From: Bjoern Meier on
hi,

> [homes]
>        comment = Home Directories
>        valid users = DOMAIN\%S, DOMAIN\admin
>        admin users = DOMAIN\admin


I guess [homes] is a special share where every user has access to his own
home directory (only the user with the credentials has access to his very
own home directory).

So my advice is: comment out [homes] and set up a share with a path to /home
- don't worry, access rights are handled by the system (they should be, if
the home directories are set up well).

Greetings,
Björn
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Bjoern Meier on
hi Eric,



2010/2/10 Eric Peterson <ericrpeterson(a)sbcglobal.net>

> Bjoern,
>
> Could you please provide the actual settings of the share you are
> suggesting would be placed in the smb.conf file? Or are you suggesting
> creating a specific share for each user?
>
> Thanks,
> Eric Peterson
>


Well, we've created a new directory /homesdirs/ which is a samba share (e.g.
to set up profile folders in the AD). The access rights are set by Windows
with ACL support on samba. The domain security policy adds the administrator to
each profile folder.

Greetings,
Björn
From: Eric Peterson on
Bjoern,
 
OK I understand that you have created a directory on the Samba server.
 
I am not a Samba expert, so what I need to know is the configuration entered in the smb.conf that you are using.
You could run "testparm" to create the data, then edit it to replace any confidential information, e.g. replace the actual domain name with DOMAIN, or user names with USER.
 
If you could provide that information I would be most grateful.
 
Thanks,
Eric Peterson

--- On Wed, 2/10/10, Bjoern Meier <bjoern.meier(a)googlemail.com> wrote:


From: Bjoern Meier <bjoern.meier(a)googlemail.com>
Subject: Re: [Samba] Having problem with "valid users" in Active Directory/Samba environment
To: "Eric Peterson" <ericrpeterson(a)sbcglobal.net>
Cc: samba(a)lists.samba.org
Date: Wednesday, February 10, 2010, 11:59 AM
From: Eric Peterson on
Dale,

I was hoping that there was someone out there who:
a) uses Samba integrated with Active Directory, and
b) successfully uses the Samba permissions to allow "domain admin" members
access to the shares of "domain users" from XP workstations.
To narrow the scope of the troubleshooting, I am looking for a known working
smb.conf configuration that supports this.
Then I can make sure my smb.conf uses a similar configuration and, if the
problem persists, focus my troubleshooting on other areas.

To answer your questions...

Yes we've also tried adding permission for a group but that did not work
either.
With Samba log level set to 3, we have observed the following in the
logfile:
[2010/02/10 21:35:09, 3] smbd/password.c:269(register_existing_vuid)
register_existing_vuid: User name: DOMAIN\admin Real name: Admin, admin
[2010/02/10 21:35:09, 3] smbd/password.c:279(register_existing_vuid)
register_existing_vuid: UNIX uid 10002 is UNIX user DOMAIN\admin, and will
be vuid 101
[2010/02/10 21:35:09, 3] smbd/password.c:211(register_homes_share) Adding
homes service for user 'DOMAIN\admin' using home directory:
'/home/DOMAIN/admin'
[2010/02/10 21:35:09, 3] param/loadparm.c:6126(lp_add_home) adding home's
share [socolofsky] for user 'DOMAIN\admin' at '/home/DOMAIN/admin'

The 'getent' does not report on users with Active Directory credentials,
those are managed by perhaps winbindd, which is part of the integration with
AD.
Yes the "admin" user has a uid, as you can see above.
Yes the admin user is in the group domain admins:
DOMAIN\admin(a)server:/etc/samba$ id
uid=10002(DOMAIN\admin) gid=10020(DOMAIN\domain admins)
groups=10017(DOMAIN\color
printers),10018(DOMAIN\itdept),10019(DOMAIN\concordanceadmin),10020(DOMAIN\domain
admins),10021(DOMAIN\everyone - DOMAIN),10022(DOMAIN\conference room
resources),10087(DOMAIN\help desk),10089(DOMAIN\records
management),10090(DOMAIN\public folder management)

Following are the remaining entries in the logfile (no attempt was made to
connect to another share in this session).

