I'd check the unix ownership and permissions on these shares you wish to edit.
Mike Staver wrote:
Alright - I got one more problem licked:
timmy:/home/staver # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: [EMAIL PROTECTED]

  Issued           Expires          Principal
Aug 30 22:08:56  Aug 31 08:08:56  krbtgt/[EMAIL PROTECTED]
However, from windows I still can't edit the samba shares - everything is still read only, and I restarted the smb and nmb services. My logs are still showing:
[2004/08/30 22:21:58, 0] smbd/server.c:main(757)
smbd version 3.0.4-SUSE started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 22:30:41, 0] lib/access.c:check_access(328)
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2004/08/30 22:30:41, 1] smbd/process.c:process_smb(883)
[2004/08/30 22:30:41, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Connection denied from 0.0.0.0
[2004/08/30 22:30:41, 0] lib/util_sock.c:write_socket_data(413)
write_socket_data: write failure. Error = Connection reset by peer
[2004/08/30 22:30:41, 0] lib/util_sock.c:write_socket(438)
write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection reset by peer
[2004/08/30 22:30:41, 0] lib/util_sock.c:send_smb(630)
Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/30 22:30:43, 1] smbd/service.c:make_connection_snum(619)
mike (10.0.0.8) connect to service html initially as user mstaver (uid=1001, gid=0) (pid 3011)
[2004/08/30 22:30:56, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 22:31:28, 0] rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
[2004/08/30 22:31:57, 0] smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID S-1-5-21-894072087-884895359-931750244-1174 to uid or gid.
So, now that klist issue has been resolved (I had to tweak the registry in windows on the AD to fix this) and now it appears I have another issue.
O Plameras wrote:
Just say,
#kinit <your username>
and klist again, just to confirm.
Mike Staver wrote:
timmy:/var/log/samba # klist
klist: No ticket file: /tmp/krb5cc_0
So yeah, I guess it is? How do I renew it, or should my linux box automatically renew it now? Thanks for the quick reply!
O Plameras wrote:
On your Samba, what is the output of command:
#klist
Is it possible your ticket has expired ?
Mike Staver wrote:
I have a frustrating issue with Samba - I'm simply trying to get a Suse
9.1 Pro box to authenticate against my AD domain and share some files
on it. Here are my conf files:
/etc/samba/smb.conf
-----------------------------
[global]
workgroup = RTSENTERPRISE
netbios name = TIMMY
wins server = 10.0.0.10
realm = MYCOMPANY.COM
security = ADS
password server = pip.MYCOMPANY.com
server string = TIMMY
#username map = /etc/samba/smbusers
#smb passwd file = /etc/samba/smbpasswd
encrypt passwords = Yes
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
os level = 0
dns proxy = No
load printers = No
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = no

[html]
comment = html
browseable = Yes
read only = No
path = /srv/www/htdocs
writeable = yes

/etc/krb5.conf
-----------------------------------------
[libdefaults]
default_realm = MYCOMPANY.COM
clockskew = 300

[realms]
MYCOMPANY.COM = {
    kdc = pip.MYCOMPANY.com
    default_domain = RTSENTERPRISE
    kpasswd_server = pip.MYCOMPANY.com
}
YOUR.KERBEROS.REALM = {
    kdc = pip.MYCOMPANY.com
}

[domain_realms]
.pip.MYCOMPANY.com = MYCOMPANY.com

[domain_realm]
.RTSENTERPRISE = MYCOMPANY.COM

[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
    forwardable = true
    proxiable = false
    retain_after_close = true
    minimum_uid = 0
}
Those settings worked fine on Friday... then today I walked into the office, and I'm now unable to gain write access or change security permissions to the Samba box using Windows File Sharing like I was on Friday. My samba log shows this:
[2004/08/30 14:31:07, 0] smbd/server.c:main(757)
smbd version 3.0.4-SUSE started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/08/30 14:31:45, 0] lib/access.c:check_access(328)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Denied connection from (0.0.0.0)
[2004/08/30 14:31:45, 1] smbd/process.c:process_smb(883)
[2004/08/30 14:31:45, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
Connection denied from 0.0.0.0
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket_data(413)
write_socket_data: write failure. Error = Connection reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:write_socket(438)
write_socket: Error writing 5 bytes to socket 22: ERRNO = Connection
reset by peer
[2004/08/30 14:31:45, 0] lib/util_sock.c:send_smb(630)
Error writing 5 bytes to client. -1. (Connection reset by peer)
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:48, 1] smbd/service.c:make_connection_snum(619)
10.0.0.1 (10.0.0.1) connect to service html initially as user
administrator (uid=0, gid=0) (pid 3240)
[2004/08/30 14:31:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:50, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:54, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:22, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:27, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:32:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:32:33, 1] smbd/service.c:close_cnum(801)
10.0.0.1 (10.0.0.1) closed connection to service html
[2004/08/30 14:51:07, 1] smbd/service.c:make_connection_snum(619)
mike (10.0.0.8) connect to service html initially as user mstaver
(uid=1001, gid=0) (pid 3396)
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:17, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that
[2004/08/30 14:51:31, 0]
smbd/posix_acls.c:create_canon_ace_lists(1381)
create_canon_ace_lists: unable to map SID
S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
Yet, I'm able to join the domain just fine:
timmy:/var/log/samba # net ads join -U Administrator
Administrator's password:
[2004/08/30 14:44:33, 0] libads/ldap.c:ads_add_machine_acct(1006)
  Host account for timmy already exists - modifying old account
Using short domain name -- RTSENTERPRISE
Joined 'TIMMY' to realm 'MYCOMPANY.COM'
And, commands like this work:
timmy:/var/log/samba # smbclient -L timmy -Umstaver
Password:
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Sharename      Type      Comment
        ---------      ----      -------
        html           Disk      html
        root           Disk      root
        IPC$           IPC       IPC Service (TIMMY)
        ADMIN$         IPC       IPC Service (TIMMY)
Domain=[RTSENTERPRISE] OS=[Unix] Server=[Samba 3.0.4-SUSE]

        Server               Comment
        ---------            -------
        PIP
        TIMMY                TIMMY

        Workgroup            Master
        ---------            -------
        RTSENTERPRISE        PIP
Can somebody point me in the right direction of where I need to go
next? I don't understand why this worked great on Friday, and then
quit working today. On another note I would also like to get this box
working so I can log into it at the shell using AD users from windows.
Right now every time I try to log into it via ssh using the standard
users I created in Suse, it works - but seems to take forever to
decide to let me in. So, it's hanging on something and I'm not sure
what to do next.
------------------------------------------------------------------------
Subject: Re: [SLUG] Suse 9.1 Pro and Samba 3.0.X
From: O Plameras <[EMAIL PROTECTED]>
Date: Tue, 31 Aug 2004 08:38:54 +1000
To: Mike Staver <[EMAIL PROTECTED]>
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
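
A triage script for the smbd log format quoted in this thread, added here as an example (it is not part of the original messages or of Samba). It rejoins entries that the mail client wrapped and counts the identity-mapping and Kerberos failures by subject, so the distinct SIDs, accounts and users needing attention stand out from the socket noise. The category names are labels chosen for this example, and the sample input is constructed from entries quoted above.

```python
import re
from collections import Counter

# Samba 3.0.x entry header: "[date time, debuglevel] source.c:function(line)"
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]\s*(.*)$")
ORIGIN = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")
# Message patterns taken from the log lines quoted in this thread.
RULES = [
    ("unmapped_sid", re.compile(r"unable to map SID (S-[\d-]+) to uid or gid")),
    ("ticket_rejected", re.compile(r"(Failed to verify incoming ticket)")),
    ("unknown_machine_account", re.compile(r"Username (\S+\$) is invalid on this system")),
    ("primary_gid_not_domain_group", re.compile(r"primary gid of user \[([^\]]+)\] is not a Domain group")),
]

def parse_entries(text):
    """Return (timestamp, level, origin, message) tuples, rejoining mail-wrapped lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = STAMP.match(line)
        if m:
            entries.append([m.group(1), int(m.group(2)), m.group(3), []])
        elif entries and not entries[-1][2] and ORIGIN.match(line):
            entries[-1][2] = line          # header was wrapped onto its own line
        elif entries:
            entries[-1][3].append(line)    # message text or its wrapped continuation
    return [(ts, lvl, origin, " ".join(msg)) for ts, lvl, origin, msg in entries]

def triage(text):
    """Count distinct subjects (SID, account, user) per failure category."""
    found = {}
    for _ts, _level, _origin, msg in parse_entries(text):
        for name, pattern in RULES:
            m = pattern.search(msg)
            if m:
                found.setdefault(name, Counter())[m.group(1)] += 1
    return found

# Constructed sample: entries copied from the logs in this thread, wrapping preserved.
SAMPLE = """\
[2004/08/30 14:31:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:31:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username MYCOMPANY.COM+chef$ is invalid on this system
[2004/08/30 14:51:15, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/30 14:51:18, 0]
rpc_server/srv_util.c:get_domain_user_groups(376)
  get_domain_user_groups: primary gid of user [hawkbug] is not a
Domain group !
[2004/08/30 14:51:31, 0]
smbd/posix_acls.c:create_canon_ace_lists(1381)
  create_canon_ace_lists: unable to map SID
S-1-5-21-894072087-884895359-931750244-500 to uid or gid.
"""
```

Calling `triage(open("/var/log/samba/log.smbd").read())` gives the same summary for a real log; that path is an assumption, so adjust it to wherever smbd writes on the box.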
