domain users can't access samba shares on domain member server

noahbeach · 11-23-2010, 02:30 PM

Issue
When trying to mount samba share off of domain member server sysimage in Windows receive error "There are currently no logon servers available to service this logon request". When trying to mount.cifs from PDC to samba share on sysimage receive error "mount error(13): Permission denied".

Background:

PDC is ClearOS 5.2 named "dc0"
Samba file server is CentOS 5.5 x86_64 named "sysimage"

dc0 Samba version is samba - 3.5.5-1.1.v5.i386
sysimage Samba version is samba-3.0.33-3.29.el5_5.1.x86_64

dc0 is configured correctly to my knowledge, windows machines can join domain, domain users can log into windows machines, user directories are mapped properly, logon scripts run properly.

sysimage ldap authentication is set up as shown in "Procedure 7.1. Configuration of NSS_LDAP-Based Identity Resolution" from samba's documentation.

getent passwd correctly shows local and domain users on sysimage
getent group correctly shows local and domain groups on sysimage

sysimage was successfully joined to the domain using the above documentation.

I cannot login to sysimage using a domain account, but i can login with root and then su - to a domain account and can write to files/folders that that account has permission to.

I can chown files and folders to domain users and groups with no issue.

wbinfo -t output on sysimage:

Code:

checking the trust secret via RPC calls succeeded

wbinfo -u displays domain users
wbinfo -g displays domain groups

wbinfo -a domainUserName%domainUserPassword output:

Code:

plaintext password authentication succeeded
challenge/response password authentication succeeded

the ll on my shared directory is:

Quote:

[root@sysimage ~]# ll /srv/
total 8
drwxrwx--- 2 root domain_users 4096 Nov 23 17:48 test

files
smb.conf on sysimage

Code:

[global]
unix charset = LOCALE
workgroup = PLPNETWORK
security = DOMAIN
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
wins server = 192.168.0.2
winbind trusted domains only = Yes

# LDAP
include = /etc/samba/smb.ldap.conf

# Winbind
include = /etc/samba/smb.winbind.conf

[test]
comment = Test Share
path = /srv/test
valid users = %S
read only = No
browseable = Yes
available = Yes

smb.ldap.conf on sysimage

Code:

passdb backend = ldapsam:ldap://192.168.0.2
ldap admin dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = yes
ldap suffix = dc=PLPNetwork,dc=com
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8

smb.winbind.conf on sysimage

Code:

idmap backend = ldap:ldap://192.168.0.2/
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://192.168.0.2
idmap alloc config : ldap_base_dn = ou=idmap,dc=PLPNetwork,dc=com
idmap alloc config : ldap_user_dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com

/etc/ldap.conf from sysimage

Code:

URI     ldap://dc0.plpnetwork.com ldap://dc0.plpnetwork.com:636
host    192.168.0.2
base    dc=PLPNetwork,dc=com
binddn  cn=manager,cn=internal,dc=PLPNetwork,dc=com
bindpw  XXXXXXXXXXXXXXXXX

pam_password exop

nss_base_passwd ou=Users,ou=Accounts,dc=PLPNetwork,dc=com?one
nss_base_shadow ou=Users,ou=Accounts,dc=PLPNetwork,dc=com?one
nss_base_group  ou=Groups,ou=Accounts,dc=PLPNetwork,dc=com?one
ssl     no

/etc/nsswitch.conf on sysimage

Code:

passwd:         files ldap 
shadow:         files ldap
group:          files ldap

hosts:          files dns wins
networks:       files dns

services:       files
protocols:      files
rpc:            files
ethers:         files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files
aliases:        files

smb.conf from dc0 minus shares info

Code:

[global]
# Setting password change timeout
passwd chat timeout = 10

# General
netbios name = dc0
workgroup = PLPNETWORK
server string = Domain Controller for PLPNetwork

# Logging
syslog = 0
log level = 1
log file = /var/log/samba/%L-%m
max log size = 0
utmp = Yes

# Network
bind interfaces only = yes
interfaces = lo eth0 
smb ports = 139

# Printing
printcap name = /etc/printcap
load printers = Yes

# Security settings
security = user
guest account = guest
#restrict anonymous = 2

# WINS
wins support = Yes
wins server = 

# PDC
domain logons = Yes
add machine script = /usr/sbin/samba-add-machine "%u"
logon drive =
logon script = logon.exe
logon path =
logon home =

# Other
preferred master = Yes
domain master = Yes
unix password sync = Yes
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
username map = /etc/samba/smbusers
wide links = No

# LDAP
include = /etc/samba/smb.ldap.conf

# Winbind
include = /etc/samba/smb.winbind.conf

smb.winbind.conf from dc0

Code:

# This file is automatically updated by ldapsync -- please do not edit.
idmap backend = ldap:ldap://127.0.0.1/
idmap uid = 10000000-19999999
idmap gid = 10000000-19999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://127.0.0.1
idmap alloc config : ldap_base_dn = ou=idmap,dc=PLPNetwork,dc=com
idmap alloc config : ldap_user_dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com

smb.ldap.conf from dc0

Code:

# This file is automatically updated by ldapsync -- please do not edit.
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=manager,cn=internal,dc=PLPNetwork,dc=com
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = no
ldap suffix = dc=PLPNetwork,dc=com
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8

ldap.conf from dc0

Code:

# This file is automatically updated by ldapsync -- please do not edit.
host                        localhost
base                        dc=PLPNetwork,dc=com
scope                       sub
timelimit                   50
pagesize                    20000
bind_policy                 soft
pam_lookup_policy           yes
pam_password                exop
nss_initgroups_ignoreusers  root,ldap
nss_schema                  rfc2307bis
nss_map_attribute           uniqueMember member
ssl                         no
ldap_version                3
pam_filter                  objectclass=posixAccount
nss_base_passwd             ou=Users,ou=Accounts,dc=PLPNetwork,dc=com
nss_base_passwd             ou=Computers,ou=Accounts,dc=PLPNetwork,dc=com
nss_base_shadow             ou=Users,ou=Accounts,dc=PLPNetwork,dc=com
nss_base_group              ou=Groups,ou=Accounts,dc=PLPNetwork,dc=com
tls_checkpeer               no

Any help would be greatly appreciated.

jlcasado · 11-24-2010, 05:16 AM

Hi,

It seems that you have already done a lot of investigation and carefull setup so just some ideas that came to my mind while reading your post...maybe they help you:

Does the samba work if you use the server's IP address instead of the server name?
I assume the you joined the server to the domain using the net ads join command, have you tried to check if this has worked fine with net ads testjoin command?
I would try to set security=ADS for the sysimage server and retry to net ads join command.
Regarding the problem with domain users not able to log into the server, could you post your /etc/pam.d/system-auth file?

Best regards
jose