pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Samba winbind Problem


Samba 3.5.9 on DragonflyBSD mit current pkgsrc.

following setting

Windows 2003 R2 Server named HERMES.ALYXBIO.LOCAL
Samba 3.5.9 on DragonflyBSD called HADES.ALYXBIO.LOCAL

map guest = bad uid
guest ok = yes

doesnt let users access the Samba Server called HADES.

let's assume user mark wants to access //HADES/Temp. This is a public
folder with guest access enabled.

An authentification Windows pops up! Why?
Also putting this into the Windows logon script doesnt work.

The Message pops up.
Why the hell authentificate? Ok, lets do it:

The authentication should be: ALYXBIO\mark + pw

Doesnt work!

But if I put now HERMES\mark + pw in here, it works!!
I can access all files in Temp and write to them.

So user has to auth against the Windows 2003 Server HERMES and not the
Domain itself?

Then: If I try to access other shares, (set with valid users = mark
ALYXBIO\\mark) I cant access them at all. not with ALYXBIO\mark nor
HERMES\mark. Another share called [ARCHIV] cant even be accessed by
the Administrator.

Also Samba is joined to our Windows-2003 R2 Active Drectory domain.
Pretty much everything works,
except that winbindd can't convert between SIDs and uid/gid:

wbinfo -t
checking the trust secret for domain ALYXBIO via RPC calls succeeded

wbinfo -r ALYXBIO\\mark


wbinfo -n ALYXBIO\\mark
S-1-5-21-1315757802-438667711-3701579331-1139 SID_USER (1)


wbinfo -S S-1-5-21-1315757802-438667711-3701579331-1139


wbinfo -U 11139


wbinfo -i ALYXBIO\\mark


these tests where done while running
winbindd -SFi -d3 -n

get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
Successfully contacted LDAP server
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
get_dc_list: preferred server list: "hermes.ALYXBIO.local, hermes.alyxbio.local"
connection_ok: Connection to  for domain ALYXBIO is not connected
Connecting to at port 445
Doing spnego session setup (blob length=109)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.
got OID=
got principal=hermes$@ALYXBIO.LOCAL
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
expiration Sat, 06 Aug 2011 10:58:54 CEST


nslookup -query=SRV _ldap._tcp.dc._msdcs.alyxbio.local

_ldap._tcp.dc._msdcs.alyxbio.local      service = 0 100 389


smbclient -L hades
Enter root's password:
Domain=[ALYXBIO] OS=[Unix] Server=[Samba 3.5.9]

        Sharename       Type      Comment
        ---------       ----      -------
        Temp            Disk      Austauschpool fuer temporaere Daten,
wird jeden Samstag geloescht
        ClientApps      Disk      Software Speicher
        Archiv          Disk      Alte Daten
        woma            Disk      test folder for ads
        IPC$            IPC       IPC Service (HADES NAS Server)
Domain=[ALYXBIO] OS=[Unix] Server=[Samba 3.5.9]

        Server               Comment
        ---------            -------
        HADES                HADES NAS Server

        Workgroup            Master
        ---------            -------
        ALYXBIO              HERMES


getent hosts hermes      hermes.alyxbio.local  hermes

but getent is not showing ADS users and groups, only wbinfo


now trying to access an "guest account" enabled share from Windows XP
as Administrator the samba log says:

[2011/08/06 01:01:12.747093,  2] smbd/sesssetup.c:1413(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/08/06 01:01:12.747111,  3]
  Doing spnego session setup
[2011/08/06 01:01:12.747131,  3]
  NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[]
PrimaryDomain=[Windows Server 2003 5.2]
[2011/08/06 01:01:12.749646,  3] smbd/sesssetup.c:806(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1332
[2011/08/06 01:01:12.749908,  3] libads/authdata.c:304(decode_pac_data)
  Found account name from PAC: Administrator [Administrator]
[2011/08/06 01:01:12.749930,  3] smbd/sesssetup.c:338(reply_spnego_kerberos)
  Ticket name is [Administrator@ALYXBIO.LOCAL]
[2011/08/06 01:01:12.753142,  1] smbd/sesssetup.c:454(reply_spnego_kerberos)
  Username ALYXBIO\Administrator is invalid on this system
[2011/08/06 01:01:12.753163,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(459) cmd=115 (SMBsesssetupX)
[2011/08/06 01:01:12.754985,  3] smbd/process.c:1489(process_smb)
  Transaction 45 of length 1594 (0 toread)
[2011/08/06 01:01:08.671909,  3] libads/kerberos_verify.c:589(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Message size is
incompatible with encryption type)


Any help here?

How to get user based logon enabled with 2003 R2 AD and this 3.5.9
Samba version?

Here for further reference my smb.conf:

bash-4.2# testparm
Load smb config files from /usr/pkg/etc/samba/smb.conf
Processing section "[homes]"
Processing section "[Temp]"
Processing section "[ClientApps]"
Processing section "[Archiv]"
Processing section "[woma]"
Loaded services file OK.
Press enter to see a dump of your service definitions

        workgroup = ALYXBIO
        realm = ALYXBIO.LOCAL
        server string = HADES NAS Server
        security = ADS
        allow trusted domains = No
        map to guest = Bad Password
        password server = hermes.alyxbio.local
        lanman auth = Yes
        client NTLMv2 auth = Yes
        log level = 3 passdb:3 winbind:10 auth:3
        syslog = 3
        log file = /var/log/samba/samba.log
        max log size = 50
        large readwrite = No
        max xmit = 65535
        time server = Yes
        deadtime = 15
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        local master = No
        domain master = No
        dns proxy = No
        wins server = hermes
        cache directory = /var/tmp/.cache/.samba
        idmap uid = 50000-99999
        idmap gid = 50000-99999
        template homedir = /daten/samba/users/%U
        template shell = /bin/sh
        idmap config ALYXBIO: schema_mode = rfc2307
        idmap config ALYXBIO: range = 10000-49999
        idmap config ALYXBIO: backend = ad
        create mask = 0640
        directory mask = 0751
        inherit acls = Yes
        guest ok = Yes
        aio read size = 1
        aio write size = 1
        ea support = Yes
        use sendfile = Yes
        printing = cups
        cups options = raw
        print command = lpr -P'%p' %s; rm %s
        lppause command = lp -i '%p-%j' -H hold
        lpresume command = lp -i '%p-%j' -H resume
        queuepause command = disable '%p'
        queueresume command = enable '%p'
        strict locking = No

        comment = Home Directories
        read only = No
        browseable = No

        comment = Austauschpool fuer temporaere Daten, wird jeden
Samstag geloescht
        path = /daten/samba/temp
        read only = No
        guest only = Yes

        comment = Software Speicher
        path = /daten/samba/software
        read only = No
        guest only = Yes

        comment = Alte Daten
        path = /daten/samba/archiv
        valid users = mark, alex, administrator, root
        read only = No
        guest ok = No

        comment = test folder for ads
        path = /daten/samba/woma
        read only = No
        create mask = 0770
        directory mask = 0770
        guest ok = No


any help appreciated to enable domain logons on the shares...

Home | Main Index | Thread Index | Old Index