[Samba] Winbind and groups
Hello Friendly Samba People,

I have a working samba install that allows my AD users access to files on my linux box. The linux box is configured via Winbind as a domain member and uses Winbind as the local NSS. I can successfully resolve both users and groups from the AD. Users are currently able to access the samba shares without trouble. I am running into trouble when trying to use groups defined in the AD as valid users or ACLs on the linux box.

Smb.conf:

    [global]
        security = ADS
        realm = CORP.CALLGLOBALCOM.COM
        workgroup = CORP
        log file = /var/log/samba/%m
        log level = 2
        #winbind / AD stuff
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind expand groups = 2
        winbind nss info = rfc2307
        winbind nested groups = Yes
        idmap uid range = 1000 - 3000
        idmap gid range = 100 - 3000
        idmap domains = CORP
        idmap config CORP:backend = ad
        idmap config CORP:default = yes
        idmap config CORP:readonly = yes

    [homes]

    [sysadmins]
        path = /tmp
        writeable = yes
        comment = Globalcom Sysadmins share
        valid users = @gc_sysadmins
        create mask = 0775
        directory mask = 0775

    # getent group gc_sysadmins
    gc_sysadmins:*:10001:bvaughan
    # getent passwd bvaughan
    bvaughan:*:1812:100:Ben Vaughan, IT Systems Overlord:/home/bvaughan:/bin/bash

When trying to access the [sysadmins] share defined as above, samba logging says this:

    user 'CORP\bvaughan' (from session setup) not permitted to access this share (sysadmins)

I see the disconnect, the CORP\bvaughan that samba sees here, vs the bvaughan seen in the group entry. Is there a way to make these two come together so the valid users= line works?

I am running samba version 3.0.25b-1.el5_1.4 as provided by RedHat. Any help would be appreciated.

Ben

Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] Winbind and groups
And the correct answer is... Using a valid users line that looks like this:

    valid users = +DOMAIN\group

Many thanks to irda on the #samba IRC channel.

Ben

Ben Vaughan
Globalcom IT Infrastructure Support Team
[EMAIL PROTECTED]
312 673 4116

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Vaughan
Sent: Tuesday, December 11, 2007 10:30 AM
To: samba@lists.samba.org
Subject: [Samba] Winbind and groups
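The prefix rules behind the reply's "+DOMAIN\group" form, as an added worked example that is not part of either post and not Samba's own code: a small Python model of the "valid users" matching documented in smb.conf(5) ("@name" = NIS netgroup or UNIX group, "+name" = UNIX group only, "&name" = NIS netgroup only, a bare name = a user, optionally written DOMAIN\user), run over a constructed smb.conf and constructed getent-style passwd/group data. The domain name CORP, the gc_sysadmins group and the "winbind use default domain = Yes" handling follow the original post; the second share, the "oncall" netgroup, the user jdoe and all helper names are assumptions for illustration. Whatever name canonicalisation inside Samba 3.0.25b made the post's "@gc_sysadmins" form fail is not modelled.

```python
"""Added example (not Samba's code): evaluate `valid users` entries with the
prefix rules documented in smb.conf(5) over constructed smb.conf and
getent-style data.  The name canonicalisation inside Samba 3.0.25b that made
the post's `@gc_sysadmins` fail is NOT modelled."""
import re

DOMAIN = "CORP"  # workgroup from the post's smb.conf

# Constructed `getent passwd` / `getent group` output.
PASSWD = """\
bvaughan:*:1812:100:Ben Vaughan:/home/bvaughan:/bin/bash
jdoe:*:1813:100:J Doe (assumed account):/home/jdoe:/bin/bash
"""
GROUPS = """\
gc_sysadmins:*:10001:bvaughan
domain users:*:100:
"""
NETGROUPS = {"oncall": {"jdoe"}}  # assumed NIS netgroup table

# Constructed smb.conf: the working `+DOMAIN\group` form from the reply plus
# an assumed share that mixes a netgroup and an explicit user.
SMB_CONF = r"""
[global]
    workgroup = CORP
    winbind use default domain = Yes
[sysadmins]
    path = /tmp
    valid users = +CORP\gc_sysadmins
[oncall]
    path = /srv/oncall
    valid users = @oncall, bvaughan
"""


def parse_smb_conf(text):
    """Minimal [section] / key = value parser (keys lower-cased)."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            cur = sections.setdefault(line[1:-1].lower(), {})
        elif cur is not None and "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip().lower()] = value.strip()
    return sections


def parse_passwd(text):
    """user -> primary gid (primary-group members never show in getent group)."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in text.splitlines())}


def parse_group(text):
    """group -> (gid, explicit members)."""
    out = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        out[name] = (int(gid), set(filter(None, members.split(","))))
    return out


def strip_domain(name, conf):
    """With `winbind use default domain = yes` NSS names carry no domain
    prefix, so drop the primary domain's DOMAIN\\ before comparing."""
    use_default = conf["global"].get("winbind use default domain", "no").lower() == "yes"
    dom, sep, short = name.partition("\\")
    return short if sep and use_default and dom.lower() == DOMAIN.lower() else name


def user_in_group(user, group, passwd, groups):
    if group not in groups:
        return False
    gid, members = groups[group]
    return user in members or passwd.get(user) == gid


def entry_matches(user, entry, conf, passwd, groups, netgroups):
    """One entry against an already-canonicalised user name: '@' tries the
    NIS netgroup then the UNIX group, '+' only the UNIX group, '&' only the
    netgroup, no prefix = a user name."""
    i = 0
    while i < len(entry) and entry[i] in "@+&":
        i += 1
    flags, name = entry[:i], strip_domain(entry[i:], conf)
    if not flags:
        return name.lower() == user.lower()
    by_group = "@" in flags or "+" in flags
    by_netgroup = "@" in flags or "&" in flags
    return ((by_group and user_in_group(user, name, passwd, groups))
            or (by_netgroup and user in netgroups.get(name, ())))


def share_admits(conf, share, session_user, netgroups=NETGROUPS):
    """(allowed, matching entry) for the name Samba saw at session setup."""
    passwd, groups = parse_passwd(PASSWD), parse_group(GROUPS)
    user = strip_domain(session_user, conf)
    valid = conf[share.lower()].get("valid users")
    if valid is None:              # no list: any authenticated user connects
        return True, None
    for entry in re.split(r"[,\s]+", valid.strip()):
        if entry and entry_matches(user, entry, conf, passwd, groups, netgroups):
            return True, entry
    return False, None


def audit(conf):
    """Which known accounts each share that sets `valid users` admits."""
    return {share: {u for u in parse_passwd(PASSWD) if share_admits(conf, share, u)[0]}
            for share, opts in conf.items() if "valid users" in opts}


if __name__ == "__main__":
    cfg = parse_smb_conf(SMB_CONF)
    print(share_admits(cfg, "sysadmins", "CORP\\bvaughan"))  # (True, '+CORP\\gc_sysadmins')
    print(audit(cfg))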
[Samba] mount.cifs and sec=krb5
Hello fellow Samba folks,

I am attempting to mount a cifs share on a RHEL 5 box using mount.cifs. The server is another RHEL 5 box. Both boxes are joined to the same Kerberos realm (AD). I kinit to get my Kerberos tickets. This is the mount command I'm using:

    mount.cifs //rhel5.server.iastate.edu/benvon ./mnt -o user=benvon,sec=krb5

This results in a password prompt, then a permission denied message (even if the password was correct). The interesting thing to see is the log on the server (log level 10 excerpt):

    [2007/05/04 15:10:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1010)
      sesssetupX:name=[]\[湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x]@ [129.186.196.8]
    [2007/05/04 15:10:30, 6] param/loadparm.c:lp_file_list_changed(3001)
      lp_file_list_changed() file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Fri May 4 10:59:44 2007
    [2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info_map(161)
      make_user_info_map: Mapping user []\[湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x] from workstation [129.186.196.8]
    [2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info(75)
      attempting to make a user_info for 湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x (湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x)
    [2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info(85)
      making strings for 湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x's user_info struct
    [2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info(117)
      making blobs for 湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x's user_info struct
    [2007/05/04 15:10:30, 10] auth/auth_util.c:make_user_info(135)
      made an encrypted user_info for 湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x (湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x)
    [2007/05/04 15:10:30, 3] auth/auth.c:check_ntlm_password(221)
      check_ntlm_password: Checking password for unmapped user []\[湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥 [EMAIL PROTECTED] with the new password interface
    [2007/05/04 15:10:30, 3] auth/auth.c:check_ntlm_password(224)
      check_ntlm_password: mapped user is: [IASTATE]\[湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦 [EMAIL PROTECTED]

Yah. Anyway, when leaving off the sec=krb5 or setting sec=ntlmv2, everything works as expected. smbclient -k works as expected.

Does anyone have any advice? I can produce as much logging as may be needed. If this isn't the proper place to be asking questions about mount.cifs, please redirect me.

Many Thanks,
Ben Vaughan, RHCE
Engineering Computing Support Services
Iowa State University
[EMAIL PROTECTED]
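What the mangled user name in that log actually is, as an added example (not from the post and not Samba code): the run of CJK characters, re-encoded as UTF-16LE, is the ASCII byte string "envon", NUL, NUL, "Linux version 2.6.18-8.1.1.el5", NUL, "CIFS VFS Client fo...Linux", i.e. smbd read the client's ASCII session-setup strings (account name, native OS, native LAN manager) as little-endian UCS-2 starting one byte into the buffer, which drops the leading "b" of benvon and leaves the domain empty; the password check then runs against that non-existent user, which fits the permission denied the post reports even with a correct password. The Python below reproduces the logged string from a constructed wire buffer, recovers the bytes from the logged text, and adds a triage heuristic for spotting the same pattern in other logs. The kernel version and client banner in WIRE are inferred from the recovered bytes and are assumptions, not something the post states; the code unit that would carry "r " (U+2072, an unassigned code point) is absent from the logged text, so "for Linux" comes back as "foLinux".

```python
"""Added example: decode the 'CJK' user name in the smbd log as mis-aligned
UCS-2LE and recover the ASCII the client actually sent.  Not Samba code."""

# The name exactly as it appears in the log excerpt (the tail the archive
# rewrote to [EMAIL PROTECTED] is omitted).
LOG_NAME = "湥潶n䰀湩硵瘠牥楳湯㈠㘮ㄮⴸ⸸⸱⸱汥5䥃卆嘠卆䌠楬湥⁴潦楌畮x"

# Constructed wire buffer: account name, native OS and native LAN manager
# strings, each NUL-terminated, as an ASCII-speaking client would send them.
# The kernel version and client banner are inferred from the recovered bytes
# and are assumptions, not something the post states.
WIRE = (b"benvon\x00\x00"
        b"Linux version 2.6.18-8.1.1.el5\x00"
        b"CIFS VFS Client for Linux\x00")


def read_as_ucs2le(data: bytes, offset: int) -> str:
    """Read `data` from `offset` as little-endian UCS-2, the way a server that
    negotiated Unicode strings would; an odd trailing byte is NUL-padded."""
    chunk = data[offset:]
    if len(chunk) % 2:
        chunk += b"\x00"
    return chunk.decode("utf-16-le", errors="replace")


def recover_bytes(garbled: str) -> bytes:
    """Undo the mis-read: the UTF-16LE encoding of the logged code units is
    the byte stream the server consumed."""
    return garbled.encode("utf-16-le")


def recover_fields(garbled: str) -> list:
    """Split the recovered bytes on NUL into the original string fields."""
    return recover_bytes(garbled).split(b"\x00")


def looks_like_misaligned_ascii(text: str, threshold: float = 0.9) -> bool:
    """Triage heuristic for logs: if nearly every byte behind a run of
    non-Latin characters is printable ASCII or NUL, it is mis-decoded ASCII
    rather than real text in that script.  Genuine CJK fails this because
    its low bytes are spread over the whole 0x00-0xFF range."""
    if not text or all(ord(c) < 0x100 for c in text):
        return False                      # plain Latin text, nothing to undo
    raw = recover_bytes(text)
    ok = sum(b == 0 or 0x20 <= b <= 0x7E for b in raw)
    return ok / len(raw) >= threshold


def find_offset(garbled: str, wire: bytes) -> int:
    """Which byte offset of `wire` reproduces the logged text (-1 if none).
    Compares only a prefix, since the log may have dropped code units."""
    for off in range(len(wire)):
        got = read_as_ucs2le(wire, off)
        n = min(len(got), 8)
        if n and got[:n] == garbled[:n]:
            return off
    return -1


if __name__ == "__main__":
    print(read_as_ucs2le(WIRE, 1))        # reproduces the log's name
    print(recover_fields(LOG_NAME))       # [b'envon', b'', b'Linux version ...', ...]
    print(find_offset(LOG_NAME, WIRE))    # 1
```

The same recovery works on any "Chinese" user name or hostname that turns up in an SMB, LDAP or Kerberos log from a client that disagrees with the server about string encoding; if recover_bytes() gives readable ASCII, the problem is framing on the wire, not the account.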
[Samba] 3.0.11pre2 and wbinfo --user-sids
Hello good people of Samba,

I've been working with the latest Samba (3.0.11pre2) and have noticed that between 3.0.11pre1 and 3.0.11pre2, wbinfo --user-sids SID has stopped working. I have confirmed that going back to version 3.0.11pre1 (everything else being held steady) corrects the error I'm seeing.

    # wbinfo -n username
    big long SID
    # wbinfo --user-sids=big long SID
    Could not get group SIDs for user SID big long SID

The specific errors were these:

    Jan 25 10:08:18 discovery winbindd[3795]: [2005/01/25 10:08:18, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
    Jan 25 10:08:18 discovery winbindd[3795]:   cli_pipe: return critical error. Error was NT_STATUS_INVALID_HANDLE

It appears that the command will be successful the first attempt after starting winbind, but will fail every time after that. Can anyone reproduce these results? Does anyone know what might be going on?

Thanks,
Ben Vaughan

Ben Vaughan
Engineering Computing Support Services
CLUE Network SysAdmin
Iowa State University
RE: [Samba] RHEL3 3.0.9 Release Active Directory Membership
Hello Christian,

Here at Iowa State, we have experienced exactly this behavior, although we haven't noticed any of my samba servers losing their domain membership. It appears that samba is still functioning via the rpc methods. We compiled samba.org's srpms and haven't had any problems. I can't verify this right now, but I recall having this same problem with RH's 3.0.7 package. I'm still digging to see if that was indeed the case.

We are running Samba with an AD in native 2000 mode. We are beginning the transition to AD 2003. We have about 3 dozen or so samba servers in our domain.

Let me know if you need any more help or testing or whatever.

Thanks,
Ben Vaughan

Ben Vaughan
Engineering Computing Support Services
CLUE Network SysAdmin
Iowa State University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christian Merrill
Sent: Friday, December 17, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: [Samba] RHEL3 3.0.9 Release Active Directory Membership

Some preliminary testing indicates that there may be problems in the newly released Red Hat 3.0.9 packages (not samba.org's) in regard to joining an AD as a full member (w/kerberos). This may also affect maintaining current membership in such an environment. If anyone has already upgraded and is experiencing the same or different behavior please let me know. Specifically we are seeing no support for encryption type messages when using a net ads join and a return code of -1.

Christian
[Samba] Samba 3.0.4 + OpenAFS 1.2.11 and fake-kaserver
I'm trying to build the --with-fake-kaserver option in 3.0.4 on RHEL 3.0. I'm using the srpms provided on the samba.org site (http://us3.samba.org/samba/ftp/bin-pkgs/RedHat/SRPMS/samba-3.0.4-1.src.rpm). My OpenAFS version is 1.2.11, rpms (openafs-1.2.11 and openafs-devel-1.2.11) provided from openafs.org.

It compiles fine if I omit the --with-fake-kaserver configure option. When it is added, this is the result:

    Compiling smbd/files.c
    In file included from /usr/kerberos/include/profile.h:149,
                     from /usr/kerberos/include/krb5.h:138,
                     from include/includes.h:401,
                     from dynconfig.c:21:
    /usr/include/afs/com_err.h:15: syntax error before afs_int32
    /usr/include/afs/com_err.h:16: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:17: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:18: syntax error before afs_int32
    /usr/include/afs/com_err.h:19: syntax error before afs_int32
    /usr/include/afs/com_err.h:20: syntax error before afs_int32
    In file included from /usr/kerberos/include/profile.h:149,
                     from /usr/kerberos/include/krb5.h:138,
                     from include/includes.h:401,
                     from param/params.c:82:
    /usr/include/afs/com_err.h:15: syntax error before afs_int32
    /usr/include/afs/com_err.h:16: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:17: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:18: syntax error before afs_int32
    /usr/include/afs/com_err.h:19: syntax error before afs_int32
    /usr/include/afs/com_err.h:20: syntax error before afs_int32
    In file included from /usr/kerberos/include/profile.h:149,
                     from /usr/kerberos/include/krb5.h:138,
                     from include/includes.h:401,
                     from param/loadparm.c:54:
    /usr/include/afs/com_err.h:15: syntax error before afs_int32
    /usr/include/afs/com_err.h:16: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:17: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:18: syntax error before afs_int32
    /usr/include/afs/com_err.h:19: syntax error before afs_int32
    /usr/include/afs/com_err.h:20: syntax error before afs_int32
    In file included from include/includes.h:761,
                     from dynconfig.c:21:
    include/ads.h:225:1: warning: AP_OPTS_USE_SUBKEY redefined
    In file included from include/includes.h:401,
                     from dynconfig.c:21:
    /usr/kerberos/include/krb5.h:754:1: warning: this is the location of the previous definition
    In file included from /usr/kerberos/include/profile.h:149,
                     from /usr/kerberos/include/krb5.h:138,
                     from include/includes.h:401,
                     from smbd/files.c:21:
    /usr/include/afs/com_err.h:15: syntax error before afs_int32
    /usr/include/afs/com_err.h:16: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:17: warning: parameter names (without types) in function declaration
    /usr/include/afs/com_err.h:18: syntax error before afs_int32
    /usr/include/afs/com_err.h:19: syntax error before afs_int32
    /usr/include/afs/com_err.h:20: syntax error before afs_int32
    In file included from include/includes.h:761,
                     from param/params.c:82:
    include/ads.h:225:1: warning: AP_OPTS_USE_SUBKEY redefined
    In file included from include/includes.h:401,
                     from param/params.c:82:
    /usr/kerberos/include/krb5.h:754:1: warning: this is the location of the previous definition
    In file included from include/includes.h:761,
                     from param/loadparm.c:54:
    include/ads.h:225:1: warning: AP_OPTS_USE_SUBKEY redefined
    In file included from include/includes.h:401,
                     from param/loadparm.c:54:
    /usr/kerberos/include/krb5.h:754:1: warning: this is the location of the previous definition
    In file included from include/includes.h:761,
                     from smbd/files.c:21:
    include/ads.h:225:1: warning: AP_OPTS_USE_SUBKEY redefined
    In file included from include/includes.h:401,
                     from smbd/files.c:21:
    /usr/kerberos/include/krb5.h:754:1: warning: this is the location of the previous definition
    make: *** [dynconfig.o] Error 1
    make: *** Waiting for unfinished jobs
    make: *** [param/params.o] Error 1
    make: *** [smbd/files.o] Error 1

Help?

Ben Vaughan
--
That's crazy enough it might just work!