From: Charles Johnson
I am trying to authenticate samba 3.3 running on Centos 5 to Windows 2003 R2 Active Directory.

95% of my setup is working.

The only thing that doesn't work is expanded groups.
Whenever a group is a member of another group, the permissions in samba/nss/winbind are not communicated
correctly to the Windows client, but they seem to work on the Linux end of things.

Here's my scenario. (All hostnames are internal)

AD Groups and Members
-----------------
testgroup9 members: cjohnson,erodriguez,testuser11,testuser9
testgroup10 members: testgroup9

Getent group responds correctly populating the testgroup9 members into testgroup10

testgroup9:x:111265:cjohnson,erodriguez,testuser11,testuser9
testgroup10:x:111266:cjohnson,erodriguez,testuser11,testuser9

From the shell I can:

su testuser11
cd /storage/CME/test

No problem. But when I try to access the same directory in windows I get these entries in my logs....

/var/log/samba/log.smbd
------------------
[2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

log.winbindd reports no errors, so it seems that the SID/UID mapping is working correctly.
I know this because the minute I give access to this share to testgroup9 the Windows users can immediately access the folder, i.e. setfacl -m g:testgroup9:r-x /storage/CME/test


Testshare on Samba FS
-----------------
getfacl testshare

# file: storage/CME/test
# owner: root
# group: Domain Users
user::rwx
group::rwx
group:testgroup10:r-x
mask::rwx
other::---

I've pored through documentation for weeks, including these articles among others:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598913
http://www.samba.org/samba/history/samba-3.3.0.html
man smb.conf

Here are my final questions.

Has anyone got the "winbind expand groups" option to function properly with Windows clients?
Am I using the proper idmap settings?
Would setting up an LDAP backend with the editposix option help anything?
Is there something I need to do on the Windows server side? (I have installed Unix Extensions but am not sure how to assign UIDs/GIDs.)

It seems that everything is working how it's supposed to 'cept I'm probably missing something very simple. Anyone with any kind of help would be appreciated.

SMB.CONF
---------------
[global]
workgroup = CME
security = ads
passdb backend = tdbsam:/etc/samba/passdb.tdb
idmap backend = rid (have tested with tdb also with no luck)
idmap uid = 110000-119999
idmap gid = 110000-119999
idmap cache time = 3600
idmap negative cache time = 300
winbind cache time = 900
winbind expand groups = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = true
template shell = /bin/bash
template homedir = /home/%D/%U
machine password timeout = 2592000
realm = CME.COM
use kerberos keytab = yes
password server = prod-srv-8.cme.com
nt acl support = yes
map acl inherit = yes
winbind nss info = rcf2307
allow trusted domains = no

[CME]
path = /storage/CME
writeable = yes
inherit acls = yes
inherit permissions = yes
security mask = 0770
force security mode = 0770
directory security mask = 0770
force directory security mode = 0770
force create mode = 0770
map archive = yes
store dos attributes = yes



NSSWITCH.CONF
----------------------
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files wins dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files winbind
rpc: files winbind
services: files
netgroup: files winbind
publickey: nisplus
automount: files
aliases: files nisplus winbind


KRB5.CONF
----------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CME.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
CME.COM = {
kdc = prod-srv-8.cme.com:88
admin_server = prod-srv-8.cme.com:749
default_domain = cme.com
kdc = prod-srv-8.cme.com
}

[domain_realm]
.cme.com = CME.COM
cme.com = CME.COM

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}


Joined Domain
----------------------
net ads testjoin
Join is OK


Time
---------------------
NTP is setup on both Windows and Linux and time is always in sync.


Samba Server's nameserver is the AD PDC.

Authconfig --test output
------------------------------------------
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is enabled
SMB workgroup = "CME"
SMB servers = "prod-srv-8.cme.com"
SMB security = "ads"
SMB realm = "CME.COM"
Winbind template shell = "/bin/bash"
SMB idmap uid = "110000-119999"
SMB idmap gid = "110000-119999"
nss_wins is enabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is md5
pam_krb5 is enabled
krb5 realm = "CME.COM"
krb5 realm via dns is enabled
krb5 kdc = "prod-srv-8.cme.com:88,prod-srv-8.cme.com"
krb5 kdc via dns is enabled
krb5 admin server = "prod-srv-8.cme.com:749"
pam_ldap is disabled

LDAP+TLS is disabled
LDAP server = "ldap://127.0.0.1/"
LDAP base DN = "dc=example,dc=com"
pam_pkcs11 is disabled

use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_smb_auth is enabled
SMB workgroup = "CME"
SMB servers = "prod-srv-8.cme.com"
pam_winbind is enabled
SMB workgroup = "CME"
SMB servers = "prod-srv-8.cme.com"
SMB security = "ads"
SMB realm = "CME.COM"
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
Charles Johnson
Information Technology
Custom Manufacturing & Engineering
2904 44th Ave. N
St. Petersburg, FL 33714
P: 727-548-0522 ext 1759
F: 727-541-8822
www.custom-mfg-eng.com
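The post compares two access checks against the same directory: the Linux one (su to testuser11, cd into the share, with getent showing testgroup9's members flattened into testgroup10) and the Windows one through smbd. The following is an added example, not code from the original post or from Samba; it replays the Linux-side check by parsing the getent and getfacl output quoted above and applying the POSIX ACL evaluation rules from acl(5) (owner, then named user, then owning group and named groups under the mask, then other). It also evaluates the same ACL against a constructed variant of the group table in which testgroup10's nested membership has not been flattened, to show how much of testuser11's access depends on that expansion. Group-class matching is approximated from the member column that getent prints; membership through a user's primary GID is not modelled, which is an assumption of this example.

```python
"""POSIX ACL access evaluation from `getent group` and `getfacl` text.

Added illustration (not part of the original mailing-list post). Sample inputs
below are copied from the post; everything else is constructed for the example.
"""
from dataclasses import dataclass

# Copied from the post: nested membership already flattened by winbind/nss.
GETENT_GROUP = """\
testgroup9:x:111265:cjohnson,erodriguez,testuser11,testuser9
testgroup10:x:111266:cjohnson,erodriguez,testuser11,testuser9
"""

# Copied from the post: ACL on the share directory.
GETFACL_OUTPUT = """\
# file: storage/CME/test
# owner: root
# group: Domain Users
user::rwx
group::rwx
group:testgroup10:r-x
mask::rwx
other::---
"""


def parse_getent_group(text):
    """Map group name -> set of member logins (the member column only; primary
    GID membership is not visible here, an assumption of this example)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def perms(s):
    """Turn 'r-x' style text into a set of permission letters."""
    return frozenset(c for c in s if c in "rwx")


@dataclass
class Acl:
    owner: str
    group: str
    entries: list  # (tag, qualifier, permission set)


def parse_getfacl(text):
    """Parse getfacl output, keeping the owner/group header and every ACL entry."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#") or not line.strip():
            continue
        else:
            tag, qualifier, p = line.split(":", 2)
            entries.append((tag, qualifier, perms(p)))
    return Acl(owner, group, entries)


def acl_permits(acl, groups, user, requested):
    """True if `user` gets every permission in `requested`, following acl(5):
    owner -> named user -> owning group / named groups (mask applies) -> other."""
    want = perms(requested)
    entry = {(t, q): p for t, q, p in acl.entries}
    mask = entry.get(("mask", ""), perms("rwx"))
    if user == acl.owner:
        return want <= entry[("user", "")]
    if ("user", user) in entry:
        return want <= (entry[("user", user)] & mask)
    # Group class: granted if any matching group entry, after masking, suffices;
    # a user who matches some group entry but is not granted enough is denied
    # without falling through to other::.
    matched = False
    for (t, q), p in entry.items():
        if t != "group":
            continue
        name = acl.group if q == "" else q
        if user in groups.get(name, set()):
            matched = True
            if want <= (p & mask):
                return True
    if matched:
        return False
    return want <= entry[("other", "")]


def compare_expansion(user="testuser11", requested="r-x"):
    """Evaluate the share ACL with the flattened group table from the post and
    with a constructed variant where testgroup10 still lists no direct users."""
    acl = parse_getfacl(GETFACL_OUTPUT)
    expanded = parse_getent_group(GETENT_GROUP)
    unexpanded = dict(expanded)
    unexpanded["testgroup10"] = set()  # nested member testgroup9 not flattened
    return (acl_permits(acl, expanded, user, requested),
            acl_permits(acl, unexpanded, user, requested))


if __name__ == "__main__":
    print("access with / without nested-group expansion:", compare_expansion())
```

With the flattened table the check grants testuser11 r-x through group:testgroup10, exactly as the su/cd test in the post succeeds; with the unflattened table the same user matches no group entry and falls to other::---, which is the outcome the Windows client is seeing. Since the post shows smbd failing at ticket verification (NT_STATUS_LOGON_FAILURE) before any ACL is consulted, this comparison only isolates the group-expansion dependency on the Linux side; it does not explain the Kerberos error itself.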

