pkgsrc-Users archive
Samba winbind Problem
Hello
Samba 3.5.9 on DragonflyBSD with current pkgsrc.
Following setup:
Windows 2003 R2 Server named HERMES.ALYXBIO.LOCAL
Samba 3.5.9 on DragonflyBSD called HADES.ALYXBIO.LOCAL
map guest = bad uid
and
guest ok = yes
doesn't let users access the Samba server called HADES.
let's assume user mark wants to access //HADES/Temp. This is a public
folder with guest access enabled.
A Windows authentication prompt pops up! Why?
Also putting this into the Windows logon script doesn't work.
The message pops up.
Why the hell authenticate? OK, let's do it:
The authentication should be: ALYXBIO\mark + pw
Doesn't work!
But if I put now HERMES\mark + pw in here, it works!!
I can access all files in Temp and write to them.
So user has to auth against the Windows 2003 Server HERMES and not the
Domain itself?
Then: if I try to access other shares (set with valid users = mark
ALYXBIO\\mark) I can't access them at all, not with ALYXBIO\mark nor
HERMES\mark. Another share called [ARCHIV] can't even be accessed by
the Administrator.
Also Samba is joined to our Windows 2003 R2 Active Directory domain.
Pretty much everything works,
except that winbindd can't convert between SIDs and uid/gid:
wbinfo -t
checking the trust secret for domain ALYXBIO via RPC calls succeeded
wbinfo -r ALYXBIO\\mark
10513
11002
11133
11117
11115
11118
11120
11123
11116
11135
11122
11119
11146
10001
##
wbinfo -n ALYXBIO\\mark
S-1-5-21-1315757802-438667711-3701579331-1139 SID_USER (1)
##
wbinfo -S S-1-5-21-1315757802-438667711-3701579331-1139
11139
##
wbinfo -U 11139
S-1-5-21-1315757802-438667711-3701579331-1139
##
wbinfo -i ALYXBIO\\mark
ALYXBIO\mark:*:11139:10513:Mark:/daten/samba/users/mark:/bin/sh
##
These tests were done while running
winbindd -SFi -d3 -n
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
Successfully contacted LDAP server 192.168.1.51
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
connection_ok: Connection to for domain ALYXBIO is not connected
Connecting to 192.168.1.51 at port 445
Doing spnego session setup (blob length=109)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
got principal=hermes$@ALYXBIO.LOCAL
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/hermes.ALYXBIO.local@ALYXBIO.LOCAL
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Sat, 06 Aug 2011 10:58:54 CEST
##
nslookup -query=SRV _ldap._tcp.dc._msdcs.alyxbio.local
Server: 192.168.1.51
Address: 192.168.1.51#53
_ldap._tcp.dc._msdcs.alyxbio.local service = 0 100 389
hermes.alyxbio.local.
##
smbclient -L hades
Enter root's password:
Domain=[ALYXBIO] OS=[Unix] Server=[Samba 3.5.9]
Sharename Type Comment
--------- ---- -------
Temp Disk Austauschpool fuer temporaere Daten,
wird jeden Samstag geloescht
ClientApps Disk Software Speicher
Archiv Disk Alte Daten
woma Disk test folder for ads
IPC$ IPC IPC Service (HADES NAS Server)
Domain=[ALYXBIO] OS=[Unix] Server=[Samba 3.5.9]
Server Comment
--------- -------
HADES HADES NAS Server
HERMES
Workgroup Master
--------- -------
ALYXBIO HERMES
##
getent hosts hermes
192.168.1.51 hermes.alyxbio.local hermes
But getent is not showing ADS users and groups, only wbinfo is.
##
Now, trying to access a "guest account" enabled share from Windows XP
as Administrator, the Samba log says:
[2011/08/06 01:01:12.747093, 2] smbd/sesssetup.c:1413(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/08/06 01:01:12.747111, 3] smbd/sesssetup.c:1212(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2011/08/06 01:01:12.747131, 3] smbd/sesssetup.c:1254(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2011/08/06 01:01:12.749646, 3] smbd/sesssetup.c:806(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1332
[2011/08/06 01:01:12.749908, 3] libads/authdata.c:304(decode_pac_data)
  Found account name from PAC: Administrator [Administrator]
[2011/08/06 01:01:12.749930, 3] smbd/sesssetup.c:338(reply_spnego_kerberos)
  Ticket name is [Administrator@ALYXBIO.LOCAL]
[2011/08/06 01:01:12.753142, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username ALYXBIO\Administrator is invalid on this system
[2011/08/06 01:01:12.753163, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(459) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2011/08/06 01:01:12.754985, 3] smbd/process.c:1489(process_smb)
  Transaction 45 of length 1594 (0 toread)
[2011/08/06 01:01:08.671909, 3] libads/kerberos_verify.c:589(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Message size is incompatible with encryption type)
##################
Any help here?
How do I get user-based logon enabled with 2003 R2 AD and this Samba
3.5.9 version?
Here for further reference my smb.conf:
bash-4.2# testparm
Load smb config files from /usr/pkg/etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Temp]"
Processing section "[ClientApps]"
Processing section "[Archiv]"
Processing section "[woma]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = ALYXBIO
realm = ALYXBIO.LOCAL
server string = HADES NAS Server
security = ADS
allow trusted domains = No
map to guest = Bad Password
password server = hermes.alyxbio.local
lanman auth = Yes
client NTLMv2 auth = Yes
log level = 3 passdb:3 winbind:10 auth:3
syslog = 3
log file = /var/log/samba/samba.log
max log size = 50
large readwrite = No
max xmit = 65535
time server = Yes
deadtime = 15
load printers = No
printcap name = /dev/null
disable spoolss = Yes
local master = No
domain master = No
dns proxy = No
wins server = hermes
cache directory = /var/tmp/.cache/.samba
idmap uid = 50000-99999
idmap gid = 50000-99999
template homedir = /daten/samba/users/%U
template shell = /bin/sh
idmap config ALYXBIO: schema_mode = rfc2307
idmap config ALYXBIO: range = 10000-49999
idmap config ALYXBIO: backend = ad
create mask = 0640
directory mask = 0751
inherit acls = Yes
guest ok = Yes
aio read size = 1
aio write size = 1
ea support = Yes
use sendfile = Yes
printing = cups
cups options = raw
print command = lpr -P'%p' %s; rm %s
lppause command = lp -i '%p-%j' -H hold
lpresume command = lp -i '%p-%j' -H resume
queuepause command = disable '%p'
queueresume command = enable '%p'
strict locking = No
[homes]
comment = Home Directories
read only = No
browseable = No
[Temp]
comment = Austauschpool fuer temporaere Daten, wird jeden
Samstag geloescht
path = /daten/samba/temp
read only = No
guest only = Yes
[ClientApps]
comment = Software Speicher
path = /daten/samba/software
read only = No
guest only = Yes
[Archiv]
comment = Alte Daten
path = /daten/samba/archiv
valid users = mark, alex, administrator, root
read only = No
guest ok = No
[woma]
comment = test folder for ads
path = /daten/samba/woma
read only = No
create mask = 0770
directory mask = 0770
guest ok = No
###############
Any help appreciated to enable domain logons on the shares...
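Added example, not part of the original post: a small parser for the Samba 3.x smbd log format quoted above (header line "[date time, level] file:line(function)" followed by indented message lines) that pairs each "Username ... is invalid on this system" entry with the NT_STATUS the server then returned, so a defender can pull these rejected Kerberos logons out of a large log. The sample text is constructed from the lines in the post; the header regex is my assumption about the format.

```python
import re
from dataclasses import dataclass

# Header of a Samba 3.x log entry: "[date time, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<file>[\w./]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)


@dataclass
class Entry:
    ts: str
    level: int
    func: str
    msg: str


def parse_samba_log(text):
    """Group each header line with its (possibly multi-line) message."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["func"], ""))
        elif entries and raw.strip():
            entries[-1].msg = (entries[-1].msg + " " + raw.strip()).strip()
    return entries


def find_logon_failures(text):
    """Return (user, NT_STATUS) pairs for session setups smbd rejected."""
    findings, user = [], None
    for e in parse_samba_log(text):
        m = re.search(r"Username (\S+) is invalid on this system", e.msg)
        if m:
            user = m.group(1)            # remember who was rejected
        elif e.func == "error_packet_set" and "NT_STATUS_" in e.msg:
            status = re.search(r"NT_STATUS_\w+", e.msg).group(0)
            findings.append((user, status))  # pair it with the returned status
            user = None
    return findings


# Constructed sample, built from the log lines quoted in the post above.
SAMPLE = """\
[2011/08/06 01:01:12.749908, 3] libads/authdata.c:304(decode_pac_data)
  Found account name from PAC: Administrator [Administrator]
[2011/08/06 01:01:12.753142, 1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username ALYXBIO\\Administrator is invalid on this system
[2011/08/06 01:01:12.753163, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(459) cmd=115 (SMBsesssetupX)
  NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for user, status in find_logon_failures(SAMPLE):
        print(f"{status}: {user}")
```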