Active Directory Integration Problems

by David Armstrong

Hello everyone,

I have set up Samba 3.0.28a on an Ubuntu 8.04 server.  The setup that I
am working with is an exact copy (as far as I can tell) of an identical
installation that I did on a test box.  Kerberos is set up and working
properly.  I can use kinit to issue tickets.  The box has been
successfully joined to the Active Directory domain.  I can enumerate AD
users and groups.  I can log into the Linux box with accounts from AD.
When browsing to the server over the network using the UNC, I can
connect to the server just fine.

The problem comes in when I try to connect to the share (\\<server
name>\<share name>).  When attempting to connect to the share I am
prompted for authentication credentials.  Neither valid AD credentials,
nor valid credentials for accounts on the local box work.  I have set
the directory world readable/writeable (chmod 777).

I'm not sure what to do to further troubleshoot the issue.  The exact
same configuration works fine on another box.  I have included my
smb.conf file here for reference.  Thanks in advance for any help and
insights.

[global]
        security = ads
        realm = <censored, ALL IN CAPS>
        password server = <censored, FQDN to domain controller>
        workgroup = 2CP
        winbind separator = '\'
        winbind refresh tickets = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

[test]
        path = /home/2CP/darmstrong
        valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
        write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
        read list =

David Armstrong
Database Administrator
MOCA  THE MUSEUM OF CONTEMPORARY ART

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Active Directory Integration Problems

by Brian Gregorcy

> [test]
>
>         path = /home/2CP/darmstrong
>
>         valid users = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
>
>         write list = 2CP\darmstrong,2CP\buexec,2CP\test,itadmin
>
>         read list =
>
>  



Try setting up your share like this; I am not sure that you need the quotes except for groups with spaces in them.


> [faculty]
>         comment                         = CHE Faculty Share
>         path                            = /home/CHE-shares/faculty
>         browseable                      = yes
>         read only                       = yes
>         inherit permissions             = yes
>         write list                      = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
>         valid users                     = @"CHEMENG+Domain Admins", @"CHEMENG+Faculty"
>         admin users                     = @"CHEMENG+Domain Admins"



--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
801.585.7170

RE: Active Directory Integration Problems

by David Armstrong

Thanks for the replies.  I have modified the share portion of my
smb.conf file as shown below.  Still no luck.

[test]
        path = /home/2CP/darmstrong
        browseable = yes
        read only = yes
        inherit permissions = yes
        valid users = "2CP\darmstrong","buexec","test",itadmin
        write list = "2CP\darmstrong","buexec","test",itadmin
        read list =


When modifying file permissions for shares on Windows servers, I have to
log out and log back on again before the workstation recognizes them.
Does the same go for Samba shares?

-----Original Message-----
From: Gary Greene [mailto:ggreene@...]
Sent: Thursday, July 09, 2009 2:38 PM
To: gregorcy; David Armstrong
Cc: samba@...
Subject: Re: [Samba] Active Directory Integration Problems

On 7/9/09 2:20 PM, "gregorcy" <brian.gregorcy@...> wrote:
The domain portion of the user isn't needed if you have 'winbind use
default domain = true' in your config. The quotes are however required
since Samba and the NSS stack on Linux cannot (or at least not from my
experience) handle escapes.

--
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell:  (650) 704-6633
Phone: (408) 240-1239


Re: Active Directory Integration Problems

by Gabriel Petrescu

Hi :)

What permissions did you use for the folder:

/home/CHE-shares/faculty
?

Thanks:)

Gabi


Re: Active Directory Integration Problems

by Brian Gregorcy

David Armstrong wrote:

> Thanks for the replies.  I have modified the share portion of my
> smb.conf file as shown below.  Still no luck.
>
> [test]
>         path = /home/2CP/darmstrong
>         browseable = yes
>         read only = yes
>         inherit permissions = yes
>         valid users = "2CP\darmstrong","buexec","test",itadmin
>         write list = "2CP\darmstrong","buexec","test",itadmin
>         read list =
>
>
> When modifying file permissions for shares on Windows servers, I have to
> log out and log back on again before the workstation recognizes them.
> Does the same go for Samba shares?
>


Sounds like my first suggestion was wrong; maybe try upping the idmap setting.

> idmap backend                   = rid:CHEMENG=500-100000000
> idmap uid                       = 500-100000000
> idmap gid                       = 500-100000000

Is there anything in the logs?

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering

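Gary's point about the domain prefix and Brian's idmap suggestion come down to the same question: does the share definition agree with the [global] winbind settings? The script below is an added example (it is not Samba's code and not something any poster in this thread wrote) that parses an smb.conf and reports the disagreements discussed here: a 'winbind separator' that is not a single character (the script assumes Samba takes the value literally, quotes included), idmap ranges that do not parse as LOW-HIGH, user-list entries whose domain prefix is redundant under 'winbind use default domain = yes', and entries written with a different separator than the configured one. The sample configuration is constructed from the one posted at the top of the thread.

```python
"""Lint an smb.conf for disagreements between the [global] winbind settings
and the per-share user lists.  Added example, not Samba's own code.
Assumptions: smb.conf is Samba's INI-like format ([section] headers,
'key = value' lines, '#' or ';' comment lines), Samba takes the value of
'winbind separator' literally (quotes are not stripped), and user-list
entries may be prefixed with '@', '+' or '&' to mean a group/netgroup."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")
USER_LIST_KEYS = ("valid users", "write list", "read list", "admin users")

# Constructed sample, modelled on the configuration posted at the top of the thread.
SAMPLE_CONF = r"""
[global]
        security = ads
        workgroup = 2CP
        winbind separator = '\'
        winbind use default domain = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000

[test]
        path = /home/2CP/darmstrong
        valid users = 2CP\darmstrong,2CP\buexec,itadmin
        write list = 2CP\darmstrong
        read list =
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            conf.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key = " ".join(m.group("key").lower().split())
            conf[current][key] = m.group("value")
    return conf


def split_name_list(value):
    """Split a Samba name list: comma/space separated; double quotes group
    names that contain spaces, as in @"DOM+Domain Admins" (quotes dropped)."""
    names, buf, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch in ", " and not quoted:
            if buf:
                names.append(buf)
            buf = ""
        else:
            buf += ch
    if buf:
        names.append(buf)
    return names


def idmap_range(value):
    """Parse 'LOW-HIGH'; return (low, high), or None if malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def lint(conf):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    g = conf.get("global", {})
    sep = g.get("winbind separator", "\\")
    use_default = g.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    workgroup = g.get("workgroup", "").lower()
    if len(sep) != 1:
        findings.append(f"[global] winbind separator = {sep!r}: expected a single "
                        "character (the value is taken literally, quotes included)")
    for key in ("idmap uid", "idmap gid"):
        if key in g and idmap_range(g[key]) is None:
            findings.append(f"[global] {key} = {g[key]!r} is not a LOW-HIGH range")
    for section, params in conf.items():
        if section == "global":
            continue
        for key in USER_LIST_KEYS:
            for name in split_name_list(params.get(key, "")):
                bare = name.lstrip("@+&")            # drop group/netgroup markers
                used = [s for s in ("\\", "+") if s in bare]
                if not used:
                    continue                          # plain local account
                domain = bare.partition(used[0])[0]
                if len(sep) == 1 and used[0] != sep:
                    findings.append(f"[{section}] {key}: {name!r} uses {used[0]!r} "
                                    f"but winbind separator is {sep!r}")
                elif use_default and domain.lower() == workgroup:
                    findings.append(f"[{section}] {key}: {name!r} carries the domain "
                                    "prefix, which is redundant with "
                                    "winbind use default domain = yes")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run it against a real file with `lint(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; on the constructed sample it reports the three-character separator once and the redundant `2CP\` prefix on each of the three prefixed entries. It complements rather than replaces `testparm`, which checks syntax but not whether the share lists and the winbind settings agree with each other.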

RE: Active Directory Integration Problems

by David Armstrong

Brian,

Which logs should I be checking?

The following output comes from the winbindd.log.  I replaced the FQDN
of the domain controller in the second to last line of the log file.  It
was in the format SERVERNAME.domain.name

[2009/07/13 09:16:40, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:write_socket(158)
  write_socket: Error writing 104 bytes to socket 17: ERRNO = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:cli_send_smb(188)
  Error writing 104 bytes to client. -1 (Connection reset by peer)
[2009/07/13 09:16:40, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \lsarpc to machine (FQDN to domain controller).  Error was Write error: Connection reset by peer

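The winbindd.log excerpt above is the right place to be looking: the connection that is being reset is winbind's own RPC connection to the domain controller, opened on the \lsarpc pipe that it uses to resolve names and SIDs, so the failure happens before any share-level permission is consulted and loosening directory modes cannot fix it. As an added example (not Samba code and not from any poster), the following script parses Samba 3.x debug-log records, rejoins message lines that a mail client wrapped, and summarises which errno text and which pipe/machine pairs appear. The sample is the log posted above with the domain controller's FQDN replaced by a placeholder, as the poster did.

```python
"""Parse Samba 3.x debug-log records (the format of winbindd.log / log.smbd)
and summarise the failures in them.  Added example, not Samba's own code.
Assumes the layout shown in the thread: a header line
'[YYYY/MM/DD HH:MM:SS, LEVEL] file.c:function(line)' followed by one or
more message lines (indented in the file, but possibly re-wrapped by mail)."""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# errno texts worth counting; extend as needed
ERRNO_RE = re.compile(
    r"Connection reset by peer|Connection refused|Connection timed out|"
    r"Broken pipe|No route to host|Network is unreachable"
)
# "cli_nt_create failed on pipe \lsarpc to machine (dc.example.com).  Error was ..."
PIPE_RE = re.compile(r"failed on pipe (\\\S+) to machine \(?(\S+?)\)?\.\s")

# Constructed sample: the winbindd.log excerpt posted in this thread, with the
# domain controller's FQDN replaced by a placeholder as the poster did.
SAMPLE_LOG = """\
[2009/07/13 09:16:40, 0] lib/util_sock.c:write_data(564)
  write_data: write failure. Error = Connection reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:write_socket(158)
  write_socket: Error writing 104 bytes to socket 17: ERRNO = Connection
reset by peer
[2009/07/13 09:16:40, 0] libsmb/clientgen.c:cli_send_smb(188)
  Error writing 104 bytes to client. -1 (Connection reset by peer)
[2009/07/13 09:16:40, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \\lsarpc to machine
(DC-FQDN-PLACEHOLDER).  Error was Write error: Connection reset by peer
"""


def parse_samba_log(text):
    """Return a list of dicts, one per log record, with the message rejoined."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {
                "ts": m.group("ts"), "level": int(m.group("level")),
                "src": m.group("src"), "func": m.group("func"),
                "line": int(m.group("line")), "msg": "",
            }
            records.append(current)
        elif current is not None and raw.strip():
            # Every non-header, non-blank line belongs to the current record;
            # this also glues back lines that a mail client wrapped.
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records


def summarise(records):
    """Count errno texts and collect (pipe, machine) pairs for failed RPC opens."""
    errors = Counter()
    failed_pipes = []
    for rec in records:
        for err in ERRNO_RE.findall(rec["msg"]):
            errors[err] += 1
        m = PIPE_RE.search(rec["msg"])
        if m:
            failed_pipes.append((m.group(1), m.group(2)))
    return {
        "records": len(records),
        "min_level": min((r["level"] for r in records), default=None),
        "errors": errors,
        "failed_pipes": failed_pipes,
    }


if __name__ == "__main__":
    summary = summarise(parse_samba_log(SAMPLE_LOG))
    for err, n in summary["errors"].most_common():
        print(f"{n:3d}  {err}")
    for pipe, machine in summary["failed_pipes"]:
        print(f"RPC pipe {pipe} could not be opened on {machine}")
```

Point it at a real file with `summarise(parse_samba_log(open("/var/log/samba/log.winbindd").read()))`. A resulting list of `failed_pipes` naming the domain controller, as here, says the next thing to check is the network path and the DC side (reachability, the machine account, Kerberos), not the share definition.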

Re: Active Directory Integration Problems

by Alberto Moreno

  Let's see if this helps.

   I set up a server a couple of weeks ago: Windows 2k3 AD. I added my
VM CentOS 5.3 machine to it, shared one folder and added the home users
folder.

   It is running and I have no issues with it.

  Windows 2k3 domain name: DOM.local
  machine name: dompdc
  IP: 192.168.2.2

  Network: 192.168.2.0/24

  Centos machine name: dom-vmcentos(DHCP)

   Kerberos: /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOM.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOM.LOCAL = {
  admin_server = dompdc.DOM.local
  default_domain = DOM.local
  kdc = dompdc.DOM.local
 }

[domain_realm]
 .kerberos.server = DOM.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Winbind + Samba running; let's go with Samba:

[global]
        syslog = 1
        log level = 2 vfs:2
        log file = /var/log/samba/%U.%m.log
        utmp = Yes
        load printers = no
        socket options = TCP_NODELAY SO_RCVBUF=20480 SO_SNDBUF=20480
        dns proxy = no
        server string = vmCents 5.x Test Server
        printing = cups
        workgroup = DOM
        netbios name = dom-vmcentos
        security = ads
        realm = DOM.LOCAL
        allow trusted domains = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind separator = +
        password server = dompdc.DOM.local
        encrypt passwords = Yes
        printcap name = /etc/printcap
        max log size = 100
        interfaces = eth0
        bind interfaces only = Yes
        local master = no
        domain master = no
        preferred master = no
        template homedir = /home/%D/%U
        template shell = /bin/bash
        #unix charset = UTF-8

[homes]
        comment = Home Directories DOM
        browseable = no
        writable = yes
        #valid users = %S
        create mode = 0664
        directory mode = 0775

[Test]
        comment = Test Directories DOM
        path = /opt/test
        public = yes
        browseable = yes
        writable = yes
        valid users = DOM+username
        write list = DOM+username
        create mode = 0770

 /etc/nsswitch.conf

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files winbind
services:   files

netgroup:   files winbind

publickey:  nisplus

automount:  files winbind
aliases:    files nisplus

/etc/hostname:

# Do not remove the following line, or various programs
# that require network functionality will fail.
192.168.2.118   dom-vmcentos.DOM.local dom-vmcentos
#::1            localhost6.localdomain6 localhost6
192.168.2.2     dompdc.DOM.local dompdc

Here it is assumed that we have already added the machine account to AD
and it is working as you say.

Now let's see our shares on Linux:

[root@dom-vmcentos opt]# ll
total 16
-rw-r--r-- 1 root             root   146 Sep 16  2008 File
drwx------ 2 root             root 12288 Feb 22  2008 lost+found
drwxr-xr-x 3 psql             pvsw  1024 Jun 12  2008 PSQLDATA
drwxr-xr-x 2 DOM+username root  1024 Jun 16 15:31 test
drwxr-xr-x 3 root             root  1024 Jan  8  2009 zimbra

Let's test:

[root@dom-vmcentos opt]# smbclient -L ////dom-vmcentos -U username
Password:
Domain=[DOM] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (vmCents 5.x Test Server)
        Test            Disk      Test Directories DOM
        username    Disk      Home Directories DOM
Domain=[DOM] OS=[Unix] Server=[Samba 3.0.33-3.7.el5]

        Server               Comment
        ---------            -------
        DOM-VMCENTOS         vmCents 5.x Test Server
        DOMPDC

        Workgroup            Master
        ---------            -------
        DOM                  DOMPDC


Now a mount command:

mount -t cifs //dom-vmcentos/Test -o username=username,password=passwd /mnt

[root@dom-vmcentos ~]# mount
//dom-vmcentos/Test on /mnt type cifs (rw,mand)
[root@dom-vmcentos ~]#

I can see the files inside this user's home folder, create, modify, etc.,
even inside Windows 2k3.

See you later!!!

--
Living the dream...