Old 11-23-2010, 02:30 PM   #1
noahbeach
LQ Newbie
 
Registered: Nov 2010
Posts: 1

domain users can't access samba shares on domain member server


Issue
When trying to mount a Samba share from the domain member server sysimage in Windows, I receive the error "There are currently no logon servers available to service this logon request". When trying to mount.cifs from the PDC to a Samba share on sysimage, I receive the error "mount error(13): Permission denied".

Background:

PDC is ClearOS 5.2 named "dc0"
Samba file server is CentOS 5.5 x86_64 named "sysimage"

dc0 Samba version is samba - 3.5.5-1.1.v5.i386
sysimage Samba version is samba-3.0.33-3.29.el5_5.1.x86_64

dc0 is configured correctly to my knowledge, windows machines can join domain, domain users can log into windows machines, user directories are mapped properly, logon scripts run properly.

sysimage ldap authentication is set up as shown in "Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution" from samba's documentation.

getent passwd correctly shows local and domain users on sysimage
getent group correctly shows local and domain groups on sysimage

sysimage was successfully joined to the domain using the above documentation.

I cannot log in to sysimage using a domain account, but I can log in as root and then su - to a domain account and write to files/folders that that account has permission to.

I can chown files and folders to domain users and groups with no issue.

wbinfo -t output on sysimage:
Code:
checking the trust secret via RPC calls succeeded

wbinfo -u displays domain users
wbinfo -g displays domain groups

wbinfo -a domainUserName%domainUserPassword output:
Code:
plaintext password authentication succeeded
challenge/response password authentication succeeded
The ll on my shared directory is:
Quote:
[root@sysimage ~]# ll /srv/
total 8
drwxrwx--- 2 root domain_users 4096 Nov 23 17:48 test
files
smb.conf on sysimage
Code:
[global]
unix charset = LOCALE
workgroup = PLPNETWORK
security = DOMAIN
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
wins server = 192.168.0.2
winbind trusted domains only = Yes

# LDAP
include = /etc/samba/smb.ldap.conf

# Winbind
include = /etc/samba/smb.winbind.conf

[test]
comment = Test Share
path = /srv/test
valid users = %S
read only = No
browseable = Yes
available = Yes
smb.ldap.conf on sysimage
Code:
passdb backend = ldapsam:ldap://192.168.0.2
ldap admin dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = yes
ldap suffix = dc=PLPNetwork,dc=com
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8
smb.winbind.conf on sysimage
Code:
idmap backend = ldap:ldap://192.168.0.2/
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://192.168.0.2
idmap alloc config : ldap_base_dn = ou=idmap,dc=PLPNetwork,dc=com
idmap alloc config : ldap_user_dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com
/etc/ldap.conf from sysimage
Code:
URI     ldap://dc0.plpnetwork.com ldap://dc0.plpnetwork.com:636
host    192.168.0.2
base    dc=PLPNetwork,dc=com
binddn  cn=manager,cn=internal,dc=PLPNetwork,dc=com
bindpw  XXXXXXXXXXXXXXXXX

pam_password exop

nss_base_passwd ou=Users,ou=Accounts,dc=PLPNetwork,dc=com?one
nss_base_shadow ou=Users,ou=Accounts,dc=PLPNetwork,dc=com?one
nss_base_group  ou=Groups,ou=Accounts,dc=PLPNetwork,dc=com?one
ssl     no
/etc/nsswitch.conf on sysimage
Code:
passwd:         files ldap 
shadow:         files ldap
group:          files ldap

hosts:          files dns wins
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files
aliases:        files
smb.conf from dc0 minus shares info
Code:
[global]
# Setting password change timeout
passwd chat timeout = 10

# General
netbios name = dc0
workgroup = PLPNETWORK
server string = Domain Controller for PLPNetwork

# Logging
syslog = 0
log level = 1
log file = /var/log/samba/%L-%m
max log size = 0
utmp = Yes

# Network
bind interfaces only = yes
interfaces = lo eth0 
smb ports = 139

# Printing
printcap name = /etc/printcap
load printers = Yes

# Security settings
security = user
guest account = guest
#restrict anonymous = 2

# WINS
wins support = Yes
wins server = 

# PDC
domain logons = Yes
add machine script = /usr/sbin/samba-add-machine "%u"
logon drive =
logon script = logon.exe
logon path =
logon home =

# Other
preferred master = Yes
domain master = Yes
unix password sync = Yes
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
username map = /etc/samba/smbusers
wide links = No

# LDAP
include = /etc/samba/smb.ldap.conf

# Winbind
include = /etc/samba/smb.winbind.conf
smb.winbind.conf from dc0
Code:
# This file is automatically updated by ldapsync -- please do not edit.
idmap backend = ldap:ldap://127.0.0.1/
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://127.0.0.1
idmap alloc config : ldap_base_dn = ou=idmap,dc=PLPNetwork,dc=com
idmap alloc config : ldap_user_dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com
smb.ldap.conf from dc0
Code:
# This file is automatically updated by ldapsync -- please do not edit.
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = no
ldap suffix = dc=PLPNetwork,dc=com
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8
ldap.conf from dc0
Code:
# This file is automatically updated by ldapsync -- please do not edit.
host                        localhost
base                        dc=PLPNetwork,dc=com
scope                       sub
timelimit                   50
pagesize                    20000
bind_policy                 soft
pam_lookup_policy           yes
pam_password                exop
nss_initgroups_ignoreusers  root,ldap
nss_schema                  rfc2307bis
nss_map_attribute           uniqueMember member
ssl                         no
ldap_version                3
pam_filter                  objectclass=posixAccount
nss_base_passwd             ou=Users,ou=Accounts,dc=PLPNetwork,dc=com
nss_base_passwd             ou=Computers,ou=Accounts,dc=PLPNetwork,dc=com
nss_base_shadow             ou=Users,ou=Accounts,dc=PLPNetwork,dc=com
nss_base_group              ou=Groups,ou=Accounts,dc=PLPNetwork,dc=com
tls_checkpeer               no
Any help would be greatly appreciated.
 
Old 11-24-2010, 05:16 AM   #2
jlcasado
LQ Newbie
 
Registered: Oct 2010
Location: Madrid - Spain
Distribution: RHEL
Posts: 26

Hi,

It seems that you have already done a lot of investigation and careful setup, so here are just some ideas that came to mind while reading your post... maybe they help you:
  1. Does Samba work if you use the server's IP address instead of the server name?
  2. I assume that you joined the server to the domain using the net ads join command; have you checked whether this worked with the net ads testjoin command?
  3. I would try setting security = ADS for the sysimage server and retrying the net ads join command.
  4. Regarding the problem with domain users not being able to log into the server, could you post your /etc/pam.d/system-auth file?

Best regards
jose
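
Added example (editor's code, not part of either post above and not the poster's environment): a Python linter that parses the two smb.conf files quoted in the thread, follows their include = lines, and flags the points a reviewer would check first on a Samba 3 domain member. It compares workgroup and the idmap uid/gid ranges between member and PDC, checks the security mode against the kind of controller in use (security = ADS, suggested in reply #2, requires an Active Directory domain with Kerberos; dc0 is an NT4-style Samba PDC with domain logons = Yes and no realm, which a member joins with security = DOMAIN and net rpc join), notes the debug-level logging left on, and flags valid users = %S in the [test] share: %S is the name of the current service, so in a share named [test] it restricts access to an account literally named test rather than to domain users. The config strings are constructed copies of the posted files trimmed to the lines inspected; nothing is read from disk.

```python
"""Lint a Samba 3 member server's smb.conf against its PDC's smb.conf.

Added example, not code from the thread. The config strings are copies of
the sysimage and dc0 configs quoted in the thread, trimmed to the lines
inspected; nothing is read from disk and no network calls are made."""
import re

MEMBER_SMB_CONF = """
[global]
workgroup = PLPNETWORK
security = DOMAIN
log level = 10
winbind trusted domains only = Yes
include = /etc/samba/smb.winbind.conf

[test]
comment = Test Share
path = /srv/test
valid users = %S
read only = No
"""
# path -> text for the 'include =' lines, standing in for the real files
MEMBER_INCLUDES = {"/etc/samba/smb.winbind.conf": """
idmap backend = ldap:ldap://192.168.0.2/
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
"""}
PDC_SMB_CONF = """
[global]
netbios name = dc0
workgroup = PLPNETWORK
security = user
domain logons = Yes
domain master = Yes
include = /etc/samba/smb.winbind.conf
"""
PDC_INCLUDES = {"/etc/samba/smb.winbind.conf": """
idmap backend = ldap:ldap://127.0.0.1/
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
"""}


def _norm_key(key):
    """smb.conf parameter names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text, includes=None, conf=None, section="global"):
    """Return {section: {param: value}}. An 'include = path' line is
    resolved from the includes dict into the section it appears in."""
    includes = includes or {}
    conf = {} if conf is None else conf
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = _norm_key(key)
        if key == "include":
            parse_smb_conf(includes.get(value, ""), includes, conf, section)
            continue
        conf.setdefault(section, {})[key] = value
    return conf


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint(member, pdc):
    """Return (severity, message) findings for the member config."""
    mg, pg = member.get("global", {}), pdc.get("global", {})
    findings = []
    if mg.get("workgroup", "").lower() != pg.get("workgroup", "").lower():
        findings.append(("error", "workgroup differs between member and PDC"))
    mode = mg.get("security", "user").lower()
    # An NT4-style Samba PDC: offers domain logons but has no Kerberos realm.
    nt4_pdc = _is_yes(pg.get("domainlogons", "no")) and "realm" not in pg
    if mode == "ads" and nt4_pdc:
        findings.append(("error", "security = ads requires an AD/Kerberos "
                         "domain; the PDC is an NT4-style Samba PDC, so use "
                         "security = domain and 'net rpc join'"))
    elif mode not in ("domain", "ads"):
        findings.append(("error", f"security = {mode}: authentication stays "
                         "local instead of going to the domain"))
    for param in ("idmapuid", "idmapgid"):
        if mg.get(param) != pg.get(param):
            findings.append(("warn", f"{param} is {mg.get(param)} on the "
                             f"member but {pg.get(param)} on the PDC; a shared "
                             "LDAP idmap needs the member to cover the DC's IDs"))
    level = (mg.get("loglevel", "0").split() or ["0"])[0]
    if level.isdigit() and int(level) >= 10:
        findings.append(("info", "log level 10 is full debug output; lower "
                         "it to 1-3 once troubleshooting is over"))
    for name, share in member.items():
        if name in ("global", "homes", "printers"):
            continue
        users = share.get("validusers", "")
        if "%S" in users:
            findings.append(("error", f"[{name}]: valid users = {users} "
                             "expands %S to the share name, so only an "
                             f"account literally named '{name}' may connect"))
    return findings


if __name__ == "__main__":
    member = parse_smb_conf(MEMBER_SMB_CONF, MEMBER_INCLUDES)
    pdc = parse_smb_conf(PDC_SMB_CONF, PDC_INCLUDES)
    for severity, message in lint(member, pdc):
        print(f"{severity}: {message}")
```

Run against the posted configs it reports two findings, the %S expansion in [test] and the debug log level, and stays silent on workgroup and idmap ranges, which match. Two points it does not cover but that the quoted /etc/ldap.conf on sysimage shows: the NSS client binds as the directory manager DN with its password in a world-readable file, and ssl no sends that bind over cleartext LDAP to 192.168.0.2; a read-only proxy DN and ldaps or STARTTLS are the usual fix once authentication works.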