[Samba] Problems with ADS and user mapping

2012-12-13 Thread Matthew Choppen
Hi,

I am having problems with the mapping of a Windows user to a Unix
user using Active Directory.

When I perform the following, everything seems OK:

smbclient -U ADOMAIN\clearcase_albd -L CCSERVER
Enter ADOMAIN\clearcase_albd's password:
Domain=[ADOMAIN] OS=[Unix] Server=[Samba 3.4.3-1.17.2-2359-SUSE-CODE11]

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (ClearCase)
    LicenseMonitor  Disk      License monitoring directory
    ccviews         Disk      View storage directory
    vobstore        Disk      Vob storage directory
Domain=[ADOMAIN] OS=[Unix] Server=[Samba 3.4.3-1.17.2-2359-SUSE-CODE11]

    Server               Comment
    ---------            -------
    CCSERVER             ClearCase
    CCSERVER2
    CCSERVER3

    Workgroup            Master
    ---------            -------
    ADOMAIN              CCSERVER3

However this fails:

smbclient -U ADOMAIN\clearcase_albd //CCSERVER/ccviews
Enter ADOMAIN\clearcase_albd's password:
Domain=[ADOMAIN] OS=[Unix] Server=[Samba 3.4.3-1.17.2-2359-SUSE-CODE11]
tree connect failed: NT_STATUS_ACCESS_DENIED


Both vobadmin and clearcase_albd are in Active Directory and both in
the same ADOMAIN

Any help would be greatly appreciated


# /etc/samba/smb.conf

[global]
workgroup = ADOMAIN
password server = ldap1.ADOMAIN.int, ldap2.ADOMAIN.int
domain master = no
realm = ADOMAIN.INT
server string = ClearCase
netbios name = CCSERVER
security = ADS
encrypt passwords = yes
winbind use default domain = Yes
winbind nested groups = Yes
client use spnego = Yes
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/bash
template homedir = /home/%D/%u
log level = 2
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind cache time = 5
winbind refresh tickets = true
map to guest = Bad User
username map = /etc/samba/user.map
max open files = 11000
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
usershare allow guests = Yes
directory security mask = 0775
##map untrusted to domain = Yes -- This has no effect!
kernel oplocks = No
create mask = 0775
directory mask = 0775
map archive = No
oplocks = No
level2 oplocks = No
lock directory = /var/run/samba
ldap timeout = 30
ldap connection timeout = 30
host msdfs = No
preserve case = Yes

[vobstore]
comment = Vob storage directory
path = /vobstore
valid users = @ADOMAIN+ccusers
writeable = Yes
create mask = 0775

[ccviews]
comment = View storage directory
path = /ccviews
valid users = @ADOMAIN+ccusers
writeable = Yes
create mask = 0775

[LicenseMonitor]
comment = License monitoring directory
path = /home/vobadmin/LicenseMonitor
valid users = clearcase_albd vobadmin
writeable = yes
create mask = 0755

# /etc/samba/user.map
root = administrator admin
nobody = guest pcguest smbguest
vobadmin = ADOMAIN\clearcase_albd clearcase_albd


## /var/log/samba/CCSERVER


[2012/12/11 11:50:10,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/12/11 11:51:17,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [clearcase_albd] - [vobadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/12/11 11:51:17,  2] smbd/service.c:584(create_connection_server_info)
  guest user (from session setup) not permitted to access this share (ccviews)
[2012/12/11 11:51:17,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/12/11 11:57:33,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [clearcase_albd] - [vobadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/12/11 11:57:34,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [clearcase_albd] - [vobadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/12/11 11:58:54,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [clearcase_albd] - [vobadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/12/11 11:58:54,  2] smbd/service.c:584(create_connection_server_info)
  guest user (from session setup) not permitted to access this share (ccviews)
[2012/12/11 11:58:54,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED



Thanks in advance

Matt
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  
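
An added example, not part of the original post: a small parser that pairs each failed logon in an smbd log with the guest-session share denial that follows it. With `map to guest = Bad User`, as in the posted smb.conf, a logon for a user name Samba cannot find is treated as a guest login, which is the sequence visible in the log above. The sample is constructed from the log records in the post with the mail line-wraps joined; the function names are hypothetical.

```python
import re

# Constructed sample: smbd log records from the post, mail line-wraps joined.
SAMPLE_LOG = """\
[2012/12/11 11:51:17,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [clearcase_albd] - [vobadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/12/11 11:51:17,  2] smbd/service.c:584(create_connection_server_info)
  guest user (from session setup) not permitted to access this share (ccviews)
[2012/12/11 11:51:17,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2012/12/11 11:57:33,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [clearcase_albd] - [vobadmin] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]\s*\S*")
# The separator between the two names is matched as "-" or "->".
AUTH_FAIL = re.compile(r"Authentication for user \[([^\]]*)\] ->? \[([^\]]*)\] FAILED with error (\S+)")
GUEST_DENY = re.compile(r"guest user \(from session setup\) not permitted to access this share \((.+?)\)")

def records(text):
    """Yield (timestamp, message); continuation lines are joined to their header."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), [line[m.end():].strip()]
        elif stamp and line.strip():
            parts.append(line.strip())
    if stamp:
        yield stamp, " ".join(parts)

def guest_fallbacks(text):
    """Return unknown-user logon failures followed by a guest share denial."""
    pending, findings = None, []
    for stamp, msg in records(text):
        fail, deny = AUTH_FAIL.search(msg), GUEST_DENY.search(msg)
        if fail:
            pending = {"time": stamp, "client_user": fail.group(1),
                       "mapped_user": fail.group(2), "status": fail.group(3)}
        elif deny and pending and pending["status"] == "NT_STATUS_NO_SUCH_USER":
            findings.append(dict(pending, share=deny.group(1), denied_at=stamp))
            pending = None
    return findings

if __name__ == "__main__":
    for finding in guest_fallbacks(SAMPLE_LOG):
        print(finding)
```

Because continuation lines are folded into the preceding record, the same function also reads the log in its mail-wrapped form.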

[Samba] Problems with Winbind Idmap and Active Directory 2008 r2

2011-03-04 Thread Matthew Choppen
For our Linux machines (SLES 10) we are using Kerberos and LDAP to
authenticate against Active Directory (works perfectly).

Please note that the same configuration works with Windows 2003 Server; the
problem is with Windows 2008 Server.

However, we are experiencing problems with winbind for the file share. I see
the following errors in the log.winbind-idmap logfile:

[2011/03/03 15:09:08.643286,  1] winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
  ad_idmap_init: failed to connect to AD
[2011/03/03 15:09:08.643323,  1] winbindd/idmap_ad.c:326(idmap_ad_unixids_to_sids)
  ADS uninitialized: No logon servers

The user from Windows clients experiences extremely poor performance (I
guess timeouts from winbind, and I would also guess that winbind then
assigns some kind of default ID and not the real uid/gid from AD).

The Unix Services for Windows is applied and the users have the correct UNIX
settings (else LDAP / Kerberos auth would not work).

I have also tried backend = ldap:ldap://OurADServer  which also does not
work!!!


Here is our current configuration:

samba3-3.5.2-43.suse101.x86_64.rpm
samba3-cifsmount-3.5.2-43.suse101.x86_64.rpm
samba3-client-3.5.2-43.suse101.x86_64.rpm
samba3-debuginfo-3.5.2-43.suse101.x86_64.rpm
samba3-doc-3.5.2-43.suse101.x86_64.rpm
samba3-utils-3.5.2-43.suse101.x86_64.rpm
samba3-winbind-32bit-3.5.2-43.suse101.i586.rpm
samba3-winbind-3.5.2-43.suse101.x86_64.rpm

Samba Config

[global]
workgroup = MYDOMAIN
password server = OurADServer
domain master = no
realm =  MYDOMAIN.COM
server string = ClearCase Server
netbios name = OURNAME
security = ADS
encrypt passwords = yes
winbind use default domain = Yes
winbind nested groups = Yes
client use spnego = Yes
winbind enum users = Yes
winbind enum groups = Yes
template shell = /bin/bash
template homedir = /home/%u
log level = 2
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
#idmap uid = 4-5
#idmap gid = 4-5
winbind offline logon = true
winbind cache time = 5
winbind refresh tickets = true
map to guest = Bad User
username map = /etc/samba/users.map
max open files = 11000
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
ldap ssl = No
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap backend = ad
ldap idmap suffix = dc=mydomain,dc=com
ldap admin dn = CN=bindUserFromAD,OU=Siteroles,OU=HAM,DC=mydomain,dc=com
ldap suffix = dc=mydomain,dc=com
usershare allow guests = Yes
directory security mask = 0775
kernel oplocks = No
create mask = 0775
directory mask = 0775
map archive = No
oplocks = No
level2 oplocks = No

[vobs]
comment = Vob storage directory
path = /vobs
valid users = @MYDOMAIN+ccusers
writeable = Yes
create mask = 0775
force directory mode = 0775

[vobstore]
comment = Vob storage directory
path = /vobstore
valid users = @MYDOMAIN+ccusers
writeable = Yes
create mask = 0775
force directory mode = 0775

[ccviews]
comment = View storage directory
path = /ccviews
valid users = @MYDOMAIN+ccusers
writeable = Yes
create mask = 0775
force directory mode = 0775

Thanks for any assistance :)

Matt