From: Eric Peterson on 10 Feb 2010 00:00

We have a Ubuntu/Samba setup to serve Windows-XP users using Active Directory credentials. The application is a backup service using rsync from their workstations to the server. Ubuntu: 9.10, Samba: 3.4.0.

The backups work fine, and individual users logged onto XP with AD credentials can see the contents of their shares on the server. However, we have been unable to configure Samba to allow specified users (domain admins) access to Samba shares, which is needed for administration of the shares. The "valid user" and "admin user" constructs are not working in our environment.

When smb.conf is configured with these constructs (see testparm output below), which should allow access, instead we get an error message on the XP side and the following messages in /var/log/samba (in the example, trying to access the share \\<server>\wirt):

    [2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file)
      process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
    [2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file)
      process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
    [2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file)
      process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such file or directory
    [2010/02/08 21:31:21, 0] smbd/service.c:1188(make_connection)
      __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt

The error in XP says: "Windows cannot find '\\<server>\wirt'. Check the spelling and try again...."

Is there something wrong with the smb.conf settings, or something else that needs to be done to allow domain admins access to user shares? Could something with the pam or winbind settings explain this behavior?

One clue is that when we cranked the log level to 3, the log messages indicated that the Samba connection was being made to a UNIX user DOMAIN\lfvr3tk1$ rather than DOMAIN\admin as would be expected. The name of the admin's XP computer is "lfvr3tk1". The logfile is quite large so I did not include it here.

What's going on????

Thanks,
Eric Peterson

======output from testparm=========
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[public]"
Processing section "[public_rw]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
	workgroup = DOMAIN
	realm = DOMAIN.COM
	server string = %h server (Samba, Ubuntu)
	security = ADS
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash

[homes]
	comment = Home Directories
	valid users = DOMAIN\%S, DOMAIN\admin
	admin users = DOMAIN\admin

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	browseable = No
	browsable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

[public]
	path = /export/public
	guest ok = Yes

[public_rw]
	path = /export/public_rw
	read only = No
	guest ok = Yes
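
Added example (not part of the original post, and not Samba's own code): a Python sketch of how the [homes] user lists in the testparm dump above expand for a request to \\<server>\wirt, with %S replaced by the service name, and which session accounts they admit. The function names and the simplified matching (exact, case-insensitive names, no group entries) are assumptions; the account names are the ones quoted in the post.

```python
import re

# Constructed sample: the [homes] section from the testparm dump in the post.
SAMPLE_DUMP = r"""
[homes]
	comment = Home Directories
	valid users = DOMAIN\%S, DOMAIN\admin
	admin users = DOMAIN\admin
"""

def parse_dump(text):
    """Parse testparm-style output into {section: {parameter: value}}."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current["".join(key.lower().split())] = value.strip()
    return shares

def expand_list(value, service):
    """Split a user list on commas and substitute %S with the service name."""
    return [u.strip().replace("%S", service) for u in value.split(",") if u.strip()]

def check_access(shares, section, service, session_user):
    """Return (allowed, is_admin) for session_user on one service.

    Simplified model (assumption): case-insensitive exact name match only;
    @group / +group / &group entries are not resolved.
    """
    params = shares.get(section.lower(), {})
    valid = expand_list(params.get("validusers", ""), service)
    admins = expand_list(params.get("adminusers", ""), service)
    name = session_user.lower()
    # An empty "valid users" list means any authenticated user may connect.
    allowed = not valid or name in (u.lower() for u in valid)
    return allowed, allowed and name in (u.lower() for u in admins)

if __name__ == "__main__":
    shares = parse_dump(SAMPLE_DUMP)
    for user in (r"DOMAIN\wirt", r"DOMAIN\admin", r"DOMAIN\lfvr3tk1$"):
        print(user, check_access(shares, "homes", "wirt", user))
```

This models only the user-list check, not the earlier step in which smbd resolves the requested service name.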