Dale,

I was hoping that there was someone out there who:
a) uses Samba integrated with Active Directory, and
b) successfully uses the Samba permissions to allow "domain admin" members access to the shares of "domain users" from XP workstations. To narrow the scope of the troubleshooting, I am looking for a known working smb.conf configuration that supports this. Then I can make sure my smb.conf uses a similar configuration and, if the problem persists, focus my troubleshooting on other areas.

To answer your questions...

Yes we've also tried adding permission for a group but that did not work either. With Samba log level set to 3, we have observed the following in the logfile:

[2010/02/10 21:35:09, 3] smbd/password.c:269(register_existing_vuid) register_existing_vuid: User name: DOMAIN\admin Real name: Admin, admin
[2010/02/10 21:35:09, 3] smbd/password.c:279(register_existing_vuid) register_existing_vuid: UNIX uid 10002 is UNIX user DOMAIN\admin, and will be vuid 101
[2010/02/10 21:35:09, 3] smbd/password.c:211(register_homes_share) Adding homes service for user 'DOMAIN\admin' using home directory: '/home/DOMAIN/admin'
[2010/02/10 21:35:09, 3] param/loadparm.c:6126(lp_add_home) adding home's share [socolofsky] for user 'DOMAIN\admin' at '/home/DOMAIN/admin'

The 'getent' does not report on users with Active Directory credentials, those are managed by perhaps winbindd, which is part of the integration with AD.
Yes the "admin" user has a uid, as you can see above.
Yes the admin user is in the group domain admins:
domain\ad...@server:/etc/samba$ id
uid=10002(DOMAIN\admin) gid=10020(DOMAIN\domain admins) groups=10017(DOMAIN\color printers),10018(DOMAIN\itdept),10019(DOMAIN\concordanceadmin),10020(DOMAIN\domain admins),10021(DOMAIN\everyone - DOMAIN),10022(DOMAIN\conference room resources),10087(DOMAIN\help desk),10089(DOMAIN\records management),10090(DOMAIN\public folder management)

Following are the remaining entries in the logfile (no attempt was made to connect to another share in this session).

[2010/02/10 21:35:09, 3] smbd/service.c:1047(make_connection_snum) __ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service IPC$ initially as user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:12, 3] smbd/msdfs.c:828(get_referred_path) get_referred_path: |admin| in dfs path \server\admin is not a dfs root.
[2010/02/10 21:35:12, 3] smbd/service.c:807(make_connection_snum) Connect path is '/home/DOMAIN/admin' for service [admin]
[2010/02/10 21:35:12, 1] smbd/service.c:1047(make_connection_snum) __ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service admin initially as user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:12, 3] smbd/sec_ctx.c:310(set_sec_ctx)
[2010/02/10 21:35:12, 3] smbd/reply.c:754(reply_tcon_and_X) tconX service=admin
[2010/02/10 21:35:15, 1] smbd/service.c:1047(make_connection_snum) __ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service public_rw initially as user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:20, 1] smbd/service.c:1226(close_cnum) __ffff_10.0.3.56 (::ffff:10.0.3.56) closed connection to service admin
[2010/02/10 21:35:20, 3] smbd/connection.c:31(yield_connection) Yielding connection to admin
[2010/02/10 21:35:22, 3] libads/authdata.c:302(decode_pac_data) Found account name from PAC: admin [admin, admin]
[2010/02/10 21:35:22, 3] smbd/sesssetup.c:348(reply_spnego_kerberos) Ticket name is [[email protected]]
[2010/02/10 21:35:22, 3] smbd/password.c:269(register_existing_vuid) register_existing_vuid: User name: DOMAIN\admin Real name: admin, admin
[2010/02/10 21:35:22, 3] smbd/password.c:279(register_existing_vuid) register_existing_vuid: UNIX uid 10002 is UNIX user DOMAIN\admin, and will be vuid 107
[2010/02/10 21:35:22, 3] smbd/password.c:211(register_homes_share) Adding homes service for user 'DOMAIN\admin' using home directory: '/home/DOMAIN/admin'
[2010/02/10 21:35:22, 3] param/loadparm.c:6126(lp_add_home) adding home's share [admin] for user 'DOMAIN\admin' at '/home/DOMAIN/admin'
[2010/02/10 21:35:22, 3] smbd/service.c:807(make_connection_snum) Connect path is '/home/DOMAIN/admin' for service [admin]
[2010/02/10 21:35:22, 1] smbd/service.c:1047(make_connection_snum) __ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service admin initially as user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:33, 1] smbd/service.c:1226(close_cnum) __ffff_10.0.3.56 (::ffff:10.0.3.56) closed connection to service admin

