Re: [Samba] Having problems with Samba and openLDAP Groups
On Wed, Jun 3, 2009 at 9:47 PM, Liutauras Adomaitis liutauras.adomai...@gmail.com wrote:

On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt m...@imparisystems.com wrote:

On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote:

On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt m...@imparisystems.com wrote:

Thanks for the help! I appreciate you taking the time!

On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:

[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
  user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I guess your user mib is not in group @Staff. What do you get with commands:
smbldap-tools works only with ldap, it doesn't mean system sees those users.

id mib
getent passwd | grep mib
getent group | grep -i staff

id mlb
uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff)

getent passwd | grep mlb
mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
mlb:x:1009:544:mlb:/home/mlb:/bin/bash
mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false

getent group | grep -i Staff
staff:x:50:
Staff:x:1012:alex,mlb
Staff:*:1014:mlb,alex

You have 3 groups Staff and 2 users mib. This confuses me a bit. It may be your problem. I think you should have only one user mib. You should also make sure you have 1 group Staff.
Check your net groupmap list to see how Staff group maps to windows group.

Liutauras

Those are deleted entries - they don't show up in either the webmin module or phpldapadmin.

Here's the results from the net groupmap list

Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) - Domain Admins
Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) - Domain Users
Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) - Domain Guests
Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) - Domain Computers
Administrators (S-1-5-32-544) - Administrators
Account Operators (S-1-5-32-548) - Account Operators
Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators
Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) - Staff

Hi,
have you solved your problem? I've been busy a bit.
Your groupmap list looks nice, but I still think there is something to dig around group membership.
Some more things to check, if you didn't do that already:
- smbldap-groupshow Staff - this should give an idea of gidNumber and SID of Staff group in ldap
- do you run nscd? I had a lot of problems with it and ldap authentication. Samba Docs even say that this is not supported, if I remember correctly. nscd could be responsible for showing groups that are already deleted.
- have you tried using another group, like Domain Users? If it works with another group then it is a problem with your group Staff.

Liutauras

PS one more thing to do
nss_updatedb ldap group staff - this should refresh group memberships.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Having problems with Samba and openLDAP Groups
On Thu, May 28, 2009 at 11:59 PM, Matt Burkhardt m...@imparisystems.com wrote:

On Thu, 2009-05-28 at 23:29 +0300, Liutauras Adomaitis wrote:

On Thu, May 28, 2009 at 3:53 PM, Matt Burkhardt m...@imparisystems.com wrote:

Thanks for the help! I appreciate you taking the time!

On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:

[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
  user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I guess your user mib is not in group @Staff. What do you get with commands:
smbldap-tools works only with ldap, it doesn't mean system sees those users.

id mib
getent passwd | grep mib
getent group | grep -i staff

id mlb
uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff)

getent passwd | grep mlb
mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
mlb:x:1009:544:mlb:/home/mlb:/bin/bash
mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false

getent group | grep -i Staff
staff:x:50:
Staff:x:1012:alex,mlb
Staff:*:1014:mlb,alex

You have 3 groups Staff and 2 users mib. This confuses me a bit. It may be your problem. I think you should have only one user mib. You should also make sure you have 1 group Staff.
Check your net groupmap list to see how Staff group maps to windows group.

Liutauras

Those are deleted entries - they don't show up in either the webmin module or phpldapadmin.

Here's the results from the net groupmap list

Domain Admins (S-1-5-21-3529111891-2609867799-3129462049-512) - Domain Admins
Domain Users (S-1-5-21-3529111891-2609867799-3129462049-513) - Domain Users
Domain Guests (S-1-5-21-3529111891-2609867799-3129462049-514) - Domain Guests
Domain Computers (S-1-5-21-3529111891-2609867799-3129462049-515) - Domain Computers
Administrators (S-1-5-32-544) - Administrators
Account Operators (S-1-5-32-548) - Account Operators
Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators
Staff (S-1-5-21-3529111891-2609867799-3129462049-3029) - Staff

Hi,
have you solved your problem? I've been busy a bit.
Your groupmap list looks nice, but I still think there is something to dig around group membership.
Some more things to check, if you didn't do that already:
- smbldap-groupshow Staff - this should give an idea of gidNumber and SID of Staff group in ldap
- do you run nscd? I had a lot of problems with it and ldap authentication. Samba Docs even say that this is not supported, if I remember correctly. nscd could be responsible for showing groups that are already deleted.
- have you tried using another group, like Domain Users? If it works with another group then it is a problem with your group Staff.

Liutauras
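
Added example (not part of any message in this thread): the duplicate-entry check the posters do by eye with getent, written as a POSIX shell function. `dup_ids` is a hypothetical helper name and the sample records are modelled on the getent output quoted above, with one constructed line; it lists each user or group name that resolves to more than one numeric ID, which matters here because `valid users = @Staff` selects the group by name.

```sh
#!/bin/sh
# dup_ids: read "name:passwd:id:..." records (getent group / getent passwd
# format) on stdin and print "name id1,id2,..." for every name that appears
# with more than one distinct numeric ID. Pass "ci" to compare names
# case-insensitively (catches staff vs Staff); the default is exact match.
dup_ids() {
    awk -F: -v mode="${1:-exact}" '
        NF >= 3 {
            key = (mode == "ci") ? tolower($1) : $1
            if (!((key, $3) in seen)) {
                seen[key, $3] = 1
                ids[key] = count[key] ? (ids[key] "," $3) : $3
                count[key]++
            }
        }
        END {
            for (k in count)
                if (count[k] > 1) print k, ids[k]
        }' | sort
}

# Sample input modelled on the thread; the "Domain Users" line is constructed.
SAMPLE_GROUP='staff:x:50:
Staff:x:1012:alex,mlb
Staff:*:1014:mlb,alex
Domain Users:*:513:'

SAMPLE_PASSWD='mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
mlb:x:1009:544:mlb:/home/mlb:/bin/bash
mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false'

# Run all three checks over the sample data.
check_sample() {
    echo "groups, exact name match:"
    printf '%s\n' "$SAMPLE_GROUP" | dup_ids exact
    echo "groups, case-insensitive:"
    printf '%s\n' "$SAMPLE_GROUP" | dup_ids ci
    echo "users:"
    printf '%s\n' "$SAMPLE_PASSWD" | dup_ids exact
}

check_sample
```

On a live host, pipe `getent group` or `getent passwd` into `dup_ids`; comparing the result with nscd running and stopped helps tell cached leftovers from entries that still exist in the files or LDAP sources.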
Re: [Samba] Having problems with Samba and openLDAP Groups
Thanks for the help! I appreciate you taking the time!

On Thu, 2009-05-28 at 00:02 +0300, Liutauras Adomaitis wrote:

[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
  user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I guess your user mib is not in group @Staff. What do you get with commands:
smbldap-tools works only with ldap, it doesn't mean system sees those users.

id mib
getent passwd | grep mib
getent group | grep -i staff

id mlb
uid=1000(mlb) gid=1000(mlb) groups=1000(mlb),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),33(www-data),44(video),46(plugdev),107(fuse),113(lpadmin),115(admin),116(sambashare),1001(musicshare),1002(printer-admin),1008(subversion),1012(Staff),513(Domain Users),1014(Staff)

getent passwd | grep mlb
mlb:x:1000:1000:Matt Burkhardt,,,:/home/mlb:/bin/bash
mlb:x:1009:544:mlb:/home/mlb:/bin/bash
mlb-laptop$:*:1014:515:Computer:/dev/null:/bin/false

getent group | grep -i Staff
staff:x:50:
Staff:x:1012:alex,mlb
Staff:*:1014:mlb,alex

Run testparm - it will show some errors you have in your smb.conf file.
Also run testparm command, it will show you some errors in your smb.conf file you have.

testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [netlogon]
Processing section [profiles]
Processing section [printers]
Processing section [print$]
Processing section [bigdrive]
Processing section [Business]
Processing section [Editors]
Processing section [Members]
Processing section [Staff]
WARNING: The only user option is deprecated
Processing section [tmp]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

--
Matt Burkhardt, M.Sci.
Technology Management
m...@imparisystems.com
(301) 682-7901
502 Fairview Avenue
Frederick, MD 21701
http://www.imparisystems.com
[Samba] Having problems with Samba and openLDAP Groups
I'm getting a little closer and understanding how the logs, etc. work. I can log onto a Samba share, can read and write to my home directory, but I'm concerned about trying to get the file share Staff to work - want it to be read and write to the Group named Staff.

I have set up the group and added myself to the group.

If I do a smbldap-groupshow Staff - I get

sudo smbldap-groupshow Staff
dn: cn=Staff,ou=Groups,dc=imparisystems,dc=local
objectClass: top,posixGroup
cn: Staff
gidNumber: 1012
memberUid: mlb

I'm mlb - but it doesn't have any Samba information and I added the group by typing

sudo smbldap-groupadd -a Staff

If I try

smbclient //Ubuntu/Staff
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.28a]
tree connect failed: NT_STATUS_ACCESS_DENIED

Here's my smb.conf file - just the globals and the share I want to fix

[global]
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://localhost/
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s* \spassword$
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    log level = 3
    server signing = auto
    printcap name = cups
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    logon script = logon.bat
    logon path = \\%N\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 34
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=admin,dc=imparisystems,dc=local
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = Yes
    ldap suffix = dc=imparisystems,dc=local
    ldap ssl = no
    ldap user suffix = ou=Users
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    path = /samba
    invalid users = root

[Staff]
    writeable = yes
    msdfs root = yes
    valid users = @Staff
    path = /samba/smalldrive/doc/Staff
    only user = yes

Here's my log for the server at /var/log/samba/log.ubuntu

---snip---
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [mlb] succeeded
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [mlb] - [mlb] - [mlb] succeeded
[2009/05/27 13:34:52, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 544 - S-1-5-32-544
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/27 13:34:52, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/27 13:34:52, 3] lib/privileges.c:get_privileges(261)
Re: [Samba] Having problems with Samba and openLDAP Groups
[2009/05/27 13:34:52, 2] smbd/service.c:make_connection_snum(616)
  user 'mlb' (from session setup) not permitted to access this share (Staff)
[2009/05/27 13:34:52, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I guess your user mib is not in group @Staff. What do you get with commands:
smbldap-tools works only with ldap, it doesn't mean system sees those users.

id mib
getent passwd | grep mib
getent group | grep -i staff

Run testparm - it will show some errors you have in your smb.conf file.
Also run testparm command, it will show you some errors in your smb.conf file you have.