Not sure whether importing all the users and groups into your /etc/passwd and /etc/group files, respectively, would fix your problem.
On 29/03/2011, at 11:39 PM, Werner Durgarten wrote:
> Similar Problem here: Since Upgrading to Sernet Samba 3.5.8 logging in
> without typing in the default domain does not work any more.
>
>
> -------- Original Message --------
>> Date: Mon, 28 Mar 2011 16:34:19 +1300
>> From: Marco Huang <[email protected]>
>> To: [email protected]
>> Subject: [Samba] winbind is not taking default domain
>
>> Hi,
>>
>> We have been running samba file server about 2 years without this problem.
>> The problem appeared at the same time on our debian and centos servers.
>> Not sure if it's related to any updates on our windows AD servers.
>>
>> Debian Squeeze
>> sernet-samba-3.5.8-27
>>
>> Centos 5.5
>> samba3-3.5.5-43.el5
>>
>> Use Active Directory for user login authentication
>> Use uid/gid from ldap
>> The reason we still want winbind is for managing permissions from client
>> end.
>>
>> Since last week, users failed on login with "valid users = @staff" until I
>> stopped winbind. I found if I change to valid users = @"ABC\staff", users
>> can login, however the change can not resolve the problem of ACLs on the
>> folders/files. Of course, if I stop winbind, works ok - user can login, and
>> following the current permissions, but we do need winbind for managing
>> permissions from client end.
>>
>> # smb.conf
>>
>> [global]
>> realm = ad.mydomain
>> workgroup = ABC
>> server string = %h server
>> enable privileges = yes
>> dns proxy = no
>> netbios name = linfiles
>> smb ports = 139 445
>>
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> log file = /var/log/samba/%U.log
>> log level = 10 winbind:10
>> debug timestamp = yes
>> max log size = 1000
>> syslog only = no
>> syslog = 2
>> panic action = /usr/share/samba/panic-action %d
>>
>> security = ADS
>> encrypt passwords = true
>> obey pam restrictions = no
>> invalid users = root
>>
>> unix extensions = no
>>
>> idmap backend = nss
>> idmap config ABC : default = yes
>> idmap config ABC : backend = nss
>> idmap alloc backend = nss
>> idmap cache time = 30
>> allow trusted domains = no
>>
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
>> SO_RCVBUF=65536 SO_SNDBUF=65536
>> locking = yes
>> strict locking = no
>> posix locking = yes
>> kernel oplocks = no
>> oplocks = yes
>> level2 oplocks = yes
>>
>> winbind trusted domains only = yes
>> winbind use default domain = yes
>> winbind enum users = no
>> winbind enum groups = no
>> winbind cache time = 3600
>>
>> acl compatibility = auto
>>
>> [sit]
>> comment = Shares
>> browseable = yes
>> writable = yes
>> create mask = 0770
>> directory mask = 0770
>> acl group control = yes
>> acl check permissions = True
>> nt acl support = yes
>> force directory security mode = 770
>> inherit permissions = yes
>> inherit acls = yes
>> inherit owner = no
>> map acl inherit = yes
>> path = /mnt/sit
>> valid users = @staff
>>
>> # /etc/nsswitch.conf
>> passwd: files ldap
>> shadow: files
>> group: files ldap
>>
>> # getent group staff returns group members with testuser.
>>
>> # wbinfo --own-domain
>> ABC
>>
>> # Here are some logs from debug mode, winbind just trying to lookup domain
>> LINFILES and Unix Group rather than ABC.
>>
>> [2011/03/25 12:43:50.645636, 3] lib/util_sid.c:228(string_to_sid)
>>   string_to_sid: Sid @staff does not start with 'S-'.
>> [2011/03/25 12:43:50.645683, 5] smbd/password.c:423(user_in_netgroup)
>>   Unable to get default yp domain, let's try without specifying it
>> [2011/03/25 12:43:50.645694, 5] smbd/password.c:430(user_in_netgroup)
>>   looking for user testuser of domain (ANY) in netgroup staff
>> [2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
>>   lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
>> [2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
>>   lookup_name: flags = 0x077
>> [2011/03/25 12:43:50.645753, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2011/03/25 12:43:50.645764, 3] smbd/uid.c:429(push_conn_ctx)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2011/03/25 12:43:50.645773, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2011/03/25 12:43:50.645783, 5] auth/token_util.c:525(debug_nt_user_token)
>>   NT user token: (NULL)
>> [2011/03/25 12:43:50.645792, 5] auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2011/03/25 12:43:50.645825, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
>>   lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
>> [2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
>>   lookup_name: flags = 0x077
>> [2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
>>   User testuser not in 'valid users'
>> [2011/03/25 12:43:50.647820, 2] smbd/service.c:598(create_connection_server_info)
>>   user 'testuser' (from session setup) not permitted to access this share
>>   (sit)
>> [2011/03/25 12:43:50.647832, 1] smbd/service.c:678(make_connection_snum)
>>   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
>> [2011/03/25 12:43:50.647882, 3] smbd/error.c:80(error_packet_set)
>>   error packet at smbd/reply.c(795) cmd=117 (SMBtconX)
>>   NT_STATUS_ACCESS_DENIED
>>
>>
>> cheers
>> --
>> Marco
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
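
An added example, not part of the original thread: a small Python parser for the smbd debug lines quoted above that reports, for each denied share connection, which domains a name was looked up in, so it is visible that `staff` was tried under `LINFILES` and `Unix Group` but never under `ABC`. The function names and the embedded sample (an excerpt of the quoted log) are assumptions made for illustration.

```python
import re

# smbd log level 10 lines excerpted from the thread above (header line + body line).
SAMPLE_LOG = r"""
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
  User testuser not in 'valid users'
[2011/03/25 12:43:50.647820, 2] smbd/service.c:598(create_connection_server_info)
  user 'testuser' (from session setup) not permitted to access this share
  (sit)
"""

# "lookup_name: DOMAIN\name => DOMAIN (domain), name (name)"; the flags line has no "=>".
LOOKUP_RE = re.compile(r"lookup_name:\s+.+?=>\s+(.+?) \(domain\), (.+?) \(name\)")
# The share name may wrap onto the next line, hence \s+ before it.
DENIED_RE = re.compile(
    r"user '([^']+)' \(from session setup\) not permitted to access this share\s+\(([^)]+)\)"
)

def domains_tried(log_text):
    """Map each looked-up name to the domains smbd resolved it against, in order."""
    tried = {}
    for domain, name in LOOKUP_RE.findall(log_text):
        seen = tried.setdefault(name, [])
        if domain not in seen:
            seen.append(domain)
    return tried

def diagnose(log_text, expected_domain):
    """For each denied connection, list names never looked up in expected_domain."""
    tried = domains_tried(log_text)
    missed = {
        name: doms for name, doms in tried.items()
        if expected_domain.upper() not in (d.upper() for d in doms)
    }
    return [
        {"user": user, "share": share, "not_tried_in_expected_domain": missed}
        for user, share in DENIED_RE.findall(log_text)
    ]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "ABC"):
        print(finding)
```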
