Dale,
 
Yes, I think that for some reason, when connecting to the Samba share in this 
case, the credentials being used are those of the *computer* and not those of 
the *user* (admin in this case).
 
I have also noticed that there are directories that have been created in 
/home/DOMAIN on the server that are for the computers as well as the directories 
that have been created for AD (Active Directory) users.
 
When connecting to a Samba share, what controls the set of credentials being 
used to make that connection? The assumption has been that it would be the 
AD credentials of the user logged onto XP, but that does not seem to be the 
case here.
Yet AD users are still able to access their shares even when (apparently) 
connected using the credentials of their computer.
 
Thanks,
Eric Peterson

--- On Wed, 2/10/10, Dale Schroeder <d...@briannassaladdressing.com> wrote:


From: Dale Schroeder <d...@briannassaladdressing.com>
Subject: Re: [Samba] Having problem with "valid users" in Active 
Directory/Samba environment
To: "Eric Peterson" <ericrpeter...@sbcglobal.net>
Date: Wednesday, February 10, 2010, 1:53 PM


Eric,

The log results look like Samba is unfamiliar with the user "admin".
Do "getent passwd" and "getent group" return the expected results?
Does the user "admin" appear in the "getent passwd" listing (with a uid 
in the 10000-20000 range)?
Does the user "admin" appear as a member of "Domain Admins" in the 
"getent group" listing?

If all the above are yes, consider trying the following:
In [homes], change each instance of DOMAIN\admin to @"DOMAIN\Domain 
Admins" to see if other domain admins (such as the default 
"administrator") can access the home shares.

This should give you a place to start troubleshooting.

Dale

On 02/09/2010 10:45 PM, Eric Peterson wrote:
> We have an Ubuntu/Samba setup to serve Windows-XP users using Active Directory 
> credentials.
> The application is a backup service using rsync from their workstations to 
> the server.
> Ubuntu: 9.10, Samba: 3.4.0.
> The backups work fine, and individual users logged onto XP with AD 
> credentials can see the contents of their shares on the server.
> However, we have been unable to configure Samba to allow specified users 
> (domain admins) access to Samba shares, which is needed for administration of 
> the shares.
>
> The "valid user" and "admin user" constructs are not working in our 
> environment.
> When smb.conf is configured with these constructs (see testparm output 
> below), which should allow access, instead we get an error message on the XP 
> side and the following messages in /var/log/samba: (in the example, trying to 
> access the share \\<server>\wirt)
>
> [2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file)
>   process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
> [2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file)
>   process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. Permission denied
> [2010/02/08 21:31:21,  0] param/loadparm.c:8546(process_usershare_file)
>   process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No such file or directory
> [2010/02/08 21:31:21,  0] smbd/service.c:1188(make_connection) 
> __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt
>
> The error in XP says: "Windows cannot find '\\<server>\wirt'. Check the 
> spelling and try again...."
>
> Is there something wrong with the smb.conf settings, or something else that 
> needs to be done to allow domain admins access to user shares?
> Could something with the pam or winbind settings explain this behavior?
>
> One clue is that when we cranked the log level to 3, the log messages 
> indicated that the Samba connection was being made to a UNIX user 
> DOMAIN\lfvr3tk1$ rather than DOMAIN\admin as would be expected. The name of 
> the admin's XP computer is "lfvr3tk1". The logfile is quite large so I did 
> not include it here.
>
> What's going on????
>
> Thanks,
> Eric Peterson
>
>
> ======output from testparm=========
>
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[public]"
> Processing section "[public_rw]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>          workgroup = DOMAIN
>          realm = DOMAIN.COM
>          server string = %h server (Samba, Ubuntu)
>          security = ADS
>          map to guest = Bad User
>          obey pam restrictions = Yes
>          pam password change = Yes
>          passwd program = /usr/bin/passwd %u
>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          unix password sync = Yes
>          syslog = 0
>          log file = /var/log/samba/log.%m
>          max log size = 1000
>          dns proxy = No
>          usershare allow guests = Yes
>          panic action = /usr/share/samba/panic-action %d
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>          template shell = /bin/bash
>
> [homes]
>          comment = Home Directories
>          valid users = DOMAIN\%S, DOMAIN\admin
>          admin users = DOMAIN\admin
>
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          create mask = 0700
>          printable = Yes
>          browseable = No
>          browsable = No
>
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/printers
>
> [public]
>          path = /export/public
>          guest ok = Yes
>
> [public_rw]
>          path = /export/public_rw
>          read only = No
>          guest ok = Yes
>
>    
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
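
The `getent` checks suggested in the reply above can be scripted. The following is an added example, not code from the thread or from the Samba project: the function names and all sample entries are constructed, and the uid range is the `idmap uid` value from the posted testparm output.

```shell
#!/bin/sh
# Added example. All sample lines are constructed, in getent's colon-separated
# format; on the server, pipe in real `getent passwd` / `getent group` output.
SAMPLE_PASSWD='DOMAIN\admin:*:10004:10000:admin:/home/DOMAIN/admin:/bin/bash
DOMAIN\lfvr3tk1$:*:10011:10002:lfvr3tk1$:/home/DOMAIN/lfvr3tk1$:/bin/bash'
SAMPLE_GROUP='DOMAIN\domain admins:x:10001:DOMAIN\administrator,DOMAIN\admin'

# passwd_check NAME LO HI   (passwd lines on stdin)
# Prints one of: ok | machine | out-of-range | missing
# Names go through the environment because `awk -v` would mangle the backslash.
passwd_check() {
    NAME="$1" LO="$2" HI="$3" awk -F: '
        tolower($1) == tolower(ENVIRON["NAME"]) {
            found = 1
            if ($1 ~ /\$$/)
                print "machine"        # trailing $ marks a computer account
            else if ($3 + 0 < ENVIRON["LO"] + 0 || $3 + 0 > ENVIRON["HI"] + 0)
                print "out-of-range"   # uid outside the idmap uid range
            else
                print "ok"
            exit
        }
        END { if (!found) print "missing" }'
}

# group_has_member GROUP USER   (group lines on stdin)
# Returns 0 if USER is listed in field 4 of GROUP, 1 otherwise.
group_has_member() {
    GROUP="$1" MEMBER="$2" awk -F: '
        tolower($1) == tolower(ENVIRON["GROUP"]) {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (tolower(m[i]) == tolower(ENVIRON["MEMBER"])) { hit = 1; exit }
        }
        END { exit(hit ? 0 : 1) }'
}

# Run the checks against the constructed sample data.
for u in 'DOMAIN\admin' 'DOMAIN\lfvr3tk1$'; do
    printf '%s: %s\n' "$u" \
        "$(printf '%s\n' "$SAMPLE_PASSWD" | passwd_check "$u" 10000 20000)"
done
if printf '%s\n' "$SAMPLE_GROUP" | group_has_member 'DOMAIN\Domain Admins' 'DOMAIN\admin'
then echo 'admin is in Domain Admins'
else echo 'admin is NOT in Domain Admins'
fi
```

On the server itself, replace the sample variables with `getent passwd | passwd_check 'DOMAIN\admin' 10000 20000` and `getent group | group_has_member 'DOMAIN\Domain Admins' 'DOMAIN\admin'`.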