Thanks,
Eric Peterson

----- Original Message ----- From: "Dale Schroeder" <[email protected]>
To: "Eric Peterson" <[email protected]>
Sent: Wednesday, February 10, 2010 1:53 PM
Subject: Re: [Samba] Having problem with "valid users" in Active Directory/Samba environment


Eric,

The log results look like Samba is unfamiliar with the user "admin".
Do "getent passwd" and "getent group" return the expected results?
Does the user "admin" appear in the "getent passwd" listing (with a uid
in the 10000-20000 range)?
Does the user "admin" appear as a member of "Domain Admins" in the
"getent group" listing?

If all the above are yes, consider trying the following:
In [homes], change each instance of DOMAIN\admin to @"DOMAIN\Domain
Admins" to see if other domain admins (such as the default
"administrator") can access the home shares.

This should give you a place to start troubleshooting.

Dale

On 02/09/2010 10:45 PM, Eric Peterson wrote:
We have a Ubuntu/Samba setup to serve Windows-XP users using Active Directory credentials. The application is a backup service using rsync from their workstations to the server.
Ubuntu: 9.10, Samba: 3.4.0.
The backups work fine, and individual users logged onto XP with AD credentials can see the contents of their shares on the server. However, we have been unable to configure Samba to allow specified users (domain admins) access to Samba shares, which is needed for administration of the shares.

The "valid user" and "admin user" constructs are not working in our environment. When smb.conf is configured with these constructs (see testparm output below), which should allow access, instead we get an error message on the XP side and the following messages in /var/log/samba: (in the example, trying to access the share \\<server>\wirt)

[2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
[2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file) process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such file or directory
[2010/02/08 21:31:21, 0] smbd/service.c:1188(make_connection) __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt

The error in XP says: "Windows cannot find '\\<server>\wirt'. Check the spelling and try again...."

Is there something wrong with the smb.conf settings, or something else that needs to be done to allow domain admins access to user shares?
Could something with the pam or winbind settings explain this behavior?

One clue is that when we cranked the log level to 3, the log messages indicated that the Samba connection was being made to a UNIX user DOMAIN\lfvr3tk1$ rather than DOMAIN\admin as would be expected. The name of the admin's XP computer is "lfvr3tk1". The logfile is quite large so I did not include it here.

What's going on????

Thanks,
Eric Peterson


======output from testparm=========

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[public]"
Processing section "[public_rw]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
         workgroup = DOMAIN
         realm = DOMAIN.COM
         server string = %h server (Samba, Ubuntu)
         security = ADS
         map to guest = Bad User
         obey pam restrictions = Yes
         pam password change = Yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         unix password sync = Yes
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         dns proxy = No
         usershare allow guests = Yes
         panic action = /usr/share/samba/panic-action %d
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         template shell = /bin/bash

[homes]
         comment = Home Directories
         valid users = DOMAIN\%S, DOMAIN\admin
         admin users = DOMAIN\admin

[printers]
         comment = All Printers
         path = /var/spool/samba
         create mask = 0700
         printable = Yes
         browseable = No
         browsable = No

[print$]
         comment = Printer Drivers
         path = /var/lib/samba/printers

[public]
         path = /export/public
         guest ok = Yes

[public_rw]
         path = /export/public_rw
         read only = No
         guest ok = Yes
