Hey folks, I could do with some more help on this, if anybody could point me in the right direction it would be appreciated.

The basic problem is that any attempt to change permissions on a file from a Windows workstation results in an "Access Denied" error. While looking into it, I found that I'm getting a large number of NT_STATUS_LOGON_FAILURE messages in the Samba logs.

I'm running Samba on Solaris 10, using the built-in version of Samba (3.0.25a), and I'm attempting to get Samba running on a Windows 2000 domain with ADS authentication. All the files are stored locally on a ZFS volume. Samba appears to have joined the domain ok, and I think Kerberos authentication is working, but if you can think of anything I should check, no matter how basic, please let me know as I'm very new to this.

I'm now in a position that I can browse the Samba shares from a Windows workstation. I can also view and edit files, and I can view file permissions. I can also use the Windows "Computer Management" tool to view the shares, and even manage share permissions on the Samba box. However, any attempt to change file permissions results in an "Access Denied" error on the Windows XP client.

Checking the logs, it also appears I am still getting a large number of NT_STATUS_LOGON_FAILURE messages. Just reading a file generates 5 of these errors, so I'm wondering if the only reason I can read anything from my Windows clients is because I've been rather liberal with file permissions while testing this.

I've read all the documentation I can find, and all the tests in the Samba how-to guide appear to work. I tested Kerberos by using "smbclient -k \\\\server\share" and can browse my Windows servers fine.

When I connect and read a file, Samba logs this:
================================================
    [2008/02/26 13:26:16, 1] smbd/service.c:(1033)
      rob-055 (192.168.1.55) connect to service samba initially as user ROBINSONS\ross smith (uid=100001, gid=100005) (pid 5413)
    [2008/02/26 13:26:17, 1] smbd/sesssetup.c:(316)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2008/02/26 13:26:17, 1] smbd/sesssetup.c:(316)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
    [2008/02/26 13:26:17, 1] smbd/sesssetup.c:(316)
      Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

Permissions on my test file are currently as follows:
=====================================================
    # ls -v test.txt
    -rwxrwxrwx+  1 ross smith domain users      21 Feb 26 13:18 test.txt
         0:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
             /execute/delete_child/read_attributes/write_attributes/delete
             /read_acl/write_acl/write_owner:allow

My krb5.conf file is:
=====================
    [libdefaults]
        default_realm = ROBINSONS.COM
        dns_lookup_kdc = true

    [realms]
        ROBINSONS.COM = {
            kdc = 192.168.1.10
            admin_server = 192.168.1.10
        }

    [domain_realm]
        .robinsons.com = ROBINSONS.COM
        robinsons.com = ROBINSONS.COM

And smb.conf is:
================
    [global]
        workgroup = ROBINSONS
        bind interfaces only = yes
        interfaces = CLUSTER1/255.255.255.0
        netbios name = CLUSTER1
        security = ADS
        realm = ROBINSONS.COM
        password server = ROB-010.ROBINSONS.COM
        server string = Samba (%v) domain (%h)
        pid directory = /globalfs/samba-config/cluster1/var/locks
        log file = /globalfs/samba-config/cluster1/logs/log.%m
        smb passwd file = /globalfs/samba-config/cluster1/private/smbpasswd
        private dir = /globalfs/samba-config/cluster1/private
        lock dir = /globalfs/samba-config/cluster1/var/locks
        ;don't know what this does, but it solved somebody's problem where netbios name didn't work but IP did
        msdfs root = yes
        winbind cache time = 30
        ;See if this helps us setting ACL's
        nt acl support = yes
        ;May need this for getent passwd to work
        ;winbind separator = +
        ;AD needs encrypted passwords
        encrypt passwords = yes
        allow trusted domains = no
        ;idmap backend = rid:ROBINSONS.COM=100000-200000
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        winbind enum groups = yes
        winbind enum users = yes
        ;winbind use default domain = yes

    # Shares section
    [scmondir]
        comment = Monitor directory for Sun Cluster
        path = /tmp
        browseable = No

    [samba]
        comment = Main share
        path = /globalfs/SAMBAshare
        writeable = yes
        nt acl support = yes

    [sambatest]
        path = /globalfs/SAMBAshare
        public = yes
        only guest = yes
        force directory mode = 777
        delete readonly = yes
        create mode = 777
        wide links = no
        force create mode = 777
        directory mode = 777
        writeable = yes
        write list = @"everyone"

    [sambauser]
        path = /globalfs/SAMBAshare
        read only = no
        browseable = yes
        user = @"root"

    [sambadomainuser]
        path = /globalfs/SAMBAshare
        read only = no
        browseable = yes
        user = @"ROBINSONS+domain users"

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Ross Smith
Sent: 22 February 2008 10:52
To: samba@lists.samba.org
Subject: [Samba] RE: Samba and ADS authentication problems

Bleh, sorry folks. Two days troubleshooting this and I find the problem ten minutes after posting.

Fixed it by synchronising the time with the PDC and rebooting the Solaris box. All my users are listed fine now in "getent passwd", and I can browse to the shares.

... now I just need to work out how on earth I grant file permissions to my Windows users.

_____
From: Ross Smith
Sent: 22 February 2008 09:51
To: 'samba@lists.samba.org'
Subject: Samba and ADS authentication problems

Hey folks,

I'm having trouble with AD integration with the version of Samba included in Solaris build 78 (Samba version 3.0.25a). I think it's almost working, but I get an authentication prompt every time I try to connect to Samba from a Windows client, and no matter what I enter I can't authenticate to see the shares.

The main documentation I've been using is Sun's guide to setting up Samba: http://dlc.sun.com/pdf/819-3063/819-3063.pdf, but I've also been referring to the official How-To.

I'm trying to join Samba to my Windows domain as a member server using ADS. I've read and re-read all the documentation I can find over the last couple of days but I've no idea now where I've gone wrong.

What *is* working is the following:

- Kerberos seems fine. "klist" shows a valid ticket, and "kinit [EMAIL PROTECTED]" authenticates ok.
- The Samba machine account in Active Directory created fine when I used the "net ... ADS JOIN ..." command.
- From Solaris I can list Active Directory users and groups with "wbinfo -u" and "wbinfo -g".
- From Solaris, smbclient works anonymously and can list the shares on both Samba and our Windows servers with "smbclient -N -L computer".

However, any attempt by a Windows client to view shares on the Solaris server returns Access denied, followed by a password prompt, and on Solaris, smbclient returns NT_STATUS_LOGON_FAILURE if I try to authenticate with any username.

I suspect the problem is linked to the fact that "getent passwd" and "getent group" just return the Solaris users and groups, whereas the documentation states that they should include the Active Directory accounts too.

One other thing that might be wrong is that in all the examples I've seen online, "wbinfo -u" returns users in the form DOMAIN\user. However, in our case it simply lists the usernames, no domain is included.

Searching on Google, I've found a few people reporting identical problems, so I'm guessing whatever I've done it's a fairly basic mistake, but I haven't found any solution to this. Can anybody help out?

This is my first time posting, I've attached the smb.conf and krb5.conf files but I'm not sure if they will be visible, please let me know if I need to copy/paste them into a message instead.

thanks,

Ross

-----------------
Ross Smith
Network Manager
Robinson Construction
http://www.robinsons.com