Prev: Windows 2008 R2 / one way trust / Samba
Next: [Samba] Join domain broken after update
From: Alex McKenzie on 6 May 2010 17:30
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

While I've seen this referred to a lot of places, I haven't yet found
a posted solution that works for me. Testing has been done from a Mac
running OSX 10.5.8 Here's what I have so far: if anyone can give me a
next step to test, I'd appreciate it. If anyone can give me a complete
solution, I'd appreciate it even more. 8-)

1) An LDAP server "mv", running Ubuntu 8.04 LTS. Samba is not installed.

2) A group file server "sl1", running Ubuntu 8.04 LTS. LDAP is not
installed.

3) Users can successfully authenticate to sl1 against LDAP when
connecting via SSH. If their user directory exists (they have logged in
via ssh) they can connect to their home directory through samba by
connecting to smb://sl1.biochem.lgrt.nsm (a non-routable internal
network), so I know samba is successfully connecting to the LDAP server.
Traffic between the file server and the LDAP server is encrypted, as
confirmed with tcpdump.

4) When attempting to access a group share, the connection is refused,
and the following shows up in the samba logs: the share has users
amckenzie and suzanne.

[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
User spalmer with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21004 in passdb
[2010/05/06 15:51:24, 0] passdb/passdb.c:lookup_global_sam_name(596)
User amckenzie with invalid SID
S-1-5-21-4167008922-1292391803-4044586981-21006 in passdb

5) All connections, successful or not, cause the following messages in
the samba logs on sl1:

[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_administrators(792)
create_builtin_administrators: Failed to create Administrators
[2010/05/06 16:31:33, 0] auth/auth_util.c:create_builtin_users(758)
create_builtin_users: Failed to create Users
[2010/05/06 16:31:33, 0] param/loadparm.c:widelinks_warning(5718)
Share 'IPC$' has wide links and unix extensions enabled. These
parameters are incompatible. Wide links will be disabled for this share.

6) On sl1, net getdomainsid returns the following:

SID for domain SL1 is: S-1-5-21-1557386430-3227286864-500253393
SID for domain CHEMBMB is: S-1-5-21-4167008922-1292391803-4044586981

7) Users have both user and group SIDs in the form
"S-1-5-21-4167008922-1292391803-4044586981-[unique number]", which is
generated according to the rules the smbldap tools use.

8) testparm on sl1 returns the following:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[itadmins]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
workgroup = CHEMBMB
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldaps://multivac.chem.umass.edu
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 255
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
ldap admin dn = cn=admin,dc=cns
ldap group suffix = ou=Chemistry groups
ldap suffix = ou=Chemistry,dc=cns
ldap ssl = no
ldap user suffix = ou=Chemistry users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root

[homes]
comment = Home Directories
read only = No
browseable = No

[itadmins]
comment = Shared directory for the IT group
path = /home/itadmins
valid users = spalmer, amckenzie
read only = No
create mask = 0665
directory mask = 0775



Any advice would be appreciated -- I'm well beyond my understanding of
samba at the moment, and my understanding of samba is well beyond what
it was 48 hours ago. At the moment neither server is mission critical,
so tests that take them temporarily off-line are possible. By early
next week things will be authenticating against the LDAP server (we've
got no choice -- the old LDAP server is failing fast), so I won't be
able to take it down for testing.

Thanks in advance,
Alex McKenzie
alex(a)chem.umass.edu


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkvjKDIACgkQWFYfIucpZ2OKUQCeLuwQhp1dybJfktYHh3GX375o
eGEAnip1TnApBIi/HqZar0zInN9DrmEO
=hq2A
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
 | 
Pages: 1
Prev: Windows 2008 R2 / one way trust / Samba
Next: [Samba] Join domain broken after update