Adrian Chow wrote:
Hi Igor,
Regarding the home mapping problem:- I changed my log to level 3. And I got the following log which I think is weird. (maybe the reason why it cannot map). The problem is :- Logging user_A with domain_A at Domain_A_computer gets home directory mapped but Logging user_B with domain_B at Domain_A_computers does not get home directory mapped.
This is the log from domain_A_pdc. The XP computer joins domain_A. I am logging in as user_B from domain_B where domain_B_pdc have mutual trust with domain_A_pdc.
The log file is /var/log/samba/xp_computer_name from domain_A_pdc. It is when I run "net use x: /home" or logon to the domain.
--------------------------------------------------------
[2004/11/04 17:20:05, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [grade2] -> [grade2] -> [UWCSTU\grade2] succeeded
[2004/11/04 17:20:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
NTLMSSP Sign/Seal - Initialising with flags:
[2004/11/04 17:20:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60088215
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(222)
User name: UWCSTU\grade2 Real name: Grade 2 User
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(241)
UNIX uid 10002 is UNIX user UWCSTU\grade2, and will be vuid 109
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(270)
Adding homes service for user 'UWCSTU\grade2' using home directory: '/home/UWCSTU/grade2'
[2004/11/04 17:20:05, 3] param/loadparm.c:lp_add_home(2341)
adding home's share [grade2] for user 'UWCSTU\grade2' at '/home/UWCSTU/grade2'
----------------------------------------------------------
Why is it adding homes services? domain_A_pdc should get domain_b_user info from domain_b_pdc (which it uses ldap to get the sambaHomeDrive and sambaHomePath). It is like when winbind successfully maps the user, it does not know the homepath or the homedrive.
As far as I understand - that's how Samba works with "builtin" shares - [homes] and [printers] - it creates the right shares on the fly. Funny thing - I have userA's home share getting created in both Domains, but since in DomainB this path does not exists - Nobody have access to this share. But H: is correctly mapped to the share specified as sambaHomePath. What I mean - these lines do not indicate an error - I have the sames lines but mapping works.
This is the result when I add winbind into nsswitch.conf. But if I don't (like your case)... I cannot even login as user_b for domain_b at the xp computer. It is because the user_b is not even found in the local database file. With winbind in nsswitch.conf, getent passwd and getent group will return the user and group in the trusted domain. And the shares will have problem with valid users = @"Domain_B\Domain Users". Igor, I really wonder how your scenario works...
Questions:-
1. Does your "getent passwd" and "getent group" show the trusted domain accounts?
I don't know how I did it work previously without winbind in nsswitch.conf but after cleaning everything and stating from the scratch I realized that I do need it there for accounts from trusted domains. In my both domains I have:
% grep winbind /etc/nsswitch.conf
passwd: ldap winbind files
group: ldap winbind files
Yes, both "getent passwd" and "getent group" shows me accounts and grooups from trusted domain as well.
2. Does your smb.conf for shares work if you want certain groups in the trusted domain to access it? Can you give an example of how to do it? (e.g valid users = ... )
With winbind in nsswitch.conf the full names work. I've tried 'valid users = @"DomainA\Domain Users"' for a share and it works - userA from this group has access to the share and userB - does not. You just need to make sure that UNIX permission on the share's path allows access for users on this group as well.
3. I have the proper sambaHomePath and sambaHomeDrive as yours. Is there any winbind settings you have in the smb.conf that cause it to work?
The only winbind related entries in smb.conf in both Domains are: % grep idmap /etc/samba/smb.conf ldap idmap suffix = ou=Idmap idmap backend = ldap:ldap://localhost idmap uid = 10000-20000 idmap gid = 10000-20000
4. Do you specify the "auth methods" in the smb.conf?
No, I don't - they are default to those for 'security = user': % testparm -sv |& grep "auth method" auth methods =
5. You have winbind running?
Yes, I do. And it works according to the entries appearing in LDAP.
