[Samba] Samba3.5 + OpenLDAP config/install problem
Wes Modes
wmodes at ucsc.edu
Tue Feb 12 15:04:01 MST 2013
System Summary:
centos 6.2
samba 3.5
smbldap-tools 0.9.6
openldap 2.4.23
Hello,
I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools. I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.
Currently, when I attempt to connect to an smb share with a valid ldap
user and group on this host, I get "tree connect failed:
NT_STATUS_ACCESS_DENIED"
The LDAP server is currently serving as the directory server for the
existing Samba3.0 server. I can connect to the identical share on that
server as that user, so I know the user and group are okay.
With log level 2, I get:
[2013/02/11 17:11:00.701864, 2]
lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2013/02/11 17:11:00.704794, 2]
passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: wmodes
[2013/02/11 17:11:00.735092, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [wmodes] -> [wmodes]
-> [wmodes] succeeded
[2013/02/11 17:11:00.735608, 1]
passdb/pdb_ldap.c:2569(ldapsam_getgroup)
ldapsam_getgroup: Duplicate entries for filter
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:11:00.736254, 1]
passdb/pdb_ldap.c:2569(ldapsam_getgroup)
ldapsam_getgroup: Duplicate entries for filter
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:11:00.740024, 2] lib/access.c:409(check_access)
Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
[2013/02/11 17:11:00.741041, 2] lib/access.c:409(check_access)
Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
[2013/02/11 17:11:00.742383, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 30001
[2013/02/11 17:11:00.743305, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 30034
[2013/02/11 17:11:00.744600, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1001
[2013/02/11 17:11:00.745181, 2]
smbd/service.c:598(create_connection_server_info)
user 'wmodes' (from session setup) not permitted to access this
share (cns)
[2013/02/11 17:11:00.745225, 1]
smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
It seems like I was auth'd okay, my group was okay, but still it failed.
Here we are again at log level 3:
[root@edgar2 samba]# tail -n 0 -f log.smbd
[2013/02/11 17:40:43.096677, 3]
smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego) NativeOS=[Unix]
NativeLanMan=[Samba] PrimaryDomain=[]
[2013/02/11 17:40:43.096780, 3]
libsmb/ntlmssp.c:747(ntlmssp_server_auth) Got user=[wmodes]
domain=[MYGROUP] workstation=[MONITOR] len1=24 len2=24
[2013/02/11 17:40:43.096974, 2]
lib/smbldap.c:950(smbldap_open_connection) smbldap_open_connection:
connection opened
[2013/02/11 17:40:43.099000, 3]
lib/smbldap.c:1166(smbldap_connect_system) ldap_connect_system:
successful connection to the LDAP server
[2013/02/11 17:40:43.099455, 3]
auth/auth.c:216(check_ntlm_password) check_ntlm_password: Checking
password for unmapped user [MYGROUP]\[wmodes]@[MONITOR] with the new
password interface
[2013/02/11 17:40:43.099475, 3]
auth/auth.c:219(check_ntlm_password) check_ntlm_password: mapped
user is: [MCHSTAFF]\[wmodes]@[MONITOR]
[2013/02/11 17:40:43.100076, 2]
passdb/pdb_ldap.c:572(init_sam_from_ldap) init_sam_from_ldap: Entry
found for user: wmodes
[2013/02/11 17:40:43.129095, 3]
auth/auth.c:265(check_ntlm_password) check_ntlm_password: sam
authentication for user [wmodes] succeeded
[2013/02/11 17:40:43.129173, 2]
auth/auth.c:304(check_ntlm_password) check_ntlm_password:
authentication for user [wmodes] -> [wmodes] -> [wmodes] succeeded
[2013/02/11 17:40:43.129785, 1]
passdb/pdb_ldap.c:2569(ldapsam_getgroup) ldapsam_getgroup: Duplicate
entries for filter
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:40:43.130779, 1]
passdb/pdb_ldap.c:2569(ldapsam_getgroup) ldapsam_getgroup: Duplicate
entries for filter
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:40:43.133151, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-62278]
[2013/02/11 17:40:43.133176, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61151]
[2013/02/11 17:40:43.133200, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2013/02/11 17:40:43.133219, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID [S-1-5-11]
[2013/02/11 17:40:43.133239, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2642364908-3785178431-1037763545-3003]
[2013/02/11 17:40:43.133259, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2642364908-3785178431-1037763545-61003]
[2013/02/11 17:40:43.133279, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-509675986-796770002-1500055658-61055]
[2013/02/11 17:40:43.133299, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61137]
[2013/02/11 17:40:43.133320, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61139]
[2013/02/11 17:40:43.133354, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61141]
[2013/02/11 17:40:43.133382, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61143]
[2013/02/11 17:40:43.133404, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61171]
[2013/02/11 17:40:43.133424, 3] lib/privileges.c:63(get_privileges)
get_privileges: No privileges assigned to SID
[S-1-5-21-2154974163-3334587364-3558233830-61277]
[2013/02/11 17:40:43.135112, 3]
smbd/password.c:282(register_existing_vuid) register_existing_vuid:
User name: wmodes Real name: Wes Modes
[2013/02/11 17:40:43.135129, 3]
smbd/password.c:292(register_existing_vuid) register_existing_vuid:
UNIX uid 502 is UNIX user wmodes, and will be vuid 100
[2013/02/11 17:40:43.135202, 3]
smbd/password.c:223(register_homes_share) Adding homes service for
user 'wmodes' using home directory: '/home/wmodes'
[2013/02/11 17:40:43.135254, 3] param/loadparm.c:6290(lp_add_home)
adding home's share [wmodes] for user 'wmodes' at '/data/home/%S'
[2013/02/11 17:40:43.135644, 3]
lib/access.c:365(only_ipaddrs_in_list) only_ipaddrs_in_list: list
has non-ip address (127.)
[2013/02/11 17:40:43.135683, 3] lib/access.c:399(check_access)
check_access: hostnames in host allow/deny list.
[2013/02/11 17:40:43.135779, 2] lib/access.c:409(check_access)
Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
[2013/02/11 17:40:43.136056, 3]
smbd/service.c:807(make_connection_snum) Connect path is '/tmp' for
service [IPC$]
[2013/02/11 17:40:43.136462, 3]
smbd/service.c:1070(make_connection_snum) monitor
(::ffff:128.114.163.34) connect to service IPC$ initially as user
wmodes (uid=502, gid=503) (pid 14343)
[2013/02/11 17:40:43.136899, 3] smbd/msdfs.c:840(get_referred_path)
get_referred_path: |cns| in dfs path \edgar2\cns is not a dfs root.
[2013/02/11 17:40:43.136922, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/trans2.c(8056) cmd=50 (SMBtrans2)
NT_STATUS_NOT_FOUND
[2013/02/11 17:40:43.137259, 3] smbd/service.c:1251(close_cnum)
monitor (::ffff:128.114.163.34) closed connection to service IPC$
[2013/02/11 17:40:43.137277, 3]
smbd/connection.c:31(yield_connection) Yielding connection to IPC$
[2013/02/11 17:40:43.137619, 3]
lib/access.c:365(only_ipaddrs_in_list) only_ipaddrs_in_list: list
has non-ip address (127.)
[2013/02/11 17:40:43.137638, 3] lib/access.c:399(check_access)
check_access: hostnames in host allow/deny list.
[2013/02/11 17:40:43.137673, 2] lib/access.c:409(check_access)
Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
[2013/02/11 17:40:43.137788, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @cns does not start with 'S-'.
[2013/02/11 17:40:43.139344, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
Entry found for group: 30001
[2013/02/11 17:40:43.139894, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @cns-read does not start with 'S-'.
[2013/02/11 17:40:43.141015, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
Entry found for group: 30034
[2013/02/11 17:40:43.141528, 3] lib/util_sid.c:228(string_to_sid)
string_to_sid: Sid @admin does not start with 'S-'.
[2013/02/11 17:40:43.142516, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
Entry found for group: 1001
[2013/02/11 17:40:43.143057, 2]
smbd/service.c:598(create_connection_server_info) user 'wmodes'
(from session setup) not permitted to access this share (cns)
[2013/02/11 17:40:43.143087, 1]
smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2013/02/11 17:40:43.143105, 3] smbd/error.c:80(error_packet_set)
error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2013/02/11 17:40:43.143414, 3]
smbd/connection.c:31(yield_connection) Yielding connection to
[2013/02/11 17:40:43.143470, 3]
smbd/server.c:924(exit_server_common) Server exit (failed to receive
smb request)
Any clues as to what my problem here is?
Wes
--
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz
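
Added example, not part of the original post: a parser for smbd log excerpts in the format quoted above. It folds the wrapped lines back into records and separates users who passed authentication from users refused at tree connect, alongside the duplicate sambaSID warnings and the groups that were looked up. The function and pattern names are this example's own; the sample is copied from the level-2 log in the post.

```python
import re

# Excerpt of the log-level-2 output quoted in the post, wrapped lines included.
SAMPLE = """\
[2013/02/11 17:11:00.735092, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [wmodes] -> [wmodes]
-> [wmodes] succeeded
[2013/02/11 17:11:00.735608, 1]
passdb/pdb_ldap.c:2569(ldapsam_getgroup)
ldapsam_getgroup: Duplicate entries for filter
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:11:00.742383, 2]
passdb/pdb_ldap.c:2446(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 30001
[2013/02/11 17:11:00.745181, 2]
smbd/service.c:598(create_connection_server_info)
user 'wmodes' (from session setup) not permitted to access this
share (cns)
"""

# Timestamp header; the leading "[" is optional because pasted logs often lose it.
HEADER = re.compile(r"^\[?\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+,\s*\d+\]", re.M)
PATTERNS = {
    "auth_ok": re.compile(r"authentication for user \[([^\]]+)\].*succeeded"),
    "duplicate_sid": re.compile(r"Duplicate entries for filter \(.*sambaSID=(S-[\d-]+)\)\): count=(\d+)"),
    "group": re.compile(r"init_group_from_ldap: Entry found for group: (\d+)"),
    "denied": re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)"),
}


def records(text):
    # Split at each timestamp header, then fold wrapped continuation lines.
    for chunk in HEADER.split(text)[1:]:
        yield " ".join(chunk.split())


def summarize(text):
    # Collect the captured fields of every pattern, one tuple per matching record.
    hits = {name: [] for name in PATTERNS}
    for rec in records(text):
        for name, rx in PATTERNS.items():
            m = rx.search(rec)
            if m:
                hits[name].append(m.groups())
    # Denials for users whose authentication succeeded in the same excerpt.
    users_ok = {user for (user,) in hits["auth_ok"]}
    hits["authz_only"] = [d for d in hits["denied"] if d[0] in users_ok]
    return hits
```

A non-empty `authz_only` list means the refusal happened at share authorization rather than at password checking, which is the situation the log in the post shows.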