From: Ryan on 28 Dec 2007 14:50

Thanks, but now it throws a different error :(

From log of computer trying to connect to the share

[2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(279)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2007/12/28 13:40:54, 3] libads/kerberos_verify.c:ads_verify_ticket(427)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check failed)
[2007/12/28 13:40:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
[2007/12/28 13:40:54, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(318) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2007/12/28 13:40:54, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).

Noticed this in the log.smbd file

[2007/12/28 13:40:19, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
  ads_sasl_spnego_bind: got server principal name = pipdc01$@PIPFS.LOCAL
[2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2007/12/28 13:40:19, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration Fri, 28 Dec 2007 23:40:19 CST

Any other thoughts? :)

Cheers!

On Dec 28, 2007 1:29 PM, Dale Schroeder <dale(a)briannassaladdressing.com> wrote:

> Ryan,
>
> In your share try prefacing domain users and groups with the workgroup:
>
> admin users = @"PIPFS#Domain Users"
> valid users = @"PIPFS#Domain Users"
>
> This is required since Samba 3.0.23.
>
> Good luck,
> Dale
>
> Ryan wrote:
> > Afternoon!
> >
> > Let me apologize first if this is something soooo simple, but I have been
> > working on this for days and I'm still stuck on one part.
> >
> > Where to start. Small user environment (under 100 users) using Active
> > Directory on Win 2k3 server. Running Fedora 8 on a server, and I am trying
> > to get it added to the domain, and to be able to access a share using
> > Windows usernames and passwords.
> >
> > The server (known from here as fedoraftp) can kinit
> >
> > [root(a)fedoraftp /]# kinit Administrator
> > Password for Administrator(a)DOMAIN.LOCAL:
> > [root(a)fedoraftp /]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator(a)DOMAIN.LOCAL
> >
> > Valid starting     Expires            Service principal
> > 12/28/07 12:44:31  12/28/07 22:44:35  krbtgt/DOMAIN.LOCAL(a)DOMAIN.LOCAL
> >         renew until 12/29/07 12:44:31
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > [root(a)fedoraftp /]#
> >
> > It can join the domain
> > [root(a)fedoraftp /]# net ads join -U Administrator
> > Administrator's password:
> > Using short domain name -- DOMAIN
> > Joined 'FEDORAFTP' to realm 'DOMAIN.LOCAL'
> > [root(a)fedoraftp /]#
> >
> > wbinfo -u, wbinfo -g, getent passwd and getent group both show correct
> > information (not going to show output). I can also login locally on
> > fedoraftp using my windows username and password and not have any issues.
> > What I cannot get to work is accessing the share, as it won't take any
> > username/password thrown at it.
> >
> > smb.conf
> > [global]
> >   log file = /var/log/samba/log.%m
> >   guest account = admin
> >   load printers = no
> >   show add printer wizard = No
> >   idmap gid = 10000-20000
> >   smb passwd file = /etc/samba/smbpasswd
> >   unix password sync = yes
> >   guest ok = yes
> >   encrypt passwords = yes
> >   realm = PIPFS.LOCAL
> >   template shell = /bin/bash
> >   netbios name = FEDORAFTP
> >   cups options = raw
> >   server string = Fedora Server Ver %v
> >   idmap uid = 10000-20000
> >   password server = 192.168.0.240
> >   winbind nested groups = yes
> >   workgroup = PIPFS
> >   dns proxy = no
> >   passwd program = /usr/bin/passwd %u
> >   obey pam restrictions = yes
> >   os level = 20
> >   security = ads
> >   preferred master = no
> >   max log size = 50
> >   winbind separator = #
> >   winbind cache time = 0
> >   log level = 3
> >   winbind enum users = yes
> >   winbind enum groups = yes
> >   winbind use default domain = yes
> >   passdb backend = tdbsam
> >
> > [FTP]
> >   msdfs root = yes
> >   inherit permissions = yes
> >   writeable = yes
> >   admin users = @"domain users"
> >   path = /home/ftpshare/
> >   create mask = 700
> >   directory mask = 700
> >   valid users = admin,@"domain users",
> >   inherit acls = yes
> > ; public=yes
> >
> > Output of /var/log/samba/log.smbd
> >
> > [2007/12/28 12:53:05, 0] smbd/server.c:main(944)
> >   smbd version 3.0.28-0.fc8 started.
> >   Copyright Andrew Tridgell and the Samba Team 1992-2007
> > [2007/12/28 12:53:05, 2] param/loadparm.c:do_section(3796)
> >   Processing section "[FTP]"
> > [2007/12/28 12:53:05, 3] param/loadparm.c:lp_add_ipc(2711)
> >   adding IPC service
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> >   reloading printcap cache
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> >   reload status: ok
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(117)
> >   reloading printcap cache
> > [2007/12/28 12:53:05, 3] printing/pcap.c:pcap_cache_reload(223)
> >   reload status: ok
> > [2007/12/28 12:53:05, 2] lib/interface.c:add_interface(81)
> >   added interface ip=192.168.0.50 bcast=192.168.0.255 nmask=255.255.255.0
> > [2007/12/28 12:53:05, 3] smbd/server.c:main(982)
> >   loaded services
> > [2007/12/28 12:53:05, 3] smbd/server.c:main(997)
> >   Becoming a daemon.
> > [2007/12/28 12:53:05, 2] lib/tallocmsg.c:register_msg_pool_usage(105)
> >   Registered MSG_REQ_POOL_USAGE
> > [2007/12/28 12:53:05, 2] lib/dmallocmsg.c:register_dmalloc_msgs(75)
> >   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 0 in cache -> S-1-5-21-3422581952-716862249-2814536807-1002
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 10000 in cache -> S-1-5-32-544
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 10001 in cache -> S-1-5-32-545
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-22-1-0]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-11]
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(250)
> > [2007/12/28 12:53:05, 3] lib/util_seaccess.c:se_access_check(251)
> >   se_access_check: user sid is S-1-22-1-0
> >   se_access_check: also S-1-5-32-544
> >   se_access_check: also S-1-1-0
> >   se_access_check: also S-1-5-2
> >   se_access_check: also S-1-5-11
> > [2007/12/28 12:53:05, 3] libsmb/namequery.c:get_dc_list(1489)
> >   get_dc_list: preferred server list: "192.168.0.240, 192.168.0.240"
> > [2007/12/28 12:53:05, 3] libads/ldap.c:ads_connect(394)
> >   Connected to LDAP server 192.168.0.240
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(213)
> >   ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> > [2007/12/28 12:53:05, 3] libads/sasl.c:ads_sasl_spnego_bind(222)
> >   ads_sasl_spnego_bind: got server principal name = pipdc01$@DOMAIN.LOCAL
> > [2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_krb5_mk_req(593)
> >   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> > [2007/12/28 12:53:05, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(528)
> >   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration Fri, 28 Dec 2007 22:53:05 CST
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:store_gid_sid_cache(1133)
> >   store_gid_sid_cache: gid 10008 in cache -> S-1-5-21-1220945662-682003330-839522115-513
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10000 -> S-1-5-32-544
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10001 -> S-1-5-32-545
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/uid.c:push_conn_ctx(358)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2007/12/28 12:53:05, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-21-3422581952-716862249-2814536807-501]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-21-1220945662-682003330-839522115-513]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-2]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-32-546]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-22-2-10008]
> > [2007/12/28 12:53:05, 3] lib/privileges.c:get_privileges(261)
> >   get_privileges: No privileges assigned to SID [S-1-5-32-545]
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10008 -> S-1-5-21-1220945662-682003330-839522115-513
> > [2007/12/28 12:53:05, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1089)
> >   fetch gid from cache 10001 -> S-1-5-32-545
> > [2007/12/28 12:53:05, 3] printing/printing.c:start_background_queue(1388)
> >   start_background_queue: Starting background LPQ thread
> > [2007/12/28 12:53:05, 2] smbd/server.c:open_sockets_smbd(458)
> >   waiting for a connection
> >
> >
> > The main thing I see in the log from the computer trying to connect is (log
> > is huge...not going to post it all)
> >
> > [2007/12/28 12:56:55, 2] smbd/service.c:make_connection_snum(616)
> >   user 'DOMAIN#redwards' (from session setup) not permitted to access this share (FTP)
> > [2007/12/28 12:56:55, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> >
> > redwards is part of the group "Domain Users"
> > I'm at a HUGE loss right now how to go about this, as I'm still pretty green
> > to this whole type of setup. Any advice would be helpful. If more info is
> > required, please ask and I'll provide it as I would like to resolve this
> > issue.
> >
> > Cheers!
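
The share-level change suggested in the quoted reply can be checked mechanically. The following is an added example, not part of the original thread or of Samba: a small audit that reads smb.conf text and reports group references in name-list parameters that lack the workgroup and winbind separator prefix. The function names and the sample configuration (built from values quoted in the thread) are assumptions made for illustration.

```python
import re
NAME_LISTS = {"valid users", "invalid users", "admin users", "read list", "write list"}

# Constructed sample: [global]/[FTP] values from the thread, [fixed] uses the suggested form.
SAMPLE = """\
[global]
workgroup = PIPFS
winbind separator = #
[FTP]
admin users = @"domain users"
valid users = admin,@"domain users",
[fixed]
valid users = @"PIPFS#Domain Users"
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; section and parameter names are lower-cased."""
    conf, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def split_names(value):
    """Split a name list on commas and spaces, keeping double-quoted names whole."""
    return [m.group(0).replace('"', "") for m in re.finditer(r'(?:[^\s,"]|"[^"]*")+', value)]

def audit(text):
    """Return sorted (section, param, name, suggestion) for unqualified group references."""
    conf = parse_smb_conf(text)
    workgroup = conf.get("global", {}).get("workgroup", "")
    sep = conf.get("global", {}).get("winbind separator", "\\")  # Samba's default separator
    findings = []
    for section, params in conf.items():
        for param in NAME_LISTS & params.keys():
            for name in split_names(params[param]):
                group = name.lstrip("@+&")  # @, + and & mark a group reference
                if group != name and sep not in group:
                    prefix = name[: len(name) - len(group)]
                    findings.append((section, param, name, f'{prefix}"{workgroup}{sep}{group}"'))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Local Unix groups are legitimately unqualified, so each finding is a prompt for review rather than a definite error. Any group placed in `admin users` performs all file operations on the share as root, so qualifying "Domain Users" there extends that to every domain account.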