Old 05-05-2015, 11:34 AM   #1
Josh Scott
Ubuntu 14.04 Samba 4 - share permissions stumper


Greetings everyone,

I have an Ubuntu 14.04 Server with Samba and Winbind 4.1.6 joined to my Windows (SBS 2011 Standard) domain as a file server and have used it successfully to save client/workstation backups to several times already. Suddenly, it began denying access to the shares with "group not recognized" errors. I investigated, and while wbinfo -u and -g would show domain users and groups, getent would show only local users and groups. I am not sure what happened but I did install webmin and I uninstalled apparmor - not sure if either of these did something (I know webmin will modify your conf files if you mess with it). I have since uninstalled webmin and reinstalled apparmor but the errors continue. I subsequently followed Rabbit2345's wonderful instructions at http://www.linuxquestions.org/questi...nd-4175516531/ and now getent is returning domain user and group info again! Sadly though, my shares are still inaccessible by domain members. It prompts for credentials when attempting to access the shares, but returns "access denied" errors, regardless of how I enter the credentials (with or without the DOMAIN\ before the username).

Also please note that I have successfully changed the group owner of my share directories to "domain users" (this attribute was previously lost and set back to root somehow).

Here are my conf files below. If anyone has any pointers for me, I would be ever so grateful!

Quote:
# New smb.conf file created by Josh to configure Samba Server April 2015

[global]
log file = /var/log/samba/samba.log
security = ads
local master = no
client use spnego = yes
load printers = no
workgroup = JRCFI
log level = 2
client ntlmv2 auth = yes
preferred master = no
domain master = no
realm = JRSERVER.JRCFI.LOCAL
idmap config *:range = 10000-99999
encrypt passwords = yes
restrict anonymous = 2
template shell = /bin/bash
template homedir = /home/%D/%U
netbios name = DIAKONOS
wins server = jrserver.jrcfi.local
server string = diakonos
idmap config *:backend = rid
allow trusted domains = no

# password server = jrserver.jrcfi.local
restrict anonymous = 2

# Uncommenting the following will allow all Domain Users to see all
# shares without a password - the equivalent of allowing "Everyone"
# to read the share.
# valid users = @"Domain Users"

# Commenting out these older style idmap configuration settings
# idmap uid = 10000-99999
# idmap gid = 10000-99999
# idmap backend = tdb

# Winbind settings grouped

# winbind allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind trusted domains only = no

[public1]
comment = Public Share 1
path = /public1/
# valid users = "@JRCFI\Domain Users"
force group = "domain users"
writable = yes
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
read only = no

[public2]
comment = Public Share 2
path = /public2/
# valid users = "@JRCFI\Domain Users"
force group = "domain users"
writable = yes
force create mode = 0660
create mask = 0777
directory mask = 0777
access based share enum = yes
hide unreadable = yes
read only = no

Here is my nsswitch.conf for reference:

Quote:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Kerberos seems to be working fine - as in, I can get tickets for domain users using kinit no problem... Here is my /etc/krb5.conf anyway, just FYI:

Quote:

[libdefaults]

default_realm = JRCFI.LOCAL
ticket_lifetime = 24000
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.

v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]

JRCFI.LOCAL = {
kdc = jrserver.jrcfi.local:88
admin_server = jrserver.jrcfi.local
default_domain = jrserver.jrcfi.local
}

# ATHENA.MIT.EDU = {
# kdc = kerberos.mit.edu:88
# kdc = kerberos-1.mit.edu:88
# kdc = kerberos-2.mit.edu:88
# admin_server = kerberos.mit.edu
# default_domain = mit.edu
# }
# MEDIA-LAB.MIT.EDU = {
# kdc = kerberos.media.mit.edu
# admin_server = kerberos.media.mit.edu
# }
# ZONE.MIT.EDU = {
# kdc = casio.mit.edu
# kdc = seiko.mit.edu
# admin_server = casio.mit.edu
# }
# MOOF.MIT.EDU = {
# kdc = three-headed-dogcow.mit.edu:88
# kdc = three-headed-dogcow-1.mit.edu:88
# admin_server = three-headed-dogcow.mit.edu
# }
# CSAIL.MIT.EDU = {
# kdc = kerberos-1.csail.mit.edu
# kdc = kerberos-2.csail.mit.edu
# admin_server = kerberos.csail.mit.edu
# default_domain = csail.mit.edu
# krb524_server = krb524.csail.mit.edu
# }
# IHTFP.ORG = {
# kdc = kerberos.ihtfp.org
# admin_server = kerberos.ihtfp.org
# }
# GNU.ORG = {
# kdc = kerberos.gnu.org
# kdc = kerberos-2.gnu.org
# kdc = kerberos-3.gnu.org
# admin_server = kerberos.gnu.org
# }
# 1TS.ORG = {
# kdc = kerberos.1ts.org
# admin_server = kerberos.1ts.org
# }
# GRATUITOUS.ORG = {
# kdc = kerberos.gratuitous.org
# admin_server = kerberos.gratuitous.org
# }
# DOOMCOM.ORG = {
# kdc = kerberos.doomcom.org
# admin_server = kerberos.doomcom.org
# }
# ANDREW.CMU.EDU = {
# kdc = kerberos.andrew.cmu.edu
# kdc = kerberos2.andrew.cmu.edu
# kdc = kerberos3.andrew.cmu.edu
# admin_server = kerberos.andrew.cmu.edu
# default_domain = andrew.cmu.edu
# }
# CS.CMU.EDU = {
# kdc = kerberos.cs.cmu.edu
# kdc = kerberos-2.srv.cs.cmu.edu
# admin_server = kerberos.cs.cmu.edu
# }
# DEMENTIA.ORG = {
# kdc = kerberos.dementix.org
# kdc = kerberos2.dementix.org
# admin_server = kerberos.dementix.org
# }
# stanford.edu = {
# kdc = krb5auth1.stanford.edu
# kdc = krb5auth2.stanford.edu
# kdc = krb5auth3.stanford.edu
# master_kdc = krb5auth1.stanford.edu
# admin_server = krb5-admin.stanford.edu
# default_domain = stanford.edu
# }
# UTORONTO.CA = {
# kdc = kerberos1.utoronto.ca
# kdc = kerberos2.utoronto.ca
# kdc = kerberos3.utoronto.ca
# admin_server = kerberos1.utoronto.ca
# default_domain = utoronto.ca
# }

[domain_realm]
.jrcfi.local = JRCFI.LOCAL
jrcfi.local = JRCFI.LOCAL
# .mit.edu = ATHENA.MIT.EDU
# mit.edu = ATHENA.MIT.EDU
# .media.mit.edu = MEDIA-LAB.MIT.EDU
# media.mit.edu = MEDIA-LAB.MIT.EDU
# .csail.mit.edu = CSAIL.MIT.EDU
# csail.mit.edu = CSAIL.MIT.EDU
# .whoi.edu = ATHENA.MIT.EDU
# whoi.edu = ATHENA.MIT.EDU
# .stanford.edu = stanford.edu
# .slac.stanford.edu = SLAC.STANFORD.EDU
# .toronto.edu = UTORONTO.CA
# .utoronto.ca = UTORONTO.CA

[login]

krb4_convert = true
krb4_get_tickets = false

[appdefaults]

pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[logging]

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

Thanks for any pointers anyone might have!

Josh Scott
Boise ID area
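A small checker, added here as an example and not part of the original post or of Samba itself, that parses a trimmed copy of the smb.conf above and reports what is worth checking when a domain share answers "access denied": duplicated keys, shares with no `valid users` (any authenticated domain account can reach them), a `force group` that has to resolve through NSS (the getent symptom in the post), and the mode new files and directories actually receive under Samba's create mask / force create mode rule. The sample text and the wording of the findings are constructed.

```python
# Constructed sample: trimmed [global] and [public1] sections from the original post.
SMB_CONF = """
[global]
restrict anonymous = 2
idmap config *:backend = rid
restrict anonymous = 2
# valid users = @"Domain Users"
[public1]
force group = "domain users"
force create mode = 0660
create mask = 0777
directory mask = 0777
force directory mode = 0770
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in file order."""
    sections, current = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # Samba treats '#' and ';' as comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")  # split on the first '=' only ("idmap config *:backend")
        sections.setdefault(current, []).append((key.strip().lower(), value.strip().strip('"')))
    return sections

def effective_mode(entries, requested, mask_key, force_key, default_mask):
    """Samba's rule: (requested AND mask) OR force bits; a later duplicate key wins."""
    opts = dict(entries)
    mask = int(opts.get(mask_key, default_mask), 8)
    force = int(opts.get(force_key, "0"), 8)
    return (requested & mask) | force

def lint_share(sections, name):
    """Findings for one section: duplicate keys, open access, NSS group dependency, resulting modes."""
    entries = sections[name]
    opts, keys = dict(entries), [k for k, _ in entries]
    findings = [f"duplicate key '{k}'" for k in sorted({k for k in keys if keys.count(k) > 1})]
    if "valid users" not in opts:
        findings.append("no 'valid users': any authenticated domain account can reach this share")
    if "force group" in opts:
        findings.append(f"force group '{opts['force group']}' must resolve via getent group")
    fmode = effective_mode(entries, 0o644, "create mask", "force create mode", "0744")
    dmode = effective_mode(entries, 0o755, "directory mask", "force directory mode", "0755")
    findings.append(f"new files get 0{fmode:o}, new directories 0{dmode:o}")
    return findings
```

Run `lint_share(parse_smb_conf(open('/etc/smb.conf').read()), 'public1')` against a real file to get the same findings for your own shares; the default masks used when a key is absent are Samba's documented defaults of 0744 and 0755.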
Old 05-26-2017, 06:33 AM   #2
Dubla
Hi Josh,
Recently I've encountered the very same situation and have been trying to figure out the solution for several days. Did you solve the problem?

Thanks
Dubla
Old 05-27-2017, 07:46 PM   #3
Josh Scott
Dubla, unfortunately that server received some updates which broke it even more badly. I have since moved on and am no longer using that server anymore. Nowadays, I run a Debian server with a much simpler Samba configuration for doing network backups - no longer joining it to the domain which just isn't necessary. We're also in the process of moving away from Microsoft servers and desktops completely so we won't have to deal with Microsoft file systems and protocols anymore at all.

Sorry I couldn't be of more assistance. Good luck.

Josh