Hi...

On Wed, 2007-12-05 at 17:09 +0000, Chris Boyd wrote:
> Actually what I've discovered is that the user is able to access the
> share and access the shared folders where it's a member of its
> respective group. However, I have a weird problem where 1. user
> logon.bat does not map shared drive to S: and 2. under the domain
> name/server in My Network Places there are the folders in the share as
> well as a subfolder called "shared". It seems somewhere ldap and samba
> are not syncing.
>
> -------- Original Message --------
> Subject: cannot access share
> Date: Wed, 05 Dec 2007 15:53:31 +0000
> From: Chris Boyd <[EMAIL PROTECTED]>
> To: [email protected]
>
> Any ideas? I'm at my wits' end and pulling my hair out.
>
> -------- Original Message --------
> Subject: [ldap] cannot access share
> Date: Tue, 04 Dec 2007 14:47:23 +0000
> From: Chris Boyd <[EMAIL PROTECTED]>
> To: [email protected]
>
> Running openldap/samba/smbldap-tools/debian etch:
> The users can access their home drives and logon.bat maps but not the
> share. I can see the share in explorer but it prompts for a password when
> I try to access it. I had them working fine a while back. The only user
> that can access the share is admin. The only thing that's happened that
> I can think of is that a script changed the whole directory tree on the
> server as owned by root. I think the ownership on the share is correct
> though.
> Here's the setup:
> ---------------------------------------------------------
> smb.conf
> [netlogon]
> comment = Network Logon Service
> path = /data/samba/netlogon
> guest ok = yes
> writable = no
> share modes = no
> write list = "@MYDOMAIN\admins"
>
> [profiles]
> comment = Users profiles
> path = /home/%U/profiles
> ; path = /
> ; path = %H
> guest ok = no
> browseable = no
> writeable = yes
> ; store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
>
> [shared]
> comment = Shared folder
> path = /data/Shared
> force group = domusers
> read only = no
> browseable = yes
> create mask = 0770
> directory mask = 0770
> valid users = @MYDOMAIN\admins,@MYDOMAIN\domusers
>
> getent passwd
> admin:*:0:20000:Administrator:/home/admin:/bin/bash
> bob.newhart:x:30302:20001:Bob Newhart:/home/bob.newhart:/bin/bash
> ----------------------------------------------------------
> getent group
> admins:*:20000:
> domusers:*:20001:
>
> -----------------------------------------------------------
> net groupmap list -l
> Domain Admins
>         SID       : S-1-5-21-1953726507-754737620-746616776-512
>         Unix gid  : 20000
>         Unix group: admins
>         Group type: Domain Group
>         Comment   :
> Domain Guests
>         SID       : S-1-5-21-1953726507-754737620-746616776-514
>         Unix gid  : 20002
>         Unix group: guests
>         Group type: Domain Group
>         Comment   :
> Domain Users
>         SID       : S-1-5-21-1953726507-754737620-746616776-513
>         Unix gid  : 20001
>         Unix group: domusers
>         Group type: Domain Group
>         Comment   :
> it
>         SID       : S-1-5-21-1953726507-754737620-746616776-41007
>         Unix gid  : 20003
>         Unix group: it
>         Group type: Domain Group
>         Comment   :
> accounts
>         SID       : S-1-5-21-1953726507-754737620-746616776-41009
>         Unix gid  : 20004
>         Unix group: accounts
>         Group type: Domain Group
>         Comment   :
> marketing
>         SID       : S-1-5-21-1953726507-754737620-746616776-41011
>         Unix gid  : 20005
>         Unix group: marketing
>         Group type: Domain Group
>         Comment   :
> incprogs
>         SID       : S-1-5-21-1953726507-754737620-746616776-41013
>         Unix gid  : 20006
>         Unix group: incprogs
>         Group type: Domain Group
>         Comment   :
> products
>         SID       : S-1-5-21-1953726507-754737620-746616776-41015
>         Unix gid  : 20007
>         Unix group: products
>         Group type: Domain Group
>         Comment   :
> retail
>         SID       : S-1-5-21-1953726507-754737620-746616776-41019
>         Unix gid  : 20009
>         Unix group: retail
>         Group type: Domain Group
>         Comment   :
> training
>         SID       : S-1-5-21-1953726507-754737620-746616776-41021
>         Unix gid  : 20010
>         Unix group: training
>         Group type: Domain Group
>         Comment   :
> uas
>         SID       : S-1-5-21-1953726507-754737620-746616776-41023
>         Unix gid  : 20011
>         Unix group: uas
>         Group type: Domain Group
>         Comment   :
> services
>         SID       : S-1-5-21-1953726507-754737620-746616776-41025
>         Unix gid  : 20012
>         Unix group: services
>         Group type: Domain Group
>         Comment   :
> programmes
>         SID       : S-1-5-21-1953726507-754737620-746616776-41019
>         Unix gid  : 20008
>         Unix group: programmes
>         Group type: Domain Group
>         Comment   :
> --------------------------------------------------------------------
> ls -la /data/Shared/
> total 80
> drwxrwxr-x 15 root domusers    4096 2007-11-29 13:44 .
> drwx------  5 root domusers    4096 2007-07-09 16:33 ..
> drwxrwx--- 51 root accounts    4096 2007-06-07 13:17 accounts
> drwxrwx---  5 root domusers    4096 2007-06-08 11:52 email
> drwxrwx---  2 root domusers    4096 2007-07-16 15:56 everyone
> drwxrwx--- 43 root incprogs    4096 2007-06-07 14:26 incprogs
> drwxrwx--- 33 root it          4096 2007-07-25 13:24 it
> drwxrwx--- 97 root marketing  12288 2007-06-07 17:36 marketing
> drwxrwx---  7 root domusers    4096 2007-06-07 17:39 misc
> drwxrwx--- 33 root products   12288 2007-06-07 17:47 products
> drwxrwx--- 22 root programmes  4096 2007-06-08 09:48 programmes
> drwxrwx---  3 root retail      4096 2007-06-08 10:24 retail
> drwxrwx---  3 root services    4096 2007-06-08 11:38 services
> drwxrwx--- 14 root training    4096 2007-06-08 11:41 training
> drwxrwx--- 63 root uas         4096 2007-06-08 11:50 uas

----

1 - samba shares have nothing to do with LDAP at least nothing that you are
dealing with.
2 - you didn't show us your logon.bat file so we have no way of knowing what
you're doing there but generally, I would do something like this to ensure it
works...

    net use s: /delete
    net use s: \\SERVER_NAME\Shared

Also...be absolutely certain that you either edit logon.bat with Windows (i.e.
notepad.exe) or if you edit with Linux, run 'unix2dos logon.bat' to ensure DOS
line endings

3 - having shares like your 'Shared' with various groups where group membership
controls access like you are doing is a prescription for trouble. I would
probably do something like 'chmod g+s /data/Shared -R' to ensure the 'sticky
bit' for groups so that files/folders created in /data/Shared/services always
belong to the 'services' group (you might have to ensure that the group already
owns all the files in its subtree). Consider that user Bob who is a member of
say services but not account will not be able to enter that folder.

4 - Did you abbreviate the getent group command output? If so, it doesn't list
the groups in your net groupmap list which means that you haven't properly
configured ldap on your computer to use the groups from ldap. Likewise on
getent password. I can't tell if you abbreviated it or if it just plain isn't
configured properly.

It would help if you trimmed out unneeded stuff

Craig
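An added check for Craig's point 4, written for this page and not part of the thread: it parses `net groupmap list -l` output and reports mapped Unix groups that `getent group` does not resolve, plus any SID mapped to more than one Unix group (the posted list maps retail and programmes to the same SID). The sample text is constructed from values posted above; `GROUPMAP_SAMPLE`, `GETENT_SAMPLE` and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample in the shape of `net groupmap list -l`, values copied
# from the posted output (retail and programmes share one SID there).
GROUPMAP_SAMPLE='Domain Users
        SID       : S-1-5-21-1953726507-754737620-746616776-513
        Unix gid  : 20001
        Unix group: domusers
        Group type: Domain Group
        Comment   :
retail
        SID       : S-1-5-21-1953726507-754737620-746616776-41019
        Unix gid  : 20009
        Unix group: retail
        Group type: Domain Group
        Comment   :
programmes
        SID       : S-1-5-21-1953726507-754737620-746616776-41019
        Unix gid  : 20008
        Unix group: programmes
        Group type: Domain Group
        Comment   :'

# Constructed sample of `getent group`, as short as the one posted.
GETENT_SAMPLE='admins:*:20000:
domusers:*:20001:'

# Emit "unix_group SID" pairs from groupmap text on stdin.
groupmap_pairs() {
    awk '/^[ \t]*SID[ \t]*:/ { sid = $NF }
         /Unix group:/ { sub(/.*Unix group:[ \t]*/, ""); print $0, sid }'
}

# Mapped Unix groups that NSS (getent group text in $1) cannot resolve:
# Samba cannot honour "valid users = @group" through a name with no gid.
groups_missing_from_getent() {
    groupmap_pairs | while read -r grp sid; do
        printf '%s\n' "$1" | cut -d: -f1 | grep -qx -- "$grp" || printf '%s\n' "$grp"
    done
}

# Report any SID mapped to more than one Unix group (that mapping is broken).
duplicate_sids() {
    groupmap_pairs | awk '{ names[$2] = names[$2] " " $1; n[$2]++ }
                          END { for (s in n) if (n[s] > 1) print s ":" names[s] }'
}

# On the real server (not run here):
#   net groupmap list -l | groups_missing_from_getent "$(getent group)"
#   net groupmap list -l | duplicate_sids
```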
