[Samba] Cannot access shared home directories from linux machine

isofx ea4ml3f at gmx.at
Fri Jul 11 03:26:11 MDT 2014


On 11.07.2014 11:06, L.P.H. van Belle wrote:
> this is wrong...
>
>>> idmap config * : range = 10000 - 15000
>>>
>>> idmap config KARMEL : backend = ad
>>> idmap config KARMEL : schema_mode = rfc2307
>>> idmap config KARMEL : range = 15000 - 20000
> correct is...
>>> idmap config * : range = 10000 - 14999
>>>
>>> idmap config KARMEL : backend = ad
>>> idmap config KARMEL : schema_mode = rfc2307
>>> idmap config KARMEL : range = 15000 - 20000
> 1 overlap... ;-)
>
>> root at ts01:/home/adm3f# wbinfo -i demo
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user demo
> for member server, correct, now add a UID on that user and wbinfo -i works fine..
> for DC server, test it and you see it works without adding UID.
>
> don't ask me why... (I think this is because of the differences in winbind on DC and Member server)
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: ea4ml3f at gmx.at [mailto:samba-bounces at lists.samba.org] On behalf of isofx
>> Sent: Friday, 11 July 2014 10:54
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Cannot access shared home directories from linux machine
>> On 10.07.2014 23:03, Rowland Penny wrote:
>>>>> [global]
>>>>> netbios name = TS01
>>>>> workgroup = DOMAIN
>>>>> security = ADS
>>>>> realm = KARMEL.INTERN
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> server string = TS01
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind use default domain = yes
>>>>> winbind expand groups = 4
>>>>> winbind nss info = rfc2307
>>>>> winbind refresh tickets = yes
>>>>> winbind normalize names = yes
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config DOMAIN : backend = ad
>>>>> idmap config DOMAIN : range = 10000-15000
>>>>> idmap config DOMAIN : schema_mode = rfc2307
>>>>> domain master = no
>>>>> local master = no
>>>>> preferred master = no
>>>>> dns proxy = no
>>>>>
>>>>> It is based on one I know to work, stop samba, change smb.conf,
>>>>> rejoin the domain, restart samba and try again. This all depends on
>>>>> you having at least one AD user having a uidNumber and Domain Users
>>>>> having a gidNumber.
>>>>>
>>>>> Rowland
>>>>>
>>>> So after experimenting a little with different configurations, I
>>>> ended up with the following smb.conf:
>>>>
>>>> [global]
>>>> netbios name = TS01
>>>> server string = TS01
>>>>
>>>> workgroup = KARMEL
>>>> realm = KARMEL.INTERN
>>>>
>>>> security = ADS
>>>> domain master = no
>>>> local master = no
>>>> preferred master = no
>>>> dns proxy = no
>>>>
>>>> encrypt passwords = true
>>>>
>>>> kerberos method = secrets and keytab
>>>>
>>>> winbind use default domain = yes
>>>> winbind trusted domains only = no
>>>> winbind enum groups = yes
>>>> winbind enum users = yes
>>>> winbind nss info = rfc2307
>>>>
>>>> idmap config * : backend = tdb
>>>> idmap config * : schema_mode = rfc2307
>>>> idmap config * : range = 10000 - 15000
>>>>
>>>> idmap config KARMEL : backend = ad
>>>> idmap config KARMEL : schema_mode = rfc2307
>>>> idmap config KARMEL : range = 15000 - 20000
>>>>
>>>> wbinfo -i is now showing information instead of an error, however
>>>> it's not the UID/GID I configured via RSAT (14000/12000):
>>>>
>>>> root at ts01:/home/adm3f# wbinfo -i demo
>>>> demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash
>>>>
>>>> These UID/GIDs are in the range configured for the * : backend = tdb.
>>>> What I really want, are the UID/GID configured in AD right?
>>>>
>>>> Furthermore, how can I use these UID/GIDs to set permissions on
>>>> shares? They won't be available on the DC locally, so I have to
>>>> configure Windows ACLs?
>>>>
>>>> Kind regards,
>>>> Rainhard
>>> OK, try this smb.conf:
>>> Please try the smb.conf I posted earlier, you have a few errors in the
>>> one that you are trying to use now, one of which is probably giving
>>> you the problem you are having.
>>>
>>> The AD users and groups will be available on the samba 4 AD server,
>>> you just need to set winbind correctly on the server, but you need to
>>> get your client working first, one thing at a time.
>>>
>>> Rowland
>>>
>> Unfortunately, the configuration isn't working either. wbinfo -u and -g
>> work. However I still get:
>>
>> root at ts01:/home/adm3f# wbinfo -i demo
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user demo
>>
>> I still think there could be a problem with the local PAM
>> configuration.
>> Testing authentication with wbinfo -a and -K (kerberos) both work fine,
>> however logging into the machine using SSH, I get the following in
>> /var/log/auth.log:
>>
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting
>> password (0x00000000)
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): request
>> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
>> NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): user 'demo'
>> denied access (incorrect password or invalid membership)
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user
>> unknown
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting
>> password (0x00000388)
>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): pam_get_item
>> returned a password
>> Jul 11 10:49:39 ts01 sshd[3630]: Failed password for invalid user demo
>> from 192.168.49.112 port 1388 ssh2

Still no luck :-(. Here's my current configuration:

[global]
netbios name = TS01
server string = TS01

workgroup = KARMEL
realm = KARMEL.INTERN

security = ADS
domain master = no
local master = no
preferred master = no
dns proxy = no

encrypt passwords = true

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind normalize names = yes
winbind expand groups = 4

idmap config * : backend = tdb
idmap config * : range = 2000 - 9999

idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 10000 - 15000

I have a user "demo" configured with UID 14000, member of group
"demo group" GID 12000.

Kind regards,
Rainhard
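The two points the thread turns on are the one-ID overlap Louis flagged between the `*` range (10000 - 15000) and the KARMEL range (15000 - 20000), and Rainhard's observation that the UID 11117 returned by `wbinfo -i demo` lies in the `*` (tdb) range rather than in the AD range where the RSAT-assigned UID 14000 lives. The script below is an added example (not code from anyone in this thread or from the Samba project) that parses the `idmap config` lines of an smb.conf fragment, reports overlapping ranges and names the idmap domain whose range contains a given UID or GID. It assumes what the Samba documentation and Louis's "1 overlap" remark both say: range bounds are inclusive at both ends. The two configuration snippets are constructed from the configs posted in the thread; the function and variable names are the example's own.

```python
"""Check 'idmap config' ranges in a Samba smb.conf for overlaps and
report which idmap domain a given UNIX UID/GID falls into."""
import re
from itertools import combinations

# Constructed sample 1: the [global] idmap lines Rainhard posted earlier
# in the thread, which Louis pointed out overlap at exactly one ID (15000).
OVERLAPPING_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : schema_mode = rfc2307
idmap config * : range = 10000 - 15000

idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 15000 - 20000
"""

# Constructed sample 2: the idmap lines from the configuration at the end
# of the mail (no overlap; AD range 10000 - 15000 covers UID 14000 / GID 12000).
CURRENT_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 2000 - 9999

idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 10000 - 15000
"""

# Matches lines such as "idmap config KARMEL : range = 10000 - 15000";
# the domain token may be "*" for the default (allocating) backend.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap(conf_text):
    """Return {domain: {"backend": ..., "range": (low, high), ...}}.

    Lines that are not idmap config options are ignored, so a whole
    smb.conf can be passed in. Raises ValueError on a reversed range."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = (int(part.strip()) for part in value.split("-", 1))
            if low > high:
                raise ValueError(f"idmap range for {domain} is reversed: {value}")
            entry["range"] = (low, high)
        else:
            entry[option] = value
    return domains


def find_overlaps(domains):
    """Return sorted pairs of domains whose ranges share at least one ID.

    Both bounds are inclusive, so 10000-15000 and 15000-20000 collide on
    the single ID 15000; winbind requires the ranges to be disjoint."""
    overlaps = []
    for a, b in combinations(sorted(domains), 2):
        if "range" not in domains[a] or "range" not in domains[b]:
            continue
        a_low, a_high = domains[a]["range"]
        b_low, b_high = domains[b]["range"]
        if a_low <= b_high and b_low <= a_high:
            overlaps.append((a, b))
    return overlaps


def domain_for_id(domains, unix_id):
    """Return (domain, backend) for the first range containing unix_id, or None.

    An ID that lands in the "*" (tdb) range was allocated locally by
    winbind rather than read from the AD uidNumber/gidNumber attribute,
    which is exactly what UID 11117 in Rainhard's wbinfo output indicates."""
    for name, entry in domains.items():
        low, high = entry.get("range", (None, None))
        if low is not None and low <= unix_id <= high:
            return name, entry.get("backend", "?")
    return None


def report(conf_text, ids):
    """Human-readable summary lines for a config and a list of IDs to classify."""
    domains = parse_idmap(conf_text)
    lines = [f"overlapping ranges: {find_overlaps(domains) or 'none'}"]
    for unix_id in ids:
        hit = domain_for_id(domains, unix_id)
        where = f"{hit[0]} (backend {hit[1]})" if hit else "no configured range"
        lines.append(f"ID {unix_id}: {where}")
    return lines


if __name__ == "__main__":
    for label, conf in (("earlier config", OVERLAPPING_CONF), ("current config", CURRENT_CONF)):
        print(f"== {label} ==")
        print("\n".join(report(conf, [11117, 14000, 12000])))
```

Run against the earlier config it names the `*`/KARMEL overlap and places 11117 in the tdb range; against the current config it reports no overlap and places 14000 and 12000 in the KARMEL (ad) range, which is the precondition for `winbind nss info = rfc2307` to hand out the AD-assigned IDs at all.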