6. Do you have pam_winbind in your pam.d directory files (e.g login, ssh...)?
No, I don't use pam_winbind (no winbind in any of the /etc/pam.d/* files). To be honest, I don't even know what it could be used for.
On related note - I did have problem with user login when I had 'obey pam restrictions = Yes' in smb.conf. It caused Samba to fail when it asks PAM to verify account of the user from the trusting domain.
Thats all the questions I can think of now.
Thanks for helping.
adrian
Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your "auth methods"?
Currently I removed the winbind from nsswitch.conf. And "smbclient //domain_B_PDC//shared -U domain_A/domain_A_user" does not work.
Have you tried "smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user"?
If I put winbind in the nsswitch.conf, then I will be able to authenticated but cannot connect to shared folder with the following error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
I would also guess that since "valid users" and "write list" accept only UNIX and NIS groups you will need to have winbind in your nsswitch.conf for @"Domain_A\Domain Users" to work...
Does Samba allows Domain_A\domain_a_user to access this share if you list the user without domain specification: "valid users = domain_a_user"?
The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
Client requested device type [?????] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
--------------
My smb.conf :-
[Shared] path = /shared valid users = @"Domain Users", @"Domain_A\Domain Users" write list = @"Domain Users", @"Domain_A\Domain Users" browsable = yes guest ok = no writeable =no
---------------
Do you have winbind in your nsswitch.conf?
No, I don't.
How did you managed to get the mapped home directory for domain_a_user when he log on to the joined_domain_B_computer?
Yes, I have XP computer joined domain_A and this domain has mutual trust with domain_B. I can login on this computer as user_a into domain_A and as user_b into domain_B and their corresponding home directories get correctly mapped into drive H:
dn: uid=user_a,ou=People,dc=domain_A,dc=org sambaHomeDrive: H: sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org sambaHomeDrive: H: sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgotten to cc to sambalists
Yes, I did. I apologize for delays - I work with Samba only in my spare time.
Igor
Igor Belyi wrote:
====== (Header) e-mail Filtrado ======
I would guess that it means that DomainA trust DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustom list' on both machines.
No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust domain into local space.
Adrian Chow wrote:
Hi Igor,
I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory.
1. What are the settings of your winbind?
I have the following winbind related entries in smb.conf: ldap idmap suffix = ou=Idmap idmap backend = ldap:ldap://localhost idmap uid = 10000-20000 idmap gid = 10000-20000
To see if winbind works you can also try to resolve a name into SID and SID into gid. For examle, if wbinfo -g returns you 'STAFF\wheel'. Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y <SID return in a previous command>
2. Do you use only "winbind" in your libnss_ldap or use "ldap" as well?In my /etc/nsswitch.conf I have only "ldap" without winbind. As far as I understand this, winbind usage via NSS can confuse Samba into thinking that those users and groups are defined locally and maybe allowing Samba to use winbind directly is a better approach for trust between domains.
I don't know why would you want to put winbind into libnss_ldap which is configuration for LDAP interface for NSS (when you use 'ldap' in /etc/nssswitch.conf file)
3. My winbind works with :-Do you mean that this error message was reported during "getent group" in DomainB? Because, without this error message I would assume that you have winbind written in /etc/nsswithc.conf on your DomainA server but not on your DomainB server.
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
"getent group" shows all the local groups and also the groups shown in "wbinfo -g"
(For DomainB)
"getent group" shows all the local groups and only the GUESTs group. Very weird. The rest of the groups in "wbinfo -g" does not come up.
The logs is something like this:-
-----------------------------------
nsswitch/winbindd_group.c:fill_grent_mem(133)
could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
could not lookup domain group STAFF\wheel
---------------------------------------
The error message means that Samba thinks that 'wheel' is a Domain group of the 'STAFF' domain and fails to find its mapping. I would expect this error to come up during login of a Domain user whose primary group is a local 'wheel' group instead of a Domain group. If this user is supposed to have 'wheel' as a primary group you probably forgot to create a groupmap from a Domain group for it.
Igor
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
