[Samba] samba 4.1.7 member server errors trying to access share(s)
L.P.H. van Belle
belle at bazuin.nl
Wed May 28 05:58:06 MDT 2014
and..
Can I add the user in the user mapping also on the member server like this, or is this not advised?
!root = DOMAIN\Administrator DOMAIN\administrator
!DOMAIN\Administrator = DOMAIN\Admin DOMAIN\admin
Louis
>-----Original message-----
>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>On behalf of L.P.H. van Belle
>Sent: Wednesday 28 May 2014 13:45
>To: samba at lists.samba.org
>Subject: Re: [Samba] samba 4.1.7 member server errors trying to access share(s)
>
>
>Ok, one extra thing works (2).
>
>1) DOMAIN\Administrator works fine everywhere.
>
>2) DOMAIN\someuser works fine now on all my servers
>(forgot to put the site in the intranet sites).
>
>3) Domain\Admin works fine for the webmail SSO,
>but not for the shares on the member server, pops up domain
>auth. On the DC it works.
>
>But Admin.. still no go..
>As Admin is a member of Domain Users, it should work IMO..
>
>Louis
>
>
>>-----Original message-----
>>From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>>On behalf of L.P.H. van Belle
>>Sent: Wednesday 28 May 2014 13:32
>>To: samba at lists.samba.org
>>Subject: Re: [Samba] samba 4.1.7 member server errors trying to access share(s)
>>
>>Hi Steve,
>>
>>Thanks for the reply. Right on the spot.
>>
>>I checked my rights, and something was messed up there..
>>I did set some rights again but still the same error. (But read
>>on, not entirely the same.)
>>
>>getfacl afdelingen/
>>
>># file: afdelingen/
>># owner: root
>># group: root
>># flags: -s-
>>user::rwx
>>user:root:rwx
>>group::---
>>group:root:---
>>group:domain\040users:r-x
>>mask::rwx
>>other::---
>>default:user::rwx
>>default:user:root:rwx
>>default:group::r-x
>>default:group:root:r-x
>>default:mask::rwx
>>default:other::---
>>
>>Totally correct..
>>root is mapped to "DOMAIN\Administrator" (only on the member server)
>>(the DC is a DC and only a DC, with the sysvol and netlogon shares)
>>
>>>Administrator works because you're mapping him to someone who has
>>>privileges. Admin doesn't enjoy any mapping.
>>But I did set the "Domain Admins" privileges, shouldn't that
>>work also then?
>>And I didn't set any other privileges on the servers, only for
>>"Domain Admins".
>>
>>Ok, now the "strange" thing.
>>I did set the rights again (as in the example from the wiki).
>>Now the following happens.
>>
>>1) DOMAIN\Administrator works fine everywhere.
>>2) DOMAIN\someuser works fine now on my member server, can
>>access the shares, but SSO for webmail fails, pops up domain auth..
>>3) Domain\Admin works fine for the webmail SSO,
>>but not for the shares on the member server, pops up domain
>>auth. On the DC it works.
>>
>>Arg... :-//
>>Someuser is a member of "Domain Users".
>>Admin is a member of "Domain Users" AND "Domain Admins" (set up
>>the same as the original Domain\Administrator).
>>
>>One step forward and one back :-/
>>
>>The member server is not in production, so if your advice is
>>format, consider it done..
>>The mail server is no option for reinstall..
>>* The mail server I'll look into at a later moment; this is
>>for the member server.
>>I need that one for my automatic software installations through GPO setup.
>>
>>
>>Any other suggestions?
>>
>>Greetz,
>>
>>Louis
>>
>>
>>
>>>-----Original message-----
>>>From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>>>On behalf of steve
>>>Sent: Wednesday 28 May 2014 12:29
>>>To: samba at lists.samba.org
>>>Subject: Re: [Samba] samba 4.1.7 member server errors trying to access share(s)
>>>
>>>On Wed, 2014-05-28 at 12:07 +0200, L.P.H. van Belle wrote:
>>>> Hi,
>>>>
>>>> I have some strange things and I can't figure out what's going on.
>>>> The problem is that my domain users and the extra Domain
>>>> Admin (Admin) can't access my member server (and shares).
>>>>
>>>>
>>>> When I log in with DOMAIN\Administrator it all works
>>>> fine, I can access all shares, no popups with authorisation requests.
>>>>
>>>> But DOMAIN\Admin (has the same rights as the domain
>>>> Administrator) is added to "Domain Admins", and the domain
>>>> admins have all privileges.
>>>> When I log in as my "DOMAIN\Admin" and I try to access any
>>>> share on my member server I'm getting a popup with an
>>>> authorisation request.
>>>> When entering as "Administrator" it works, all other
>>>> users/Admins not.
>>>
>>>Hi Louis
>>>Administrator works because you're mapping him to someone who has
>>>privileges. Admin doesn't enjoy any mapping.
>>>
>>>> My 2 DCs \\rtd-dc1 and \\rtd-dc2 I can access without any
>>>> problem, but on \\rtd-mem1 I'm getting the popup.
>>>> Also tried \\rtd-mem1\software, but the same, popup.
>>>>
>>>> I can't figure out where something is wrong, I'm missing something..
>>>> If someone can help me trace this, that would be nice. Below
>>>> is the info about the setup.
>>>>
>>>>
>>>> Client PC, domain joined, is Windows 7 64-bit, logged in as
>>>> "DOMAIN\Admin".
>>>> And another strange thing:
>>>> I've also set up a Zarafa mail server with WebAccess and
>>>> Single Sign-On, which is working fine.
>>>> (Used this page for the SSO setup:
>>>> https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4 )
>>>> I can access https://mailserver/webassess as Admin, no
>>>> popup, and it auths fine.
>>>>
>>>> I saw the following errors in log.smbd, and these are
>>>> the only errors I found on my whole system.
>>>> (Can be from testing, I don't know anymore..)
>>>> [2014/05/28 10:44:59.886717, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>>> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>>> [2014/05/28 10:44:59.887122, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>> Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
>>>> [2014/05/28 10:45:00.177559, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>>> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>>> [2014/05/28 10:45:00.177813, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>> Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
>>>> [2014/05/28 10:45:01.302718, 0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
>>>> gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
>>>> [2014/05/28 10:45:01.302967, 0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
>>>> Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
>>>>
>>>>
>>>>
>>>> It's set up with Debian wheezy, SerNet Samba 4.1.7: 2 x DC
>>>> and 1 x member server (all SerNet Samba).
>>>>
>>>> I'm testing/setting up the member server; smb.conf is as the
>>>> wiki says, with a few extra things.
>>>> +> smb.conf of the member server.
>>>> Setup followed:
>>>> http://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>
>>>> Joined with net ads join -U administrator
>>>>
>>>> Checked the A and PTR records, checked the keytab file, all
>>>> host entries are there.
>>>> wbinfo -u / -g works fine for all my users and admins in
>>>> the domain.
>>>> getent passwd gives back my users with RFC2307.
>>>>
>>>> libpam-krb5 is installed.
>>>> Time is in sync with less than 2 sec difference.
>>>>
>>>> Shares setup followed:
>>>> http://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>>
>>>>
>>>> ------------------ SMB conf -----------------------
>>>>
>>>>
>>>> [global]
>>>> workgroup = MYDOMAIN
>>>> security = ADS
>>>> realm = MYDOMAIN.DDOMAIN.TLD
>>>>
>>>> netbios name = rtd-mem1
>>>> domain master = no
>>>> local master = no
>>>> host msdfs = no
>>>>
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> client signing = if_required
>>>>
>>>> ## map id's outside to domain to tdb files.
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 50001-80000
>>>> ## map ids from the domain the range may not overlap !
>>>> idmap config MYDOMAIN:backend = ad
>>>> idmap config MYDOMAIN:schema_mode = rfc2307
>>>> idmap config MYDOMAIN:range = 2000-40000
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = yes
>>>> winbind offline logon = yes
>>>>
>>>> wins server = 192.168.1.1, 192.168.1.2
>>>>
>>>> template shell = /bin/sh
>>>> template homedir = /home/users/%USERNAME%
>>>>
>>>> # user Administrator workaround, without it you are
>>>> # unable to set privileges
>>>> username map = /etc/samba/samba_usermapping
>>>>
>>>> # For ACL support on member server
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>> # Share Setting Globally
>>>> usershare allow guests = no
>>>> unix extensions = no
>>>> wide links = no
>>>> reset on zero vc = yes
>>>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>> hide unreadable = yes
>>>>
>>>> # disable printing completely
>>>> load printers = no
>>>> printing = bsd
>>>> printcap name = /dev/null
>>>> disable spoolss = yes
>>>>
>>>> [home]
>>>> path = /home/users
>>>> read only = no
>>>>
>>>> [software]
>>>> path = /home/samba/software
>>>> read only = no
>>>>
>>>> ------------------ KRB5 -----------------------
>>>> ## krb5 setup. /etc/krb5.conf
>>>> [libdefaults]
>>>> default_realm = MYDOMAIN.DOMAIN.TLD
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>> ticket_lifetime = 24h
>>>> renew_lifetime = 7d
>>>> forwardable = true
>>>>
>>>>
>>>> ------------------ NSSWITCH -----------------------
>>>>
>>>> /etc/nsswitch.conf
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>> shadow: compat
>>>>
>>>> hosts: files dns
>>>> networks: files
>>>>
>>>>
>>>
>>>We set the permissions on the file system and it works fine.
>>>What does:
>>>getfacl on the share folders give us and what does getfacl on a user
>>>folder under /home/users give us?
>>>Cheers,
>>>Steve
>>>
>>>
>>>
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>
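The open question at the top of this thread is whether the member server should carry a username map that chains DOMAIN\Admin onto DOMAIN\Administrator while Administrator is already mapped onto root. What decides the outcome is the order of the lines and the leading "!": without it, Samba keeps processing later lines with the already-mapped name, so the extra admin can silently end up as the Unix root user on the file server. The simulator below is an added example (not Samba's code and not the poster's /etc/samba/samba_usermapping); it implements the ordered, stop-on-"!" processing described in the smb.conf manual page for "username map", assumes Windows names compare case-insensitively, treats "*" as a wildcard, and does not resolve "@group" entries (they are treated as non-matching). The map text and the account names in it are constructed for the example. Its purpose is defensive: check, before deploying a map, which accounts it turns into root.

```python
"""Simulate Samba 'username map' resolution to audit which Windows accounts
end up as a privileged Unix user.  Constructed example, not Samba's code."""
from fnmatch import fnmatchcase

# Constructed map (not the poster's file): the extra admin is mapped onto
# Administrator first, then Administrator onto root, the order that allows
# one name to be mapped twice in a single pass.
CHAINING_MAP = """\
# constructed example map, not the poster's /etc/samba/samba_usermapping
DOMAIN\\Administrator = DOMAIN\\Admin DOMAIN\\admin
root = DOMAIN\\Administrator DOMAIN\\administrator
"""


def with_stop_marker(map_text):
    """Return the same map with every rule line prefixed by '!' (stop after match)."""
    out = []
    for line in map_text.splitlines():
        s = line.strip()
        if s and not s.startswith(("#", ";", "!")):
            out.append("!" + s)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def parse_username_map(map_text):
    """Parse 'unix_name = win_name ...' lines into (unix_name, [patterns], stop).
    A leading '!' means: stop processing once this line has mapped the name."""
    rules = []
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # comment or blank line
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        unix_name, rhs = (p.strip() for p in line.split("=", 1))
        patterns = rhs.split()
        if not unix_name or not patterns:
            raise ValueError(f"malformed username map line: {raw!r}")
        rules.append((unix_name, patterns, stop))
    return rules


def _pattern_matches(pattern, name):
    # Assumption: Windows names compare case-insensitively and '*' is a wildcard.
    # '@group' entries need a group lookup this offline simulator does not do,
    # so they never match here.
    if pattern.startswith("@"):
        return False
    return fnmatchcase(name.lower(), pattern.lower())


def resolve(rules, win_name):
    """Walk the rules in file order; return (final_name, trail_of_names).
    Without '!', a name mapped by one line is matched again by later lines."""
    name = win_name
    trail = [name]
    for unix_name, patterns, stop in rules:
        if any(_pattern_matches(p, name) for p in patterns):
            name = unix_name
            trail.append(name)
            if stop:
                break
    return name, trail


def accounts_mapped_to(rules, target, candidates):
    """Which of the candidate Windows names end up as `target` (e.g. 'root')?"""
    return sorted(c for c in candidates
                  if resolve(rules, c)[0].lower() == target.lower())


if __name__ == "__main__":
    # Constructed account names for the walkthrough.
    candidates = ["DOMAIN\\Administrator", "DOMAIN\\Admin", "DOMAIN\\someuser"]
    variants = (("map without '!'", CHAINING_MAP),
                ("map with '!'", with_stop_marker(CHAINING_MAP)))
    for label, text in variants:
        rules = parse_username_map(text)
        print(label)
        for c in candidates:
            print("   " + " -> ".join(resolve(rules, c)[1]))
        print("   mapped to root:", accounts_mapped_to(rules, "root", candidates))
```

Run against the constructed map, the version without "!" reports both DOMAIN\Admin and DOMAIN\Administrator as root, while the "!" version stops DOMAIN\Admin at DOMAIN\Administrator and leaves only the real Administrator on root. The same audit applies to any real map: feed the file's text to parse_username_map() and list the accounts that accounts_mapped_to(rules, "root", ...) returns before the map goes live on the member server.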