[Samba] winbind is not taking default domain

Marco Huang marco.huang at auckland.ac.nz
Sun Mar 27 21:34:19 MDT 2011


Hi,

We have been running a Samba file server for about 2 years without this problem. The problem appeared at the same time on our Debian and CentOS servers. Not sure if it's related to any updates on our Windows AD servers.

Debian Squeeze
sernet-samba-3.5.8-27

Centos 5.5
samba3-3.5.5-43.el5

Use Active Directory for user login authentication
Use uid/gid from ldap
The reason we still want winbind is for managing permissions from client end. 

Since last week, users have failed to log in with "valid users = @staff" until I stopped winbind. I found that if I change it to valid users = @"ABC\staff", users can log in; however, the change does not resolve the problem of ACLs on the folders/files. Of course, if I stop winbind, it works OK: users can log in and the current permissions are honoured, but we do need winbind for managing permissions from the client end.

# smb.conf

  [global]
   realm = ad.mydomain
   workgroup = ABC
   server string = %h server 
   enable privileges = yes 
   dns proxy = no
   netbios name = linfiles
   smb ports = 139 445
   
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
	
   log file = /var/log/samba/%U.log
   log level = 10 winbind:10
   debug timestamp = yes
   max log size = 1000
   syslog only = no
   syslog = 2
   panic action = /usr/share/samba/panic-action %d

   security = ADS
   encrypt passwords = true
   obey pam restrictions = no
   invalid users = root

   unix extensions = no
   
   idmap backend = nss
   idmap config ABC : default = yes
   idmap config ABC : backend = nss
   idmap alloc backend = nss
   idmap cache time = 30
   allow trusted domains = no

   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
   locking = yes
   strict locking = no
   posix locking = yes
   kernel oplocks = no
   oplocks = yes
   level2 oplocks = yes

   winbind trusted domains only =  yes
   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
   winbind cache time = 3600
	
   acl compatibility = auto

[sit]
   comment = Shares
   browseable = yes
   writable = yes
   create mask = 0770
   directory mask = 0770
   acl group control = yes
   acl check permissions = True
   nt acl support = yes
   force directory security mode = 770
   inherit permissions = yes
   inherit acls = yes
   inherit owner = no
   map acl inherit = yes
   path = /mnt/sit
   valid users = @staff

# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files
group:      files ldap

# getent group staff returns group members with testuser.

# wbinfo --own-domain
ABC

# Here are some logs from debug mode; winbind is just trying to look up the domains LINFILES and Unix Group rather than ABC.

[2011/03/25 12:43:50.645636,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @staff does not start with 'S-'.
[2011/03/25 12:43:50.645683,  5] smbd/password.c:423(user_in_netgroup)
  Unable to get default yp domain, let's try without specifying it
[2011/03/25 12:43:50.645694,  5] smbd/password.c:430(user_in_netgroup)
  looking for user testuser of domain (ANY) in netgroup staff
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2011/03/25 12:43:50.645753,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/03/25 12:43:50.645764,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/03/25 12:43:50.645773,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/03/25 12:43:50.645783,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2011/03/25 12:43:50.645792,  5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/03/25 12:43:50.645825,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
  User testuser not in 'valid users'
[2011/03/25 12:43:50.647820,  2] smbd/service.c:598(create_connection_server_info)
  user 'testuser' (from session setup) not permitted to access this share (sit)
[2011/03/25 12:43:50.647832,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2011/03/25 12:43:50.647882,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


cheers
--
Marco 
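As an added diagnostic example (not part of the original post and not Samba project code): the level-10 log above records every domain that smbd's lookup_name() tried for the group named in "valid users = @staff". The script below pulls those domains out of such a log and checks whether the server's own domain (the value of `wbinfo --own-domain`, ABC in the post) was among them. It assumes only the "lookup_name: DOMAIN\name => DOMAIN (domain), name (name)" line format shown in the post; the sample log it creates is constructed from the post's output.

```shell
#!/bin/sh
# Added example (not from the original post or from the Samba project):
# given an smbd log written at "log level = 10", list which domains smbd
# consulted via lookup_name() for a group named in "valid users = @group",
# and check whether the server's own AD domain (wbinfo --own-domain) is
# among them. Assumes the lookup_name debug line format shown in the post.

# Write a constructed sample log (modelled on the post's output) to $1.
make_sample_log() {
  cat > "$1" <<'EOF'
[2011/03/25 12:43:50.645636,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @staff does not start with 'S-'.
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
  User testuser not in 'valid users'
EOF
}

# Print, in order and without repeats, every domain that lookup_name()
# tried for group $2 in log file $1.
lookup_domains() {
  awk -v grp="$2" '
    /lookup_name: / && /\\/ {
      line = $0
      sub(/^.*lookup_name: /, "", line)
      n = index(line, "\\")          # split DOMAIN\name at the backslash
      if (n == 0) next
      dom  = substr(line, 1, n - 1)
      name = substr(line, n + 1)
      sub(/ =>.*$/, "", name)
      if (name == grp && !(dom in seen)) { seen[dom] = 1; print dom }
    }' "$1"
}

# Exit 0 if domain $3 was among those tried for group $2 in log $1, else 1.
own_domain_tried() {
  lookup_domains "$1" "$2" | grep -qxF -- "$3"
}

# Human-readable verdict for log $1, group $2 and own domain $3.
report() {
  echo "domains smbd tried for group '$2':"
  lookup_domains "$1" "$2" | sed 's/^/  /'
  if own_domain_tried "$1" "$2" "$3"; then
    echo "own domain $3 was consulted for '$2'"
  else
    echo "own domain $3 was NOT consulted for '$2';"
    echo "smbd resolved @$2 only against local/Unix name spaces"
  fi
}

# Usage: sh winbind_lookup_check.sh <smbd-log> <group> <own-domain>
# With no arguments, run against the constructed sample log.
if [ $# -eq 3 ]; then
  report "$1" "$2" "$3"
elif [ $# -eq 0 ]; then
  sample=$(mktemp)
  make_sample_log "$sample"
  report "$sample" staff ABC
  rm -f "$sample"
fi
```

Run it as `sh winbind_lookup_check.sh /var/log/samba/testuser.log staff "$(wbinfo --own-domain)"` against a real per-user log (the post's "log file = /var/log/samba/%U.log"). On the sample it reports LINFILES and Unix Group and flags that ABC was never consulted, which is the behaviour the post describes; it is a check of what smbd did, not a fix for why.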

