Re: [Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)

2009-05-27 Thread Liutauras Adomaitis
On Tue, May 26, 2009 at 8:20 PM, Max León  wrote:
> Hi everyone,
>
> I have an issue with Samba against Active Directory.
> The authentication works just fine but when it comes to shares I've run into
> some problems.
>
> If I use any group mapping from the AD it won't let me access it so I figure
> that is where the problem lies.
> If I comment out "valid users", "force user" and "force group" then I have
> no problems and it goes by the file system restrictions.
> Has anyone ever run into the same problem? Is there a way to fix it?
>
> Thanks in advance.
>

I guess this is a problem with winbind. Is it running? Does it show ADS
users and groups with "wbinfo -u" and "wbinfo -g"?
Are groups @pm and @design from AD?
What do you mean by "The authentication works just fine"?
Once I had an issue where valid users worked with a user, but not with
groups. I didn't solve that, just replaced groups with a list of users.
I was lazy...
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)

2009-05-27 Thread Martin Terber

Hi Max,

I have experienced something similar. First I considered this to be a
bug, but as it seems it was a wrong approach.
As I am relatively new to Samba also, please do not consider this to be
a perfect solution.

It just works ;):

   * In the Samba config and in the local UNIX rights management (chmod),
     give free access to all folders.
   * I transformed all UNIX users to Samba users (including AD
     users+groups).
   * Make sure you have ACL installed.
   * Then modify the access rights for your shares via ACL according
     to your AD groups and users.
   * I configured it with the ACL module in Webmin - it's quite
     comfortable.

You might consider broadening the idmap to fit the imported user IDs
from AD:


   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431

Here is my complete smb.conf:
http://pastebin.com/f69fdd077


Here is one of my threads that I posted in Ubuntuforums. It should make no
difference if you are using Centos:

http://ubuntuforums.org/showthread.php?t=1162457

Martin Terber
Krefelder Wall 5
50670 Köln
0221 29873581
0174 4891653
www.jesuspresley.net 





  





  




Subject:
Re: [Samba] empty authentication string sent so samba-server
From:
Volker Schwicking
Date:
Wed, 27 May 2009 09:32:37 +0200

CC:
samba@lists.samba.org


Come on, somebody's got to have at least an idea :-)

Volker Schwicking wrote:

Hi,

for the last two weeks I've been trying to authenticate against a
samba-domain using a win2k3-server. the server 

[Samba] Problem with Centos 5.3 + Samba 3.0.33 +AD (2k3)

2009-05-26 Thread Max León
Hi everyone,

I have an issue with Samba against Active Directory.
The authentication works just fine but when it comes to shares I've run into
some problems.

If I use any group mapping from the AD it won't let me access it so I figure
that is where the problem lies.
If I comment out "valid users", "force user" and "force group" then I have
no problems and it goes by the file system restrictions.
Has anyone ever run into the same problem? Is there a way to fix it?

Thanks in advance.


Here is my smb.conf:

[global]
netbios name = filer
workgroup = MYCOMPANY
realm = MYCOMPANY.COM
preferred master = no
server string = mycompany Filer
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
password server = *
log level = 1 vfs:2
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins lmshosts bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 33
local master = no
domain master = no
wins server = 192.168.0.10
allow trusted domains = no
idmap backend = rid:MYCOMPANY=1000-11000
idmap uid = 1000-11000
idmap gid = 1000-11000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
winbind separator = |
winbind use default domain = Yes
winbind cache time = 30
use kerberos keytab = Yes
printcap name = /etc/printcap
unix extensions = no

[homes]
comment = Home Directories
valid users = %D|%S
path = %H
read only = no
security mask = 0640
directory security mask = 0750
browsable = no
vfs objects = recycle
recycle: keeptree = yes
recycle: maxsize = 52428800

[Internal]
comment = Internal Projects
path = /filer/internal
read only = yes
create mask = 0664
directory mask = 0775
browsable = yes
vfs object = recycle
recycle: keeptree = yes
recycle: maxsize = 52428800
valid users = @pm, @design
write list = @pm
force group = pm
force user = root
hide dot files = yes
msdfs root = yes


Here is the error from the workstation that is trying to get access to the
server.
The user is part of the Group PM.

Error from log.%m:

[2009/05/26 10:36:55, 1] smbd/service.c:close_cnum(1230)
  traveller (192.168.0.71) closed connection to service Internal
[2009/05/26 10:36:58, 0] auth/auth_util.c:create_builtin_administrators(844)
  create_builtin_administrators: Failed to create Administrators
[2009/05/26 10:36:58, 0] auth/auth_util.c:create_builtin_users(810)
  create_builtin_users: Failed to create Users
[2009/05/26 10:36:58, 1] smbd/service.c:make_connection_snum(1033)
  traveller (192.168.0.71) connect to service Internal initially as user
MYCOMPANY|max.leon (uid=2109, gid=2216) (pid 14369)

id max.leon
uid=2109(max.leon) gid=2216(mycompany)
groups=2216(mycompany),2152(browse),2108(remote),2190(macadmin),2146(developers),2204(flashdev),2140(qa),2141(design),2180(it-tech),1513(domain users),2139(engineering),2177(pm),1512(domain admins)
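
The replies in this thread ask whether the AD groups behind @pm and @design resolve on the server and whether the idmap range fits the imported IDs; both can be checked against the `id max.leon` output and the [Internal] share lines posted above. This is an added example, not code from any poster or from Samba: the names `ID_OUTPUT`, `SHARE`, `IDMAP_RANGE` and `check_share` are hypothetical, and it models only the `@`, `+` and `&` name prefixes documented in smb.conf(5) without querying winbind or NIS.

```python
import re
import shlex

# Constructed sample input, copied from the original post in this thread.
ID_OUTPUT = (
    "uid=2109(max.leon) gid=2216(mycompany) groups=2216(mycompany),2152(browse),"
    "2108(remote),2190(macadmin),2146(developers),2204(flashdev),2140(qa),"
    "2141(design),2180(it-tech),1513(domain users),2139(engineering),2177(pm),"
    "1512(domain admins)"
)
SHARE = {"valid users": "@pm, @design", "write list": "@pm"}  # from [Internal]
IDMAP_RANGE = (1000, 11000)  # idmap uid / idmap gid from the posted [global]


def parse_id(text):
    """Return (user, {group name: gid}) from `id` output; names may contain spaces."""
    user = re.search(r"uid=\d+\(([^)]*)\)", text)
    if user is None or "groups=" not in text:
        raise ValueError("not `id` output")
    pairs = re.findall(r"(\d+)\(([^)]*)\)", text.split("groups=", 1)[1])
    return user.group(1), {name.lower(): int(gid) for gid, name in pairs}


def entry_matches(entry, user, groups):
    """Apply the name prefixes documented for access lists in smb.conf(5)."""
    if entry.startswith(("@", "+")):
        # '@' = NIS netgroup, then UNIX group; '+' = UNIX group only.
        # Netgroups are not modelled, so both reduce to a group lookup here.
        return entry[1:].lower() in groups
    if entry.startswith("&"):
        return False  # NIS netgroup only: cannot be answered from `id` output
    return entry.lower() == user.lower()


def check_share(share, id_output, idmap_range):
    """Report matched access-list entries and groups whose gid is outside the range."""
    user, groups = parse_id(id_output)
    low, high = idmap_range
    outside = sorted(n for n, g in groups.items() if not low <= g <= high)
    report = {"user": user, "groups_outside_idmap_range": outside}
    for option, value in share.items():
        # Lists are comma or whitespace separated; quoted names may contain spaces.
        entries = shlex.split(value.replace(",", " "))
        report[option] = {e: entry_matches(e, user, groups) for e in entries}
    return report


if __name__ == "__main__":
    for key, result in check_share(SHARE, ID_OUTPUT, IDMAP_RANGE).items():
        print(f"{key}: {result}")
```

With the posted values, both `valid users` entries match at the NSS level and every group gid lies inside the configured 1000-11000 range.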