[Samba] winbind is not taking default domain

Werner Durgarten wernerdurgarten at gmx.de
Tue Mar 29 04:39:30 MDT 2011


Similar problem here: since upgrading to Sernet Samba 3.5.8, logging in without typing in the default domain does not work any more.


-------- Original Message --------
> Date: Mon, 28 Mar 2011 16:34:19 +1300
> From: Marco Huang <marco.huang at auckland.ac.nz>
> To: samba at lists.samba.org
> Subject: [Samba] winbind is not taking default domain

> Hi,
> 
> We have been running a samba file server for about 2 years without this problem.
> The problem appeared at the same time on our debian and centos servers.
> Not sure if it's related to any updates on our windows AD servers.
> 
> Debian Squeeze
> sernet-samba-3.5.8-27
> 
> Centos 5.5
> samba3-3.5.5-43.el5
> 
> Use Active Directory for user login authentication
> Use uid/gid from ldap
> The reason we still want winbind is for managing permissions from client
> end. 
> 
> Since last week, users failed on login with "valid users = @staff" until I
> stopped winbind. I found that if I change it to valid users = @"ABC\staff", users
> can log in; however, the change cannot resolve the problem of ACLs on the
> folders/files. Of course, if I stop winbind, it works ok - the user can log in and
> follows the current permissions, but we do need winbind for managing
> permissions from the client end.
> 
> # smb.conf
> 
>   [global]
>    realm = ad.mydomain
>    workgroup = ABC
>    server string = %h server 
>    enable privileges = yes 
>    dns proxy = no
>    netbios name = linfiles
>    smb ports = 139 445
>    
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
> 	
>    log file = /var/log/samba/%U.log
>    log level = 10 winbind:10
>    debug timestamp = yes
>    max log size = 1000
>    syslog only = no
>    syslog = 2
>    panic action = /usr/share/samba/panic-action %d
> 
>    security = ADS
>    encrypt passwords = true
>    obey pam restrictions = no
>    invalid users = root
> 
>    unix extensions = no
>    
>    idmap backend = nss
>    idmap config ABC : default = yes
>    idmap config ABC : backend = nss
>    idmap alloc backend = nss
>    idmap cache time = 30
>    allow trusted domains = no
> 
>    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
>    locking = yes
>    strict locking = no
>    posix locking = yes
>    kernel oplocks = no
>    oplocks = yes
>    level2 oplocks = yes
> 
>    winbind trusted domains only =  yes
>    winbind use default domain = yes
>    winbind enum users = no
>    winbind enum groups = no
>    winbind cache time = 3600
> 	
>    acl compatibility = auto
> 
> [sit]
>    comment = Shares
>    browseable = yes
>    writable = yes
>    create mask = 0770
>    directory mask = 0770
>    acl group control = yes
>    acl check permissions = True
>    nt acl support = yes
>    force directory security mode = 770
>    inherit permissions = yes
>    inherit acls = yes
>    inherit owner = no
>    map acl inherit = yes
>    path = /mnt/sit
>    valid users = @staff
> 
> # /etc/nsswitch.conf
> passwd:     files ldap
> shadow:     files
> group:      files ldap
> 
> # getent group staff returns group members with testuser.
> 
> # wbinfo --own-domain
> ABC
> 
> # Here are some logs from debug mode; winbind is just trying to look up the domain
> LINFILES and Unix Group rather than ABC.
> 
> [2011/03/25 12:43:50.645636,  3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @staff does not start with 'S-'.
> [2011/03/25 12:43:50.645683,  5] smbd/password.c:423(user_in_netgroup)
>   Unable to get default yp domain, let's try without specifying it
> [2011/03/25 12:43:50.645694,  5] smbd/password.c:430(user_in_netgroup)
>   looking for user testuser of domain (ANY) in netgroup staff
> [2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
>   lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
> [2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
>   lookup_name: flags = 0x077
> [2011/03/25 12:43:50.645753,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2011/03/25 12:43:50.645764,  3] smbd/uid.c:429(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2011/03/25 12:43:50.645773,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2011/03/25 12:43:50.645783,  5] auth/token_util.c:525(debug_nt_user_token)
>   NT user token: (NULL)
> [2011/03/25 12:43:50.645792,  5] auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2011/03/25 12:43:50.645825,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
>   lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
> [2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
>   lookup_name: flags = 0x077
> [2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
>   User testuser not in 'valid users'
> [2011/03/25 12:43:50.647820,  2] smbd/service.c:598(create_connection_server_info)
>   user 'testuser' (from session setup) not permitted to access this share (sit)
> [2011/03/25 12:43:50.647832,  1] smbd/service.c:678(make_connection_snum)
>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2011/03/25 12:43:50.647882,  3] smbd/error.c:80(error_packet_set)
>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> 
> 
> cheers
> --
> Marco 

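As an added example (not code from either poster, nor from Samba), the following Python script does the triage a defender would want when reading the thread above: it parses the quoted smb.conf and the level-10 smbd log, flags `valid users` group entries that carry no domain prefix, lists every `lookup_name` call that smbd answered against a domain other than the configured workgroup (here LINFILES and "Unix Group" instead of ABC), and extracts the resulting share access denials. The smb.conf and log excerpts are constructed from the thread (with the wrapped header and message lines kept as they appear in the mail) and the checks are heuristics of this example, not a Samba feature.

```python
"""Triage smbd log lines against 'valid users' in smb.conf.
Added example for the thread above; the excerpts below are constructed
from the mail and the checks are heuristics, not Samba's own logic."""
import re

# Constructed excerpt of the smb.conf quoted in the thread.
SMB_CONF = """
[global]
   workgroup = ABC
   winbind use default domain = yes

[sit]
   path = /mnt/sit
   valid users = @staff
"""

# Constructed excerpt of the level-10 smbd log from the thread, including
# two records whose header and message wrapped onto the next line.
SMBD_LOG = r"""
[2011/03/25 12:43:50.645636,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @staff does not start with 'S-'.
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645783,  5]
auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.647820,  2]
smbd/service.c:598(create_connection_server_info)
  user 'testuser' (from session setup) not permitted to access this share
(sit)
[2011/03/25 12:43:50.647832,  1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
"""

LOG_HEADER = re.compile(r"^\[(?P<ts>[^\]]+?),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$")
LOC_ONLY = re.compile(r"^\S+\.c:\d+\(\w+\)$")   # a header's location wrapped onto its own line
LOOKUP_RE = re.compile(r"lookup_name: (.+?)\\(.+?) => ")
DENIED_RE = re.compile(r"user '([^']+)' \(from session setup\) not permitted "
                       r"to access this share \((\w+)\)")
# @group / +group / &group whose (optionally quoted) name has no DOMAIN\ part
UNQUALIFIED_GROUP = re.compile(r'^[@+&]"?[^"\\]+"?$')


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalised key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and whitespace in parameter names
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def parse_smbd_log(text):
    """Group smbd log text into records: one header plus its message lines."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LOG_HEADER.match(line)
        if m:
            records.append({"ts": m.group("ts"), "level": int(m.group("level")),
                            "loc": m.group("loc"), "msg": ""})
            continue
        if not records:
            continue                  # stray text before the first header
        rec = records[-1]
        if not rec["loc"] and LOC_ONLY.match(line):
            rec["loc"] = line         # header was wrapped onto this line
        else:                         # message line, possibly wrapped
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def triage(conf_text, log_text):
    """Correlate the share config with the domains smbd actually looked up."""
    conf = parse_smb_conf(conf_text)
    workgroup = conf.get("global", {}).get("workgroup", "").upper()
    findings = {"workgroup": workgroup, "unqualified_valid_users": [],
                "foreign_lookups": [], "access_denied": []}
    for section, params in conf.items():
        if section == "global":
            continue
        for entry in re.split(r"[\s,]+", params.get("valid users", "").strip()):
            if entry and UNQUALIFIED_GROUP.match(entry):
                findings["unqualified_valid_users"].append((section, entry))
    for rec in parse_smbd_log(log_text):
        m = LOOKUP_RE.search(rec["msg"])
        if m and m.group(1).upper() != workgroup:   # resolved outside the workgroup
            findings["foreign_lookups"].append((m.group(1), m.group(2)))
        m = DENIED_RE.search(rec["msg"])
        if m:
            findings["access_denied"].append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for key, value in triage(SMB_CONF, SMBD_LOG).items():
        print(f"{key}: {value}")
```

Run against the thread's own excerpts it reports the `[sit]` share's unqualified `@staff`, the two lookups answered by LINFILES and "Unix Group", and the denial of `testuser` on `sit`; with the poster's workaround `valid users = @"ABC\staff"` the first finding disappears, which is the quickest way to confirm whether a share's access list depends on `winbind use default domain` behaving.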
