So no one has any guesses on this? I've found nothing new, so any help at all would be appreciated...

-Alex

Alex McKenzie wrote:
> Greetings,
>
> While I've seen this referred to a lot of places, I haven't yet found
> a posted solution that works for me. Testing has been done from a Mac
> running OSX 10.5.8. Here's what I have so far: if anyone can give me a
> next step to test, I'd appreciate it. If anyone can give me a complete
> solution, I'd appreciate it even more. 8-)
>
> 1) An LDAP server "mv", running Ubuntu 8.04 LTS. Samba is not installed.
>
> 2) A group file server "sl1", running Ubuntu 8.04 LTS. LDAP is not
> installed.
>
> 3) Users can successfully authenticate to sl1 against LDAP when
> connecting via SSH. If their user directory exists (they have logged in
> via ssh) they can connect to their home directory through samba by
> connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
> network), so I know samba is successfully connecting to the LDAP server.
> Traffic between the file server and the LDAP server is encrypted, as
> confirmed with tcpdump.
>
> 4) When attempting to access a group share, the connection is refused,
> and the following shows up in the samba logs: the share has users
> amckenzie and suzanne.
>
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User spalmer with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
> [2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
>   User amckenzie with invalid SID
> S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
>
> 5) All connections, successful or not, cause the following messages in
> the samba logs on sl1:
>
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
>   create_builtin_administrators: Failed to create Administrators
> [2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
>   create_builtin_users: Failed to create Users
> [2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
>   Share 'IPC$' has wide links and unix extensions enabled.
>   These
> parameters are incompatible. Wide links will be disabled for this share.
>
> 6) On sl1, net getdomainsid returns the following:
>
> SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
> SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
>
> 7) Users have both user and group SIDs in the form
> "S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
> generated according to the rules the smbldap tools use.
>
> 8) testparm on sl1 returns the following:
>
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[itadmins]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = CHEMBMB
> server string = %h server (Samba, Ubuntu)
> map to guest = Bad User
> obey pam restrictions = Yes
> passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> syslog = 255
> log file = /var/log/samba/log.%m
> max log size = 1000
> dns proxy = No
> ldap admin dn = cn=admin,dc=cns
> ldap group suffix = ou=Chemistry groups
> ldap suffix = ou=Chemistry,dc=cns
> ldap ssl = no
> ldap user suffix = ou=Chemistry users
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
> invalid users = root
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [itadmins]
> comment = Shared directory for the IT group
> path = /home/itadmins
> valid users = spalmer, amckenzie
> read only = No
> create mask = 0665
> directory mask = 0775
>
> Any advice would be appreciated -- I'm well beyond my understanding of
> samba at the moment, and my understanding of samba is well beyond what
> it was 48 hours ago. At the moment neither server is mission critical,
> so tests that take them temporarily off-line are possible. By early
> next week things will be authenticating against the LDAP server (we've
> got no choice -- the old LDAP server is failing fast), so I won't be
> able to take it down for testing.
>
> Thanks in advance,
> Alex McKenzie
> [email protected]
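
A small diagnostic helper for the data in this post, added here as an example and not part of the original message: it reads the "invalid SID" log entries from item 4 and the net getdomainsid output from item 6, and reports which domain SID each flagged user SID falls under. The function names are hypothetical, and the sample input is copied from the post.

```python
import re

# Sample input copied from the message above: the "invalid SID" log entries
# (with their wrapped continuation lines) and the `net getdomainsid` output.
SAMPLE_LOG = """\
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User spalmer with invalid SID
 S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
  User amckenzie with invalid SID
 S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb
"""
SAMPLE_DOMAINSID = """\
SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981
"""

DOMAIN_RE = re.compile(r"SID for domain (\S+) is:\s+(S-1(?:-\d+)+)")
# \s+ lets the SID sit on a wrapped continuation line, as in the quoted log.
INVALID_RE = re.compile(r"User (\S+) with invalid SID\s+(S-1(?:-\d+)+) in passdb")


def parse_domain_sids(text):
    """Map domain SID -> domain name from `net getdomainsid` output."""
    return {sid: name for name, sid in DOMAIN_RE.findall(text)}


def classify_invalid_sids(log_text, domainsid_text):
    """For each flagged user, split the SID into its domain part and RID and
    name the known domain (or None) that the domain part belongs to."""
    domains = parse_domain_sids(domainsid_text)
    report = []
    for user, sid in INVALID_RE.findall(log_text):
        domain_part, _, rid = sid.rpartition("-")
        report.append({"user": user, "rid": int(rid),
                       "domain_sid": domain_part,
                       "domain": domains.get(domain_part)})
    return report


if __name__ == "__main__":
    for row in classify_invalid_sids(SAMPLE_LOG, SAMPLE_DOMAINSID):
        print("{user}: RID {rid} under {domain_sid} ({domain})".format(**row))
```
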
