Yang Xiao wrote:
On Tue, 31 Aug 2004 08:17:56 -0400, Michael Cesar <[EMAIL PROTECTED]> wrote:
Thanks Yang, for the tip on groupmap. As for the nsswitch.conf file... are you suggesting I add the 'network' and 'netgroup' keywords? The following, according to the how-to, are the only services mapped to winbind...
Yang Xiao wrote:
On Fri, 27 Aug 2004 15:17:35 -0400, Michael Cesar <[EMAIL PROTECTED]> wrote:
I hope this is the right place to post this.
I am running SuSe 8.2 Linux on an IBM 1 gig processor at work. I installed samba 3.0.5 on it and followed the instructions in the online book "Samba-3 by Example" for chapter 9 "Active Directory Domain with Samba Domain Member Server <http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm>" to the tee (of course it is for 3.0.2) and have everything working except for W2K pc cannot authenticate? Oh yeah, I also went through the steps in the troubleshooting guide but couldn't get the step "net use x: \\mysamba\web" to add.
I can 'net view \\mysamba' just fine and sambaclient -L mysamba.xxx.com/mydomainloginname ok using my ADS password. I can see mysamba in the Network Neighborhood. But I just can't get access to the share from my PC. Oh yea, and I am using encrypted passwords = yes.
I assume I must have missed something somewhere but for the life of me I can't see it. Anybody have any ideas?
Michael Cesar
***** my smb.conf file contents: ******
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/08/27 14:25:35

# Global parameters
[global]
        workgroup = MBTMASTER
        realm = MBTMASTER.COM
        netbios name = SAMBA_TEST
        security = ADS
        map to guest = Bad User
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        time server = Yes
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        os level = 2
        ldap ssl = no
        preload = global
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template primary group =
        template shell = /bin/bash
        winbind separator = +
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0640
        directory mask = 0750
        browseable = No

[printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin, root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[web]
        comment = Test Web Root
        path = /srv/www/htdocs
        valid users = michael.cesar, @Administrtors
        admin users = michael.cesar
        read only = No
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Hi, is your winbind running? Did you configure Kerberos correctly? Try adding log level = 2 in the smb.conf and see if you can catch anything in the logs.
Yang
Winbind appears to be running fine. My share definition for 'web' contains 'valid users' of 'michael.cesar' (my domain login) and '@Administrators' (the domain group I belong to). I set the log level to 2 and am getting the following below. I don't understand why...
1) Why is winbind trying to create a user in the first place? I want it to validate an existing one.
2) When winbind fails to create the user it doesn't know the group Administrators and gives the error "cannot validate gid for group()"?
3) Why is it trying to validate 'mcesar' (a local login account not listed in any config file for samba etc)? and not michael.cesar (my domain login). (I am using the command line "net use" so the apache logins my browser knows should not come into play - one would think)
Michael Cesar
[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/interface.c:add_interface(79)
  added interface ip=10.0.10.29 bcast=10.0.255.255 nmask=255.255.0.0
[2004/08/31 07:50:02, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/08/31 07:50:02, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain MBTMASTER MBTMASTER.COM S-0-0
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:50:02, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
  krb5_cc_get_principal failed (No such file or directory)
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN S-1-5-32
[2004/08/31 07:50:02, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain SAMBA_TEST S-1-5-21-289385821-3664457749-2860223883
[2004/08/31 07:50:02, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:51:44, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904)
  winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/08/31 07:55:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(535)
  Doing kerberos session setup
[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'mcesar' does not exist
Sounds like you have not mapped the user groups, you need to use "net groupmap" which allows you to map NT user groups to Linux user groups, both have to be valid existing groups. Do a "net groupmap list" and you will see.
What is missing from the how-to is user group mapping. Make sure your /etc/nsswitch.conf file uses winbind for user name resolution.
Yang
passwd: compat winbind
group: compat winbind
Michael Cesar
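Added example (not part of the original thread and not Samba project code): a short Python script that parses winbindd log entries in the format posted above, tallies the two failures discussed (failed user lookups and the empty-group gid error), and reports which sources nsswitch.conf lists for a database. The function names are illustrative; the sample input is copied from the messages above.

```python
import re
from collections import Counter

# Samba log entry header: "[date time, level] source_file:function(line)"
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")

# Four entries copied from the winbindd log quoted in the thread.
SAMPLE_LOG = """\
[2004/08/31 07:51:44, 2] nsswitch/winbindd_acct.c:winbindd_create_user(904) winbindd_create_user: Cannot validate gid for group ()
[2004/08/31 07:54:06, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032) user 'mcesar' does not exist
[2004/08/31 07:54:14, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032) user 'root' does not exist
[2004/08/31 07:55:37, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032) user 'mcesar' does not exist
"""
# nsswitch.conf lines quoted in the thread.
SAMPLE_NSS = "passwd: compat winbind\ngroup: compat winbind\n"

def parse_samba_log(text):
    """Return (timestamp, level, function, message) for every entry."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        # The message runs up to the next header, on this line or the next.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        message = " ".join(text[m.end():end].split())
        entries.append((m.group(1), int(m.group(2)), m.group(4), message))
    return entries

def summarize_winbind_failures(entries):
    """Count failed user lookups per name and empty-group gid failures."""
    missing_users, empty_group = Counter(), 0
    for _, _, func, message in entries:
        user = re.search(r"user '([^']+)' does not exist", message)
        if func == "winbindd_getgroups" and user:
            missing_users[user.group(1)] += 1
        elif "Cannot validate gid for group ()" in message:
            empty_group += 1
    return missing_users, empty_group

def nss_sources(nsswitch_text, database):
    """Return the lookup sources listed for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

if __name__ == "__main__":
    users, empty = summarize_winbind_failures(parse_samba_log(SAMPLE_LOG))
    print(dict(users), empty, nss_sources(SAMPLE_NSS, "passwd"))
```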
