[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Tue Jul 29 08:51:59 MDT 2014
On 29/07/14 15:33, Ryan Ashley wrote:
> I will checkout the module later. Working is my top priority as you
> stated. However, you have me curious now. If this keytab is created,
> where the heck is it created? I am looking for it in /var/lib/samba,
> /etc, and other places. None of my member servers have it and they all
> seem to work, minus this stubborn one of course.
If you set smb.conf up correctly and then run 'net ads join -U
Administrator@EXAMPLE.COM', you should find that /etc/krb5.keytab is
created.
>
> Also, I did a test earlier and wanted to share the results. This thing
> keeps complaining about an idmap ad backend not being found, and I
> honestly believe that is the issue, not Kerberos. I am trying your
> suggestion because maybe this backend is stored in Kerberos, who
> knows. Either way, I am being flooded with errors about this "idmap
> backend ad" not being found.
The 'idmap backend ad' is part of winbind, and as such, should be
available. If I remember correctly you are using a S4 AD DC, can you
remember how you provisioned it ?
>
>
> Anyway, I had already added winbind to nsswitch.conf for users and
> groups, so I wanted to verify the same UID/GID was being pulled. I
> wiped the winbind idmap tdb files and rebooted. Got the same IDs after
> it rebooted and created the files again, so no issue there. For
> example, the "Domain Users" group always has an ID of 70001. That much
> is working. So what in the heck does the missing backend do? Something
> is already mapping domain users and groups to IDs, so I am scratching
> my head on this one.
The 'idmap backend ad' is one that pulls all the user and group info
from RFC2307 attributes on the AD server.
Rowland
>
> On 07/29/2014 10:22 AM, Rowland Penny wrote:
>> On 29/07/14 15:00, Ryan Ashley wrote:
>>> I understand the basics of Kerberos, but the reason that I am asking
>>> is because I have dozens of S4 servers in production environments
>>> and have never had to create the keytab you mentioned. They all just
>>> worked.
>>
>> If, when you talk about S4 servers, you mean as an AD DC, then yes
>> you do not require the keytab, but on a member server (or client)
>> when you join the domain with the net command, the keytab is
>> created.
>>>
>>> Now, I do not mind modifying my pam settings as I have done on loads
>>> of Linux workstations which are joined to an AD domain, but how
>>> would I prevent the login of users? I have a home directory and
>>> cannot remove it, so there is technically a place for their home
>>> directories. In Windows I would simply modify group policy to deny
>>> logon, but we both know Linux knows nothing of a GPO. So without
>>> removing "/home", how would I prevent login?
>>>
>>> My plan now is to modify pam first, then if needed, do the keytab.
>>
>> I would do it the other way, get everything to work and then if need
>> be, stop user login with PAM. If you install
>> the packages I suggested, PAM will do all the work for you initially.
>> You could also investigate a PAM module called 'pam_nologin' , you
>> should be able to guess what this does ;-)
>>
>> Rowland
>>
>>
>>>
>>> On 07/29/2014 09:22 AM, Rowland Penny wrote:
>>>> On 29/07/14 14:01, Ryan Ashley wrote:
>>>>> I do not have libpam-krb5 installed, nor have I ever had it
>>>>> installed anywhere, on any system. I also do not modify pam
>>>>> settings because I do not want users being able to log into the
>>>>> servers if one decided to be malicious. Currently each server only
>>>>> has the root account on it and this was fine in S3.
>>>>
>>>> OK, you do not need any other users on the server and as long as
>>>> there is nowhere for the users to call home, they will not be able
>>>> to login. Having said that, the computer needs to authenticate
>>>> users & groups from AD, this is where PAM comes in and you need PAM
>>>> and kerberos to connect to an AD DC.
>>>>
>>>>>
>>>>> Before I change anything, I would like to know what that keytab
>>>>> file does. Just playing it safe. If I do not understand it I will
>>>>> not be able to support it. Thanks for your time and effort, I do
>>>>> appreciate it.
>>>>
>>>> If you are going to get involved with AD, you need to get involved
>>>> with kerberos and keytabs, this subject is a bit involved to go
>>>> into here, but you could start here:
>>>>
>>>> https://itservices.stanford.edu/service/kerberos/keytabs
>>>>
>>>> After that, perhaps the samba wiki and there is always the internet
>>>> ;-)
>>>>
>>>> Rowland
>>>>
>>>>
>>>>>
>>>>> On 07/29/2014 03:50 AM, Rowland Penny wrote:
>>>>>> On 28/07/14 23:33, Ryan Ashley wrote:
>>>>>>> More information in another winbind log. I attempted to login to
>>>>>>> a remote Windows 7 box with a normal user account which is in
>>>>>>> both groups and should get both drives. Windows logs access
>>>>>>> denied and does not map the drives, and I get this in the logs.
>>>>>>> At this point I am fairly sure winbind is having issues speaking
>>>>>>> to the DC due to a missing module which I can find nothing about
>>>>>>> online. I did use Google for a while today and cannot find a
>>>>>>> match for the phrases below, so I am stuck.
>>>>>>>
>>>>>>> log.wb-TRUEVINE:
>>>>>>> [2014/07/28 18:24:52.880743, 3]
>>>>>>> ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>>>>> ads: query_user
>>>>>>> [2014/07/28 18:24:52.883979, 1]
>>>>>>> ../source3/winbindd/winbindd_ads.c:710(query_user)
>>>>>>> nss_get_info_cached failed: NT_STATUS_NOT_FOUND
>>>>>>>
>>>>>>> log.winbind-idmap:
>>>>>>> [2014/07/28 18:24:52.883979, 3]
>>>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
>>>>>>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>>>> [2014/07/28 18:24:52.883991, 0]
>>>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>>>> Got sig[15] terminate (is_parent=0)
>>>>>>> [2014/07/28 18:24:52.884011, 3]
>>>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>>>> idmap backend ad not found
>>>>>>> [2014/07/28 18:24:52.884072, 3]
>>>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>>>> Could not probe idmap module ad
>>>>>>>
>>>>>>> On 7/28/2014 11:16 AM, Ryan Ashley wrote:
>>>>>>>> Found the problem, I believe
>>>>>>>>
>>>>>>>> [2014/07/28 10:14:44.828015, 3]
>>>>>>>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>>>>> ads_cleanup_expired_creds: Ticket in
>>>>>>>> ccache[MEMORY:cliconnect] expiration Mon, 28 Jul 2014 20:14:44 EDT
>>>>>>>> [2014/07/28 10:31:37.274435, 0]
>>>>>>>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>>>>>>>> Got sig[15] terminate (is_parent=0)
>>>>>>>> [2014/07/28 11:02:32.032341, 3]
>>>>>>>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>>>>>>>> idmap backend ad not found
>>>>>>>> [2014/07/28 11:02:32.051673, 3]
>>>>>>>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>>>>>>>> Could not probe idmap module ad
>>>>>>>>
>>>>>>>> As you can see, winbind is having issues with AD. What could
>>>>>>>> cause this? Currently I have set share permissions in Linux to
>>>>>>>> 777 and am running S4 4.1.10 from the v4-1-stable branch. Is
>>>>>>>> this something I can fix?
>>>>>>>>
>>>>>>>> On 07/28/2014 10:19 AM, Ryan Ashley wrote:
>>>>>>>>> Great, so by doing "git clone git://git.samba.org/samba.git
>>>>>>>>> samba-master" I am by default cloning the testing branch. I am
>>>>>>>>> going to do a checkout on stable and try again.
>>>>>>>>>
>>>>>>>>> On 07/28/2014 10:11 AM, Rowland Penny wrote:
>>>>>>>>>> On 28/07/14 15:00, Ryan Ashley wrote:
>>>>>>>>>>> Odd, but it says I am using 4.2.0, which is higher than 4.1.8.
>>>>>>>>>>>
>>>>>>>>>>> root@fs01:/usr/src/samba-master# samba-tool -V
>>>>>>>>>>> 4.2.0pre1-GIT-d097898
>>>>>>>>>>> root@fs01:/usr/src/samba-master# winbindd -V
>>>>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>>>>> root@fs01:/usr/src/samba-master# nmbd -V
>>>>>>>>>>> Version 4.2.0pre1-GIT-d097898
>>>>>>>>>>> root@fs01:/usr/src/samba-master#
>>>>>>>>>>>
>>>>>>>>>>> I normally clone, configure, and build. Is the stable branch
>>>>>>>>>>> not default? Am I building a testing branch? Should I
>>>>>>>>>>> checkout on the stable branch?
>>>>>>>>>>>
>>>>>>>>>>> On 07/28/2014 09:50 AM, Rowland Penny wrote:
>>>>>>>>>>>> On 28/07/14 14:41, Ryan Ashley wrote:
>>>>>>>>>>>>> Alright, I was poking around this morning trying to make
>>>>>>>>>>>>> this work, and noticed something odd. Loads of zombie nmbd
>>>>>>>>>>>>> processes. Check out the dump below and tell me, what is
>>>>>>>>>>>>> going on here? Is this my problem?
>>>>>>>>>>>>>
>>>>>>>>>>>>> root at fs01:~# ps x
>>>>>>>>>>>>> PID TTY STAT TIME COMMAND
>>>>>>>>>>>>> 1 ? Ss 0:02 init [2]
>>>>>>>>>>>>> 2 ? S 0:00 [kthreadd]
>>>>>>>>>>>>> 3 ? S 0:00 [ksoftirqd/0]
>>>>>>>>>>>>> 5 ? S 0:00 [kworker/u:0]
>>>>>>>>>>>>> 6 ? S 0:00 [migration/0]
>>>>>>>>>>>>> 7 ? S 0:01 [watchdog/0]
>>>>>>>>>>>>> 8 ? S< 0:00 [cpuset]
>>>>>>>>>>>>> 9 ? S< 0:00 [khelper]
>>>>>>>>>>>>> 10 ? S 0:00 [kdevtmpfs]
>>>>>>>>>>>>> 11 ? S< 0:00 [netns]
>>>>>>>>>>>>> 12 ? S 0:00 [xenwatch]
>>>>>>>>>>>>> 13 ? S 0:00 [xenbus]
>>>>>>>>>>>>> 14 ? S 0:01 [sync_supers]
>>>>>>>>>>>>> 15 ? S 0:00 [bdi-default]
>>>>>>>>>>>>> 16 ? S< 0:00 [kintegrityd]
>>>>>>>>>>>>> 17 ? S< 0:00 [kblockd]
>>>>>>>>>>>>> 19 ? S 0:00 [khungtaskd]
>>>>>>>>>>>>> 20 ? S 0:00 [kswapd0]
>>>>>>>>>>>>> 21 ? SN 0:00 [ksmd]
>>>>>>>>>>>>> 22 ? SN 0:00 [khugepaged]
>>>>>>>>>>>>> 23 ? S 0:00 [fsnotify_mark]
>>>>>>>>>>>>> 24 ? S< 0:00 [crypto]
>>>>>>>>>>>>> 173 ? S 0:00 [jbd2/xvda1-8]
>>>>>>>>>>>>> 174 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 183 ? S 0:00 [kworker/u:1]
>>>>>>>>>>>>> 313 ? Ss 0:00 udevd --daemon
>>>>>>>>>>>>> 420 ? S 0:00 udevd --daemon
>>>>>>>>>>>>> 425 ? S 0:00 udevd --daemon
>>>>>>>>>>>>> 433 ? S 0:00 [khubd]
>>>>>>>>>>>>> 438 ? S< 0:00 [kpsmoused]
>>>>>>>>>>>>> 445 ? S< 0:00 [ata_sff]
>>>>>>>>>>>>> 471 ? S 0:00 [scsi_eh_0]
>>>>>>>>>>>>> 472 ? S 0:00 [scsi_eh_1]
>>>>>>>>>>>>> 1295 ? S 0:00 [jbd2/xvda2-8]
>>>>>>>>>>>>> 1296 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1297 ? S 0:01 [flush-202:0]
>>>>>>>>>>>>> 1298 ? S 0:00 [jbd2/xvda9-8]
>>>>>>>>>>>>> 1299 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1300 ? S 0:00 [jbd2/xvda10-8]
>>>>>>>>>>>>> 1301 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1302 ? S 0:00 [jbd2/xvda8-8]
>>>>>>>>>>>>> 1303 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1307 ? S 0:00 [jbd2/xvda11-8]
>>>>>>>>>>>>> 1308 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1309 ? S 0:00 [jbd2/xvda3-8]
>>>>>>>>>>>>> 1310 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1311 ? S 0:00 [jbd2/xvda4-8]
>>>>>>>>>>>>> 1312 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1313 ? S 0:00 [jbd2/xvda5-8]
>>>>>>>>>>>>> 1314 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1315 ? S 0:00 [jbd2/xvda6-8]
>>>>>>>>>>>>> 1316 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1317 ? S 0:00 [jbd2/xvda7-8]
>>>>>>>>>>>>> 1318 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1319 ? S 0:00 [jbd2/xvdb1-8]
>>>>>>>>>>>>> 1320 ? S< 0:00 [ext4-dio-unwrit]
>>>>>>>>>>>>> 1780 ? Sl 0:00 /usr/sbin/rsyslogd -c5
>>>>>>>>>>>>> 1811 ? Ss 0:00 /usr/sbin/acpid
>>>>>>>>>>>>> 1903 ? Ss 0:00 /usr/sbin/cron
>>>>>>>>>>>>> 1998 ? Ss 0:00 /usr/sbin/sshd
>>>>>>>>>>>>> 2022 tty1 Ss+ 0:00 /sbin/getty 38400 tty1
>>>>>>>>>>>>> 2023 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
>>>>>>>>>>>>> 2024 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
>>>>>>>>>>>>> 2025 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
>>>>>>>>>>>>> 2026 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
>>>>>>>>>>>>> 2027 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
>>>>>>>>>>>>> 2041 ? Ss 0:03 nmbd
>>>>>>>>>>>>> 2043 ? Ss 0:03 smbd
>>>>>>>>>>>>> 2045 ? Ss 0:00 winbindd
>>>>>>>>>>>>> 2046 ? S 0:02 winbindd
>>>>>>>>>>>>> 2047 ? S 0:00 winbindd
>>>>>>>>>>>>> 2048 ? S 0:00 winbindd
>>>>>>>>>>>>> 2049 ? S 0:00 smbd
>>>>>>>>>>>>> 2067 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2085 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2109 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2127 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2145 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2163 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2185 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2203 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2223 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2241 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2263 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2281 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2299 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2317 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2339 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2357 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2375 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2393 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2415 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2433 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2451 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2469 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2491 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2509 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2527 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2545 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2567 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2585 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2603 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2621 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2643 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2661 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2679 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2697 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2719 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2737 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2755 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2773 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2795 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2813 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2831 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2849 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2871 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2889 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2907 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2925 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2946 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2964 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 2982 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3000 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3022 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3040 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3058 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3076 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3098 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3116 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3134 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3152 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3174 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3192 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3210 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3228 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3250 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3268 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3285 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3303 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3325 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3343 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3361 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3380 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3402 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3420 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3438 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3456 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3574 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3592 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3610 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3628 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3650 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3668 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3686 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3704 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3726 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3744 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3762 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3780 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3802 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3820 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3838 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3856 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3878 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3896 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3914 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3932 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3954 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3972 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 3990 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4008 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4030 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4048 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4066 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4084 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4106 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4124 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4142 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4160 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4182 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4200 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4220 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4238 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4261 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4279 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4297 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4315 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4337 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4355 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4373 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4391 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4413 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4431 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4449 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4467 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4489 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4507 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4525 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4543 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4565 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4583 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4601 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4619 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4641 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4659 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4677 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4694 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4716 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4734 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4752 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4770 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4792 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4811 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4829 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4847 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4869 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4887 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4905 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4923 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4945 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4963 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4981 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 4999 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5021 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5039 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5057 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5075 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5097 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5115 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5133 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5151 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5173 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5191 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5209 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5227 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5249 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5267 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5285 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5303 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5325 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5343 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5361 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5379 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5525 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5543 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5571 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5589 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5611 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5630 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5648 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5666 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5688 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5706 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5724 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5742 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5764 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5782 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5800 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5818 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5840 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5858 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5876 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5894 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5916 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5934 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5952 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5970 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 5992 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6010 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6028 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6046 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6068 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6086 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6104 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6122 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6144 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6161 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6179 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6197 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6219 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6238 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6256 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6274 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6296 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6314 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6332 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6350 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6372 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6390 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6408 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6426 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6448 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6466 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6484 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6502 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6524 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6542 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6560 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6578 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6600 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6618 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6636 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6654 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6676 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6694 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6712 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6730 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6752 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6770 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6789 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6807 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6829 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6847 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6852 ? S 0:01 [kworker/0:0]
>>>>>>>>>>>>> 6867 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6885 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6906 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6924 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6942 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6960 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 6982 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7000 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7018 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7036 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7058 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7076 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7094 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7112 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7134 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7152 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7170 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7188 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7210 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7228 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7246 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7264 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7286 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7304 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7322 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7340 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7458 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7476 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7494 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7512 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7534 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7552 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7569 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7587 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7609 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7627 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7645 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7665 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7676 ? S 0:00 [kworker/0:2]
>>>>>>>>>>>>> 7687 ? Z 0:00 [nmbd] <defunct>
>>>>>>>>>>>>> 7697 ? Ss 0:00 sshd: root@pts/0
>>>>>>>>>>>>> 7699 pts/0 Ss 0:00 -bash
>>>>>>>>>>>>> 7711 ? S 0:00 [kworker/0:1]
>>>>>>>>>>>>> 7718 ? S 0:00 [flush-202:16]
>>>>>>>>>>>>> 7721 pts/0 R+ 0:00 ps x
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 07/28/2014 09:18 AM, Ryan Ashley wrote:
>>>>>>>>>>>>>> I have never even played with apparmor. I do my Debian
>>>>>>>>>>>>>> installs using a net CD and doing the expert 64bit
>>>>>>>>>>>>>> install. I disable recommended and suggested packages and
>>>>>>>>>>>>>> install only exactly what I need, so I do not have
>>>>>>>>>>>>>> apparmor or selinux. Good thought though. I also tried
>>>>>>>>>>>>>> disabling the firewall on a test PC and still no go. This
>>>>>>>>>>>>>> has NEVER happened before so I am lost.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> So where else should I look? The system in question is a
>>>>>>>>>>>>>> domain member server, can resolve users and groups, and
>>>>>>>>>>>>>> can set ACLs with user and groups from AD. It is simply
>>>>>>>>>>>>>> denying access to group members of said shares.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 27/07/14 16:28, Ryan Ashley wrote:
>>>>>>>>>>>>>>>> I understand and I should have stated more clearly that
>>>>>>>>>>>>>>>> I have been going through those results for over a week
>>>>>>>>>>>>>>>> now. Nothing seems to help. Funny thing is that
>>>>>>>>>>>>>>>> creating a second virtual file-server and using share
>>>>>>>>>>>>>>>> authentication works fine. Yet another reason I am
>>>>>>>>>>>>>>>> leaning towards group issues. If the file-server is
>>>>>>>>>>>>>>>> share-level the Windows 7 boxes are happy. As soon as
>>>>>>>>>>>>>>>> it goes AD and uses AD groups, they stop working. I
>>>>>>>>>>>>>>>> have not tried user-level security yet. Then again I
>>>>>>>>>>>>>>>> may have user-level and share-level confused. It has
>>>>>>>>>>>>>>>> been a long week. I will keep searching but so far
>>>>>>>>>>>>>>>> nothing I have found and tried works.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Is there a way to get an actual reason for the denial?
>>>>>>>>>>>>>>>> If it flat-out told me a reason I could troubleshoot.
>>>>>>>>>>>>>>>> Right now I am just shooting in random directions
>>>>>>>>>>>>>>>> hoping to hit something since all I get is "Access
>>>>>>>>>>>>>>>> Denied". Is it possible to see if S4 is denying the
>>>>>>>>>>>>>>>> connection via a log or something, or if Windows 7 is
>>>>>>>>>>>>>>>> being stupid... again?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>>>>>>>>>>>>>>> That solution is for Windows 8. That also is not our
>>>>>>>>>>>>>>>>>> issue. The Windows 7 Pro 64bit workstations see the
>>>>>>>>>>>>>>>>>> server and shares, and they map the shares according
>>>>>>>>>>>>>>>>>> to group policy, but then everybody gets access
>>>>>>>>>>>>>>>>>> denied, despite being in the domain groups for which
>>>>>>>>>>>>>>>>>> the shares were created. Funny thing is that if I
>>>>>>>>>>>>>>>>>> logon as domain admin, I get to access the shares.
>>>>>>>>>>>>>>>>>> Due to this, I fully believe the S4 server is
>>>>>>>>>>>>>>>>>> ignoring or not accounting for group membership. The
>>>>>>>>>>>>>>>>>> "reachfp" account is the domain admin. This is also
>>>>>>>>>>>>>>>>>> the default owner of files on the shares. The group
>>>>>>>>>>>>>>>>>> "administration" contains many members and does not
>>>>>>>>>>>>>>>>>> grant access, despite the group being granted full
>>>>>>>>>>>>>>>>>> control. This led me into believing I am still
>>>>>>>>>>>>>>>>>> dealing with a permissions issue and not another
>>>>>>>>>>>>>>>>>> issue. If it was the other issue, I would assume
>>>>>>>>>>>>>>>>>> domain admin could not see the share or access it. Is
>>>>>>>>>>>>>>>>>> that about right?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> You are missing the point, I probably could have
>>>>>>>>>>>>>>>>> chosen a better target but I only spent about 30secs
>>>>>>>>>>>>>>>>> on the search:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> windows 7 64 bit access denied samba
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This returns About 116,000 results, here's another one:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Try looking into this before dismissing it out of hand
>>>>>>>>>>>>>>>>> and insisting that samba is the problem.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, after more thought and re-reading your posts, a
>>>>>>>>>>>>>>> thought has popped into my head, apparmor, do you have
>>>>>>>>>>>>>>> this running on the server ?
>>>>>>>>>>>>>>> I have been caught out by this a few times, not being
>>>>>>>>>>>>>>> allowed to do things that I thought I should be able to
>>>>>>>>>>>>>>> do, or packages not running correctly because they were
>>>>>>>>>>>>>>> not allowed access, in every case it was apparmor. As I
>>>>>>>>>>>>>>> could never get apparmor to play ball with me (I thought
>>>>>>>>>>>>>>> that I had found all rights that needed modding and then
>>>>>>>>>>>>>>> another one would pop its head up and what is in the
>>>>>>>>>>>>>>> logs bears no resemblance to what you need to put in the
>>>>>>>>>>>>>>> conf file), I now disable apparmor straight after
>>>>>>>>>>>>>>> installing a new system.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>> Somebody else reported this problem, he went to 4.1.8 and
>>>>>>>>>>>> the zombie nmbd problem went away, if you upgrade to the
>>>>>>>>>>>> latest samba4 you may hit two birds with one stone, the
>>>>>>>>>>>> nmbd problem and your group problem ;-)
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>> Hi, what you are using is not the stable branch, it is the
>>>>>>>>>> branch that will become the next release i.e. 4.2. This does
>>>>>>>>>> not mean that you shouldn't use it, it just means that it
>>>>>>>>>> could be upgraded at any time until it is 'frozen' just
>>>>>>>>>> before release. These upgrades 'could' break something, not
>>>>>>>>>> saying they will, just that they could, for production use I
>>>>>>>>>> would use the latest version from here:
>>>>>>>>>>
>>>>>>>>>> https://ftp.samba.org/pub/samba/stable/
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> Do you have all of these packages installed:
>>>>>>
>>>>>> samba libnss-winbind winbind libpam-winbind krb5-config
>>>>>> libpam-krb5 krb5-user
>>>>>>
>>>>>> If not, install what is missing and add these lines to smb.conf:
>>>>>>
>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>> kerberos method = secrets and keytab
>>>>>>
>>>>>> Restart samba and try again, you may have to join the machine to
>>>>>> the domain again.
>>>>>>
>>>>>> Rowland
>>>>>
>>>>
>>>
>>
>
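
A triage sketch for the winbind log excerpts quoted in this thread, added here as an example and not part of the original messages or of Samba's own tooling. It parses the multi-line log records, including the form where the source location has wrapped onto its own line, and lists the idmap backends winbindd could not load; the sample text is constructed from the lines quoted above, and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the log lines quoted in the thread. The third record
# keeps the mail-wrapped form, with the source location on its own line.
SAMPLE_LOG = """\
[2014/07/28 18:24:52.880743,  3] ../source3/winbindd/winbindd_ads.c:597(query_user)
  ads: query_user
[2014/07/28 18:24:52.883979,  1] ../source3/winbindd/winbindd_ads.c:710(query_user)
  nss_get_info_cached failed: NT_STATUS_NOT_FOUND
[2014/07/28 18:24:52.883991,  0]
../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=0)
[2014/07/28 18:24:52.884011,  3] ../source3/winbindd/idmap.c:230(idmap_init_domain)
  idmap backend ad not found
[2014/07/28 18:24:52.884072,  3] ../source3/winbindd/idmap.c:235(idmap_init_domain)
  Could not probe idmap module ad
"""

# "[timestamp, level]" with optional extra header fields, then an optional location.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)"
    r"(?:,[^\]]*)?\]\s*(?P<loc>.*)$"
)
# "path/to/file.c:LINE(function)"
LOCATION = re.compile(r"^(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
# The two messages winbindd logged in the thread when the "ad" module was missing.
IDMAP_FAILURE = re.compile(
    r"idmap backend (\S+) not found|Could not probe idmap module (\S+)"
)


@dataclass
class Record:
    timestamp: str
    level: int
    source: str = ""
    function: str = ""
    message: list = field(default_factory=list)


def parse_records(text):
    """Split log text into records: header, source location, message lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = Record(header["ts"], int(header["level"]))
            records.append(current)
            line = header["loc"]
            if not line:  # location wrapped onto the next line
                continue
        if current is None:
            continue  # stray text before the first header
        loc = LOCATION.match(line)
        if loc and not current.source:
            current.source = f"{loc['file']}:{loc['line']}"
            current.function = loc["func"]
        else:
            current.message.append(line)
    return records


def missing_idmap_backends(records):
    """Names of idmap backends that failed to load, in first-seen order."""
    seen = []
    for rec in records:
        for msg in rec.message:
            m = IDMAP_FAILURE.search(msg)
            if m:
                name = m.group(1) or m.group(2)
                if name not in seen:
                    seen.append(name)
    return seen


def high_severity(records, max_level=1):
    """Records at debug level <= max_level (lower numbers are more severe)."""
    return [r for r in records if r.level <= max_level]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("missing idmap backends:", missing_idmap_backends(recs))
    for r in high_severity(recs):
        print(r.level, r.function, "|", " ".join(r.message))
```

In the quoted logs the idmap failures are written at level 3, so filtering on levels 0 and 1 alone returns only the `query_user` and signal-handler records; the backend failure is found by matching the message text.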