take a look at my previous post made yesterday.

[SNIP]

> So where am I going wrong?
> 

You are persisting in using a woefully out of date version of Samba when
your distribution comes with a much more recent prepackaged version. Why
anyone would want to use the plain samba packages in RHEL/CentOS when
trying to integrate with the AD is utterly beyond me.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
