



Samba / Winbind / LDAP - Can't access shares
2007-04-17 19:22:45
Hi All,

I have the following setup: Samba/LDAP PDC, Samba BDC, Samba member server, Win2K member server, 300 Win XP client PCs.

I can access the shares on the PDC from all Win XP clients. I can access the shares on the Win2K member server from all XP clients; I can't, however, access any of the shares on the Samba BDC or the Samba member server from the XP clients.

LDAP is working fine and PAM/LDAP/NSS are working fine. getent works for users and groups on all Samba servers, and net groupmap list provides identical group mappings across all Samba servers. I can do things like chmod user."Domain Admins" and it works. I can use setfacl and generate ACLs with domain groups in them and it works, but I cannot access the shares on the Samba servers from anywhere on the network. wbinfo works on the Samba member server but cannot look up users and groups when run on the PDC and BDC.

OSes are Mandriva 2007 and Ubuntu Edgy. Samba version is 3.0.23d. All machine names are resolvable via nmblookup and nslookup, and I've been through every document and howto I can find as well as loads of Google searches, but have not managed to resolve it yet.

All help gratefully received. Cheers,

Jools

The smb.conf files are as follows:

PDC:

[global]

# NOTE(review): this listing appears to have been wrapped and stripped of
# backslashes by the mail archive ('logon path', and the 'admin users',
# 'socket options', 'passwd chat', script and 'ldap admin dn' values that
# continue on a second line). In the real file each key is a single line; a
# continuation line with no '=' is not valid smb.conf syntax, so read the
# two-line values below as one line when comparing with the live file.
# General Options for domain
        workgroup = BGS
        netbios name = SMB5
        server string = Samba Server %v
# One log per client NetBIOS name (%m); see 'log level' below for the volume.
        log file = /var/log/samba/%m.log
        max log size = 50
# NOTE(review): with 'hosts allow' disabled, any host that can reach the server
# may open a session; the commented ranges look like the intended client LANs.
 #      hosts allow = 172.20.0. 172.20.1. 172.20.2. 127.
# Unknown user names fall back to the guest account. Together with the
# 'guest ok = yes' shares further down ([netlogon], [Profiles]) this gives
# unauthenticated clients access to those shares.
        map to guest = bad user
        security = user
        encrypt passwords = yes
# Only used by the smbpasswd passdb backend; 'passdb backend = ldapsam' below
# makes it irrelevant here (left over from an earlier setup).
        smb passwd file = /etc/samba/smbpasswd
#       unix password sync = Yes
#       pam password change = yes
#       passwd program = /usr/bin/passwd '%u'
#       passwd chat = *Nadmin1*UNIX*password* %nn 
*Re*ype*nadmin1*UNIX*password* %nn 
#       *passwdall*authenti
cation*tokens*updated*successfully*
#       username map = /etc/samba/smbusers
# Per-client override file named after the client's NetBIOS name (a value the
# client supplies); presumably ignored when no such file exists.
        include = /etc/samba/smb.conf.%m
        wins support = yes
#       wins server = 127.0.0.1
        dns proxy = no
        dos charset = 850
        unix charset = ISO8859-1
# Every account and group member listed here performs all file operations on
# every share as root; keep the list minimal. The 'BGS' prefix on the group is
# presumably 'BGS\' with the separator lost in transit - verify.
        admin users = BGSadmin3 BGSadmin1 BGSadmin2
+"BGSDomain Admins"
# Debug level: very large logs holding session and share detail. Lower it
# once the access problem is diagnosed.
        log level = 10
#       winbind separator = +
#       winbind enum users = yes
#       winbind enum groups = yes
# Range winbind may allocate for domain accounts without an LDAP uid/gid. The
# BDC and member server declare the same range, which is consistent only
# because all three use the shared LDAP idmap store (idmap backend below); it
# must not overlap the uidNumber/gidNumber values smbldap-tools assigns (not
# visible here - confirm).
        idmap uid = 10000-20000
        idmap gid = 10000-20000
#       winbind use default domain =yes

# Tune Samba and determine its priority in the Domain
        socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
#       remote announce = 172.20.0.255 172.20.1.255
172.20.2.255 
172.20.3.255
        local master = yes
        domain logons = yes
# Duplicate of 'wins support = yes' above (same value; the later one wins).
        wins support = yes
        os level = 254
        domain master = yes
        preferred master = yes
        name resolve order = wins lmhosts bcast
# Set the paths to the various resources on the Domain
# Duplicate of 'domain logons = yes' above - drop one.
        domain logons = yes
# Script run by clients at logon, served from [netlogon] below and chosen by
# the user's primary group (%G); the netlogon directory must be writable by
# root only, since every client executes what it finds there.
        logon script = %G.bat
# NOTE(review): backslashes look to be missing here; the usual form is
# \\%L\Profiles\%U (the [Profiles] share below) - check the real file.
        logon path = \%LProfiles%U

# Define the interaction between smbldap tools and the
server's LDAP backend
#       ldap password sync = yes
        unix password sync = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
# NOTE(review): 'Nadmin1' / 'nadmin1' look like an archive substitution of the
# word 'new' (cf. the share name [coursadmin1ork]) rather than the real prompt.
        passwd chat = *Nadmin1*password* %nn
*Retype*nadmin1*password* %nn
# Account maintenance is delegated to smbldap-tools; %u/%g are substituted by
# smbd before the command line reaches the shell, hence the single quotes.
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add user to group script =
/usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script =
/usr/sbin/smbldap-groupmod -x 
'%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod
-g '%g' '%u'
# Must print the new group's gidNumber on stdout, hence the awk pipeline.
        add group script = /usr/sbin/smbldap-groupadd '%g'
&& 
/usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print
$2}'
        delete group script = /usr/sbin/smbldap-groupdel
'%g'
# Machine accounts get no home and no shell.
        add machine script = /usr/sbin/smbldap-useradd -w -d
/dev/null 
-c 'Machine Account' -s /bin/false '%u'

# Allow members of Domain Admins to add machine accounts
# (makes rights granted with 'net rpc rights' effective)
        enable privileges = yes

# Define ID backend structure
# passdb backend = smbpasswd guest
#       passdb backend = tdbsam:/etc/samba/passdb.tdb
# Loopback bind, so the simple bind with 'ldap admin dn' stays on this host.
# The BDC and member server bind to this host over the network with plain
# ldap:// and no 'ldap ssl' - their admin-dn password and directory data cross
# the wire unencrypted unless start_tls (commented below) is enabled on both
# sides.
        passdb backend = ldapsam:ldap://localhost
# In case of compatibility issues
# Use the samba2 LDAP schema:
# passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com
smbpasswd guest
        idmap backend = ldap:ldap://localhost
# Its password is not in this file (kept in secrets.tdb via 'smbpasswd -w').
        ldap admin dn = 
cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
#       ldap ssl = start_tls
#ldap port = 389
        ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
        ldap machine suffix = ou=Hosts
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=Idmap
# Example for AD-ish layout:
# ldap machine suffix = cn=Computers
# ldap user suffix = cn=Users
# ldap group suffix = cn=Groups
# ldap idmap suffix = cn=Idmap

#============================ Share Definitions ==============================
[homes]
# One share per user, mapped to the authenticated user's home directory.
    comment = Home Directories
    browseable = no
    writable = yes
# Name patterns clients may neither see nor create; wrapped by the archive -
# one line in the real file.
    veto files = 
/*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.mp4/*.mpg/*.mpeg/*.ra
/*.ram/*.bas/*.bat/*.rar/
# Octal: owner and group only, nothing for others.
    create mask = 0660
    directory mask = 0770
# Session audit trail. %u/%m/%T are substituted by smbd before the command is
# handed to the shell, and the command runs as the connecting user, so the
# log file must already be writable by every user or the append is simply
# lost. NOTE(review): %m is client-supplied - rely on smbd's substitution
# sanitising for this Samba version, and confirm it.
    preexec = /bin/echo "%u logged in to %m at
%T" >> 
/var/log/samba/logons.log
    postexec = /bin/echo "%u logged off of %m at
%T" >> 
/var/log/samba/logons.log

# You can enable VFS recycle bin and on-access virus-scanning on a per-share
# basis: uncomment the next 2 lines (make sure you create a .recycle folder in
# the base of the share and ensure all users will have write access to it).
# For virus scanning, install samba-vscan-clamav and ensure the clamd service
# is running.
#   vfs objects = vscan-clamav recycle
#   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
# Logon scripts (%G.bat, selected in [global]) are fetched from here and run
# by every client at logon. 'guest ok' lets unauthenticated clients read them;
# the share is read-only, so only the on-disk permissions of the directory
# protect the scripts from being altered.
path = /spare/samba/netlogon
comment = Network Logon Service
read only = yes
guest ok = yes

# Un-comment the following to provide a specific roving profile share
# (the default is to use the user's home directory)
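[Profiles]
# Roaming profile store referenced by 'logon path' in [global]. Each profile
# directory holds the user's registry hive and documents, so the share must
# not be writable anonymously: with 'map to guest = bad user' in [global] a
# 'guest ok = yes' here would let any unknown user name write into the tree.
# Clients fetch and store profiles as the authenticated user, so guest access
# is not needed.
path = /spare/samba/profiles
browseable = no
guest ok = no
writable = yes
#vfs objects = fake_perms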

# A share allowing administrators to set ACLs on, or access for backup
# purposes, all files (as root).
[admin]
# NOTE(review): this exports the whole filesystem read-write, and 'admin users'
# makes every connection run as root, so any Domain Admins credential (or a
# workstation holding one) has full root access to this host over SMB. Keep
# the share disabled except while a backup/ACL job runs, and consider a
# 'hosts allow' limited to the backup/admin hosts. 'BGSDomain Admins' is
# presumably 'BGS\Domain Admins' with the separator lost in transit.
path = /
admin users = +"BGSDomain Admins"
valid users = +"BGSDomain Admins"
browseable = no
writeable = yes


BDC:

[global]
# Backup domain controller sharing the PDC's LDAP directory and idmap store.
# No 'security' line, so the default (user) applies.
workgroup = BGS
# Plain ldap:// across the network with no 'ldap ssl': the simple bind with
# 'ldap admin dn' and all directory traffic are unencrypted between this host
# and smb5. The PDC has 'ldap ssl = start_tls' commented out; enabling it
# there and here would protect the link.
  passdb backend =
ldapsam:ldap://smb5.bordengrammar.kent.sch.uk
  domain master = no
  domain logons = yes
# NetBIOS name here, address (172.20.0.105) on the member server - both must
# resolve to the same host.
  wins server = SMB5
  ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap machine suffix = ou=Hosts
  ldap idmap suffix = ou=Idmap
  ldap admin dn =
cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
# NOTE(review): the host name on the next line is misspelled ('bordnegrammar';
# every other reference on this page is 'bordengrammar'). If this is in the
# real file the BDC cannot reach the idmap store at all, which would explain
# winbind failing to look up users and groups on the BDC - verify this first.
  idmap backend =
ldap:ldap://smb5.bordnegrammar.kent.sch.uk
# Same range as the PDC and member server; consistent only because the range
# is allocated from the shared LDAP idmap store.
  idmap uid = 10000-20000
  idmap gid = 10000-20000

[netlogon]
# Second copy of the logon-script share for clients that log on via the BDC;
# its contents must be kept identical to the PDC's netlogon directory (no
# synchronisation is configured here). Read-only, anonymous read allowed.
path = /spare/samba/netlogon
comment = Network Logon Service
read only = yes
guest ok = yes

Member Server:

[global]
# Domain member: authentication is passed to the domain controllers
# ('security = domain'); users and groups are resolved through the shared
# LDAP directory, using the same idmap store and range as the DCs.
workgroup = BGS
# Plain ldap:// with no 'ldap ssl': the admin-dn bind and directory data cross
# the network to smb5 unencrypted (see the PDC's commented 'ldap ssl' line).
  passdb backend =
ldapsam:ldap://smb5.bordengrammar.kent.sch.uk
  domain master = no
  domain logons = no
# Address form here, NetBIOS name (SMB5) on the BDC - presumably the same host.
  wins server = 172.20.0.105
  security = domain
  ldap suffix = dc=bordengrammar,dc=kent,dc=sch,dc=uk
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap machine suffix = ou=Hosts
  ldap idmap suffix = ou=Idmap
  ldap admin dn =
cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk
  idmap backend =
ldap:ldap://smb5.bordengrammar.kent.sch.uk
# Same range as both DCs; safe only because it comes from the shared LDAP
# idmap store.
  idmap uid = 10000-20000
  idmap gid = 10000-20000
# Lets 'getent passwd/group' list every domain account; can be slow on a
# large directory but is not required for the share lists below.
  winbind enum users = yes
  winbind enum groups = yes
# With the default separator ('\'), the '+BGS...' entries in the share lists
# below are presumably '+BGS\group' with the backslash lost in transit. If the
# live file also lacks it, those group names resolve to nothing and the lists
# are effectively empty - consistent with the "cannot access" symptom; check
# each name with 'getent group' on this host.
#  winbind separator = +
#  winbind use default domain = yes

[Apps]
# Old P: drive. The read/write lists were wrapped by the archive; each is one
# line in the real file. Entries with a '+' prefix are Unix group names,
# entries without one are user names, so the trailing 'BGSpupils' in the read
# list is a *user* unless its '+' was lost in transit - verify.
comment = old P-drive structure
path = /share/apps
browseable = yes
read list = +"BGSDomain Admins" +"BGSDomain
Users" +BGSteachers 
BGSpupils
write list = +"BGSDomain Admins"
+"BGSDomain Users" +BGSteachers
# Octal masks (AND-ed with the client-requested mode): allow other-read on
# files and other-read/traverse on directories.
create mask = 744
directory mask = 755
# Every new file gets Unix group 'users' regardless of the connecting user.
force group = users

[odrive]
# '"Domain Admins"' here has no '+' prefix, so Samba treats it as a user
# name, not the group used elsewhere ('+"BGSDomain Admins"'); admins
# probably get no access to this share through these lists - verify.
comment = odrive
path = /share/odrive
browseable = yes
read list = +BGSteachers "Domain Admins"
write list = +BGSteachers "Domain Admins"
# Octal: owner and group only.
create mask = 660
directory mask = 770

[staff]
comment = Shared Directory for Staff Access Only
path = /share/staff
browseable = yes
# Access is gated by 'valid users' first, then by the read/write lists. The
# lists were wrapped by the archive; '+BGSadmin' is a group here, unlike the
# 'admin1..3' user names used in [admins].
read list = +"BGSDomain Admins" +BGSteachers
+BGSadmin
write list = +"BGSDomain Admins" +BGSteachers
+BGSadmin
valid users = +"BGSDomain Admins" +BGSteachers
+BGSadmin
# Redundant with 'valid users' (pupils are not listed there) but harmless.
invalid users = +BGSpupils
# Octal: owner and group only.
create mask = 660
directory mask = 770
# All new files get Unix group 'teachers' (no domain prefix on this one).
force group = teachers
# Deleted files are moved to <share>/.recycle with their path preserved and
# no versioning; nothing configured here purges it, so "deleted" staff
# documents stay on disk until someone cleans the directory.
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = 1
recycle:noversions = 1

[Departmental]
# NOTE(review): the comment says "for Pupils", but '+BGSpupils' is in
# 'invalid users' and pupils appear in no access list - one of the two is
# wrong.
comment = Shared Directory for Pupils
path = /share/Departmental-Files
browseable = yes
read list = +"BGSDomain Admins" +BGSteachers
write list = +"BGSDomain Admins" +BGSteachers
valid users = +"BGSDomain Admins" +BGSteachers
invalid users = +BGSpupils
# Mixed notation (0660 vs 770); both are octal with the same effect.
create mask = 0660
directory mask = 770
# %U / %G expand to the connecting user and that user's primary group, so
# these presumably change nothing; 'force user' with a dynamic value is
# unusual - confirm the intent.
force user = %U
force group = %G

[pupils]
comment = Shared Directory for Pupils
path = /share/pupils
browseable = yes
# Lists wrapped by the archive. '+BGS"Domain Users"' has the quotes inside the
# token and will not parse as the group (elsewhere the form is
# '+"BGSDomain Users"'); presumably '+"BGS\Domain Users"' in the real file.
# NOTE(review): '+BGSmiscreants' - a group name suggesting restricted pupils -
# gets the same write access as everyone else here; verify that is intended.
read list = +"BGSDomain Admins" +BGS"Domain
Users" +BGSpupils 
+BGSteachers +BGSmiscreants
write list = +"BGSDomain Admins"
+BGS"Domain Users" +BGSpupils 
+BGSteachers +BGSmiscreants
# Octal: owner and group only.
create mask = 660
directory mask =770
# %U is the connecting user, so 'force user' changes nothing here; with the
# '+' prefix, 'force group' applies only to users already in that group.
force user = %U
force group = +BGSteachers
# Wrapped mid-word ('mpe' / 'g') by the archive - one line in the real file.
veto files = 
/*.exe/*.mp3/*.scr/*.vbs/*.asf/*.wma/*.wmv/*.mp4/*.mpg/*.mpe
g/*.ra/*.ram/*.bas/*.bat/*.rar/
# Deleted files are kept in .recycle with their paths; nothing purges it.
vfs objects = recycle
recycle:repository = .recycle
recycle:keeptree = 1
recycle:noversions = 1

[coursadmin1ork]
# NOTE(review): with every access list commented out, any authenticated
# domain user can read this share (default 'read only = yes') and nobody can
# write - the "Read-Write for Teachers" in the comment is not in effect. The
# stray '+BGSpupils' on its own line is a wrap artefact of the archive, and
# the share name itself looks like an archive substitution ('ew' ->
# 'admin1', cf. the PDC's 'passwd chat' prompts) rather than a real setting.
comment = Read-Write for Teachers Read only for Pupils
path = /share/coursadmin1ork
browseable = yes
#read list = +"BGSDomain Admins" +BGSteachers
+BGSpupils
#write list = +"BGSDomain Admins" +BGSteachers
#create mask = 0664
#directory mask = 0775

[admins]
comment = Access for Admins Only
path = /share/admins
browseable =  yes
# 'admin3 admin1 admin2' are user accounts (no '+'), written without the BGS
# prefix the PDC uses for the same people in 'admin users' (BGSadmin1..3) -
# presumably the domain separator was lost in transit; verify that these
# names resolve on this host. Lists wrapped by the archive.
read list = +"BGSDomain Admins" admin3 admin1
admin2
write list = +"BGSDomain Admins" admin3 admin1
admin2
# Octal: owner and group only.
create mask = 660
directory mask = 770

[resources]
# "Open" only to the listed groups: read for staff, pupils and Domain Users,
# write for Domain Admins. The read list was wrapped mid-quote by the archive
# and '+BGS"Domain Users"' has the quotes inside the token (elsewhere the
# form is '+"BGSDomain Users"') - check the real file.
comment = Open Share for Distribution
path = /share/resources
browseable = yes
read list = +"BGSDomain Admins" +BGSteachers
+BGSpupils +BGS"Domain 
Users"
write list = +"BGSDomain Admins"
# 440: new files are read-only even for their owner, so a writer cannot
# change a file after creating it unless the mask is raised - presumably
# intended for a distribution share.
create mask = 440
directory mask = 770

[library]
# Lists here are comma-separated (Samba accepts commas or spaces). '"Domain
# Users"' lacks the '+' prefix and is therefore a user name, not the group;
# 'jfj' and 'gpc' are individual user accounts.
        browseable = yes
        read list = +"BGSDomain Admins","Domain 
Users",+BGSteachers,+BGSpupils,+BGSlibrarians
        write list = jfj,gpc,+"BGSDomain
Admins",+BGSlibrarians
        path = /share/library
        force group = +BGSlibrarians
# NOTE(review): 'force user' takes a single user name; the '+' group prefix
# belongs to list parameters, so this probably does not do what was intended.
# Forcing all writes onto one account also hides who created each file.
        force user = +BGSgpc
        comment = Library Share
# 'create mode' / 'directory mode' are synonyms of the 'create mask' /
# 'directory mask' used in the other shares.
        create mode = 660
        directory mode = 770

[free-software]
# Distribution share: read for the three groups, write for Domain Admins
# only. Read list wrapped by the archive.
comment = Open Share for Distribution
path = /share/free-software
browseable = yes
read list = +"BGSDomain Admins" +BGSteachers
+BGSpupils
write list = +"BGSDomain Admins"
# Octal: owner read/write, group read, nothing for others.
create mask = 640
directory mask = 770

[mcafee]
comment = Updates for McAfee
path = /share/mcafee
browseable = yes
# No 'read list' / 'valid users', so every authenticated domain user can read.
# NOTE(review): the write list (wrapped by the archive) ends with '"Domain
# Users"' - without '+' that is a user name, but if the group was intended,
# every domain user could replace the antivirus update files that clients
# pull from here. Limit writes to the updater account/group and the admins.
write list = BGSadmin2 BGSadmin3 BGSadmin1 BGSupdater
+BGSupdaters 
+"BGSDomain Admins" "Domain Users"
# Octal: owner and group only.
create mask = 660
directory mask = 770
# force user = admin1
# force group = +"BGSDomain Admins"

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
