Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-05 Thread Adrian Chow
Hi Igor (and samba team),
I have done the following:-
-I have upgraded the samba versions of both servers to be the same.
-The ldap servers are the same version.
-DomainAPDC and DomainBPDC have winbind in nsswitch
-wbinfo all works.
-getent group and getent passwd shows ldap entries of local domain 
and winbind entries of the remote domain.
-However I still cannot map the home directory of the Domain_B_user when 
I log into Domain_B on Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am 
Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: 
/home.  But before I map it, the home directory is already mapped based 
on the sambahomepath and sambahomedrive in the ldap entries.  I am using 
the net use command to do testing.
If I were to run the same net use x: /home command as a Domain_B_User 
logging into Domain_B on Domain_A_XP_computer, the home directory never 
gets mapped.  Igor has made it work on his server but I am still stuck. 
 (Igor, if you run net use z: /home command as the Domain_B_User 
logging into Domain_B on Domain_A_XP, does it work?)

On my winbind log on Domain_A_PDC, I get the following :-
legend:-
uwcstu is domain_B
grade2 is domain_B_user
1 is gid of DomainB\Domain Users group on Domain_A_PDC.
staff is domain A
-
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1030)
  [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
  [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
  [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
  ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group grade2 in domain STAFF does not exist

Questions:-
1. Why will domain_A_PDC try to getgrnam grade2? How did grade2 end 
up as a group and not a user?

2.  Isn't it supposed to be getgrnam UWCSTU\Domain Users since 
winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?

3.  Any commands for me to test getgroups?
4.  Any ideas how to proceed?
Thanks so much.
adrian
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-05 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor (and samba team),
I have done the following:-
-I have upgraded the samba versions of both servers to be the same.
-The ldap servers are the same version.
-DomainAPDC and DomainBPDC have winbind in nsswitch
-wbinfo all works.
-getent group and getent passwd shows ldap entries of local domain 
and winbind entries of the remote domain.
-However I still cannot map the home directory of the Domain_B_user 
when I log into Domain_B on Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am 
Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: 
/home.  But before I map it, the home directory is already mapped 
based on the sambahomepath and sambahomedrive in the ldap entries.  I 
am using the net use command to do testing.
If I were to run the same net use x: /home command as a 
Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home 
directory never gets mapped.  Igor has made it work on his server but 
I am still stuck.  (Igor, if you run net use z: /home command as the 
Domain_B_User logging into Domain_B on Domain_A_XP, does it work?)

I think there's some miscommunication involved. :)

User's home directory does get mapped during login according to 
sambaHomePath and sambaHomeDrive LDAP entries. I can verify this by 
looking at the net use output. However, when I run net use x: /home 
it gives me an error: The user's home directory could not be 
determined. According to DomainA log during this call the user's home 
share gets created on ServerA (PDC for DomainA) instead of using the one 
specified as sambaHomePath:

[2004/11/05 08:17:44, 3] param/loadparm.c:lp_add_home(2341)
 adding home's share [testA] for user 'DOMAINA\testA' at 
'/home/DOMAINA/testA'

I'm still investigating if this is based solely on XP request (XP side 
problem) or if this is a way Samba responds on a general net use x: 
/home request (Samba side problem).

On my winbind log on Domain_A_PDC, I get the following :-
legend:-
uwcstu is domain_B
grade2 is domain_B_user
1 is gid of DomainB\Domain Users group on Domain_A_PDC.
staff is domain A
-
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] 
nsswitch/winbindd_group.c:winbindd_getgroups(1030)
  [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
  [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
  [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
  ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group grade2 in domain STAFF does not exist


Questions:-
1. Why will domain_A_PDC try to getgrnam grade2? How did grade2 
end up as a group and not a user?

2.  Isn't it supposed to be getgrnam UWCSTU\Domain Users since 
winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?

3.  Any commands for me to test getgroups?
4.  Any ideas how to proceed?

I have a similar problem - the same errors in winbind log. I'm 
investigating this as well. I actually have 2 groups for userA and one 
gets mapped into the user's name with the domain stripped out, another into 
'tty'. I suspect it's a Samba bug. But, again - it does not cause 
problems with automatic map of user home.

The only suggestion I have at the moment is to look into the source...
Igor
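
The symptom discussed in the two messages above (a getgrnam lookup for the user's own name with the domain stripped, which then fails in the local domain) can be picked out of a winbindd log mechanically. The following is an added example, not part of the original thread and not Samba code; the function names are hypothetical and the sample input is constructed from the log lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the winbindd lines posted in this thread, including the
# record whose header was wrapped onto a second line by the mail client.
SAMPLE_LOG = r"""
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3]
nsswitch/winbindd_group.c:winbindd_getgroups(1030)
  [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374)
  [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124)
  [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243)
  [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
  ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298)
  group grade2 in domain STAFF does not exist
"""

# "[date time, level] file.c:function(line)"; the source part may be missing
# when the header was wrapped.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]"
    r"\s*(?P<src>\S+)?\s*$")
SOURCE = re.compile(r"^(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)$")
# "[pid]: operation argument", as logged for each winbindd client request.
REQUEST = re.compile(r"^\[\s*(?P<pid>\d+)\]:\s+(?P<op>\w+)\s+(?P<arg>.+)$")
MISSING = re.compile(r"^group (?P<group>.+) in domain (?P<domain>\S+) does not exist$")


def _func(src):
    m = SOURCE.match(src)
    return m["func"] if m else src


def parse_records(text):
    """Split a Samba debug log into records: ts, level, func, msg."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": _func(m["src"]) if m["src"] else None,
                       "msg": []}
            records.append(current)
            continue
        if current is None or not line.strip():
            continue
        if current["func"] is None and SOURCE.match(line.strip()):
            current["func"] = _func(line.strip())  # second half of a wrapped header
        else:
            current["msg"].append(line.strip())
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records


def find_domain_stripped_group_lookups(records):
    """Flag getgrnam requests whose unqualified name equals the user part of
    a DOMAIN\\user that the same winbindd client looked up earlier."""
    users_by_pid = defaultdict(set)
    findings = []
    for rec in records:
        req = REQUEST.match(rec["msg"])
        if req:
            pid, op, arg = req["pid"], req["op"], req["arg"].strip()
            if op in ("getpwnam", "getgroups") and "\\" in arg:
                domain, user = arg.split("\\", 1)
                users_by_pid[pid].add((domain.upper(), user))
            elif op == "getgrnam" and "\\" not in arg:
                for domain, user in sorted(users_by_pid[pid]):
                    if user.lower() == arg.lower():
                        findings.append({"ts": rec["ts"], "pid": pid,
                                         "group": arg,
                                         "user": f"{domain}\\{user}",
                                         "searched_domain": None})
            continue
        # The failure line carries no pid; attach it to the latest finding.
        miss = MISSING.match(rec["msg"])
        if miss and findings and findings[-1]["group"] == miss["group"]:
            findings[-1]["searched_domain"] = miss["domain"]
    return findings


if __name__ == "__main__":
    for f in find_domain_stripped_group_lookups(parse_records(SAMPLE_LOG)):
        print(f"{f['ts']} pid {f['pid']}: getgrnam '{f['group']}' matches user "
              f"{f['user']}; searched in domain {f['searched_domain']}")
```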


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-05 Thread Adrian Chow
Hi Igor,

Thanks so much for troubleshooting all this while. We found out that none of our 
configuration is the problem, but the source code is.  Hope that the samba team will 
modify it to working code so that I can deploy it.

Actually my deadline to deploy is coming soon and I do not know what to do now.  
When do you think the code will be modified and released?

Thanks so much for your help.

adrian

-- Original Message --
From: Igor Belyi [EMAIL PROTECTED]
Date:  Fri, 05 Nov 2004 12:03:46 -0500



Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Adrian Chow
Hi Igor,
Regarding the home mapping problem:- I changed my log to level 3.  And I 
got the following log which I think is weird.  (maybe the reason why it 
cannot map).  The problem is :- Logging user_A with domain_A at 
Domain_A_computer gets home directory mapped but Logging user_B with 
domain_B at Domain_A_computers does not get home directory mapped.

This is the log from domain_A_pdc.  The XP computer joins domain_A.  I 
am logging in as user_B from domain_B where domain_B_pdc has mutual 
trust with domain_A_pdc.
The log file is /var/log/samba/xp_computer_name from domain_A_pdc.  It 
is when I run net use x: /home or logon to the domain.


[2004/11/04 17:20:05, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [grade2] - [grade2] - 
[UWCSTU\grade2] succeeded
[2004/11/04 17:20:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2004/11/04 17:20:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60088215
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(222)
  User name: UWCSTU\grade2  Real name: Grade 2 User
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(241)
  UNIX uid 10002 is UNIX user UWCSTU\grade2, and will be vuid 109
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(270)
  Adding homes service for user 'UWCSTU\grade2' using home directory: 
'/home/UWCSTU/grade2'
[2004/11/04 17:20:05, 3] param/loadparm.c:lp_add_home(2341)
  adding home's share [grade2] for user 'UWCSTU\grade2' at 
'/home/UWCSTU/grade2'
--

Why is it adding homes services?  domain_A_pdc should get domain_b_user 
info from domain_b_pdc (which it uses ldap to get the sambaHomeDrive and 
sambaHomePath).  It is like when winbind successfully maps the user, it 
does not know the homepath or the homedrive.

This is the result when I add winbind into nsswitch.conf.  But if I 
don't (like your case)... I cannot even login as user_b for domain_b at 
the xp computer.  It is because the user_b is not even found in the 
local database file.  With winbind in nsswitch.conf, getent passwd and 
getent group will return the user and group in the trusted domain.  And 
the shares will have problem with valid users = @Domain_B\Domain 
Users.  Igor, I really wonder how your scenario works...

Questions:-
1.  Does your getent passwd and getent group show the trusted domain 
accounts?
2.  Does your smb.conf for shares work if you want certain groups in the 
trusted domain to access it?  Can you give an example of how to do it? 
(e.g valid users = ... )
3.  I have the proper sambaHomePath and sambaHomeDrive as yours.  Is 
there any winbind settings you have in the smb.conf that cause it to work?
4.  Do you specify the auth methods in the smb.conf?
5.  You have winbind running?
6.  Do you have pam_winbind in your pam.d directory files (e.g login, 
ssh...)?

That's all the questions I can think of now.
Thanks for helping.
adrian


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Adrian Chow
Hi Igor,
Got some logs from the Domain_A_PDC on the domain_A_XP when domain_B 
user (grade2) logs into domain_B on domain_A_XP.


[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
  rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU
[2004/11/05 11:18:45, 3] libsmb/cliconnect.c:cli_start_connection(1376)
  Connecting to host=GLOIN
[2004/11/05 11:18:45, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 172.16.7.227 at port 445
[2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114)
  User grade2 does not exist, trying to add it
[2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122)
  make_server_info_info3: pdb_init_sam failed!
[2004/11/05 11:18:46, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:46, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

Cannot understand why going to GLOIN (Domain_B_PDC) will not get grade2 
(domain_B_user) user and trying to add it!!??

Any ideas?  Thanks.
adrian

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Regarding the home mapping problem:- I changed my log to level 3.  And 
I got the following log which I think is weird.  (maybe the reason why 
it cannot map).  The problem is :- Logging user_A with domain_A at 
Domain_A_computer gets home directory mapped but Logging user_B with 
domain_B at Domain_A_computers does not get home directory mapped.

This is the log from domain_A_pdc.  The XP computer joins domain_A.  I 
am logging in as user_B from domain_B where domain_B_pdc has mutual 
trust with domain_A_pdc.
The log file is /var/log/samba/xp_computer_name from domain_A_pdc.  It 
is when I run net use x: /home or logon to the domain.


[2004/11/04 17:20:05, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [grade2] - [grade2] 
- [UWCSTU\grade2] succeeded
[2004/11/04 17:20:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2004/11/04 17:20:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60088215
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(222)
  User name: UWCSTU\grade2  Real name: Grade 2 User
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(241)
  UNIX uid 10002 is UNIX user UWCSTU\grade2, and will be vuid 109
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(270)
  Adding homes service for user 'UWCSTU\grade2' using home directory: 
'/home/UWCSTU/grade2'
[2004/11/04 17:20:05, 3] param/loadparm.c:lp_add_home(2341)
  adding home's share [grade2] for user 'UWCSTU\grade2' at 
'/home/UWCSTU/grade2'
--

Why is it adding homes services?  domain_A_pdc should get 
domain_b_user info from domain_b_pdc (which it uses ldap to get the 
sambaHomeDrive and sambaHomePath).  It is like when winbind 
successfully maps the user, it does not know the homepath or the 
homedrive.

As far as I understand - that's how Samba works with builtin shares - 
[homes] and [printers] - it creates the right shares on the fly. Funny 
thing - I have userA's home share getting created in both Domains, but 
since in DomainB this path does not exist - nobody has access to this 
share. But H: is correctly mapped to the share specified as 
sambaHomePath. What I mean - these lines do not indicate an error - I 
have the same lines but mapping works.

This is the result when I add winbind into nsswitch.conf.  But if I 
don't (like your case)... I cannot even login as user_b for domain_b 
at the xp computer.  It is because the user_b is not even found in the 
local database file.  With winbind in nsswitch.conf, getent passwd and 
getent group will return the user and group in the trusted domain.  
And the shares will have problem with valid users = @Domain_B\Domain 
Users.  Igor, I really wonder how your scenario works...

Questions:-
1.  Does your getent passwd and getent group show the trusted 
domain accounts?

I don't know how I made it work previously without winbind in 
nsswitch.conf but after cleaning everything and starting from scratch 
I realized that I do need it there for accounts from trusted domains. In 
both my domains I have:
% grep winbind /etc/nsswitch.conf
passwd: ldap winbind files
group:  ldap winbind files

Yes, both getent passwd and getent group show me accounts and 
groups from the trusted domain as well.

2.  Does your smb.conf for shares work if you want certain groups in 
the trusted domain to access it?  Can you give an example of how to do 
it? (e.g valid users = ... )

With winbind in nsswitch.conf the full names work. I've tried 'valid 
users = @DomainA\Domain Users' for a share and it works - userA from 
this group has access to the share and userB - does not. You just need 
to make sure that UNIX permission on the share's path allows access for 
users in this group as well.

3.  I have the proper sambaHomePath and sambaHomeDrive as yours.  Is 
there any winbind settings you have in the smb.conf that cause it to work?

The only winbind related entries in smb.conf in both Domains are:
% grep idmap /etc/samba/smb.conf
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2

4.  Do you specify the auth methods in the smb.conf?

No, I don't - they default to those for 'security = user':
% testparm -sv | grep 'auth method'
   auth methods =

5.  You have winbind running?

Yes, I do. And it works according to the entries appearing in LDAP.

6.  Do you have pam_winbind in your pam.d directory files (e.g login, 
ssh...)?

No, I don't use pam_winbind (no winbind in any of the /etc/pam.d/* 
files). To be honest, I don't even know what it could be used for.

On a related note - I did have a problem with user login when I had 'obey 
pam restrictions = Yes' in smb.conf. It caused Samba to fail when it 
asks PAM to verify the account of the user from the trusting domain.

Thats all 
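
The dependency described in the message above, that share access lists naming DOMAIN\group or DOMAIN\user entries only resolve when winbind is an NSS source, can be checked before deployment. The following is an added example, not part of the original thread and not Samba code; the function names are hypothetical, the winbind separator is assumed to be the default backslash, and list entries are assumed to be comma separated as in the thread's smb.conf.

```python
import re

# Share parameters that take user/group lists resolved through NSS.
USER_LIST_PARAMS = ("valid users", "invalid users", "write list", "read list")

# The share definition posted in this thread.
SMB_CONF = r"""
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
"""

# The nsswitch.conf lines posted in this thread.
NSSWITCH_WITH_WINBIND = """
passwd: ldap winbind files
group:  ldap winbind files
"""

# Constructed counter-example: the same file without winbind.
NSSWITCH_WITHOUT_WINBIND = """
passwd: ldap files
group:  ldap files
"""


def parse_nsswitch(text):
    """Return {database: [sources]} and drop action items like [NOTFOUND=return]."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return sources


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with parameter names normalised."""
    shares, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = shares.setdefault(m.group(1).strip(), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and spacing
            current[" ".join(key.lower().split())] = value.strip()
    return shares


def trusted_principals(value, separator="\\"):
    """Yield (domain, account, is_group) for entries qualified with a domain."""
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        is_group = item[0] in "@+&"   # group prefixes accepted by smb.conf
        name = item.lstrip("@+&")
        if separator in name:
            domain, account = name.split(separator, 1)
            yield domain, account, is_group


def check_trusted_domain_acls(smb_conf_text, nsswitch_text):
    """List access-list entries that need winbind in an NSS database lacking it."""
    nss = parse_nsswitch(nsswitch_text)
    findings = []
    for share, params in parse_smb_conf(smb_conf_text).items():
        for param in USER_LIST_PARAMS:
            for domain, account, is_group in trusted_principals(params.get(param, "")):
                db = "group" if is_group else "passwd"
                if "winbind" not in nss.get(db, []):
                    findings.append((share, param, f"{domain}\\{account}", db))
    return findings


if __name__ == "__main__":
    for share, param, principal, db in check_trusted_domain_acls(
            SMB_CONF, NSSWITCH_WITHOUT_WINBIND):
        print(f"[{share}] {param}: {principal} needs winbind in nsswitch '{db}'")
```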

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Got some logs from the Domain_A_PDC on the domain_A_XP when domain_B 
user (grade2) logs into domain_B on domain_A_XP.


[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145)
  rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU
[2004/11/05 11:18:45, 3] libsmb/cliconnect.c:cli_start_connection(1376)
  Connecting to host=GLOIN
[2004/11/05 11:18:45, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 172.16.7.227 at port 445
[2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114)
  User grade2 does not exist, trying to add it
[2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122)
  make_server_info_info3: pdb_init_sam failed!
[2004/11/05 11:18:46, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:46, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

Cannot understand why going to GLOIN (Domain_B_PDC) will not get 
grade2 (domain_B_user) user and trying to add it!!??

Any ideas?  Thanks.
adrian

Was this for the case with winbind in the /etc/nsswitch.conf or 
without it? As I've described in my previous message - I was wrong - 
you do need winbind in /etc/nsswitch.conf for things to work.

I'd suggest increasing the log level to 5 - there could be more helpful 
information.

Igor


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-04 Thread Adrian Chow
You are right... I need winbind... this log is when it does not have... 
trying to emulate what you are doing..

adrian


Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-03 Thread Igor Belyi
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to the shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only 
UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
for @Domain_A\Domain Users to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?
No, I don't.
How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?
Yes, I have XP computer joined domain_A and this domain has mutual trust 
with domain_B. I can login on this computer as user_a into domain_A and 
as user_b into domain_B and their corresponding home directories get 
correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists
Yes, I did. I apologize for delays - I work with Samba only in my spare 
time.

Igor
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB 
does not trust DomainA. Can you verify that trust is mutual between 
them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain 
into local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I 
suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID 
and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. 
Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as 
well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far 
as I understand this, winbind usage via NSS can confuse Samba into 
thinking that those users and groups are defined locally and maybe 
allowing Samba to use winbind directly is a better approach for trust 
between domains.

I don't know why would you want to put winbind into libnss_ldap which 
is configuration for LDAP interface for NSS (when you use 'ldap' in 
/etc/nsswitch.conf file)

3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
getent group shows all the local groups and also the groups shown 
in wbinfo -g
(For DomainB)
getent group shows all the local groups and only the GUESTs 
group.  Very weird.  The rest of the groups in wbinfo -g does not 
come up.
The logs is something like this:-
---

nsswitch/winbindd_group.c:fill_grent_mem(133)
 could not lookup membership for group rid 
S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-03 Thread Adrian Chow
Hi Igor,
I did smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user
and I got :-
Domain=[UWCSTU] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED
I think it has to do with the UNIX and NIS groups required for 
@Domain_A\Domain Users to work.

On the Domain_B_PDC 's log file on Domain_A, it is like this:-

[2004/11/04 08:40:48, 5] lib/username.c:Get_Pwnam(293)
  Finding user STAFF\achow
[2004/11/04 08:40:48, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is staff\achow
[2004/11/04 08:40:52, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [STAFF\achow]!
[2004/11/04 08:40:52, 5] auth/auth_util.c:fill_sam_account(960)
  fill_sam_account: located username was [STAFF\achow]
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/11/04 08:40:52, 5] lib/smbldap.c:smbldap_search(963)
  smbldap_search: base = [ou=Group,ou=studentnet,dc=uwcsea,dc=org], 
filter = [((objectClass=sambaGroupMapping)(gidNumber=1))], scope 
= [2]
[2004/11/04 08:40:52, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
  ldapsam_getgroup: Did not find group
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 4] lib/substitute.c:automount_server(323)
  Home server: gloin
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10139
  Primary group is 1 and contains 3 supplementary groups
  Group[  0]: 1
  Group[  1]: 10013
  Group[  2]: 10014
[2004/11/04 08:40:52, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [achow] succeeded
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 5] auth/auth.c:check_ntlm_password(292)
  check_ntlm_password:  PAM Account for user [STAFF\achow] succeeded
[2004/11/04 08:40:52, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [achow] - [achow] - 
[STAFF\achow] succeeded
[2004/11/04 08:40:52, 5] auth/auth_util.c:free_user_info(1306)
  attempting to free (and zero) a user_info structure
[2004/11/04 08:40:52, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2004/11/04 08:40:52, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(222)
  User name: STAFF\achowReal name: Adrian Chow
[2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(241)
  UNIX uid 10139 is UNIX user STAFF\achow, and will be vuid 100
[2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(270)
  Adding homes service for user 'STAFF\achow' using home directory: 
'/home/STAFF/achow'
[2004/11/04 08:40:52, 3] param/loadparm.c:lp_add_home(2341)
  adding home's share [achow] for user 'STAFF\achow' at '/home/STAFF/achow'
[2004/11/04 08:40:52, 3] smbd/process.c:process_smb(1092)
  Transaction 3 of length 84
[2004/11/04 08:40:52, 5] lib/util.c:show_msg(439)
[2004/11/04 08:40:52, 5] lib/util.c:show_msg(449)
  size=80
  smb_com=0x75
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=8
  smb_flg2=51201
  smb_tid=0
  smb_pid=26725
  smb_uid=100
  smb_mid=4
  smt_wct=4
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=0 (0x0)
  smb_vwv[ 2]=0 (0x0)
  smb_vwv[ 3]=1 (0x1)
  smb_bcc=37
[2004/11/04 08:40:52, 3] smbd/process.c:switch_message(887)
  switch message SMBtconX (pid 20987) conn 0x0
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user 

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-03 Thread Adrian Chow
Hi Igor,
I left out something.
Regarding your question:-
Does Samba allow Domain_A\domain_a_user to access this share if you
 list the user without domain specification: valid users = 
domain_a_user?

The answer is yes ONLY if valid users = Domain_A\domain_A_user. 
Valid users = domain_a_user does not work.

adrian
Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only 
UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
for @Domain_A\Domain Users to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?

No, I don't.
How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?

Yes, I have XP computer joined domain_A and this domain has mutual trust 
with domain_B. I can login on this computer as user_a into domain_A and 
as user_b into domain_B and their corresponding home directories get 
correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists

Yes, I did. I apologize for delays - I work with Samba only in my spare 
time.

Igor
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB 
does not trust DomainA. Can you verify that trust is mutual between 
them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain 
into local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I 
suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID 
and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. 
Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as 
well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far 
as I understand this, winbind usage via NSS can confuse Samba into 
thinking that those users and groups are defined locally and maybe 
allowing Samba to use winbind directly is a better approach for trust 
between domains.

I don't know why would you want to put winbind into libnss_ldap which 
is configuration for LDAP interface for NSS (when you use 'ldap' in 
/etc/nsswitch.conf file)

3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
getent group shows all the local groups and also the groups shown 
in wbinfo -g
(For DomainB)
getent group shows all the local groups and only 

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-03 Thread Adrian Chow
Hi Igor,
Just to let you know that the smbclient //domain_b_pdc/shared -U 
domain_a/domain_a_user is working.

To make it work, I have to put winbind in the nsswitch.conf.  The reason 
why it did not work is 2 fold:-
1.  The Domain Users in the domain_A is very large (397 users).  When I 
did getent group on domain_b, it does not actually show up 
domain_A\domain users.  But after a while after restarting the daemon, 
it will appear.  Maybe through out my testing, every change in the 
smb.conf file, I will restart the winbind daemon and hence have lots of 
problem.
2.  I did not test the smbclient on domain_b_pdc.  smbclient 
//domain_a_pdc/shared -U domain_b/domain_b_user would also have worked 
earlier as the domain users in domain_b is very small.

Also to let you know that I have upgraded to samba 3.07 for both PDCs. 
I think partial to the problem I had earlier, it is because of using 
different versions (3.04 and 3.07).

HOWEVER, the original problem of mapping the home directory still exists.
adrian
Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only 
UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
for @Domain_A\Domain Users to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?

No, I don't.
How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?

Yes, I have XP computer joined domain_A and this domain has mutual trust 
with domain_B. I can login on this computer as user_a into domain_A and 
as user_b into domain_B and their corresponding home directories get 
correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists

Yes, I did. I apologize for delays - I work with Samba only in my spare 
time.

Igor
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB 
does not trust DomainA. Can you verify that trust is mutual between 
them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain 
into local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I 
suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID 
and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. 
Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as 
well?
 

In my 

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-03 Thread Adrian Chow
Hi Igor,
I did not change any settings in the PDC and suddenly getent group  in 
domain_B_pdc does not show Domain Users of domain_A_pdc (397 users).

The log says this :
[2004/11/04 13:27:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid 
S-1-5-21-1803233979-822103454-943392455-513 in domain STAFF (error: 
NT_STATUS_UNSUCCESSFUL)
[2004/11/04 13:27:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
  could not lookup domain group STAFF\Domain Users
[2004/11/04 13:27:00, 4] 
nsswitch/winbindd_group.c:get_sam_group_entries(564)
  get_sam_group_entries: Native Mode 2k domain; enumerating local 
groups as well

How should I proceed?  Is it a winbind memory cache issue?
adrian
Igor Belyi wrote:
Adrian Chow wrote:
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U 
domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only 
UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
for @Domain_A\Domain Users to work...

Does Samba allow Domain_A\domain_a_user to access this share if you 
list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?

No, I don't.
How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?

Yes, I have XP computer joined domain_A and this domain has mutual trust 
with domain_B. I can login on this computer as user_a into domain_A and 
as user_b into domain_B and their corresponding home directories get 
correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes
dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes
Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists

Yes, I did. I apologize for delays - I work with Samba only in my spare 
time.

Igor
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB 
does not trust DomainA. Can you verify that trust is mutual between 
them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain 
into local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I 
suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID 
and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. 
Try to do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as 
well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far 
as I understand this, winbind usage via NSS can confuse Samba into 
thinking that those users and groups are defined locally and maybe 
allowing Samba to use winbind directly is a better approach for trust 
between domains.

I don't 

Re: [Samba] Re: Trusting and trusted domain (home mapping) problem

2004-11-02 Thread Adrian Chow
Hi Igor,
Do you have trustdomains in your auth methods?
Currently I removed the winbind from nsswitch.conf.  And smbclient 
//domain_B_PDC//shared -U domain_A/domain_A_user does not work.

If I put winbind in the nsswitch.conf, then I will be able to 
authenticate but cannot connect to shared folder with the following 
error:-
Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

The log file from the Domain_B_PDC:-
[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
  Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
  making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
  Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
  user 'Domain_A\domain_a_user' (from session setup) not permitted to 
access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
  error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED

--
My smb.conf :-
[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable =no
---
Do you have winbind in your nsswitch.conf?
How did you manage to get the mapped home directory for domain_a_user 
when he logs on to the joined_domain_B_computer?

Hope to hear from you on this... thanks a lot.
adrian
p/s: hope you got my previous mail cos I forgot to cc to sambalists
Igor Belyi wrote:
I would guess that it means that DomainA trust DomainB but DomainB does 
not trust DomainA. Can you verify that trust is mutual between them? 
Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
Winbind is used only by Samba when it maps users from trust domain into 
local space.

Adrian Chow wrote:
Hi Igor,
I got stuck now.  I did my best.  I got stuck at the winbind which I 
suspected is the reason why the domainA_computer cannot map the 
domain_B user's home directory.

1.  What are the settings of your winbind?
 

I have the following winbind related entries in smb.conf:
 ldap idmap suffix = ou=Idmap
 idmap backend = ldap:ldap://localhost
 idmap uid = 1-2
 idmap gid = 1-2
To see if winbind works you can also try to resolve a name into SID and 
SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. Try to 
do the following:
wbinfo -n 'STAFF\wheel'
wbinfo -Y SID return in a previous command

2.  Do you use only winbind in your libnss_ldap or use ldap as well?
 

In my /etc/nsswitch.conf I have only ldap without winbind. As far as I 
understand this, winbind usage via NSS can confuse Samba into thinking 
that those users and groups are defined locally and maybe allowing Samba 
to use winbind directly is a better approach for trust between domains.

I don't know why would you want to put winbind into libnss_ldap which is 
configuration for LDAP interface for NSS (when you use 'ldap' in 
/etc/nsswitch.conf file)

3.  My winbind works with :-
(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd
(For DomainA)
getent group shows all the local groups and also the groups shown in 
wbinfo -g
(For DomainB)
getent group shows all the local groups and only the GUESTs group.  
Very weird.  The rest of the groups in wbinfo -g does not come up.
The logs is something like this:-
---

nsswitch/winbindd_group.c:fill_grent_mem(133)
 could not lookup membership for group rid 
S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
 could not lookup domain group STAFF\wheel

---
 

Do you mean that this error message was reported during getent group 
in DomainB? Because, without this error message I would assume that you 
have winbind written in /etc/nsswitch.conf on your DomainA server but 
not on your DomainB server.

The error message means that Samba thinks that 'wheel' is a Domain group 
of the 'STAFF' domain and fails to find its mapping. I would expect this 
error to come up during login of a Domain user whose primary group is a 
local 'wheel' group instead of a Domain group. If this user is supposed 
to have 'wheel' as a primary group you probably forgot to create a 
groupmap from a Domain group for it.

Igor
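
The two failure patterns discussed in this thread (a user who authenticates but is refused at tree connect, and winbind failing to resolve a trusted-domain group) can be pulled out of smbd/winbindd logs mechanically. The following is an added example, not part of the original messages or of Samba itself: the function names are hypothetical, and the sample log is constructed from excerpts quoted in the thread, including the mail-wrapped continuation lines.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log excerpts quoted in the thread.
SAMPLE_LOG = r"""
[2004/11/04 08:40:52, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [achow] - [achow] -
[STAFF\achow] succeeded
[2004/11/04 08:40:52, 2] smbd/service.c:make_connection_snum(314)
  user 'STAFF\achow' (from session setup) not permitted to
access this share (Shared)
[2004/11/04 13:27:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid
S-1-5-21-1803233979-822103454-943392455-513 in domain STAFF (error:
NT_STATUS_UNSUCCESSFUL)
[2004/11/04 13:27:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795)
  could not lookup domain group STAFF\Domain Users
[2004/11/04 13:27:00, 4]
nsswitch/winbindd_group.c:get_sam_group_entries(564)
  get_sam_group_entries: Native Mode 2k domain; enumerating local
groups as well
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")
AUTH_OK = re.compile(
    r"authentication for user \[([^\]]+)\] - \[[^\]]+\] - \[([^\]]+)\] succeeded")
DENIED = re.compile(
    r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)")
MEMBERSHIP = re.compile(
    r"could not lookup membership for group rid (S-[\d-]+) in domain (\S+) \(error: (\w+)\)")
GROUP = re.compile(r"could not lookup domain group (.+)$")


@dataclass
class Record:
    timestamp: str
    level: int
    source: str = ""
    function: str = ""
    message: str = ""


def parse_records(text):
    """Group header lines and their (possibly mail-wrapped) continuations."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Record(m.group(1), int(m.group(2)))
            records.append(current)
            line = m.group(3)
            if not line:          # source location wrapped onto the next line
                continue
        if current is None:       # text before the first header
            continue
        loc = LOCATION.match(line)
        if loc and not current.function:
            current.source, current.function = loc.group(1), loc.group(2)
        else:
            current.message = (current.message + " " + line).strip()
    return records


def diagnose(records):
    """Return (timestamp, kind, subject, detail) tuples for known failures."""
    findings, authenticated = [], set()
    for r in records:
        if (m := AUTH_OK.search(r.message)):
            authenticated.add(m.group(2).lower())
        elif (m := DENIED.search(r.message)):
            user, share = m.groups()
            # Authentication worked, so the refusal comes from the share's
            # valid users / write list check, not from the password check.
            kind = ("share-denied-after-auth"
                    if user.lower() in authenticated else "share-denied")
            findings.append((r.timestamp, kind, user, share))
        elif (m := MEMBERSHIP.search(r.message)):
            sid, domain, status = m.groups()
            rid = sid.rsplit("-", 1)[1]
            findings.append((r.timestamp, "group-membership-lookup-failed",
                             f"{domain} rid {rid}", status))
        elif (m := GROUP.search(r.message)):
            findings.append((r.timestamp, "group-lookup-failed", m.group(1), ""))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_records(SAMPLE_LOG)):
        print(finding)
```

A "share-denied-after-auth" finding alongside group lookup failures for the same domain points at group resolution for the `valid users` entry rather than at the trust or the password.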