Hello, I have spent the last week and a bit searching Google and reading documentation trying to get this figured out. At this point, I have read the same things so many times that I am not even sure I would notice the answer any more... time to ask for some help. Having gone through what seems like hundreds of posts, I have begun to see where the problem gets lost in the information provided when posts are really large. To this end, I will try to keep this as short as possible by not posting all my configs and logs (though I can certainly make all of that available). It takes considerable time to go through everything and I don't expect anyone to do that, so I am not looking for someone to review every config file and log entry, but I am hoping someone can say what they have done to troubleshoot similar situations.
The situation: I have a network of ~50 XP machines all authenticating to a Samba PDC. This has been working without flaw for the last two years. There are three shares: a public one that all users have access to, individual shares for each user that can only be accessed by that user, and a departmental share that contains folders that are governed by group ownerships. The PDC runs Debian and has Samba 3.5.6 installed, and the XP workstations all seem to be working as expected. I am not using LDAP.

The goal: More computers are required, so we have been going through the retired computers and pulling out a number of them that are suitable for running Ubuntu. We need these Ubuntu machines to authenticate against the PDC, and the shares should be mounted automatically on login.

The added challenge: Since the office where the LAN exists is closed over the holiday break and there are no existing Ubuntu workstations on that LAN, I am forced to get the test Ubuntu workstation to work over a VPN. This is soon a requirement anyway, but for the time being, I cannot remove the VPN from the mix. I do have SSH access to the Samba PDC, and can VNC to Windows workstations inside the network. Given that the vast majority of everything seems to be working, I am doubtful the VPN is the problem; however, it must be mentioned in the name of giving a complete picture...

The path I have followed: Documentation has me understanding that in order to authenticate across different subnets or as a DMS or DMC, winbind is the answer. I have configured winbind as per the online Samba 3 documentation. There are also a prolific number of tutorials on the web that I have consulted, though most of them seem to be geared towards having an MS ADS instead of a Samba PDC. On the PDC, I have modified the nsswitch.conf file to have passwd and group use "compat winbind" (tried "files winbind" too, same effect). I have also configured the hosts entry in there to use wins.
On the Ubuntu workstation, I have done the same with the nsswitch.conf file, and I have modified the pam.d/common-auth and pam.d/common-account files to use winbind. I have installed pam_mount for the auto-mounting part and modified the pam.d files accordingly.

What works and what doesn't: On the Ubuntu workstation, I can log into gdm using my domain credentials. pam_mount successfully mounts the shares as expected. However, when I try to access the folders in the departmental share that are governed by group permissions, I am denied access. At this point, I do not log out of gdm on the workstation reliably either, but that is not the problem I am working on at the moment. On the workstation and PDC, it seems I can successfully use all wbinfo commands except -g (i.e., wbinfo -t, -a, -G, -Y, -S, -s, -n, etc. all work as expected).

My troubleshooting so far: On the Ubuntu workstation, I can issue wbinfo -u and I get expected results like DOM\user.name, and I get as many as I expect to get. However, wbinfo -g returns nothing: no error and no groups. getent passwd returns the contents of the local password folder and the list of DOM\user.names as expected. getent group returns only the contents of /etc/group.
When I su to my domain user, it tells me it cannot get the names of my groups, yet I can use wbinfo to retrieve this information:

    r...@test1:~# su - DOM\\bob.miller
    reenter password for pam_mount:
    groups: cannot find name for group ID 15004
    groups: cannot find name for group ID 15005
    groups: cannot find name for group ID 15006
    dom\bob.mil...@test1:~$ i=$(wbinfo -G 15004); wbinfo -s $i
    DOM\accpac 4
    dom\bob.mil...@test1:~$ i=$(wbinfo -G 15005); wbinfo -s $i
    DOM\public 4
    dom\bob.mil...@test1:~$ i=$(wbinfo -G 15006); wbinfo -s $i
    DOM\it 4

Permissions on the workstation are like so:

    dom\bob.mil...@test1:~/Departments$ ls -al
    d---rws--- 14 DOM\bob.miller DOM\none    0 2010-12-29 13:22 Finance
    d---rws---  9 DOM\bob.miller DOM\none    0 2010-12-14 15:24 IT

and permissions on the server are like so:

    d---rws--- 14 root accpac 4096 2010-12-29 13:22 Finance
    d---rws---  9 root it     4096 2010-12-14 15:24 IT

On the PDC, wbinfo -u returns only the contents of the passwd file, and wbinfo -g returns nothing, as on the workstation. I am not sure if this is entirely unexpected; I have read a number of posts that seem to allude to the idea that winbind does not work the same on a PDC as it does on a member server or member client. getent passwd and getent group on the PDC both return only local content from their respective files. I have tried modifying the pam.d files on the PDC as well to force winbind to work, but it has had no effect. Logging on the PDC also reveals some other clues; however, my ability to interpret them is lacking, and plugging them into Google isn't revealing a lot of direction.
For example, I see this frequently:

    process_request: Handling async request 12356:SID_TO_GID
    sid to gid S-1-5-2
    Cache entry with key = IDMAP/SID2GID/S-1-5-2 couldn't be found
    find_lookup_domain_from_sid(S-1-5-2)
    calling find_domain_from_sid
    Could not find domain for sid S-1-5-2
    Could not convert sid S-1-5-2: NT_STATUS_NONE_MAPPED

However, I cannot make sense of where it is getting that SID from, or what it is supposed to be mapping to. As far as I know, that is not a legal SID. net groupmap list also shows a list of all groups with their SIDs; of course, that one does not show up. I also see things like:

    wcache_fetch_seqnum: DOM not found
    could not fetch seqnum for domain DOM
    wcache_fetch_seqnum: BUILTIN not found
    could not fetch seqnum for domain BUILTIN

When I increase winbind logging to 10 and try to trace all that happens, on both workstation and PDC, it seems that winbind makes a query, gets a null response and passes it on. This essentially results in winbind not throwing any errors to fix. It makes a query, gets an answer, and gives it to the client, everything working normally.

Conclusion: Given that the PDC seems to be having questionable behaviour of its own, I am not sure if I am dealing with a problem on the PDC, on the workstation, or if for some reason some packets aren't being passed across the VPN. Obviously there is something wrong with the groups situation; however, it seems that everything I try to work out where they are broken results in something that works. I would really, really appreciate it if someone could just put down some thoughts about this. I have the distinct feeling the answer is in my fingers already, but I just don't see it...

Thank you for any thoughts you can share...

Bob Miller
334-7117/660-5315
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server, and Open Source Solutions
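As an added diagnostic (not part of the original post), the script below separates the two lookup paths the post is juggling: NSS (getent group, which is what `groups`, `su` and `ls -l` use) versus winbind queried directly (wbinfo -G for GID to SID, then wbinfo -s for SID to name). A GID that winbind can name but NSS cannot is exactly the "cannot find name for group ID" symptom above and points at the NSS hookup (nsswitch.conf, libnss_winbind, idmap range) rather than at domain authentication. It assumes GNU stat as shipped on Debian/Ubuntu; DOM, the GIDs and the share path are placeholders taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba.
# Compares NSS group resolution against winbind's own resolution
# for numeric GIDs, to locate where group names stop resolving.

# Resolve a GID through winbind only. Prints "DOM\name" or nothing.
winbind_gid_name() {
    sid=$(wbinfo -G "$1" 2>/dev/null) || return 1
    # wbinfo -s prints "DOM\name TYPE"; keep only the name.
    wbinfo -s "$sid" 2>/dev/null | awk '{print $1}'
}

# Resolve a GID through NSS only (same path as groups/ls/su).
nss_gid_name() {
    getent group "$1" 2>/dev/null | cut -d: -f1
}

# Classify one GID. Output is one of:
#   OK      <gid> <name>         NSS resolves it (winbind may or may not)
#   NSS_GAP <gid> <winbind name> winbind knows it, NSS does not (the post's symptom)
#   UNKNOWN <gid>                neither path can name it
check_gid() {
    gid=$1
    nss=$(nss_gid_name "$gid" || true)
    wb=$(winbind_gid_name "$gid" || true)
    if [ -n "$nss" ]; then
        printf 'OK %s %s\n' "$gid" "$nss"
    elif [ -n "$wb" ]; then
        printf 'NSS_GAP %s %s\n' "$gid" "$wb"
    else
        printf 'UNKNOWN %s\n' "$gid"
    fi
}

# Run check_gid over every distinct owning GID directly under a
# directory, e.g. the mounted departmental share (hypothetical path).
check_dir_gids() {
    dir=$1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue
        stat -c %g "$entry"     # GNU stat: numeric group ID
    done | sort -un | while read -r g; do check_gid "$g"; done
}

# Example invocation on the workstation from the post:
#   check_dir_gids ~/Departments
```

Run it on both the workstation and the PDC; a row that is NSS_GAP on one host and OK on the other narrows the problem to that host's NSS configuration.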