[Samba] Samba3.5 + OpenLDAP config/install problem

Wes Modes wmodes at ucsc.edu
Tue Feb 12 15:04:01 MST 2013


System Summary:

centos 6.2
samba 3.5
smbldap-tools 0.9.6
openldap 2.4.23

Hello,

I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools.  I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.

Currently, when I attempt to connect to an smb share with a valid ldap
user and group on this host, I get "tree connect failed:
NT_STATUS_ACCESS_DENIED"

The LDAP server is currently serving as the directory server for the
existing Samba3.0 server.  I can connect to the identical share on that
server as that user, so I know the user and group are okay.

With log level 2, I get:

    [2013/02/11 17:11:00.701864,  2]
    lib/smbldap.c:950(smbldap_open_connection)
      smbldap_open_connection: connection opened
    [2013/02/11 17:11:00.704794,  2]
    passdb/pdb_ldap.c:572(init_sam_from_ldap)
      init_sam_from_ldap: Entry found for user: wmodes
    [2013/02/11 17:11:00.735092,  2] auth/auth.c:304(check_ntlm_password)
      check_ntlm_password:  authentication for user [wmodes] -> [wmodes]
    -> [wmodes] succeeded
    [2013/02/11 17:11:00.735608,  1]
    passdb/pdb_ldap.c:2569(ldapsam_getgroup)
      ldapsam_getgroup: Duplicate entries for filter
    (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
    [2013/02/11 17:11:00.736254,  1]
    passdb/pdb_ldap.c:2569(ldapsam_getgroup)
      ldapsam_getgroup: Duplicate entries for filter
    (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
    [2013/02/11 17:11:00.740024,  2] lib/access.c:409(check_access)
      Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
    [2013/02/11 17:11:00.741041,  2] lib/access.c:409(check_access)
      Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
    [2013/02/11 17:11:00.742383,  2]
    passdb/pdb_ldap.c:2446(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 30001
    [2013/02/11 17:11:00.743305,  2]
    passdb/pdb_ldap.c:2446(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 30034
    [2013/02/11 17:11:00.744600,  2]
    passdb/pdb_ldap.c:2446(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 1001
    [2013/02/11 17:11:00.745181,  2]
    smbd/service.c:598(create_connection_server_info)
      user 'wmodes' (from session setup) not permitted to access this
    share (cns)
    [2013/02/11 17:11:00.745225,  1]
    smbd/service.c:678(make_connection_snum)
      create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

It seems like I was auth'd okay, my group was okay, but still it failed.

Here we are again at log level 3:

    [root at edgar2 samba]# tail -n 0 -f log.smbd
    [2013/02/11 17:40:43.096677,  3]
    smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego) NativeOS=[Unix]
    NativeLanMan=[Samba] PrimaryDomain=[]
    [2013/02/11 17:40:43.096780,  3]
    libsmb/ntlmssp.c:747(ntlmssp_server_auth) Got user=[wmodes]
    domain=[MYGROUP] workstation=[MONITOR] len1=24 len2=24
    [2013/02/11 17:40:43.096974,  2]
    lib/smbldap.c:950(smbldap_open_connection) smbldap_open_connection:
    connection opened
    [2013/02/11 17:40:43.099000,  3]
    lib/smbldap.c:1166(smbldap_connect_system) ldap_connect_system:
    successful connection to the LDAP server
    [2013/02/11 17:40:43.099455,  3]
    auth/auth.c:216(check_ntlm_password) check_ntlm_password:  Checking
    password for unmapped user [MYGROUP]\[wmodes]@[MONITOR] with the new
    password interface
    [2013/02/11 17:40:43.099475,  3]
    auth/auth.c:219(check_ntlm_password) check_ntlm_password:  mapped
    user is: [MCHSTAFF]\[wmodes]@[MONITOR]
    [2013/02/11 17:40:43.100076,  2]
    passdb/pdb_ldap.c:572(init_sam_from_ldap) init_sam_from_ldap: Entry
    found for user: wmodes
    [2013/02/11 17:40:43.129095,  3]
    auth/auth.c:265(check_ntlm_password) check_ntlm_password: sam
    authentication for user [wmodes] succeeded
    [2013/02/11 17:40:43.129173,  2]
    auth/auth.c:304(check_ntlm_password) check_ntlm_password: 
    authentication for user [wmodes] -> [wmodes] -> [wmodes] succeeded
    [2013/02/11 17:40:43.129785,  1]
    passdb/pdb_ldap.c:2569(ldapsam_getgroup) ldapsam_getgroup: Duplicate
    entries for filter
    (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
    [2013/02/11 17:40:43.130779,  1]
    passdb/pdb_ldap.c:2569(ldapsam_getgroup) ldapsam_getgroup: Duplicate
    entries for filter
    (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
    [2013/02/11 17:40:43.133151,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-62278]
    [2013/02/11 17:40:43.133176,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61151]
    [2013/02/11 17:40:43.133200,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID [S-1-5-2]
    [2013/02/11 17:40:43.133219,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID [S-1-5-11]
    [2013/02/11 17:40:43.133239,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2642364908-3785178431-1037763545-3003]
    [2013/02/11 17:40:43.133259,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2642364908-3785178431-1037763545-61003]
    [2013/02/11 17:40:43.133279,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-509675986-796770002-1500055658-61055]
    [2013/02/11 17:40:43.133299,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61137]
    [2013/02/11 17:40:43.133320,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61139]
    [2013/02/11 17:40:43.133354,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61141]
    [2013/02/11 17:40:43.133382,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61143]
    [2013/02/11 17:40:43.133404,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61171]
    [2013/02/11 17:40:43.133424,  3] lib/privileges.c:63(get_privileges)
    get_privileges: No privileges assigned to SID
    [S-1-5-21-2154974163-3334587364-3558233830-61277]
    [2013/02/11 17:40:43.135112,  3]
    smbd/password.c:282(register_existing_vuid) register_existing_vuid:
    User name: wmodes     Real name: Wes Modes
    [2013/02/11 17:40:43.135129,  3]
    smbd/password.c:292(register_existing_vuid) register_existing_vuid:
    UNIX uid 502 is UNIX user wmodes, and will be vuid 100
    [2013/02/11 17:40:43.135202,  3]
    smbd/password.c:223(register_homes_share) Adding homes service for
    user 'wmodes' using home directory: '/home/wmodes'
    [2013/02/11 17:40:43.135254,  3] param/loadparm.c:6290(lp_add_home)
    adding home's share [wmodes] for user 'wmodes' at '/data/home/%S'
    [2013/02/11 17:40:43.135644,  3]
    lib/access.c:365(only_ipaddrs_in_list) only_ipaddrs_in_list: list
    has non-ip address (127.)
    [2013/02/11 17:40:43.135683,  3] lib/access.c:399(check_access)
    check_access: hostnames in host allow/deny list.
    [2013/02/11 17:40:43.135779,  2] lib/access.c:409(check_access)
    Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
    [2013/02/11 17:40:43.136056,  3]
    smbd/service.c:807(make_connection_snum) Connect path is '/tmp' for
    service [IPC$]
    [2013/02/11 17:40:43.136462,  3]
    smbd/service.c:1070(make_connection_snum) monitor
    (::ffff:128.114.163.34) connect to service IPC$ initially as user
    wmodes (uid=502, gid=503) (pid 14343)
    [2013/02/11 17:40:43.136899,  3] smbd/msdfs.c:840(get_referred_path)
    get_referred_path: |cns| in dfs path \edgar2\cns is not a dfs root.
    [2013/02/11 17:40:43.136922,  3] smbd/error.c:80(error_packet_set)
    error packet at smbd/trans2.c(8056) cmd=50 (SMBtrans2)
    NT_STATUS_NOT_FOUND
    [2013/02/11 17:40:43.137259,  3] smbd/service.c:1251(close_cnum)
    monitor (::ffff:128.114.163.34) closed connection to service IPC$
    [2013/02/11 17:40:43.137277,  3]
    smbd/connection.c:31(yield_connection) Yielding connection to IPC$
    [2013/02/11 17:40:43.137619,  3]
    lib/access.c:365(only_ipaddrs_in_list) only_ipaddrs_in_list: list
    has non-ip address (127.)
    [2013/02/11 17:40:43.137638,  3] lib/access.c:399(check_access)
    check_access: hostnames in host allow/deny list.
    [2013/02/11 17:40:43.137673,  2] lib/access.c:409(check_access)
    Allowed connection from ::ffff:128.114.163.34 (::ffff:128.114.163.34)
    [2013/02/11 17:40:43.137788,  3] lib/util_sid.c:228(string_to_sid)
    string_to_sid: Sid @cns does not start with 'S-'.
    [2013/02/11 17:40:43.139344,  2]
    passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
    Entry found for group: 30001
    [2013/02/11 17:40:43.139894,  3] lib/util_sid.c:228(string_to_sid)
    string_to_sid: Sid @cns-read does not start with 'S-'.
    [2013/02/11 17:40:43.141015,  2]
    passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
    Entry found for group: 30034
    [2013/02/11 17:40:43.141528,  3] lib/util_sid.c:228(string_to_sid)
    string_to_sid: Sid @admin does not start with 'S-'.
    [2013/02/11 17:40:43.142516,  2]
    passdb/pdb_ldap.c:2446(init_group_from_ldap) init_group_from_ldap:
    Entry found for group: 1001
    [2013/02/11 17:40:43.143057,  2]
    smbd/service.c:598(create_connection_server_info) user 'wmodes'
    (from session setup) not permitted to access this share (cns)
    [2013/02/11 17:40:43.143087,  1]
    smbd/service.c:678(make_connection_snum)
    create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
    [2013/02/11 17:40:43.143105,  3] smbd/error.c:80(error_packet_set)
    error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
    NT_STATUS_ACCESS_DENIED
    [2013/02/11 17:40:43.143414,  3]
    smbd/connection.c:31(yield_connection) Yielding connection to
    [2013/02/11 17:40:43.143470,  3]
    smbd/server.c:924(exit_server_common) Server exit (failed to receive
    smb request)

Any clues as to what my problem here is?

Wes


-- 
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz
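
Added example (not part of the original post): a small Python triage script that rejoins mail-wrapped smbd log records like the ones above and extracts three events from them: authentication success, duplicate sambaGroupMapping search results, and the share-level denial. The sample log is constructed from lines in the post; the function and pattern names are illustrative.

```python
import re

# Constructed sample: three records taken from the post, in their wrapped form.
SAMPLE_LOG = """\
[2013/02/11 17:11:00.735092,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [wmodes] -> [wmodes]
-> [wmodes] succeeded
[2013/02/11 17:11:00.735608,  1]
passdb/pdb_ldap.c:2569(ldapsam_getgroup)
  ldapsam_getgroup: Duplicate entries for filter
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544)): count=2
[2013/02/11 17:11:00.745181,  2]
smbd/service.c:598(create_connection_server_info)
  user 'wmodes' (from session setup) not permitted to access this
share (cns)
"""

# "[timestamp,  level]" record header; the leading "[" is optional because a
# pasted log can lose it.
HEADER = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]\s*(.*)$")
AUTH_OK = re.compile(r"authentication for user \[(\S+?)\].*succeeded")
DUP = re.compile(r"Duplicate entries for filter (\(.*\)): count=(\d+)")
DENIED = re.compile(r"user '([^']+)' .*not permitted to access this share \(([^)]+)\)")

def records(text):
    """Rejoin wrapped lines into (timestamp, level, message) records."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:                       # a new record starts here
            out.append([m.group(1), int(m.group(2)), m.group(3)])
        elif out and line:          # continuation of the previous record
            out[-1][2] = (out[-1][2] + " " + line).strip()
    return [tuple(r) for r in out]

def triage(text):
    """Summarise who authenticated, which LDAP filters matched more than
    one entry, and which share connections were refused."""
    summary = {"auth_ok": set(), "duplicates": {}, "denied": []}
    for ts, _level, msg in records(text):
        if (m := AUTH_OK.search(msg)):
            summary["auth_ok"].add(m.group(1))
        elif (m := DUP.search(msg)):
            summary["duplicates"][m.group(1)] = int(m.group(2))
        elif (m := DENIED.search(msg)):
            summary["denied"].append((ts, m.group(1), m.group(2)))
    return summary

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A user who appears in both auth_ok and denied passed authentication and was refused at share authorization, which is the situation the post describes.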


