My Samba server is a domain member to a Win2k ADS domain.  I have a domain
group where some members of the group can access a particular share, while
others cannot.  If the user tries to log in from a different system, the
problem still exists.  Additionally, the user can log into other shares. I
have verified this with two different groups.  It seems like the system
cannot identify the username in the group.  All other tests with getent
and wbinfo appear as expected and the server tends to run fine for most
users on most shares.

OS = RedHat Ent Server 3 update 3
Samba = 3.0.9-1.3E.5
Kerberos = 1.2.7-47

Relevant smb.conf
[global]
        workgroup = WARGROUP
        realm = GT.WARMAN.COM.AU
        server string = sydtch1 file server
        security = ADS
        log level = 5
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        ldap ssl = no
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /fshare/users/%U
        winbind cache time = 120
        cups options = raw
[matproj]
        path = /fshare/depdata/materialprojects
        valid users = @WARGROUP\matproj
        read only = No
        create mask = 0660
        directory mask = 0775

The WARGROUP\matproj group has four users, one of which is Administrator
and cannot connect to the matproj share while the other users can.  The
following error appears when debugging.  I have more extensive logs, if
requested.  The permissions on the matproj directory are 2775 with the
WARGROUP\matproj group having group ownership.
        [2006/07/09 16:54:08, 2] smbd/service.c:make_connection_snum(314)
          user 'WARGROUP\administrator' (from session setup) not permitted to access this share (matproj)
        [2006/07/09 16:54:08, 3] smbd/error.c:error_packet(129)
          error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

My krb5.conf file is as follows.
        [logging]
         default = FILE:/var/log/krb5libs.log
         kdc = FILE:/var/log/krb5kdc.log
         admin_server = FILE:/var/log/kadmind.log
        [libdefaults]
         ticket_lifetime = 24000
         default_realm = GT.WARMAN.COM.AU
         dns_lookup_realm = false
         dns_lookup_kdc = false
         default_tgs_enctypes = des-cbc-crc des-cbc-md5
         default_tkt_enctypes = des-cbc-crc des-cbc-md5
        [realms]
         GT.WARMAN.COM.AU = {
          kdc = wgtnts1.gt.warman.com.au:88
          admin_server = wgtnts1.gt.warman.com.au:749
          default_domain = gt.warman.com.au
         }
        [domain_realm]
         .gt.warman.com.au = GT.WARMAN.COM.AU
         gt.warman.com.au = GT.WARMAN.COM.AU
        [kdc]
         profile = /var/kerberos/krb5kdc/kdc.conf
        [appdefaults]
         pam = {
           debug = false
           ticket_lifetime = 36000
           renew_lifetime = 36000
           forwardable = true
           krb4_convert = false
         }

My nsswitch.conf file.
        passwd:     files winbind
        shadow:     files
        group:      files winbind
        hosts:      files dns winbind
        bootparams: files
        ethers:     files
        netmasks:   files
        networks:   files dns
        protocols:  files
        rpc:        files
        services:   files
        netgroup:   files
        publickey:  files
        automount:  files
        aliases:    files

I'm not sure if it's related, but I'm also seeing a lot of the following
errors in my winbindd.log file.
        [2006/07/09 17:01:24, 3] lib/charcnv.c:convert_string_allocate(576)
          convert_string_allocate: Conversion error: Illegal multibyte sequence(å      µ )
        [2006/07/09 17:01:24, 3] lib/charcnv.c:convert_string_allocate(567)
          convert_string_allocate: Conversion error: Incomplete multibyte sequence(µ )

Thanks for any assistance.
Todd Jones
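
Added example, not part of the original post and not Samba's own code: a small Python parser for smbd/winbindd debug logs in the format quoted above, which rejoins mail-wrapped lines and counts the share refusals logged by make_connection_snum per user and share. The names records, share_denials and SAMPLE are hypothetical, and the sample input is built from the excerpts in the post.

```python
import re
from collections import Counter
# Record header: "[date time, level] file.c:function(line)"; the message follows it.
HEADER = re.compile(r"^\s*\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+?:(\w+)\(\d+\)\s*(.*)$")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share \((.+?)\)")

def _finish(ts, level, parts):
    text = " ".join(p for p in parts if p)
    m = LOCATION.match(text)
    return (ts, level, m.group(1), m.group(2)) if m else (ts, level, "", text)

def records(lines):
    """Yield (timestamp, level, function, message), rejoining wrapped lines."""
    current = None
    for raw in lines:
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield _finish(*current)
            current = (m.group(1), int(m.group(2)), [m.group(3)])
        elif current and line:
            current[2].append(line)
    if current:
        yield _finish(*current)

def share_denials(lines):
    """Count share refusals per (user, share); the user name is lower-cased."""
    counts = Counter()
    for _ts, _level, func, msg in records(lines):
        m = DENIED.search(msg)
        if func == "make_connection_snum" and m:
            counts[(m.group(1).lower(), m.group(2))] += 1
    return counts

# Sample: excerpts from the post in mail-wrapped form (undecodable bytes left out).
SAMPLE = r"""
        [2006/07/09 16:54:08, 2] smbd/service.c:make_connection_snum(314)
          user 'WARGROUP\administrator' (from session setup) not permitted
to access this share (matproj)
        [2006/07/09 16:54:08, 3] smbd/error.c:error_packet(129)
          error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
        [2006/07/09 17:01:24, 3]
lib/charcnv.c:convert_string_allocate(567)
          convert_string_allocate: Conversion error: Incomplete multibyte
sequence
""".splitlines()
print(dict(share_denials(SAMPLE)))
```

Run over a real per-machine log, pass the open file object to share_denials() in place of SAMPLE.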
