[Samba] Cannot access shared home directories from linux machine

Chan Min Wai dcmwai at gmail.com
Fri Jul 11 04:27:01 MDT 2014


Dear Rainhard,

I feel that your smb.conf is mixed up..

Part from PDC
Part from member server...

Would you be able to remove (or just rename) all the files,
including all files in /var/lib/samba/* and /var/lib/samba/private/*?
But the folders need to be there...

Then try to join the domain again?

Also put this in smb.conf after the join

(Not for actual production usage, it should be about 300 to 3600 in value
for actual production)
This will refresh the winbind connection to AD every second... meaning the
refresh is going to be overwhelming for your AD DC.

idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1




On Fri, Jul 11, 2014 at 5:26 PM, isofx <ea4ml3f at gmx.at> wrote:

> On 11.07.2014 11:06, L.P.H. van Belle wrote:
>
>> this is wrong...
>>
>>> idmap config * : range = 10000 - 15000
>>>
>>> idmap config KARMEL : backend = ad
>>> idmap config KARMEL : schema_mode = rfc2307
>>> idmap config KARMEL : range = 15000 - 20000
>>>
>> correct is...
>>
>> idmap config * : range = 10000 - 14999
>>
>> idmap config KARMEL : backend = ad
>> idmap config KARMEL : schema_mode = rfc2307
>> idmap config KARMEL : range = 15000 - 20000
>>
>> 1 overlap... ;-)
>>
>>> root at ts01:/home/adm3f# wbinfo -i demo
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user demo
>>>
>> for member server, correct, now add a UID on that user and wbinfo -i
>> works fine..
>> for DC server, test it and you see it works without adding UID.
>>
>> don't ask me why.. (I think this is because of the differences in winbind
>> on DC and Member server)
>>
>> Louis
>>
>>
>>
>>
>>> -----Original Message-----
>>> From: ea4ml3f at gmx.at [mailto:samba-bounces at lists.samba.org] On behalf of isofx
>>> Sent: Friday, 11 July 2014 10:54
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Cannot access shared home directories
>>> from linux machine
>>>
>>> On 10.07.2014 23:03, Rowland Penny wrote:
>>>
>>>>>> [global]
>>>>>> netbios name = TS01
>>>>>> workgroup = DOMAIN
>>>>>> security = ADS
>>>>>> realm = KARMEL.INTERN
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>> server string = TS01
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>> winbind use default domain = yes
>>>>>> winbind expand groups = 4
>>>>>> winbind nss info = rfc2307
>>>>>> winbind refresh tickets = yes
>>>>>> winbind normalize names = yes
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 2000-9999
>>>>>> idmap config DOMAIN : backend = ad
>>>>>> idmap config DOMAIN : range = 10000-15000
>>>>>> idmap config DOMAIN : schema_mode = rfc2307
>>>>>> domain master = no
>>>>>> local master = no
>>>>>> preferred master = no
>>>>>> dns proxy = no
>>>>>>
>>>>>> It is based on one I know to work, stop samba, change smb.conf,
>>>>>> rejoin the domain, restart samba and try again. This all depends on
>>>>>> you having at least one AD user having a uidNumber and Domain Users
>>>>>> having a gidNumber.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> So after experimenting a little with different configurations, I
>>>>> ended up with the following smb.conf:
>>>>>
>>>>> [global]
>>>>> netbios name = TS01
>>>>> server string = TS01
>>>>>
>>>>> workgroup = KARMEL
>>>>> realm = KARMEL.INTERN
>>>>>
>>>>> security = ADS
>>>>> domain master = no
>>>>> local master = no
>>>>> preferred master = no
>>>>> dns proxy = no
>>>>>
>>>>> encrypt passwords = true
>>>>>
>>>>> kerberos method = secrets and keytab
>>>>>
>>>>> winbind use default domain = yes
>>>>> winbind trusted domains only = no
>>>>> winbind enum groups = yes
>>>>> winbind enum users = yes
>>>>> winbind nss info = rfc2307
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : schema_mode = rfc2307
>>>>> idmap config * : range = 10000 - 15000
>>>>>
>>>>> idmap config KARMEL : backend = ad
>>>>> idmap config KARMEL : schema_mode = rfc2307
>>>>> idmap config KARMEL : range = 15000 - 20000
>>>>>
>>>>> wbinfo -i is now showing information instead of an error, however
>>>>> it's not the UID/GID i configured via RSAT (14000/12000):
>>>>>
>>>>> root at ts01:/home/adm3f# wbinfo -i demo
>>>>> demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash
>>>>>
>>>>> These UID/GIDs are in the range configured for the * : backend = tdb.
>>>>>
>>>>> What I really want are the UID/GIDs configured in AD, right?
>>>>>
>>>>> Furthermore, how can I use these UID/GIDs to set permissions on
>>>>> shares? They won't be available on the DC locally, so I have to
>>>>> configure Windows ACLs?
>>>>>
>>>>> Kind regards,
>>>>> Rainhard
>>>>>
>>>> OK, try this smb.conf:
>>>> Please try the smb.conf I posted earlier, you have a few errors in the
>>>> one that you are trying to use now, one of which is probably giving
>>>> you the problem you are having.
>>>>
>>>> The AD users and groups will be available on the samba 4 AD server,
>>>> you just need to set winbind correctly on the server, but you need to
>>>> get your client working first, one thing at a time.
>>>>
>>>> Rowland
>>>>
>>> Unfortunately, the configuration isn't working either. wbinfo -u and -g
>>> work. However I still get:
>>>
>>> root at ts01:/home/adm3f# wbinfo -i demo
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user demo
>>>
>>> I still think there could be a problem with the local PAM
>>> configuration.
>>> Testing authentication with wbinfo -a and -K (kerberos) both
>>> work fine,
>>> however logging into the machine using SSH, I get the following in
>>> /var/log/auth.log:
>>>
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting
>>> password (0x00000000)
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): request
>>> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
>>> NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): user 'demo'
>>> denied access (incorrect password or invalid membership)
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user
>>> unknown
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user
>>> unknown
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting
>>> password (0x00000388)
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): pam_get_item
>>> returned a password
>>> Jul 11 10:49:39 ts01 sshd[3630]: Failed password for invalid user demo
>>> from 192.168.49.112 port 1388 ssh2
>>>
> Still no luck :-(. Here's my current configuration:
>
>
> [global]
> netbios name = TS01
> server string = TS01
>
> workgroup = KARMEL
> realm = KARMEL.INTERN
>
> security = ADS
> domain master = no
> local master = no
> preferred master = no
> dns proxy = no
>
> encrypt passwords = true
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> winbind use default domain = yes
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind normalize names = yes
> winbind expand groups = 4
>
> idmap config * : backend = tdb
> idmap config * : range = 2000 - 9999
>
> idmap config KARMEL : backend = ad
> idmap config KARMEL : schema_mode = rfc2307
> idmap config KARMEL : range = 10000 - 15000
>
> I have a user "demo" configured with UID 14000, member of group "demo
> group" GID 12000.
>
> Kind regards,
> Rainhard
>
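As an added example (not from any poster in this thread), a small Python checker that reads the idmap config lines quoted above, reports overlapping ranges (the single shared ID at 15000 that Louis points out, since Samba's range bounds are inclusive) and tells you which range a returned ID falls into, which is how you distinguish an ID allocated by the default tdb backend from a uidNumber/gidNumber read from AD. The two configurations embedded in it are constructed from the fragments posted in this thread.

```python
import re
# Constructed sample: the idmap lines from the two smb.conf fragments quoted in this thread.
CONF_OVERLAP = """
idmap config * : backend = tdb
idmap config * : range = 10000 - 15000
idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 15000 - 20000
"""
CONF_FIXED = """
idmap config * : backend = tdb
idmap config * : range = 2000 - 9999
idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 10000 - 15000
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in conf.
    'range = low - high' is stored as a (low, high) tuple; Samba includes both ends."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            val = tuple(int(x) for x in val.replace(" ", "").split("-"))
        domains.setdefault(dom, {})[opt] = val
    return domains

def find_overlaps(domains):
    """List (dom_a, dom_b, shared_ids) for each pair of ranges that collide."""
    ranges = {d: o["range"] for d, o in domains.items() if "range" in o}
    names, hits = sorted(ranges), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo, hi = max(ranges[a][0], ranges[b][0]), min(ranges[a][1], ranges[b][1])
            if lo <= hi:  # even one shared ID makes the mapping ambiguous
                hits.append((a, b, hi - lo + 1))
    return hits

def owner_of_id(domains, xid):
    """Idmap domain whose range contains xid: an ID inside the '*' tdb range was
    allocated locally, not read from the AD uidNumber/gidNumber attributes."""
    for dom, opts in domains.items():
        if "range" in opts and opts["range"][0] <= xid <= opts["range"][1]:
            return dom
    return None
```

Running find_overlaps on the first configuration reports one shared ID between "*" and KARMEL; the UID 11117 that wbinfo returned falls in the "*" range, i.e. it was allocated by tdb rather than taken from AD.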

