LinuxQuestions.org
Old 10-09-2005, 02:46 PM   #1
Daniboy
Member
 
Registered: May 2005
Posts: 64

Rep: Reputation: 15
ACL Problems


Hello everyone

I'm having some issues with ACLs on directories and folders.

I have a Samba server running user auth against a Win2k ADS...

For some odd reason my ACL on the directories have changed from something like this:

example:
default:group:DOMAIN\Domain Admins:rwx
to
default:group:10001:rwx

And now no users can connect to and list the shares anymore...

Does anyone have any clues as to where I should be looking in order to fix this? Has anyone had the same experience/problems?

Last edited by jtshaw; 10-10-2005 at 07:45 AM.
 
Old 10-10-2005, 07:47 AM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
I have had a similar problem using LDAP authentication when the GIDs of the groups on the LDAP server didn't match the GIDs of the groups on the local machine... that is about the only thing I can think of off the top of my head.

PS. I disabled the smilies in your post so the example wasn't messed up.
 
Old 10-10-2005, 08:16 AM   #3
Daniboy
Member
 
Registered: May 2005
Posts: 64

Original Poster
Rep: Reputation: 15
Thank you very much for your reply.

I have been all over the WWW searching for info about this issue...

After some long debugging and no success at solving the problem, here is what I know:

I can't add any of my W2K ADS domain groups, but I can add the users to the access control lists of files and directories...
The same goes for Samba. I can't add groups ("@DOMAIN+domain admins"), but "DOMAIN+user" works perfectly.
 
Old 10-10-2005, 08:30 AM   #4
Daniboy
Member
 
Registered: May 2005
Posts: 64

Original Poster
Rep: Reputation: 15
Also, some Samba log files at level 3:

[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(461)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(461)
Requested protocol [LANMAN1.0]
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(461)
Requested protocol [Windows for Workgroups 3.1a]
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(461)
Requested protocol [LM1.2X002]
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(461)
Requested protocol [LANMAN2.1]
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(461)
Requested protocol [NT LM 0.12]
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_nt1(333)
using SPNEGO
[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/negprot.c:reply_negprot(555)
Selected protocol NT LM 0.12

---

[2005/10/10 14:56:23, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(179)
Ticket name is [hl@TARP.DK]


---

[2005/10/10 14:56:24, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/password.c:register_vuid(241)
UNIX uid 10315 is UNIX user TARP+hl, and will be vuid 100
[2005/10/10 14:56:24, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/password.c:register_vuid(270)
Adding homes service for user 'TARP+hl' using home directory: '/home/TARP/hl'

---

[2005/10/10 14:56:24, 2, pid=8274, effective(0, 0), real(0, 0)] smbd/service.c:make_connection_snum(321)
user 'TARP+hl' (from session setup) not permitted to access this share (IPC$)
[2005/10/10 14:56:24, 3, pid=8274, effective(0, 0), real(0, 0)] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
 
Old 10-10-2005, 08:53 AM   #5
Daniboy
Member
 
Registered: May 2005
Posts: 64

Original Poster
Rep: Reputation: 15
Some more system log files

Oct 3 10:12:50 install smbd[6826]: [2005/10/03 10:12:50, 0] lib/util_sock.c:get_peer_addr(1150)
Oct 3 10:12:50 install smbd[6826]: getpeername failed. Error was Transport endpoint is not connected
Oct 3 10:12:50 install smbd[6826]: [2005/10/03 10:12:50, 0] lib/util_sock.c:write_socket_data(430)
Oct 3 10:12:50 install smbd[6826]: write_socket_data: write failure. Error = Connection reset by peer
Oct 3 10:12:50 install smbd[6826]: [2005/10/03 10:12:50, 0] lib/util_sock.c:write_socket(455)
Oct 3 10:12:50 install smbd[6826]: write_socket: Error writing 4 bytes to socket 7: ERRNO = Connection reset by peer
Oct 3 10:12:50 install smbd[6826]: [2005/10/03 10:12:50, 0] lib/util_sock.c:send_smb(647)
Oct 3 10:12:50 install smbd[6826]: Error writing 4 bytes to client. -1. (Connection reset by peer)

----


Oct 3 10:56:47 install smbd[7208]: [2005/10/03 10:56:47, 0] lib/util_sock.c:get_peer_addr(1150)
Oct 3 10:56:47 install smbd[7208]: getpeername failed. Error was Transport endpoint is not connected
Oct 3 10:56:47 install smbd[7208]: [2005/10/03 10:56:47, 0] lib/util_sock.c:write_socket_data(430)
Oct 3 10:56:47 install smbd[7208]: write_socket_data: write failure. Error = Connection reset by peer
Oct 3 10:56:47 install smbd[7208]: [2005/10/03 10:56:47, 0] lib/util_sock.c:write_socket(455)
Oct 3 10:56:47 install smbd[7208]: write_socket: Error writing 4 bytes to socket 26: ERRNO = Connection reset by peer
Oct 3 10:56:47 install smbd[7208]: [2005/10/03 10:56:47, 0] lib/util_sock.c:send_smb(647)
Oct 3 10:56:47 install smbd[7208]: Error writing 4 bytes to client. -1. (Connection reset by peer)


---

Oct 3 11:25:34 install smbd[7331]: [2005/10/03 11:25:34, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:34 install smbd[7331]: Can't become connected user!
Oct 3 11:25:37 install smbd[7331]: [2005/10/03 11:25:37, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:37 install smbd[7331]: Can't become connected user!
Oct 3 11:25:38 install smbd[7331]: [2005/10/03 11:25:38, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:38 install smbd[7331]: Can't become connected user!
Oct 3 11:25:38 install smbd[7331]: [2005/10/03 11:25:38, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:38 install smbd[7331]: Can't become connected user!
Oct 3 11:25:41 install smbd[7331]: [2005/10/03 11:25:41, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:41 install smbd[7331]: Can't become connected user!
Oct 3 11:25:41 install smbd[7331]: [2005/10/03 11:25:41, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:41 install smbd[7331]: Can't become connected user!
Oct 3 11:25:43 install smbd[7331]: [2005/10/03 11:25:43, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:43 install smbd[7331]: Can't become connected user!
Oct 3 11:25:43 install smbd[7331]: [2005/10/03 11:25:43, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:43 install smbd[7331]: Can't become connected user!
Oct 3 11:25:44 install smbd[7331]: [2005/10/03 11:25:44, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:44 install smbd[7331]: Can't become connected user!
Oct 3 11:25:45 install smbd[7331]: [2005/10/03 11:25:45, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:45 install smbd[7331]: Can't become connected user!
Oct 3 11:25:45 install smbd[7331]: [2005/10/03 11:25:45, 0] smbd/service.c:make_connection_snum(577)
Oct 3 11:25:45 install smbd[7331]: Can't become connected user!


-----------


Oct 6 06:59:16 install smbd[8426]: [2005/10/06 06:59:16, 0] lib/util_sock.c:write_socket_data(430)
Oct 6 06:59:16 install smbd[8426]: write_socket_data: write failure. Error = Connection reset by peer
Oct 6 06:59:16 install smbd[8426]: [2005/10/06 06:59:16, 0] lib/util_sock.c:write_socket(455)
Oct 6 06:59:16 install smbd[8426]: write_socket: Error writing 4 bytes to socket 25: ERRNO = Connection reset by peer
Oct 6 06:59:16 install smbd[8426]: [2005/10/06 06:59:16, 0] lib/util_sock.c:send_smb(647)
Oct 6 06:59:16 install smbd[8426]: Error writing 4 bytes to client. -1. (Connection reset by peer)
Oct 6 07:17:20 install smbd[8466]: [2005/10/06 07:17:20, 0] lib/util_sock.c:get_peer_addr(1150)
Oct 6 07:17:20 install smbd[8466]: getpeername failed. Error was Transport endpoint is not connected
Oct 6 07:17:20 install smbd[8466]: [2005/10/06 07:17:20, 0] lib/util_sock.c:write_socket_data(430)
Oct 6 07:17:20 install smbd[8466]: write_socket_data: write failure. Error = Connection reset by peer
Oct 6 07:17:20 install smbd[8466]: [2005/10/06 07:17:20, 0] lib/util_sock.c:write_socket(455)
Oct 6 07:17:20 install smbd[8466]: write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
Oct 6 07:17:20 install smbd[8466]: [2005/10/06 07:17:20, 0] lib/util_sock.c:send_smb(647)
Oct 6 07:17:20 install smbd[8466]: Error writing 4 bytes to client. -1. (Connection reset by peer)


---

ection_snum(577)
Oct 10 14:08:49 install smbd[7727]: Can't become connected user!
Oct 10 14:09:23 install smbd[7736]: [2005/10/10 14:09:23, 0, pid=7736, effective(0, 0), real(0, 0)] smbd/service.c:make_connection_snum(577)
Oct 10 14:09:23 install smbd[7736]: Can't become connected user!
Oct 10 14:09:41 install smbd[7761]: [2005/10/10 14:09:41, 0, pid=7761, effective(0, 0), real(0, 0)] auth/auth_util.c:make_server_info_info3(1195)
Oct 10 14:09:41 install smbd[7761]: make_server_info_info3: pdb_init_sam failed!
Oct 10 14:09:41 install smbd[7761]: [2005/10/10 14:09:41, 0, pid=7761, effective(0, 0), real(0, 0)] smbd/service.c:make_connection_snum(577)
Oct 10 14:09:41 install smbd[7761]: Can't become connected user!
Oct 10 14:10:14 install smbd[7874]: [2005/10/10 14:10:14, 0, pid=7874, effective(0, 0), real(0, 0)] auth/auth_util.c:make_server_info_info3(1195)
Oct 10 14:10:14 install smbd[7874]: make_server_info_info3: pdb_init_sam failed!
Oct 10 14:10:14 install smbd[7874]: [2005/10/10 14:10:14, 0, pid=7874, effective(0, 0), real(0, 0)] smbd/service.c:make_connection_snum(577)
Oct 10 14:10:14 install smbd[7874]: Can't become connected user!
Oct 10 14:12:59 install syslog-ng[3357]: STATS: dropped 0
Oct 10 15:05:59 install smbd[8299]: [2005/10/10 15:05:59, 0, pid=8299, effective(0, 0), real(0, 0)] lib/util_sock.c:write_socket_data(430)
Oct 10 15:05:59 install smbd[8299]: write_socket_data: write failure. Error = Connection reset by peer
Oct 10 15:05:59 install smbd[8299]: [2005/10/10 15:05:59, 0, pid=8299, effective(0, 0), real(0, 0)] lib/util_sock.c:write_socket(455)
Oct 10 15:05:59 install smbd[8299]: write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
Oct 10 15:05:59 install smbd[8299]: [2005/10/10 15:05:59, 0, pid=8299, effective(0, 0), real(0, 0)] lib/util_sock.c:send_smb(647)
Oct 10 15:05:59 install smbd[8299]: Error writing 4 bytes to client. -1. (Connection reset by peer)
Oct 10 15:12:59 install syslog-ng[3357]: STATS: dropped 0
 
Old 10-10-2005, 09:16 AM   #6
Daniboy
Member
 
Registered: May 2005
Posts: 64

Original Poster
Rep: Reputation: 15
I have no problem mapping the UID; however, I think there is a problem mapping the GID, yes?

If I change idmap GID to 17000-20000
and idmap UID to 10000-16999,

getent group should return groups from 17000 and up?
(Now it hands out IDs from 10000+)

And here is my smb.conf:

[global]
workgroup = TARP
realm = TARP.DK
server string = Install
interfaces = eth0
security = ADS
map to guest = Bad User
password server = DC1.TARP.DK
enable privileges = Yes
username map = /etc/samba/smbusers
log level = 3 passdb:5 auth:10 winbind:10
syslog = 5
log file = /var/log/samba/test.%M.log
debug pid = Yes
debug uid = Yes
printcap cache time = 750
printcap name = cups
show add printer wizard = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain master = No
ldap ssl = no
socket address =
idmap uid = 10000-16999
idmap gid = 17000-20000
winbind separator = +
valid users = "@TARP+Domain Users"
admin users = "@TARP+domain admins"
read list = "@TARP+Domain Users"
write list = "@TARP+Domain Users"
printer admin = @ntadmin, root, administrator
map acl inherit = Yes
cups options = raw
include = /etc/samba/dhcp.conf
dos filemode = Yes
dos filetimes = Yes
dos filetime resolution = Yes
fake directory create times = Yes

[preinstall]
comment = Preinstall software
path = /var/samba/preInstall
read only = No
inherit acls = Yes
 
Old 10-10-2005, 09:22 AM   #7
Daniboy
Member
 
Registered: May 2005
Posts: 64

Original Poster
Rep: Reputation: 15
Sorry for my many posts. I also noticed the following when playing around with wbinfo:

wbinfo -r TARP+hl
10000
10001
10010
10011
10012
10013
10015
10016
10017
10036

Normally you would have group names there?

install:/var/log/samba # wbinfo -n TARP+hl
S-1-5-21-220523388-1957994488-854245398-2811 User (1)
install:/var/log/samba # wbinfo --user-sids=S-1-5-21-220523388-1957994488-854245398-2811
Could not get group SIDs for user SID S-1-5-21-220523388-1957994488-854245398-2811
install:/var/log/samba #

Last edited by Daniboy; 10-10-2005 at 09:23 AM.
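
An added example, not part of the original posts: a check that compares the GIDs `wbinfo -r` returned in post #7 against the `idmap uid` / `idmap gid` ranges from the smb.conf in post #6, and lists group ACL entries that appear as a bare number as in post #1. The `getfacl` listing is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample input: the smb.conf lines and `wbinfo -r TARP+hl` values are
# those posted in the thread; the getfacl listing is made up for illustration.
SMB_CONF = "[global]\nidmap uid = 10000-16999\nidmap gid = 17000-20000\n"
WBINFO_R = "10000 10001 10010 10011 10012 10013 10015 10016 10017 10036"
GETFACL = """# file: var/samba/preInstall
user::rwx
group::r-x
default:group:10001:rwx
default:group:TARP+Domain Users:r-x
"""

def idmap_ranges(conf_text):
    """Parse 'idmap uid = lo-hi' / 'idmap gid = lo-hi' into {'uid': (lo, hi), ...}."""
    pat = re.compile(
        r"^[ \t]*idmap[ \t]+(uid|gid)[ \t]*=[ \t]*(\d+)[ \t]*-[ \t]*(\d+)[ \t]*$",
        re.MULTILINE | re.IGNORECASE)
    return {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
            for m in pat.finditer(conf_text)}

def classify_gid(gid, ranges):
    """Return which configured idmap range ('gid', 'uid' or 'none') holds this ID."""
    for kind in ("gid", "uid"):
        lo, hi = ranges.get(kind, (1, 0))  # empty range when the setting is absent
        if lo <= gid <= hi:
            return kind
    return "none"

def numeric_acl_groups(getfacl_text):
    """GIDs of group ACL entries printed as a bare number instead of a group name.
    Assumption: no real group on the system has an all-digit name."""
    pat = re.compile(r"^(?:default:)?group:(\d+):[rwx-]{3}")
    hits = (pat.match(line.strip()) for line in getfacl_text.splitlines())
    return [int(m.group(1)) for m in hits if m]

def audit(conf_text, wbinfo_r_text, getfacl_text):
    """Return ({gid: range_kind}, [numeric ACL gids]) for the three inputs."""
    ranges = idmap_ranges(conf_text)
    membership = {int(g): classify_gid(int(g), ranges) for g in wbinfo_r_text.split()}
    return membership, numeric_acl_groups(getfacl_text)

if __name__ == "__main__":
    membership, numeric = audit(SMB_CONF, WBINFO_R, GETFACL)
    for gid, kind in membership.items():
        print(f"gid {gid}: configured idmap range containing it = {kind}")
    print("group ACL entries shown as a number:", numeric)
```

On a live system the three inputs would come from `testparm -s`, `wbinfo -r <user>` and `getfacl <path>`.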
 
  

