[Samba] Cannot access shared home directories from linux machine

L.P.H. van Belle belle at bazuin.nl
Fri Jul 11 03:06:06 MDT 2014


this is wrong...

>> idmap config * : range = 10000 - 15000
>>
>> idmap config KARMEL : backend = ad
>> idmap config KARMEL : schema_mode = rfc2307
>> idmap config KARMEL : range = 15000 - 20000

correct is...  
>> idmap config * : range = 10000 - 14999
>>
>> idmap config KARMEL : backend = ad
>> idmap config KARMEL : schema_mode = rfc2307
>> idmap config KARMEL : range = 15000 - 20000

1 overlap... ;-) 

>root at ts01:/home/adm3f# wbinfo -i demo
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user demo

For a member server, correct; now add a UID on that user and wbinfo -i works fine.
For a DC server, test it and you will see it works without adding a UID.

Don't ask me why... (I think this is because of the differences in winbind on DC and member server.)

Louis




>-----Original message-----
>From: ea4ml3f at gmx.at [mailto:samba-bounces at lists.samba.org] On behalf of isofx
>Sent: Friday 11 July 2014 10:54
>To: samba at lists.samba.org
>Subject: Re: [Samba] Cannot access shared home directories from linux machine
>
>On 10.07.2014 23:03, Rowland Penny wrote:
>>>>
>>>> [global]
>>>> netbios name = TS01
>>>> workgroup = DOMAIN
>>>> security = ADS
>>>> realm = KARMEL.INTERN
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> server string = TS01
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind use default domain = yes
>>>> winbind expand groups = 4
>>>> winbind nss info = rfc2307
>>>> winbind refresh tickets = yes
>>>> winbind normalize names = yes
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>> idmap config DOMAIN : backend = ad
>>>> idmap config DOMAIN : range = 10000-15000
>>>> idmap config DOMAIN : schema_mode = rfc2307
>>>> domain master = no
>>>> local master = no
>>>> preferred master = no
>>>> dns proxy = no
>>>>
>>>> It is based on one I know to work, stop samba, change smb.conf,
>>>> rejoin the domain, restart samba and try again. This all depends on
>>>> you having at least one AD user having a uidNumber and Domain Users
>>>> having a gidNumber.
>>>>
>>>> Rowland
>>>>
>>>
>>> So after experimenting a little with different configurations, I 
>>> ended up with the following smb.conf:
>>>
>>> [global]
>>> netbios name = TS01
>>> server string = TS01
>>>
>>> workgroup = KARMEL
>>> realm = KARMEL.INTERN
>>>
>>> security = ADS
>>> domain master = no
>>> local master = no
>>> preferred master = no
>>> dns proxy = no
>>>
>>> encrypt passwords = true
>>>
>>> kerberos method = secrets and keytab
>>>
>>> winbind use default domain = yes
>>> winbind trusted domains only = no
>>> winbind enum groups = yes
>>> winbind enum users = yes
>>> winbind nss info = rfc2307
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : schema_mode = rfc2307
>>> idmap config * : range = 10000 - 15000
>>>
>>> idmap config KARMEL : backend = ad
>>> idmap config KARMEL : schema_mode = rfc2307
>>> idmap config KARMEL : range = 15000 - 20000
>>>
>>> wbinfo -i is now showing information instead of an error, however
>>> it's not the UID/GID I configured via RSAT (14000/12000):
>>>
>>> root at ts01:/home/adm3f# wbinfo -i demo
>>> demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash
>>>
>>> These UID/GIDs are in the range configured for the * : backend = tdb.
>>> What I really want, are the UID/GID configured in AD right?
>>>
>>> Furthermore, how can I use these UID/GIDs to set permissions on 
>>> shares? They won't be available on the DC locally, so I have to 
>>> configure Windows ACLs?
>>>
>>> Kind regards,
>>> Rainhard
>> OK, try this smb.conf:
>> Please try the smb.conf I posted earlier, you have a few errors in the
>> one that you are trying to use now, one of which is probably giving
>> you the problem you are having.
>>
>> The AD users and groups will be available on the samba 4 AD server,
>> you just need to set winbind correctly on the server, but you need to
>> get your client working first, one thing at a time.
>>
>> Rowland
>>
>
>Unfortunately, the configuration isn't working either. wbinfo -u and -g
>work. However I still get:
>
>root at ts01:/home/adm3f# wbinfo -i demo
>failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>Could not get info for user demo
>
>I still think there could be a problem with the local PAM configuration.
>Testing authentication with wbinfo -a and -K (kerberos) both work fine,
>however logging into the machine using SSH, I get the following in
>/var/log/auth.log:
>
>Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting password (0x00000000)
>Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
>Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): user 'demo' denied access (incorrect password or invalid membership)
>Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user unknown
>Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user unknown
>Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting password (0x00000388)
>Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): pam_get_item returned a password
>Jul 11 10:49:39 ts01 sshd[3630]: Failed password for invalid user demo from 192.168.49.112 port 1388 ssh2
>
>


