[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Jul 29 08:33:55 MDT 2014


I will check out the module later. Working is my top priority as you 
stated. However, you have me curious now. If this keytab is created, 
where the heck is it created? I am looking for it in /var/lib/samba, 
/etc, and other places. None of my member servers have it and they all 
seem to work, minus this stubborn one of course.

Also, I did a test earlier and wanted to share the results. This thing 
keeps complaining about an idmap ad backend not being found, and I 
honestly believe that is the issue, not Kerberos. I am trying your 
suggestion because maybe this backend is stored in Kerberos, who knows. 
Either way, I am being flooded with errors about this "idmap backend ad" 
not being found.

Anyway, I had already added winbind to nsswitch.conf for users and 
groups, so I wanted to verify the same UID/GID was being pulled. I wiped 
the winbind idmap tdb files and rebooted. Got the same IDs after it 
rebooted and created the files again, so no issue there. For example, 
the "Domain Users" group always has an ID of 70001. That much is 
working. So what in the heck does the missing backend do? Something is 
already mapping domain users and groups to IDs, so I am scratching my 
head on this one.

On 07/29/2014 10:22 AM, Rowland Penny wrote:
> On 29/07/14 15:00, Ryan Ashley wrote:
>> I understand the basics of Kerberos, but the reason that I am asking 
>> is because I have dozens of S4 servers in production environments and 
>> have never had to create the keytab you mentioned. They all just worked.
>
> If, when you talk about S4 servers, you mean as an AD DC, then yes you 
> do not require the keytab, but on a member server (or client) when you 
> join the domain with the net command, the keytab is created.
>>
>> Now, I do not mind modifying my pam settings as I have done on loads 
>> of Linux workstations which are joined to an AD domain, but how would 
>> I prevent the login of users? I have a home directory and cannot 
>> remove it, so there is technically a place for their home 
>> directories. In Windows I would simply modify group policy to deny 
>> logon, but we both know Linux knows nothing of a GPO. So without 
>> removing "/home", how would I prevent login?
>>
>> My plan now is to modify pam first, then if needed, do the keytab.
>
> I would do it the other way, get everything to work and then if need 
> be, stop user login with PAM. If you install
> the packages I suggested, PAM will do all the work for you initially. 
> You could also investigate a PAM module called 'pam_nologin', you 
> should be able to guess what this does ;-)
>
> Rowland
>
>
>>
>> On 07/29/2014 09:22 AM, Rowland Penny wrote:
>>> On 29/07/14 14:01, Ryan Ashley wrote:
>>>> I do not have libpam-krb5 installed, nor have I ever had it 
>>>> installed anywhere, on any system. I also do not modify pam 
>>>> settings because I do not want users being able to log into the 
>>>> servers if one decided to be malicious. Currently each server only 
>>>> has the root account on it and this was fine in S3.
>>>
>>> OK, you do not need any other users on the server and as long as 
>>> there is nowhere for the users to call home, they will not be able 
>>> to login. Having said that, the computer needs to authenticate users 
>>> & groups from AD, this is where PAM comes in and you need PAM and 
>>> kerberos to connect to an AD DC.
>>>
>>>>
>>>> Before I change anything, I would like to know what that keytab 
>>>> file does. Just playing it safe. If I do not understand it I will 
>>>> not be able to support it. Thanks for your time and effort, I do 
>>>> appreciate it.
>>>
>>> If you are going to get involved with AD, you need to get involved 
>>> with kerberos and keytabs, this subject is a bit involved to go into 
>>> here, but you could start here:
>>>
>>> https://itservices.stanford.edu/service/kerberos/keytabs
>>>
>>> After that, perhaps the samba wiki and there is always the internet ;-)
>>>
>>> Rowland
>>>
>>>
>>>>
>>>> On 07/29/2014 03:50 AM, Rowland Penny wrote:
>>>>> On 28/07/14 23:33, Ryan Ashley wrote:
>>>>>> More information in another winbind log. I attempted to login to 
>>>>>> a remote Windows 7 box with a normal user account which is in 
>>>>>> both groups and should get both drives. Windows logs access 
>>>>>> denied and does not map the drives, and I get this in the logs. 
>>>>>> At this point I am fairly sure winbind is having issues speaking 
>>>>>> to the DC due to a missing module which I can find nothing about 
>>>>>> online. I did use Google for a while today and cannot find a 
>>>>>> match for the phrases below, so I am stuck.
>>>>>>
>>>>>> log.wb-TRUEVINE:
>>>>>> [2014/07/28 18:24:52.880743,  3] 
>>>>>> ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>>>>   ads: query_user
>>>>>> [2014/07/28 18:24:52.883979,  1] 
>>>>>> ../source3/winbindd/winbindd_ads.c:710(query_user)
>>>>>>   nss_get_info_cached failed: NT_STATUS_NOT_FOUND
>>>>>>
>>>>>> log.winbind-idmap:
>>>>>> [2014/07/28 18:24:52.883979,  3] 
>>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>>>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
>>>>>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>>> [2014/07/28 18:24:52.883991,  0] 
>>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>>>   Got sig[15] terminate (is_parent=0)
>>>>>> [2014/07/28 18:24:52.884011,  3] 
>>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>>>   idmap backend ad not found
>>>>>> [2014/07/28 18:24:52.884072,  3] 
>>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>>>   Could not probe idmap module ad
>>>>>>
>>>>>> On 7/28/2014 11:16 AM, Ryan Ashley wrote:
>>>>>>> Found the problem, I believe
>>>>>>>
>>>>>>> [2014/07/28 10:14:44.828015,  3] 
>>>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>>>>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] 
>>>>>>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>>>> [2014/07/28 10:31:37.274435,  0] 
>>>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>>>>   Got sig[15] terminate (is_parent=0)
>>>>>>> [2014/07/28 11:02:32.032341,  3] 
>>>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>>>>   idmap backend ad not found
>>>>>>> [2014/07/28 11:02:32.051673,  3] 
>>>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>>>>   Could not probe idmap module ad
>>>>>>>
>>>>>>> As you can see, winbind is having issues with AD. What could 
>>>>>>> cause this? Currently I have set share permissions in Linux to 
>>>>>>> 777 and am running S4 4.1.10 from the v4-1-stable branch. Is 
>>>>>>> this something I can fix?
>>>>>>>
>>>>>>> On 07/28/2014 10:19 AM, Ryan Ashley wrote:
>>>>>>>> Great, so by doing "git clone git://git.samba.org/samba.git 
>>>>>>>> samba-master" I am by default cloning the testing branch. I am 
>>>>>>>> going to do a checkout on stable and try again.
>>>>>>>>
>>>>>>>> On 07/28/2014 10:11 AM, Rowland Penny wrote:
>>>>>>>>> On 28/07/14 15:00, Ryan Ashley wrote:
>>>>>>>>>> Odd, but it says I am using 4.2.0, which is higher than 4.1.8.
>>>>>>>>>>
>>>>>>>>>> root at fs01:/usr/src/samba-master# samba-tool -V
>>>>>>>>>> 4.2.0pre1-GIT-d097898
>>>>>>>>>> root at fs01:/usr/src/samba-master# winbindd -V
>>>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>>>> root at fs01:/usr/src/samba-master# nmbd -V
>>>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>>>> root at fs01:/usr/src/samba-master#
>>>>>>>>>>
>>>>>>>>>> I normally clone, configure, and build. Is the stable branch 
>>>>>>>>>> not default? Am I building a testing branch? Should I 
>>>>>>>>>> checkout on the stable branch?
>>>>>>>>>>
>>>>>>>>>> On 07/28/2014 09:50 AM, Rowland Penny wrote:
>>>>>>>>>>> On 28/07/14 14:41, Ryan Ashley wrote:
>>>>>>>>>>>> Alright, I was poking around this morning trying to make 
>>>>>>>>>>>> this work, and noticed something odd. Loads of zombie nmbd 
>>>>>>>>>>>> processes. Check out the dump below and tell me, what is 
>>>>>>>>>>>> going on here? Is this my problem?
>>>>>>>>>>>>
>>>>>>>>>>>> On 07/28/2014 09:18 AM, Ryan Ashley wrote:
>>>>>>>>>>>>> I have never even played with apparmor. I do my Debian 
>>>>>>>>>>>>> installs using a net CD and doing the expert 64bit 
>>>>>>>>>>>>> install. I disable recommended and suggested packages and 
>>>>>>>>>>>>> install only exactly what I need, so I do not have 
>>>>>>>>>>>>> apparmor or selinux. Good thought though. I also tried 
>>>>>>>>>>>>> disabling the firewall on a test PC and still no go. This 
>>>>>>>>>>>>> has NEVER happened before so I am lost.
>>>>>>>>>>>>>
>>>>>>>>>>>>> So where else should I look? The system in question is a 
>>>>>>>>>>>>> domain member server, can resolve users and groups, and 
>>>>>>>>>>>>> can set ACLs with user and groups from AD. It is simply 
>>>>>>>>>>>>> denying access to group members of said shares.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>>>>>>>>>>>>>> On 27/07/14 16:28, Ryan Ashley wrote:
>>>>>>>>>>>>>>> I understand and I should have stated more clearly that 
>>>>>>>>>>>>>>> I have been going through those results for over a week 
>>>>>>>>>>>>>>> now. Nothing seems to help. Funny thing is that creating 
>>>>>>>>>>>>>>> a second virtual file-server and using share 
>>>>>>>>>>>>>>> authentication works fine. Yet another reason I am 
>>>>>>>>>>>>>>> leaning towards group issues. If the file-server is 
>>>>>>>>>>>>>>> share-level the Windows 7 boxes are happy. As soon as it 
>>>>>>>>>>>>>>> goes AD and uses AD groups, they stop working. I have 
>>>>>>>>>>>>>>> not tried user-level security yet. Then again I may have 
>>>>>>>>>>>>>>> user-level and share-level confused. It has been a long 
>>>>>>>>>>>>>>> week. I will keep searching but so far nothing I have 
>>>>>>>>>>>>>>> found and tried works.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Is there a way to get an actual reason for the denial? 
>>>>>>>>>>>>>>> If it flat-out told me a reason I could troubleshoot. 
>>>>>>>>>>>>>>> Right now I am just shooting in random directions hoping 
>>>>>>>>>>>>>>> to hit something since all I get is "Access Denied". Is 
>>>>>>>>>>>>>>> it possible to see if S4 is denying the connection via a 
>>>>>>>>>>>>>>> log or something, or if Windows 7 is being stupid... again?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>>>>>>>>>>>>>> That solution is for Windows 8. That also is not our 
>>>>>>>>>>>>>>>>> issue. The Windows 7 Pro 64bit workstations see the 
>>>>>>>>>>>>>>>>> server and shares, and they map the shares according 
>>>>>>>>>>>>>>>>> to group policy, but then everybody gets access 
>>>>>>>>>>>>>>>>> denied, despite being in the domain groups for which 
>>>>>>>>>>>>>>>>> the shares were created. Funny thing is that if I 
>>>>>>>>>>>>>>>>> logon as domain admin, I get to access the shares. Due 
>>>>>>>>>>>>>>>>> to this, I fully believe the S4 server is ignoring or 
>>>>>>>>>>>>>>>>> not accounting for group membership. The "reachfp" 
>>>>>>>>>>>>>>>>> account is the domain admin. This is also the default 
>>>>>>>>>>>>>>>>> owner of files on the shares. The group 
>>>>>>>>>>>>>>>>> "administration" contains many members and does not 
>>>>>>>>>>>>>>>>> grant access, despite the group being granted full 
>>>>>>>>>>>>>>>>> control. This led me into believing I am still dealing 
>>>>>>>>>>>>>>>>> with a permissions issue and not another issue. If it 
>>>>>>>>>>>>>>>>> was the other issue, I would assume domain admin could 
>>>>>>>>>>>>>>>>> not see the share or access it. Is that about right?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You are missing the point, I probably could have chosen 
>>>>>>>>>>>>>>>> a better target but I only spent about 30secs on the 
>>>>>>>>>>>>>>>> search:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> windows 7 64 bit access denied samba
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This returns about 116,000 results, here's another one:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html 
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Try looking into this before dismissing it out of hand 
>>>>>>>>>>>>>>>> and insisting that samba is the problem.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, after more thought and re-reading your posts, a 
>>>>>>>>>>>>>> thought has popped into my head, apparmor, do you have 
>>>>>>>>>>>>>> this running on the server?
>>>>>>>>>>>>>> I have been caught out by this a few times, not being 
>>>>>>>>>>>>>> allowed to do things that I thought I should be able to 
>>>>>>>>>>>>>> do, or packages not running correctly because they were 
>>>>>>>>>>>>>> not allowed access, in every case it was apparmor. As I 
>>>>>>>>>>>>>> could never get apparmor to play ball with me (I thought 
>>>>>>>>>>>>>> that I had found all rights that needed modding and then 
>>>>>>>>>>>>>> another one would pop its head up and what is in the logs 
>>>>>>>>>>>>>> bears no resemblance to what you need to put in the conf 
>>>>>>>>>>>>>> file), I now disable apparmor straight after installing a 
>>>>>>>>>>>>>> new system.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Somebody else reported this problem, he went to 4.1.8 and 
>>>>>>>>>>> the zombie nmbd problem went away, if you upgrade to the 
>>>>>>>>>>> latest samba4 you may hit two birds with one stone, the nmbd 
>>>>>>>>>>> problem and your group problem ;-)
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> Hi, what you are using is not the stable branch, it is the 
>>>>>>>>> branch that will become the next release i.e. 4.2. This does 
>>>>>>>>> not mean that you shouldn't use it, it just means that it 
>>>>>>>>> could be upgraded at any time until it is 'frozen' just before 
>>>>>>>>> release. These upgrades 'could' break something, not saying 
>>>>>>>>> they will, just that they could, for production use I would 
>>>>>>>>> use the latest version from here:
>>>>>>>>>
>>>>>>>>>  https://ftp.samba.org/pub/samba/stable/
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>> Do you have all of these packages installed:
>>>>>
>>>>> samba libnss-winbind winbind libpam-winbind krb5-config 
>>>>> libpam-krb5 krb5-user
>>>>>
>>>>> If not, install what is missing and add these lines to smb.conf:
>>>>>
>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>         kerberos method = secrets and keytab
>>>>>
>>>>> Restart samba and try again, you may have to join the machine to 
>>>>> the domain again.
>>>>>
>>>>> Rowland
>>>>
>>>
>>
>
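
An added example, not part of the original thread: a small Python parser for the winbind debug-log format quoted above. It joins each wrapped header, source location and message into one entry, then counts the idmap backend load failures and lists the low-level (0 and 1) entries. The sample input is constructed from the log lines in the messages, and all function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: log lines quoted in the thread (log.winbind-idmap plus one
# entry from log.wb-TRUEVINE). The first four headers are wrapped across two
# lines as in the mail; the last one is a single-line header.
SAMPLE_LOG = """\
[2014/07/28 18:24:52.883979,  3]
../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Mon, 28 Jul 2014 20:14:44 EDT
[2014/07/28 18:24:52.883991,  0]
../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2014/07/28 18:24:52.884011,  3]
../source3/winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
[2014/07/28 18:24:52.884072,  3]
../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
[2014/07/28 18:24:52.883979,  1] ../source3/winbindd/winbindd_ads.c:710(query_user)
  nss_get_info_cached failed: NT_STATUS_NOT_FOUND
"""

# "[date time.usec,  level]" optionally followed by the source location.
# Any further comma-separated header fields are ignored.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)[^\]]*\]\s*(.*)$"
)
# "../path/file.c:LINE(function)"
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")
# The two messages the thread shows when the backend module cannot be loaded.
IDMAP_FAIL = re.compile(
    r"idmap backend (\S+) not found|Could not probe idmap module (\S+)"
)


def parse_samba_log(text):
    """Return one dict per log entry, tolerating mail-wrapped lines."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {
                "time": header.group(1),
                "level": int(header.group(2)),
                "file": None,
                "line": None,
                "function": None,
                "message": "",
            }
            entries.append(current)
            line = header.group(3)
            if not line:
                continue  # location follows on the next line
        if current is None:
            continue  # text before the first header
        loc = LOCATION.match(line)
        if loc and current["file"] is None and not current["message"]:
            current["file"] = loc.group(1)
            current["line"] = int(loc.group(2))
            current["function"] = loc.group(3)
        else:
            # Message text, possibly wrapped over several lines.
            current["message"] = (current["message"] + " " + line).strip()
    return entries


def missing_idmap_backends(entries):
    """Map each idmap backend name to the number of load-failure messages."""
    counts = Counter()
    for entry in entries:
        match = IDMAP_FAIL.search(entry["message"])
        if match:
            counts[match.group(1) or match.group(2)] += 1
    return dict(counts)


def low_level_entries(entries, max_level=1):
    """Entries logged at debug level <= max_level (errors and warnings)."""
    return [e for e in entries if e["level"] <= max_level]


if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_LOG)
    for backend, hits in missing_idmap_backends(parsed).items():
        print(f"idmap backend '{backend}': {hits} load-failure messages")
    for e in low_level_entries(parsed):
        print(f"{e['time']} level {e['level']} {e['function']}: {e['message']}")
```
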


