RE: [Samba] Re: domain groups accessing samba share
Hiya Tim,

Thanks for helping.

Can you post your
smb.conf
/etc/pam.d/login
wbinfo -g
wbinfo -u
getent passwd
getent group

Here we go:

# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = MYNETWORK.ISP.CO.UK
    server string = Linux Samba Server
    security = ADS
    password server = bashful
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 100
    smb ports = 445
    announce as = NT Workstation
    name resolve order = host bcast
    wins server = 10.0.0.104
    client signing = Yes
    server signing = Yes
    client use spnego = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    os level = 10
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
#   winbind separator = +
    winbind cache time = 2
#   winbind use default domain = Yes
    comment = Redhat 7.1 Samba
    hosts allow = 127., 10.0.0.

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[Software]
    comment = Software Library
    path = /mnt/largeprimary/software
#   valid users = @MYNETWORK.ISP.CO.UK\Domain Users
#   Admin users = @MYNETWORK.ISP.CO.UK\gavdav

[EMAIL PROTECTED] /root]# more /etc/pam.d/login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so

wbinfo -u

[EMAIL PROTECTED] /root]# wbinfo -u
MYDOMAIN\gavdav
MYDOMAIN\Guest
MYDOMAIN\Administrator
MYDOMAIN\krbtgt
MYDOMAIN\SUPPORT_388945a0
MYDOMAIN\fbloggs
snip

wbinfo -g

[EMAIL PROTECTED] /root]# wbinfo -g
MYDOMAIN\Domain Computers
MYDOMAIN\Cert Publishers
MYDOMAIN\Domain Users
MYDOMAIN\Domain Guests
MYDOMAIN\RAS and IAS Servers
MYDOMAIN\Group Policy Creator Owners
MYDOMAIN\Schema Admins
MYDOMAIN\Enterprise Admins
MYDOMAIN\Domain Admins
MYDOMAIN\Domain Controllers
snip

[EMAIL PROTECTED] /root]# getent passwd
root:x:0:0:root:/root:/bin/bash
snip
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
gavdav:x:500:500:Gavin Davenport:/home/gavdav:/bin/bash
named:x:200:200:Nameserver:/var/named:/bin/false
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin

[EMAIL PROTECTED] /root]# getent group
root:x:0:root
snip
nobody:x:99:
users:x:100:gavdav
snip
xfs:x:43:
gdm:x:42:
gavdav:x:500:
vcsa:x:69:

getent and setent are listing local users and groups.

What do I need to change in /etc/pam.d/login to fix it?
Where should I be looking for help?

Thanks very much

Gavin Davenport

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
FW: [Samba] Re: domain groups accessing samba share
-----Original Message-----
From: VR-Bug Support
Sent: 15 October 2003 13:42
To: 'Gavin Davenport'
Subject: RE: [Samba] Re: domain groups accessing samba share

Hi Gavin,

This is what I have for my /etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so nodelay use_first_pass
auth       sufficient   /lib/security/pam_krb5.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    sufficient   /lib/security/pam_krb5.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so

And when I issue getent group or getent passwd it lists both local and ADS users.

Regards,
Luke

-----Original Message-----
From: Gavin Davenport [mailto:[EMAIL PROTECTED]
Sent: 15 October 2003 09:05
To: [EMAIL PROTECTED]
Cc: Tim Jordan, Network Services
Subject: RE: [Samba] Re: domain groups accessing samba share
RE: [Samba] Re: domain groups accessing samba share
Ok - I replaced my /etc/pam.d/login with the one you've posted.

getent still lists me just local machine users and groups.

Trying to attach to the machine results in this in the host's samba log:

Doing spnego session setup
NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002 5.1]
Got OID 1 2 840 48018 1 2 2
Got OID 1 2 840 113554 1 2 2
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 1235
Ticket name is [EMAIL PROTECTED]
Username gavdav is invalid on this system
error string = No such file or directory
error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
yield_connection: tdb_delete for name failed with error Record does not exist.
Server exit (normal exit)

Still stuck - what should I have in /etc/pam_smb.conf, and /etc/pam.d/system-auth??

smb.conf now:

# Global parameters
[global]
    workgroup = MYDOMAIN
    realm = MYNETWORK.ISP.CO.UK
    server string = Revolver
    security = ADS
    password server = bashful
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 100
    smb ports = 139 445
    announce as = NT Workstation
    name resolve order = host bcast
    client signing = Yes
    server signing = Yes
    client use spnego = Yes
    use spnego = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    os level = 10
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
    winbind separator = +
    winbind cache time = 2
    winbind use default domain = Yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind enum users = yes
    winbind enum groups = yeS
    comment = Redhat 8.0 Samba
    hosts allow = 127., 10.0.0.

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[usr-local]
    path = /usr/local
    read only = Yes
    valid users = @MYNETWORK.ISP.CO.UK\Domain Users
    Admin users = @MYNETWORK.ISP.CO.UK\gavdav
Re: [Samba] Re: domain groups accessing samba share
----- Original Message -----
From: Gavin Davenport [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 12:14 PM
Subject: RE: [Samba] Re: domain groups accessing samba share

> Ok - I replaced my /etc/pam.d/login with the one you've posted.
>
> getent still lists me just local machine users and groups.

Do you have the following in your /etc/nsswitch.conf:

passwd: files winbind
group:  files winbind
shadow: files

Rich
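The check Rich asks about, as an added example that is not part of the original thread: a shell function that reads an nsswitch.conf-format file and reports whether the passwd and group databases list winbind as a source. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does nsswitch.conf send passwd/group lookups to winbind?

# nss_sources FILE DB: print the source list configured for database DB.
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        index($0, ":") {
            key = substr($0, 1, index($0, ":") - 1)
            gsub(/[ \t]/, "", key)
            if (key != db) next
            rest = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", rest)
            print rest
            exit
        }'
}

# nss_has_winbind FILE DB: succeed if winbind is one of DB's sources.
nss_has_winbind() {
    nss_sources "$1" "$2" | tr ' \t' '\n\n' | grep -qx winbind
}

# check_nsswitch FILE: report passwd and group; fail if either lacks winbind.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "$db: winbind present ($(nss_sources "$1" "$db"))"
        else
            echo "$db: winbind MISSING ($(nss_sources "$1" "$db"))"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not taken from the machines in this thread).
before=$(mktemp) && after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
printf '%s\n' '# default' '#passwd: files winbind' 'passwd:     files' \
    'shadow:     files' 'group:      files' > "$before"
printf '%s\n' 'passwd: files winbind' 'group:  files winbind' \
    'shadow: files' > "$after"

check_nsswitch "$before" || echo "=> getent will list local accounts only"
check_nsswitch "$after" && echo "=> NSS will consult winbind for passwd and group"
```

On a real host, run `check_nsswitch /etc/nsswitch.conf`; a commented-out winbind entry, as in the first sample, is reported as missing.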
RE: [Samba] Re: domain groups accessing samba share
Hi there

Make this:
    valid users = @LABOR\domain admins
    write list = @LABOR\domain admins
    write useres = @LABOR\domain admins

What if the domain user doesn't have a local user on the unix machine?

How do I get round that??

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John H Terpstra
Sent: 14 October 2003 02:18
To: Tim Jordan, Network Services
Cc: [EMAIL PROTECTED]
Subject: [Samba] Re: domain groups accessing samba share
Re: [Samba] Re: domain groups accessing samba share
----- Original Message -----
From: Gavin Davenport [EMAIL PROTECTED]
To: John H Terpstra [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:13 AM
Subject: RE: [Samba] Re: domain groups accessing samba share

> Hi there
>
> Make this:
>     valid users = @LABOR\domain admins
>     write list = @LABOR\domain admins
>     write useres = @LABOR\domain admins
>
> What if the domain user doesn't have a local user on the unix machine?
>
> How do I get round that??

That is where winbind comes in. You use winbind to allow your domain users from your NT/2k server to be seen by the samba box as normal unix users.

Rich
[Samba] Re: domain groups accessing samba share
On Mon, 13 Oct 2003, Tim Jordan, Network Services wrote:

> Hey John,
>
> I've been working on this most the day. Just can't seem to nail it down!
> (Yes sir I did read the How To)
>
> Winbind is working fine - I can:
> wbinfo -g
> wbinfo -u
> getent passwd
> getent group
>
> Problem is when I try to use a domain group on a Samba share I get a
> username and password prompt; although, nothing seems to get me in!
>
> Please advise
>
> #Samba 3.0 running under Gentoo1.4
> [global]
>     workgroup = LABOR
>     realm = LABOR.AK
>     server string = Samba3 on ANC-Gentoo1.4
>     security = ADS
>     password server = passwordserver
>     log file = /usr/local/samba/var/log.%m
>     max log size = 50
>     socket options = SO_RCVBUF=8192 SO_SNDBUF=8192
>     os level = 0
>     preferred master = No
>     local master = No
>     domain master = No
>     dns proxy = No
>     wins server = win_server_ip
>     idmap uid = 1-2
>     idmap gid = 1-2
>     template homedir = /home/winnt/%D/%U
>     template shell = /bin/bash
>
> [Linux Software]
>     comment = Open Source Software
>     path = /home/tim/Linux Software
>     valid users = @LABOR\domain admins

Make this:
    valid users = @LABOR\domain admins
    write list = @LABOR\domain admins
    write useres = @LABOR\domain admins

- John T.

>     read only = No

--
John H Terpstra
Email: [EMAIL PROTECTED]