
Samba Errors when trying to mount shares using my AD Account on XP

 
Jon Schneider_1
Advisor


Ok...attached are the config files. I have authentication working with winbind where I can log into the console and via ssh to my Linux server; however, when I try to connect to a share I created with SAMBA it just tells me access is denied. Any assistance appreciated.

smb.conf:

workgroup = SCLHS
netbios name = RLINUX97
realm = SCLHS.NET
server string = RLINUX97
printcap name = /etc/printcap
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 100
security = ads
password server = soad5.sclhs.net, soad4.sclhs.net, soad3.sclhs.net
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = no
preferred master = no
wins server = soad5.sclhs.net:10.90.0.1 soad4.sclhs.net:10.90.0.4 soad3.sclhs.net:10.91.1.40
dns proxy = no
client use spnego = yes
idmap uid = 50001-65000
idmap gid = 50001-65000
winbind separator = _
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
winbind use default domain = yes
enable privileges = yes

[pub]
comment = Public Data Folder
read only = no
path = /pub
valid users = @SCLHS_"Domain Users"

krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = SCLHS.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
SCLHS.NET = {
kdc = soad4.sclhs.net:88
kdc = soad5.sclhs.net:88
kdc = soad3.sclhs.net:88
#admin_server = kerberos.example.com:749
default_domain = sclhs.net
}

[domain_realm]
.sclhs.net = SCLHS.NET
sclhs.net = SCLHS.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so

account sufficient pam_winbind.so
account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so md5 shadow nullok use_authtok
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
session required pam_unix.so

messages appears as follows:

Oct 3 16:21:15 rlinux97 smbd[11132]: [2006/10/03 16:21:15, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:15 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:15 rlinux97 smbd[11132]: [2006/10/03 16:21:15, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:15 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:15 rlinux97 smbd[11132]: [2006/10/03 16:21:15, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:15 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:15 rlinux97 smbd[11132]: [2006/10/03 16:21:15, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:15 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: [2006/10/03 16:21:16, 0] smbd/service.c:set_current_service(150)
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: request failed, but PAM error 0!
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: internal module error (retval = 3, user = `jons')
Oct 3 16:43:51 rlinux97 kernel: audit(1159911831.434:1426): avc: denied { execmod } for pid=7946 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=11698622 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 3 16:43:51 rlinux97 kernel: audit(1159911831.466:1427): avc: denied { execmod } for pid=7946 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=11698622 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 3 16:43:59 rlinux97 kernel: audit(1159911839.818:1428): avc: denied { execmod } for pid=7946 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=11698823 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 3 16:43:59 rlinux97 kernel: audit(1159911839.854:1429): avc: denied { execmod } for pid=7946 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=11698823 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 3 16:47:17 rlinux97 kernel: audit(1159912037.466:1430): avc: denied { write } for pid=11271 comm="smbd" name="krb5.conf" dev=dm-0 ino=15075135 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
Thank you, sir! May I have another!?
Ivan Ferreira
Honored Contributor

Re: Samba Errors when trying to mount shares using my AD Account on XP

>>>> chdir (/pub) failed

Does the /pub directory exist?

Oct 3 16:40:29 rlinux97 pam_winbind[11233]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: request failed, but PAM error 0!
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: internal module error (retval = 3, user = `jons')

Can you log on to the system using the jons user? Does it really exist?


>>>> Oct 3 16:47:17 rlinux97 kernel: audit(1159912037.466:1430): avc: denied { write } for pid=11271 comm="smbd" name="krb5.conf" dev=dm-0 ino=15075135 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file

You should disable SELinux.

What is the output of:

net ads status
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Jon Schneider_1
Advisor

Re: Samba Errors when trying to mount shares using my AD Account on XP

/pub exists with 766 octal perms

OK...I disabled SELinux

Here is my net ads status results:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: rlinux97
distinguishedName: CN=rlinux97,CN=Computers,DC=sclhs,DC=net
instanceType: 4
whenCreated: 20061003184213.0Z
whenChanged: 20061003184316.0Z
uSNCreated: 4881986
uSNChanged: 4882020
name: rlinux97
objectGUID: 0f767b4d-312a-4da7-bb72-4945c6f05ca5
userAccountControl: 69632
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 128044505357840391
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid: S-1-5-21-73586283-1214440339-839522115-7697
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: rlinux97$
sAMAccountType: 805306369
dNSHostName: rlinux97.sclhs.net
servicePrincipalName: HOST/rlinux97.sclhs.net
servicePrincipalName: HOST/RLINUX97
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=sclhs,DC=net
isCriticalSystemObject: FALSE
lastLogonTimestamp: 128043745338784910
Thank you, sir! May I have another!?
Ivan Ferreira
Honored Contributor

Re: Samba Errors when trying to mount shares using my AD Account on XP

766 is not a good permission for a directory. You should use 755 or 1777. Probably, for a public directory 1777 is the best option. You need read and execute permissions in a directory to be able to chdir to that directory.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
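Added example, not part of the original replies: the 766, 755 and 1777 modes discussed above, evaluated bit by bit for a non-owner. The ownership of /pub (root:root) is an assumption; the uid and gid 50001 are the winbind-mapped values shown in the thread's getent output.

```python
import stat


def dir_access(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix mode-bit check for a non-root caller on a directory.
    Ignores POSIX ACLs, SELinux and Samba's own share-level checks."""
    if uid == owner_uid:
        who, shift = 'owner', 6
    elif owner_gid in gids:
        who, shift = 'group', 3
    else:
        who, shift = 'other', 0
    bits = (mode >> shift) & 0o7
    can_search = bool(bits & 0o1)
    return {
        'ls_l': stat.filemode(stat.S_IFDIR | mode),
        'class': who,
        'chdir': can_search,                  # x = search/traverse, needed by chdir()
        'list_names': bool(bits & 0o4),       # r = read the directory's entry names
        'create_delete': bool(bits & 0o2) and can_search,  # w is unusable without x
        'sticky': bool(mode & stat.S_ISVTX),  # only the owner may delete an entry
    }


def compare(modes=(0o766, 0o755, 0o1777)):
    # Assumption: /pub is owned by uid 0 / gid 0; caller is uid 50001, gid 50001.
    return {oct(m): dir_access(m, 0, 0, 50001, {50001}) for m in modes}


if __name__ == '__main__':
    for mode, result in compare().items():
        print(mode, result)
```

With 766 the "other" class has read and write but no search bit, so chdir is refused even though the directory looks writable.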
Jon Schneider_1
Advisor

Re: Samba Errors when trying to mount shares using my AD Account on XP

Ok...I changed the perms on that dir to 1777; that didn't seem to affect this, however.
Thank you, sir! May I have another!?
Ivan Ferreira
Honored Contributor

Re: Samba Errors when trying to mount shares using my AD Account on XP

What do you get when you run:

wbinfo -u | grep USERNAME
getent passwd | grep USERNAME

where USERNAME is the name of the user trying to access the samba share? The message that is strange to me is:

NT_STATUS_NO_SUCH_USER
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Jon Schneider_1
Advisor

Re: Samba Errors when trying to mount shares using my AD Account on XP

[s000148@rlinux97 ~]$ wbinfo -u | grep S000148
S000148


[s000148@rlinux97 ~]$ getent passwd | grep s000148
s000148:*:50001:50001:Schneider, Jonathan:/home/SCLHS/s000148:/bin/bash
Thank you, sir! May I have another!?
Ivan Ferreira
Honored Contributor

Re: Samba Errors when trying to mount shares using my AD Account on XP

Can you post the log in messages again, just after you test the access? I want to see it again. To simplify the message, just attach a text file.

The thing is that in the previous log I see:

Oct 3 16:40:29 rlinux97 pam_winbind[11233]: internal module error (retval = 3, user = `jons')

And the user you used with wbinfo is a different one. Please run the test and attach the log files again. Also attach smb.log, nmbd.log and the log for the computer that is trying to access the share, which are normally in the /var/log/samba directory.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
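Added example, not part of the original thread: a small triage of the messages excerpt that groups the smbd chdir failures, the pam_winbind errors and the SELinux AVC denials quoted in the replies, and flags user names that failed in pam_winbind but are not the account checked with wbinfo/getent. The sample is a constructed subset of the lines posted above; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a subset of the /var/log/messages lines posted in this thread.
SAMPLE = """\
Oct 3 16:21:15 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:21:16 rlinux97 smbd[11132]: chdir (/pub) failed
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
Oct 3 16:40:29 rlinux97 pam_winbind[11233]: internal module error (retval = 3, user = `jons')
Oct 3 16:43:51 rlinux97 kernel: audit(1159911831.434:1426): avc: denied { execmod } for pid=7946 comm="firefox-bin" name="libflashplayer.so" dev=dm-0 ino=11698622 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 3 16:47:17 rlinux97 kernel: audit(1159912037.466:1430): avc: denied { write } for pid=11271 comm="smbd" name="krb5.conf" dev=dm-0 ino=15075135 scontext=user_u:system_r:smbd_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
"""

AVC = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
CHDIR = re.compile(r'smbd\[\d+\]: chdir \((?P<path>[^)]+)\) failed')
PAM_USER = re.compile(r"pam_winbind\[\d+\]: .*user = `(?P<user>[^']+)'")
NT_STATUS = re.compile(r'pam_winbind\[\d+\]: .*NT error was (?P<status>NT_STATUS_\w+)')


def ctx_type(context):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else ''


def parse_avc(line):
    """Turn one 'avc: denied' line into a dict, or None if it is not one."""
    m = AVC.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(m.group('kv'))}
    rec['perms'] = m.group('perms').split()
    rec['source_type'] = ctx_type(rec.get('scontext', ''))
    rec['target_type'] = ctx_type(rec.get('tcontext', ''))
    return rec


def triage(text, tested_user):
    """Group the failure kinds seen in the thread; tested_user is the
    account that was checked with wbinfo/getent."""
    out = {'chdir_failed': Counter(), 'nt_status': Counter(),
           'winbind_users': set(), 'avc': []}
    for line in text.splitlines():
        if (m := CHDIR.search(line)):
            out['chdir_failed'][m.group('path')] += 1
        if (m := NT_STATUS.search(line)):
            out['nt_status'][m.group('status')] += 1
        if (m := PAM_USER.search(line)):
            out['winbind_users'].add(m.group('user'))
        if (rec := parse_avc(line)):
            out['avc'].append(rec)
    # Names that failed in pam_winbind but are not the account that was tested
    out['untested_users'] = {u for u in out['winbind_users']
                             if u.lower() != tested_user.lower()}
    return out


if __name__ == '__main__':
    report = triage(SAMPLE, tested_user='s000148')
    print(report['chdir_failed'], report['nt_status'], report['untested_users'])
    for rec in report['avc']:
        print(rec['comm'], rec['perms'], rec['name'],
              rec['source_type'], '->', rec['target_type'], rec['tclass'])
```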