Similar problem here: since upgrading to Sernet Samba 3.5.8, logging in without typing in the default domain does not work any more.

-------- Original Message --------
> Date: Mon, 28 Mar 2011 16:34:19 +1300
> From: Marco Huang <[email protected]>
> To: [email protected]
> Subject: [Samba] winbind is not taking default domain
> Hi,
>
> We have been running samba file server about 2 years without this problem.
> The problem appeared at the same time on our debian and centos servers.
> Not sure if it's related to any updates on our windows AD servers.
>
> Debian Squeeze
> sernet-samba-3.5.8-27
>
> Centos 5.5
> samba3-3.5.5-43.el5
>
> Use Active Directory for user login authentication
> Use uid/gid from ldap
> The reason we still want winbind is for managing permissions from client
> end.
>
> Since last week, users failed on login with "valid users = @staff" until I
> stopped winbind. I found if I change to valid users = @"ABC\staff", users
> can login, however the change can not resolve the problem of ACLs on the
> folders/files. Of course, if I stop winbind, works ok - user can login, and
> following the current permissions, but we do need winbind for managing
> permissions from client end.
>
> # smb.conf
>
> [global]
> realm = ad.mydomain
> workgroup = ABC
> server string = %h server
> enable privileges = yes
> dns proxy = no
> netbios name = linfiles
> smb ports = 139 445
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> log file = /var/log/samba/%U.log
> log level = 10 winbind:10
> debug timestamp = yes
> max log size = 1000
> syslog only = no
> syslog = 2
> panic action = /usr/share/samba/panic-action %d
>
> security = ADS
> encrypt passwords = true
> obey pam restrictions = no
> invalid users = root
>
> unix extensions = no
>
> idmap backend = nss
> idmap config ABC : default = yes
> idmap config ABC : backend = nss
> idmap alloc backend = nss
> idmap cache time = 30
> allow trusted domains = no
>
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
> locking = yes
> strict locking = no
> posix locking = yes
> kernel oplocks = no
> oplocks = yes
> level2 oplocks = yes
>
> winbind trusted domains only = yes
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> winbind cache time = 3600
>
> acl compatibility = auto
>
> [sit]
> comment = Shares
> browseable = yes
> writable = yes
> create mask = 0770
> directory mask = 0770
> acl group control = yes
> acl check permissions = True
> nt acl support = yes
> force directory security mode = 770
> inherit permissions = yes
> inherit acls = yes
> inherit owner = no
> map acl inherit = yes
> path = /mnt/sit
> valid users = @staff
>
> # /etc/nsswitch.conf
> passwd: files ldap
> shadow: files
> group: files ldap
>
> # getent group staff returns group members with testuser.
>
> # wbinfo --own-domain
> ABC
>
> # Here are some logs from debug mode, winbind just trying to lookup domain
> LINFILES and Unix Group rather than ABC.
>
> [2011/03/25 12:43:50.645636, 3] lib/util_sid.c:228(string_to_sid)
>   string_to_sid: Sid @staff does not start with 'S-'.
> [2011/03/25 12:43:50.645683, 5] smbd/password.c:423(user_in_netgroup)
>   Unable to get default yp domain, let's try without specifying it
> [2011/03/25 12:43:50.645694, 5] smbd/password.c:430(user_in_netgroup)
>   looking for user testuser of domain (ANY) in netgroup staff
> [2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
>   lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
> [2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
>   lookup_name: flags = 0x077
> [2011/03/25 12:43:50.645753, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2011/03/25 12:43:50.645764, 3] smbd/uid.c:429(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2011/03/25 12:43:50.645773, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2011/03/25 12:43:50.645783, 5] auth/token_util.c:525(debug_nt_user_token)
>   NT user token: (NULL)
> [2011/03/25 12:43:50.645792, 5] auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2011/03/25 12:43:50.645825, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
>   lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
> [2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
>   lookup_name: flags = 0x077
> [2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
>   User testuser not in 'valid users'
> [2011/03/25 12:43:50.647820, 2] smbd/service.c:598(create_connection_server_info)
>   user 'testuser' (from session setup) not permitted to access this share (sit)
> [2011/03/25 12:43:50.647832, 1] smbd/service.c:678(make_connection_snum)
>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> [2011/03/25 12:43:50.647882, 3] smbd/error.c:80(error_packet_set)
>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
>   NT_STATUS_ACCESS_DENIED
>
>
> cheers
> --
> Marco
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
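
A triage helper for the debug log quoted above, as an added example that is not part of either post: it collects the domains smbd tried in lookup_name before each share denial and flags whether the configured workgroup (ABC in the posted smb.conf) was among them. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the smbd "log level = 10" format quoted in the post.
SAMPLE_LOG = r"""[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
  User testuser not in 'valid users'
[2011/03/25 12:43:50.647820, 2] smbd/service.c:598(create_connection_server_info)
  user 'testuser' (from session setup) not permitted to access this share (sit)
"""

HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} [\d:.]+,\s*\d+\]")
LOOKUP = re.compile(r"lookup_name: .+? => (?P<domain>.+?) \(domain\), (?P<name>.+?) \(name\)")
DENIED = re.compile(r"user '(?P<user>[^']+)' .*?not permitted to access this share "
                    r"\((?P<share>[^)]+)\)")

def entries(log_text):
    """Yield one string per log entry, joining wrapped or mail-quoted lines."""
    body = None
    for raw in log_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop "> " quote prefixes
        m = HEADER.match(line)
        if m:
            if body is not None:
                yield " ".join(body)
            body = [line[m.end():].strip()]
        elif body is not None and line:
            body.append(line)
    if body is not None:
        yield " ".join(body)

def analyze(log_text, workgroup):
    """Report each share denial with the domains tried for the group lookup."""
    tried, denials = [], []
    for msg in entries(log_text):
        if (m := LOOKUP.search(msg)):
            tried.append(m["domain"])
        elif (m := DENIED.search(msg)):
            denials.append({"user": m["user"], "share": m["share"],
                            "domains_tried": tried,
                            "workgroup_tried": workgroup in tried})
            tried = []  # start collecting for the next connection attempt
    return denials

if __name__ == "__main__":
    for d in analyze(SAMPLE_LOG, "ABC"):
        print(d)
```

A denial with `workgroup_tried` set to False matches the symptom described in the post: the group in `valid users` was resolved only against the local machine name and the Unix Group domain.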
