[Samba] Cannot access shared home directories from linux machine

isofx ea4ml3f at gmx.at
Fri Jul 11 02:54:10 MDT 2014


On 10.07.2014 23:03, Rowland Penny wrote:
>>>
>>> [global]
>>> netbios name = TS01
>>> workgroup = DOMAIN
>>> security = ADS
>>> realm = KARMEL.INTERN
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> server string = TS01
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind use default domain = yes
>>> winbind expand groups = 4
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = yes
>>> winbind normalize names = yes
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : range = 10000-15000
>>> idmap config DOMAIN : schema_mode = rfc2307
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>> dns proxy = no
>>>
>>> It is based on one I know to work, stop samba, change smb.conf, 
>>> rejoin the domain, restart samba and try again. This all depends on 
>>> you having at least one AD user having a uidNumber and Domain Users 
>>> having a gidNumber.
>>>
>>> Rowland
>>>
>>
>> So after experimenting a little with different configurations, I 
>> ended up with the following smb.conf:
>>
>> [global]
>> netbios name = TS01
>> server string = TS01
>>
>> workgroup = KARMEL
>> realm = KARMEL.INTERN
>>
>> security = ADS
>> domain master = no
>> local master = no
>> preferred master = no
>> dns proxy = no
>>
>> encrypt passwords = true
>>
>> kerberos method = secrets and keytab
>>
>> winbind use default domain = yes
>> winbind trusted domains only = no
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind nss info = rfc2307
>>
>> idmap config * : backend = tdb
>> idmap config * : schema_mode = rfc2307
>> idmap config * : range = 10000 - 15000
>>
>> idmap config KARMEL : backend = ad
>> idmap config KARMEL : schema_mode = rfc2307
>> idmap config KARMEL : range = 15000 - 20000
>>
>> wbinfo -i is now showing information instead of an error; however, 
>> it's not the UID/GID I configured via RSAT (14000/12000):
>>
>> root@ts01:/home/adm3f# wbinfo -i demo
>> demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash
>>
>> These UID/GIDs are in the range configured for the * : backend = tdb. 
>> What I really want are the UID/GID configured in AD, right?
>>
>> Furthermore, how can I use these UID/GIDs to set permissions on 
>> shares? They won't be available on the DC locally, so I have to 
>> configure Windows ACLs?
>>
>> Kind regards,
>> Rainhard
> OK, try this smb.conf:
> Please try the smb.conf I posted earlier, you have a few errors in the 
> one that you are trying to use now, one of which is probably giving 
> you the problem you are having.
>
> The AD users and groups will be available on the samba 4 AD server, 
> you just need to set winbind correctly on the server, but you need to 
> get your client working first, one thing at a time.
>
> Rowland
>

Unfortunately, the configuration isn't working either. wbinfo -u and -g 
work. However, I still get:

root@ts01:/home/adm3f# wbinfo -i demo
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user demo

I still think there could be a problem with the local PAM configuration. 
Testing authentication with wbinfo -a and -K (kerberos) both work fine, 
however logging into the machine using SSH, I get the following in 
/var/log/auth.log:

Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): user 'demo' denied access (incorrect password or invalid membership)
Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user unknown
Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user unknown
Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting password (0x00000388)
Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): pam_get_item returned a password
Jul 11 10:49:39 ts01 sshd[3630]: Failed password for invalid user demo from 192.168.49.112 port 1388 ssh2


