Re: [Samba] Can't login from Windows PC to Samba using ADS?

[Michael Cesar]

Yang Xiao wrote:
On Fri, 27 Aug 2004 15:17:35 -0400, Michael Cesar <[EMAIL PROTECTED]> wrote:
 

I hope this is the right place to post this.
I am running SuSe 8.2 Linux on an IBM 1 gig processor at work. I
installed samba 3.0.5 on it and followed the instructions in the online
book "Samba-3 by Example" for chapter 9 "Active Directory Domain with
Samba Domain Member Server
<http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm>"
to the tee (of course it is for 3.0.2) and have every thing working
except for W2K pc cannot authenticate? Oh yeah, I also went the steps in
the troubleshooting guide but couldn't get the step "net use x:
\\mysamba\web" to add.
I can 'net view \\mysamba' just fine and sambaclient -L
mysamba.xxx.com/mydomainloginname ok using my ADS password.
I can see mysamba in the Network Neighborhood.
But I just can't get access to the share from my PC. Oh yea, and I am
using encrypted passwords = yes.
I assume I must have missed something somewhere but for the life of me I
can' t see it. Anybody have any ideas?
Michael Cesar
***** my smb.conf file contents: ******
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/08/27 14:25:35
# Global parameters
[global]
  workgroup = MBTMASTER
  realm = MBTMASTER.COM
  netbios name = SAMBA_TEST
  security = ADS
  map to guest = Bad User
  log level = 1
  syslog = 0
  log file = /var/log/samba/%m
  time server = Yes
  socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
  os level = 2
  ldap ssl = no
  preload = global
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  template primary group =
  template shell = /bin/bash
  winbind separator = +
  veto files = /*.eml/*.nws/riched20.dll/*.{*}/
[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  create mask = 0640
  directory mask = 0750
  browseable = No
[printers]
  comment = All Printers
  path = /var/tmp
  create mask = 0600
  printable = Yes
  browseable = No
[print$]
  comment = Printer Drivers
  path = /var/lib/samba/drivers
  write list = @ntadmin, root
  force group = ntadmin
  create mask = 0664
  directory mask = 0775
[web]
  comment = Test Web Root
  path = /srv/www/htdocs
  valid users = michael.cesar, @Administrtors
  admin users = michael.cesar
  read only = No
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
   

Hi,
Is your winbind running? did you configure Kerboros correctly? try add
log level = 2 in the smb.conf and see if you can catch anything in the logs.
Yang
 

Winbind appears to be running fine. My share definition for 'web' 
contains 'valid users' of 'michael.cesar' (my domain login) and 
'@Administrators' ( the domain group I belong to).  I set the log level 
to 2 and am getting the following below. I don't understand why...
1) Why is winbind trying to create a user in the first place? I want it 
to validate an existing one.
2) When winbind fails to create the user it doesn't know the group 
Administrators and gives the error "cannot validate gid for group()"?
3) Why it is trying to validate 'mcesar' (a local login account not 
listed in any config file for samba etc)? and not michael.cesar (my 
domain login). I am using the command line "net use" so the apache 
logins my browser knows should not come into play - one would think)

Michael Cesar
[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
 added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
 added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
 Registered MSG_REQ_POOL_USAGE
[2004/08/31 07:50:02, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
 Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
 Added domain MBTMASTER MBTMASTER.COM S-0-0
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
 Doing kerberos session setup
[2004/08/31 07:50:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
 krb5_cc_get_principal failed (No such file or directory)
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
 Doing kerberos session setup
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
 Added domain BUILTIN  S-1-5-32
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
 Added domain SAMBA_TEST  S-1-5-21-289385821-3664457749-2860223883
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
 Doing kerberos session setup
[2004/08/31 07:51:44, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
 Doing kerberos session setup
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
 winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
 winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
 winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
 user 'mcesar' does not exist
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
 user 'mcesar' does not exist
[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
 user 'root' does not exist
[2004/08/31 07:55:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
 Doing kerberos session setup
[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
 user 'mcesar' does not exist
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba