[Samba] winbind is not taking default domain

Marco Huang marco.huang at auckland.ac.nz
Wed Mar 30 14:34:47 MDT 2011


Not sure if importing all the users and groups into your /etc/passwd and /etc/group files, respectively, would fix your problem.

On 29/03/2011, at 11:39 PM, Werner Durgarten wrote:

> Similar problem here: since upgrading to SerNet Samba 3.5.8, logging in without typing in the default domain does not work any more.
> 
> 
> -------- Original Message --------
>> Date: Mon, 28 Mar 2011 16:34:19 +1300
>> From: Marco Huang <marco.huang at auckland.ac.nz>
>> To: samba at lists.samba.org
>> Subject: [Samba] winbind is not taking default domain
> 
>> Hi,
>> 
>> We have been running a Samba file server for about 2 years without this problem.
>> The problem appeared at the same time on our Debian and CentOS servers.
>> Not sure if it's related to any updates on our Windows AD servers.
>> 
>> Debian Squeeze
>> sernet-samba-3.5.8-27
>> 
>> CentOS 5.5
>> samba3-3.5.5-43.el5
>> 
>> Use Active Directory for user login authentication
>> Use uid/gid from LDAP
>> The reason we still want winbind is for managing permissions from the client
>> end.
>> 
>> Since last week, users have failed to log in with "valid users = @staff" until I
>> stopped winbind. I found that if I change it to valid users = @"ABC\staff", users
>> can log in; however, the change cannot resolve the problem of ACLs on the
>> folders/files. Of course, if I stop winbind, it works OK: users can log in and
>> the current permissions are followed, but we do need winbind for managing
>> permissions from the client end.
>> 
>> # smb.conf
>> 
>>  [global]
>>   realm = ad.mydomain
>>   workgroup = ABC
>>   server string = %h server 
>>   enable privileges = yes 
>>   dns proxy = no
>>   netbios name = linfiles
>>   smb ports = 139 445
>> 
>>   load printers = no
>>   printing = bsd
>>   printcap name = /dev/null
>>   disable spoolss = yes
>> 	
>>   log file = /var/log/samba/%U.log
>>   log level = 10 winbind:10
>>   debug timestamp = yes
>>   max log size = 1000
>>   syslog only = no
>>   syslog = 2
>>   panic action = /usr/share/samba/panic-action %d
>> 
>>   security = ADS
>>   encrypt passwords = true
>>   obey pam restrictions = no
>>   invalid users = root
>> 
>>   unix extensions = no
>> 
>>   idmap backend = nss
>>   idmap config ABC : default = yes
>>   idmap config ABC : backend = nss
>>   idmap alloc backend = nss
>>   idmap cache time = 30
>>   allow trusted domains = no
>> 
>>   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
>>   locking = yes
>>   strict locking = no
>>   posix locking = yes
>>   kernel oplocks = no
>>   oplocks = yes
>>   level2 oplocks = yes
>> 
>>   winbind trusted domains only =  yes
>>   winbind use default domain = yes
>>   winbind enum users = no
>>   winbind enum groups = no
>>   winbind cache time = 3600
>> 	
>>   acl compatibility = auto
>> 
>> [sit]
>>   comment = Shares
>>   browseable = yes
>>   writable = yes
>>   create mask = 0770
>>   directory mask = 0770
>>   acl group control = yes
>>   acl check permissions = True
>>   nt acl support = yes
>>   force directory security mode = 770
>>   inherit permissions = yes
>>   inherit acls = yes
>>   inherit owner = no
>>   map acl inherit = yes
>>   path = /mnt/sit
>>   valid users = @staff
>> 
>> # /etc/nsswitch.conf
>> passwd:     files ldap
>> shadow:     files
>> group:      files ldap
>> 
>> # getent group staff returns group members with testuser.
>> 
>> # wbinfo --own-domain
>> ABC
>> 
>> # Here are some logs from debug mode; winbind is just trying to look up domain
>> LINFILES and Unix Group rather than ABC.
>> 
>> [2011/03/25 12:43:50.645636,  3] lib/util_sid.c:228(string_to_sid)
>>  string_to_sid: Sid @staff does not start with 'S-'.
>> [2011/03/25 12:43:50.645683,  5] smbd/password.c:423(user_in_netgroup)
>>  Unable to get default yp domain, let's try without specifying it
>> [2011/03/25 12:43:50.645694,  5] smbd/password.c:430(user_in_netgroup)
>>  looking for user testuser of domain (ANY) in netgroup staff
>> [2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
>>  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
>> [2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
>>  lookup_name: flags = 0x077
>> [2011/03/25 12:43:50.645753,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2011/03/25 12:43:50.645764,  3] smbd/uid.c:429(push_conn_ctx)
>>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2011/03/25 12:43:50.645773,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2011/03/25 12:43:50.645783,  5] auth/token_util.c:525(debug_nt_user_token)
>>  NT user token: (NULL)
>> [2011/03/25 12:43:50.645792,  5] auth/token_util.c:551(debug_unix_user_token)
>>  UNIX token of user 0
>>  Primary group is 0 and contains 0 supplementary groups
>> [2011/03/25 12:43:50.645825,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
>>  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
>> [2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
>>  lookup_name: flags = 0x077
>> [2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
>>  User testuser not in 'valid users'
>> [2011/03/25 12:43:50.647820,  2] smbd/service.c:598(create_connection_server_info)
>>  user 'testuser' (from session setup) not permitted to access this share (sit)
>> [2011/03/25 12:43:50.647832,  1] smbd/service.c:678(make_connection_snum)
>>  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>> [2011/03/25 12:43:50.647882,  3] smbd/error.c:80(error_packet_set)
>>  error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>> 
>> 
>> cheers
>> --
>> Marco 



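The debug log quoted above shows smbd resolving the bare group name `staff` only as `LINFILES\staff` and `Unix Group\staff` before denying access. As an added example (not part of the original thread), this Python script pulls the `lookup_name` attempts out of such a log and reports which names were never looked up in the smb.conf workgroup; the sample lines are copied from the post, and the function and variable names are hypothetical.

```python
import re

# Lines copied from the debug log quoted in the thread (smbd, log level 10).
SAMPLE_LOG = r"""
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
 lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
 lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
 User testuser not in 'valid users'
"""

LOOKUP_RE = re.compile(
    r"lookup_name: .+? => (?P<domain>.+?) \(domain\), (?P<name>.+?) \(name\)")
DENIED_RE = re.compile(r"User (?P<user>\S+) not in 'valid users'")


def _clean(line):
    """Drop mail quoting ('>> ') and surrounding whitespace from a log line."""
    return line.lstrip("> \t").rstrip()


def diagnose(log_text, workgroup):
    """Summarise which domains smbd tried for each name and who was denied.

    workgroup is the 'workgroup' value from smb.conf (ABC in the thread).
    """
    tried = {}    # name -> domains, in the order smbd tried them
    denied = []   # users rejected by the 'valid users' check
    for raw in log_text.splitlines():
        line = _clean(raw)
        m = LOOKUP_RE.search(line)
        if m:
            domains = tried.setdefault(m.group("name"), [])
            if m.group("domain") not in domains:
                domains.append(m.group("domain"))
            continue
        m = DENIED_RE.search(line)
        if m and m.group("user") not in denied:
            denied.append(m.group("user"))
    # Names never looked up in the AD workgroup: candidates for the explicit
    # form the poster reports as working, e.g. @"ABC\staff".
    missing = sorted(n for n, d in tried.items()
                     if workgroup.upper() not in (x.upper() for x in d))
    return {"tried": tried, "denied": denied, "not_tried_in_workgroup": missing}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "ABC"))
```

Log text pasted straight from a mail reply works too, since leading `>` quoting is stripped before matching.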