[Samba] Cannot access shared home directories from linux machine

Rowland Penny rowlandpenny at googlemail.com
Fri Jul 11 05:22:56 MDT 2014


On 11/07/14 10:26, isofx wrote:
> On 11.07.2014 11:06, L.P.H. van Belle wrote:
>> this is wrong...
>>
>>>> idmap config * : range = 10000 - 15000
>>>>
>>>> idmap config KARMEL : backend = ad
>>>> idmap config KARMEL : schema_mode = rfc2307
>>>> idmap config KARMEL : range = 15000 - 20000
>> correct is...
>>>> idmap config * : range = 10000 - 14999
>>>>
>>>> idmap config KARMEL : backend = ad
>>>> idmap config KARMEL : schema_mode = rfc2307
>>>> idmap config KARMEL : range = 15000 - 20000
>> 1 overlap... ;-)
>>
>>> root@ts01:/home/adm3f# wbinfo -i demo
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user demo
>> for member server, correct, now add a UID on that user and wbinfo -i 
>> works fine..
>> for DC server, test it and you see it works without adding UID.
>>
>> don't ask me why.. (I think this is because of the differences in
>> winbind on DC and Member server)
>>
>> Louis
>>
>>
>>
>>
>>> -----Original message-----
>>> From: ea4ml3f at gmx.at [mailto:samba-bounces at lists.samba.org] On behalf of isofx
>>> Sent: Friday, 11 July 2014 10:54
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Cannot access shared home directories
>>> from linux machine
>>> On 10.07.2014 23:03, Rowland Penny wrote:
>>>>>> [global]
>>>>>> netbios name = TS01
>>>>>> workgroup = DOMAIN
>>>>>> security = ADS
>>>>>> realm = KARMEL.INTERN
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>> server string = TS01
>>>>>> winbind enum users = yes
>>>>>> winbind enum groups = yes
>>>>>> winbind use default domain = yes
>>>>>> winbind expand groups = 4
>>>>>> winbind nss info = rfc2307
>>>>>> winbind refresh tickets = yes
>>>>>> winbind normalize names = yes
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 2000-9999
>>>>>> idmap config DOMAIN : backend = ad
>>>>>> idmap config DOMAIN : range = 10000-15000
>>>>>> idmap config DOMAIN : schema_mode = rfc2307
>>>>>> domain master = no
>>>>>> local master = no
>>>>>> preferred master = no
>>>>>> dns proxy = no
>>>>>>
>>>>>> It is based on one I know to work, stop samba, change smb.conf,
>>>>>> rejoin the domain, restart samba and try again. This all depends on
>>>>>> you having at least one AD user having a uidNumber and Domain Users
>>>>>> having a gidNumber.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> So after experimenting a little with different configurations, I
>>>>> ended up with the following smb.conf:
>>>>>
>>>>> [global]
>>>>> netbios name = TS01
>>>>> server string = TS01
>>>>>
>>>>> workgroup = KARMEL
>>>>> realm = KARMEL.INTERN
>>>>>
>>>>> security = ADS
>>>>> domain master = no
>>>>> local master = no
>>>>> preferred master = no
>>>>> dns proxy = no
>>>>>
>>>>> encrypt passwords = true
>>>>>
>>>>> kerberos method = secrets and keytab
>>>>>
>>>>> winbind use default domain = yes
>>>>> winbind trusted domains only = no
>>>>> winbind enum groups = yes
>>>>> winbind enum users = yes
>>>>> winbind nss info = rfc2307
>>>>>
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : schema_mode = rfc2307
>>>>> idmap config * : range = 10000 - 15000
>>>>>
>>>>> idmap config KARMEL : backend = ad
>>>>> idmap config KARMEL : schema_mode = rfc2307
>>>>> idmap config KARMEL : range = 15000 - 20000
>>>>>
>>>>> wbinfo -i is now showing information instead of an error, however
>>>>> it's not the UID/GID i configured via RSAT (14000/12000):
>>>>>
>>>>> root@ts01:/home/adm3f# wbinfo -i demo
>>>>> demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash
>>>>>
>>>>> These UID/GIDs are in the range configured for the * : backend = tdb.
>>>>> What I really want are the UID/GID configured in AD, right?
>>>>>
>>>>> Furthermore, how can I use these UID/GIDs to set permissions on
>>>>> shares? They won't be available on the DC locally, so I have to
>>>>> configure Windows ACLs?
>>>>>
>>>>> Kind regards,
>>>>> Rainhard
>>>> OK, try this smb.conf:
>>>> Please try the smb.conf I posted earlier, you have a few errors in the
>>>> one that you are trying to use now, one of which is probably giving
>>>> you the problem you are having.
>>>>
>>>> The AD users and groups will be available on the samba 4 AD server,
>>>> you just need to set winbind correctly on the server, but you need to
>>>> get your client working first, one thing at a time.
>>>>
>>>> Rowland
>>>>
>>> Unfortunately, the configuration isn't working either. wbinfo -u and -g
>>> work. However I still get:
>>>
>>> root@ts01:/home/adm3f# wbinfo -i demo
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user demo
>>>
>>> I still think there could be a problem with the local PAM
>>> configuration.
>>> Testing authentication with wbinfo -a and -K (kerberos) both work fine,
>>> however logging into the machine using SSH, I get the following in
>>> /var/log/auth.log:
>>>
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting password (0x00000000)
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): user 'demo' denied access (incorrect password or invalid membership)
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user unknown
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_unix(sshd:auth): check pass; user unknown
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): getting password (0x00000388)
>>> Jul 11 10:49:36 ts01 sshd[3630]: pam_winbind(sshd:auth): pam_get_item returned a password
>>> Jul 11 10:49:39 ts01 sshd[3630]: Failed password for invalid user demo from 192.168.49.112 port 1388 ssh2
>
> Still no luck :-(. Here's my current configuration:
>
> [global]
> netbios name = TS01
> server string = TS01
>
> workgroup = KARMEL
> realm = KARMEL.INTERN
>
> security = ADS
> domain master = no
> local master = no
> preferred master = no
> dns proxy = no
>
> encrypt passwords = true
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
>
> winbind use default domain = yes
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = rfc2307
> winbind refresh tickets = yes
> winbind normalize names = yes
> winbind expand groups = 4
>
> idmap config * : backend = tdb
> idmap config * : range = 2000 - 9999
>
> idmap config KARMEL : backend = ad
> idmap config KARMEL : schema_mode = rfc2307
> idmap config KARMEL : range = 10000 - 15000
>
> I have a user "demo" configured with UID 14000, member of group "demo 
> group" GID 12000.
>
> Kind regards,
> Rainhard
OK, that smb.conf should work, after all it is based on the one on the 
laptop that I am writing this on ;-)

What have you got in /etc/krb5.conf ?

Can you try running these two commands on the AD DC? You may need to 
install ldb-tools first.

ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=user)(sAMAccountName=demo))' uidNumber

ldbsearch -H /var/lib/samba/private/sam.ldb '(&(objectClass=group)(sAMAccountName=demo group))' gidNumber

They should return the DN of the user & group and 14000 & 12000

Rowland
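As an added example (not code from this thread or from the Samba project), the script below parses the idmap lines of an smb.conf and mechanically checks the two things the thread turns on: whether any two idmap ranges overlap (Louis's "1 overlap", since both ends of a Samba idmap range are inclusive, so 10000 - 15000 and 15000 - 20000 share the ID 15000), and whether the uidNumber/gidNumber values set in AD (14000/12000 here) fall inside the range of the domain that uses the ad backend, which winbind requires before it will use them. The two embedded configs are constructed from the fragments posted above; the function names and the report layout are my own.

```python
import re
from itertools import combinations

# Constructed sample: the fragment Louis flagged, where the "*" range ends at
# 15000 and the KARMEL range starts at 15000 (one shared ID).
OVERLAPPING_CONF = """
[global]
workgroup = KARMEL
idmap config * : backend = tdb
idmap config * : range = 10000 - 15000

idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 15000 - 20000
"""

# Constructed sample: the layout Rowland recommended, with the allocating "*"
# range entirely below the domain range and no shared boundary.
DISJOINT_CONF = """
[global]
workgroup = KARMEL
idmap config * : backend = tdb
idmap config * : range = 2000 - 9999

idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 10000 - 15000
"""

# Matches "idmap config <domain> : <key> = <value>" with any spacing.
_IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<domain>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Return {domain: {'backend': ..., 'range': (lo, hi), ...}} from smb.conf text.
    Accepts both spacing variants seen in the thread ('10000-15000' and '10000 - 15000')."""
    domains = {}
    for line in conf_text.splitlines():
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m.group("domain"), {})
        key, value = m.group("key").lower(), m.group("value")
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value, maxsplit=1))
            entry["range"] = (lo, hi)
        else:
            entry[key] = value.lower()
    return domains


def find_overlaps(domains):
    """Return sorted (domain_a, domain_b) pairs whose inclusive ranges share at least one ID."""
    overlaps = []
    ranged = {d: v["range"] for d, v in domains.items() if "range" in v}
    for a, b in combinations(sorted(ranged), 2):
        (a_lo, a_hi), (b_lo, b_hi) = ranged[a], ranged[b]
        if a_lo <= b_hi and b_lo <= a_hi:
            overlaps.append((a, b))
    return overlaps


def ids_covered(domains, domain, ids):
    """For a domain on the ad backend, report which rfc2307 IDs from AD lie inside its range.
    winbind will not use an rfc2307 uidNumber/gidNumber that falls outside the configured range."""
    entry = domains.get(domain, {})
    if entry.get("backend") != "ad" or "range" not in entry:
        return {i: False for i in ids}
    lo, hi = entry["range"]
    return {i: lo <= i <= hi for i in ids}


def audit(conf_text, domain, ids):
    """Run both checks and return a small report dict."""
    domains = parse_idmap(conf_text)
    return {
        "overlaps": find_overlaps(domains),
        "ids_in_domain_range": ids_covered(domains, domain, ids),
    }


if __name__ == "__main__":
    # 14000 / 12000 are the uidNumber / gidNumber Rainhard set via RSAT.
    for name, conf in (("overlapping", OVERLAPPING_CONF), ("disjoint", DISJOINT_CONF)):
        print(name, audit(conf, "KARMEL", [14000, 12000]))
```

Run against the first config it reports the ("*", "KARMEL") overlap and that neither 14000 nor 12000 lies in the KARMEL range; against the second it reports no overlap and both IDs covered, which is the state the ldbsearch queries above are meant to confirm on the DC side.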