[Samba] samba 4.1.7 member server errors trying to access share(s)
steve
steve at steve-ss.com
Wed May 28 04:28:54 MDT 2014
On Wed, 2014-05-28 at 12:07 +0200, L.P.H. van Belle wrote:
> Hai,
>
> I have some strange things and I can't figure out what's going on.
> The problem is that my domain users and the extra Domain Admin (Admin) can't access my member server (and shares).
>
>
> When I log in with DOMAIN\Administrator it all works fine; I can access all shares with no popups with authorisation requests.
>
> But DOMAIN\Admin (has the same rights as the domain Administrator) is added to "Domain Admins", and the domain admins have all privileges.
> When I log in as "DOMAIN\Admin" and I try to access any share on my member server I'm getting a popup with an authorisation request.
> When entering as "Administrator" it works; all other users/Admins do not.
Hi Louis
Administrator works because you're mapping him to someone who has
privileges. Admin doesn't enjoy any mapping.
> My 2 DCs \\rtd-dc1 and \\rtd-dc2 I can access without any problem, but with \\rtd-mem1 I'm getting the popup.
> Also tried \rtd-mem1\software, but the same, popup.
>
> I can't figure out where something is wrong, I'm missing something..
> If someone can help me trace this, that would be nice. Below is the info about the setup.
>
>
> Client PC, domain joined, is Windows 7 64-bit, logged in as "DOMAIN\Admin".
> And another strange thing:
> I've also set up a Zarafa mail server with WebAccess and Single Sign On, which is working fine.
> (used this page for the SSO setup: https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4 )
> I can access https://mailserver/webassess as Admin with no popup and it auths fine.
>
> I saw the following errors in the log.smbd and these are the only errors I found on my whole system.
> (can be from testing, I don't know anymore..)
> [2014/05/28 10:44:59.886717, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
> [2014/05/28 10:44:59.887122, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
> Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
> [2014/05/28 10:45:00.177559, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
> [2014/05/28 10:45:00.177813, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
> Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
> [2014/05/28 10:45:01.302718, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
> [2014/05/28 10:45:01.302967, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
> Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
>
>
>
> It's set up with Debian wheezy and SerNet Samba 4.1.7: 2 x DC and 1 x member server (all SerNet Samba).
>
> I'm testing/setting up the member server; smb.conf is as the wiki says with a few extra things.
> smb.conf of the member server.
> Setup followed: http://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Joined with net ads join -U administrator
>
> Checked the A and PTR records, checked the keytab file, all host entries are there.
> wbinfo -u / -g works fine for all my users and admins in the domain.
> getent passwd gives back my users with RFC2307.
>
> libpam-krb5 is installed.
> Time is in sync with less than 2 sec difference.
>
> Shares setup followed: http://wiki.samba.org/index.php/Setup_and_configure_file_shares
>
>
> ------------------ SMB conf -----------------------
>
>
> [global]
> workgroup = MYDOMAIN
> security = ADS
> realm = MYDOMAIN.DDOMAIN.TLD
>
> netbios name = rtd-mem1
> domain master = no
> local master = no
> host msdfs = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> client signing = if_required
>
> ## map ids outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 50001-80000
> ## map ids from the domain; the ranges may not overlap!
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 2000-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> wins server = 192.168.1.1, 192.168.1.2
>
> template shell = /bin/sh
> template homedir = /home/users/%USERNAME%
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # For ACL support on member server
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> # Share Setting Globally
> usershare allow guests = no
> unix extensions = no
> wide links = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [home]
> path = /home/users
> read only = no
>
> [software]
> path = /home/samba/software
> read only = no
>
> ------------------ KRB5 -----------------------
> ## krb5 setup. /etc/krb5.conf
> [libdefaults]
> default_realm = MYDOMAIN.DOMAIN.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
>
> ------------------ NSSWITCH -----------------------
>
> /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
>
We set the permissions on the file system and it works fine.
What does getfacl on the share folders give us, and what does getfacl on a
user folder under /home/users give us?
Cheers,
Steve
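Added example, not from the thread or from the Samba project: a small POSIX shell check that pulls every "idmap config DOMAIN:range" line out of an smb.conf text and reports inverted or overlapping ranges, since the comment in the posted config notes that the domain range and the default (*) range must not overlap. The two config fragments are constructed here; the first reuses the poster's ranges, the second is deliberately misconfigured.

```shell
#!/bin/sh
# Constructed smb.conf fragments (not the full file from the thread); the
# first uses the poster's ranges, the second is deliberately overlapping.
SMB_CONF_OK='[global]
idmap config *:backend = tdb
idmap config *:range = 50001-80000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 2000-40000'

SMB_CONF_BAD='[global]
idmap config *:backend = tdb
idmap config *:range = 10000-80000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 2000-40000'

# Print "domain low high" for every "idmap config DOMAIN:range = low-high" line.
idmap_ranges() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Exit 0 when every range is well-formed and no two ranges overlap;
# otherwise print the offending ranges and exit 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            if (NR == 0) { print "no idmap config ranges found"; bad = 1 }
            for (i = 1; i <= NR; i++) {
                if (lo[i] > hi[i]) {
                    printf "inverted range: %s %d-%d\n", dom[i], lo[i], hi[i]; bad = 1
                }
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            }
            exit bad
        }'
}

# Usage on a real member server: check_idmap_ranges "$(cat /etc/samba/smb.conf)"
check_idmap_ranges "$SMB_CONF_OK"  && echo "OK:  ranges are disjoint"
check_idmap_ranges "$SMB_CONF_BAD" || echo "BAD: fix the ranges before going further"
```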