[Samba] net ads join -- strange message

nathalie ramat nathalie.ramat at univ-littoral.fr
Fri Oct 25 07:33:12 UTC 2019


Hello,

On 23/10/2019 at 12:45, Rowland penny via samba wrote:
> On 23/10/2019 10:51, nathalie ramat via samba wrote:
>> Hello,
>>
>> I have an AD server - everything seems OK
>> I have a windows client and a linux client . The users must to 
>> connect on windows or on linux with the same home.
>>
>> When I join my Linux client with the command net ads join -U 
>> administration, I then get the following message:
>>
>> net ads join -U administrator
>> Enter administrator's password:
>>
>> Error reading password from file descriptor 0: empty password
>>
>> Error reading password from file descriptor 0: empty password
>>
>> Error reading password from file descriptor 0: empty password
>>
>> Error reading password from file descriptor 0: empty password
>>
>> Error reading password from file descriptor 0: empty password
>>
>> Error reading password from file descriptor 0: empty password
>>
>> Error reading password from file descriptor 0: empty password
>> Using short domain name -- SAMBADOM
>> Joined 'CLIENTBLUESEYE' to dns domain 'sambadom.calais.fr'
>>
>> But my machine is joined to my Samba AD.
>>
>> Why do I have this error?
>
> I do not think this has anything to do with Samba, but 'The users must 
> to connect on windows or on linux with the same home' may give a hint, 
> are you using something like pam-mount ?
>
>

Yes, I use pam_mount.


I have modified the script pam_mount.conf.xml to create the directory 
of my user.

<?xml version="1.0" encoding="UTF-8"?>

<pam_mount>
<debug enable="1"/>
<mkmountpoint enable="1" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck" />
<mntoptions require="nosuid,nodev" />
<lsof>/usr/bin/lsof %(MNTPT) </lsof>
<cifsmount> /sbin/mount.cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "user=%(USER),domain=SAMBADOM,uid=%(USER),gid=%(USERGID),cifsacl,file_mode=0700,dir_mode=0700" </cifsmount>
<umount>/bin/umount %(MNTPT) </umount>
<volume options="username=%(DOMAIN_USER),workgroup=%(DOMAIN_NAME),uid=%(DOMAIN_USER),fmask=700,file_mode=0700,dir_mode=0700" mountpoint="/etudiants/%(USER)" path="%(DOMAIN_USER)" server="blueyestest" fstype="cifs" />
</pam_mount>



The home of my user mounts correctly. I just have a problem with the ACLs.

On the server my user has these rights:

root@blueyestest:/home/SAMBADOM/specifique/testjeudi# ls -l
total 12
-rwxrwxr--+ 1 SAMBADOM/testjeudi SAMBADOM/specifique    0 oct.  21 11:59 testlinux21102019
drwxrwxr--+ 2 SAMBADOM/testjeudi SAMBADOM/specifique 4096 oct.  17 13:39 testwindow17102019

root@blueyestest:/home/SAMBADOM/specifique/testjeudi# getfacl testlinux21102019
# file: testlinux21102019
# owner: SAMBADOM/testjeudi
# group: SAMBADOM/specifique
user::rwx
group::r--
group:SAMBADOM/specifique:r--
group:SAMBADOM/testjeudi:rwx
mask::rwx
other::r--




On my Linux client the rights are:

-rwx------ 1 testjeudi specifique    0 oct.  21 11:59 testlinux21102019
drwxr-x--- 2 testjeudi specifique    0 oct.  17 13:39 testwindow17102019



I think that ACLs are not supported by SMB 3.1.1?

>>
>> My smb.conf server is  :
>>
>> # Global parameters
>> [global]
>>     dns forwarder = 193.49.xxx.xxx
>>     netbios name = BLUEYESTEST
>>     realm = SAMBADOM.CALAIS.FR
>>     server role = active directory domain controller
>>     workgroup =SAMBADOM
>>     idmap_ldb:use rfc2307 = yes
>>     log level =5
>>     log file =/var/log/samba3/log.%M
>>     max log size = 1000
>>     host msdfs = no
>> #    vfs objects = acl_xattr
>> #    map acl inherit =yes
>> #    store dos attributes = yes
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>
>> #  for tests only
>>     winbind enum users =yes
>>     winbind enum groups =yes
>> #
>>     winbind separator = /
>>     winbind use default domain = yes
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/sambadom.calais.fr/scripts
>>     read only = No
>>     writable = yes
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>     browsable =yes
>> [homes]
>>     path=/home/SAMBADOM/%G/%U
>>     writable=yes
>>     read only = no
> Er, you do know that 'writable=yes' and 'read only = no' mean the same 
> thing, you only need one of them.
>>
>>
>> my smb.conf client linux is
>>
>> [global]
>>     security =ADS
>>     realm = SAMBADOM.CALAIS.FR
>>     workgroup =SAMBADOM
>>     netbios name = clientblueseye
>>     winbind separator = /
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>>
>>     idmap config * : backend=tdb
>>     idmap config * : range=1000-2000
> With that line, you cannot have any local Unix users

All users are created in my AD. I have just one local user (id 1000), 
created during installation. I decided to use the ad backend.
I give uidNumber, gidNumber and unixHomeDirectory directly in the Samba 
attributes.

>>
>>     idmap config SAMBADOM : backend = ad
>>     idmap config SAMBADOM : schema_mode =rfc2307
>>     idmap config SAMBADOM : backend = rid
>>     idmap config SAMBADOM : range = 10000-600000
>>     idmap config SAMBADOM : unix_nss_info = yes
>>     idmap config SAMBADOM : unix_primary_group = yes
> Sorry, but you cannot use both the 'ad' and 'rid' winbind backend, 
> choose one and remove the other and if you choose 'rid', remove the 
> unneeded extra 'ad' lines
>> template homedir =/etudiants/%U
>>
>> #    template homedir = /home/%D/%G/%U
>>
>>     template shell =/bin/bash
>>     kerberos method =  secrets and keytab
>>     dedicated keytab file =/etc/krb5.keytab
>>     winbind refresh tickets =yes
>> #
>> #    username map = /etc/samba/samba_usermapping
> turn this back on
>>
>>     winbind use default domain = yes
>>     log file =/var/log/samba/log.%m
>>     log level = 3
>> # for acl support on members servers with shares
>> #    vfs object = acl_xattr
>> #    map acl inherit = yes
>> #    store dos attributes = yes
> also turn these on again
>
> Rowland
>
>
>

-- 
Nathalie RAMAT-LECLERCQ

Service Informatique

Universite du Littoral-Côte d'Opale
SCoSI - Service Commun du Système d'Information
Pôle Systèmes et réseaux

Centre de Gestion Universitaire de Calais
50 rue ferdinand Buisson
C.S 80699
62228 CALAIS CEDEX
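
The smb.conf points raised in the replies quoted above (two idmap backends for one domain, a default idmap range that covers a local account's ID, 'writable' set together with 'read only') can be checked mechanically. The following is an added example, not part of the original message and not Samba code; the function names and the local_ids parameter are hypothetical, and the sample is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: idmap and [homes] lines as quoted in the thread.
SAMPLE = """\
[global]
    idmap config * : backend=tdb
    idmap config * : range=1000-2000
    idmap config SAMBADOM : backend = ad
    idmap config SAMBADOM : backend = rid
    idmap config SAMBADOM : range = 10000-600000
[homes]
    writable=yes
    read only = no
"""

def parse(text):
    """Return {section: {param: [values]}}, keeping repeated parameters."""
    conf, section = defaultdict(lambda: defaultdict(list)), "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing so 'a:b' and 'a : b' compare equal.
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.lower().split()))
            conf[section][key].append(value.strip())
    return conf

def lint(text, local_ids=(1000,)):
    """local_ids: IDs of local Unix accounts (assumption; supplied by the admin)."""
    conf, findings = parse(text), []
    for key, values in conf["global"].items():
        m = re.fullmatch(r"idmap config (\S+) : (backend|range)", key)
        if not m:
            continue
        domain, what = m.group(1).upper(), m.group(2)
        if what == "backend" and len(set(values)) > 1:
            findings.append(f"{domain}: conflicting idmap backends {sorted(set(values))}")
        if what == "range" and domain == "*":
            low, high = map(int, values[-1].split("-"))
            if any(low <= i <= high for i in local_ids):
                findings.append(f"*: default range {low}-{high} overlaps local Unix IDs")
    for name, params in conf.items():
        if params.get("writable") and params.get("read only"):
            findings.append(f"[{name}]: 'writable' and 'read only' are both set")
    return findings
```

Calling lint(SAMPLE) returns three findings, one per point raised in the replies.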