[2010/02/10 21:35:09, 3] smbd/service.c:1047(make_connection_snum)
__ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service IPC$ initially as
user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:12, 3] smbd/msdfs.c:828(get_referred_path)
get_referred_path: |admin| in dfs path \server\admin is not a dfs root.
[2010/02/10 21:35:12, 3] smbd/service.c:807(make_connection_snum) Connect
path is '/home/DOMAIN/admin' for service [admin]
[2010/02/10 21:35:12, 1] smbd/service.c:1047(make_connection_snum)
__ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service admin initially as
user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:12, 3] smbd/sec_ctx.c:310(set_sec_ctx)
[2010/02/10 21:35:12, 3] smbd/reply.c:754(reply_tcon_and_X) tconX
service=admin
[2010/02/10 21:35:15, 1] smbd/service.c:1047(make_connection_snum)
__ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service public_rw initially
as user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:20, 1] smbd/service.c:1226(close_cnum) __ffff_10.0.3.56
(::ffff:10.0.3.56) closed connection to service admin
[2010/02/10 21:35:20, 3] smbd/connection.c:31(yield_connection) Yielding
connection to admin
[2010/02/10 21:35:22, 3] libads/authdata.c:302(decode_pac_data) Found
account name from PAC: admin [admin, admin]
[2010/02/10 21:35:22, 3] smbd/sesssetup.c:348(reply_spnego_kerberos)
Ticket name is [admin(a)DOMAIN.COM]
[2010/02/10 21:35:22, 3] smbd/password.c:269(register_existing_vuid)
register_existing_vuid: User name: DOMAIN\admin Real name: admin, admin
[2010/02/10 21:35:22, 3] smbd/password.c:279(register_existing_vuid)
register_existing_vuid: UNIX uid 10002 is UNIX user DOMAIN\admin, and will
be vuid 107
[2010/02/10 21:35:22, 3] smbd/password.c:211(register_homes_share) Adding
homes service for user 'DOMAIN\admin' using home directory:
'/home/DOMAIN/admin'
[2010/02/10 21:35:22, 3] param/loadparm.c:6126(lp_add_home) adding home's
share [admin] for user 'DOMAIN\admin' at '/home/DOMAIN/admin'
[2010/02/10 21:35:22, 3] smbd/service.c:807(make_connection_snum) Connect
path is '/home/DOMAIN/admin' for service [admin]
[2010/02/10 21:35:22, 1] smbd/service.c:1047(make_connection_snum)
__ffff_10.0.3.56 (::ffff:10.0.3.56) connect to service admin initially as
user DOMAIN\admin (uid=10002, gid=10020) (pid 8819)
[2010/02/10 21:35:33, 1] smbd/service.c:1226(close_cnum) __ffff_10.0.3.56
(::ffff:10.0.3.56) closed connection to service admin

Thanks,
Eric Peterson

----- Original Message -----
From: "Dale Schroeder" <dale(a)BriannasSaladDressing.com>
To: "Eric Peterson" <ericrpeterson(a)sbcglobal.net>
Sent: Wednesday, February 10, 2010 1:53 PM
Subject: Re: [Samba] Having problem with "valid users" in Active
Directory/Samba environment


> Eric,
>
> The log results look like Samba is unfamiliar with the user "admin".
> Do "getent passwd" and "getent group" return the expected results?
> Does the user "admin" appear in the "getent passwd" listing (with a uid
> in the 10000-20000 range)?
> Does the user "admin" appear as a member of "Domain Admins" in the
> "getent group" listing?
>
> If all the above are yes, consider trying the following:
> In [homes], change each instance of DOMAIN\admin to @"DOMAIN\Domain
> Admins" to see if other domain admins (such as the default
> "administrator") can access the home shares.
>
> This should give you a place to start troubleshooting.
>
> Dale
>
> On 02/09/2010 10:45 PM, Eric Peterson wrote:
>> We have a Ubuntu/Samba setup to serve Windows-XP users using Active
>> Directory credentials.
>> The application is a backup service using rsync from their workstations
>> to the server.
>> Ubuntu: 9.10, Samba: 3.4.0.
>> The backups work fine, and individual users logged onto XP with AD
>> credentials can see the contents of their shares on the server.
>> However, we have been unable to configure Samba to allow specified users
>> (domain admins) access to Samba shares, which is needed for
>> administration of the shares.
>>
>> The "valid user" and "admin user" constructs are not working in our
>> environment.
>> When smb.conf is configured with these constructs (see testparm output
>> below), which should allow access, instead we get an error message on the
>> XP side and the following messages in /var/log/samba: (in the example,
>> trying to access the share \\<server>\wirt)
>>
>> [2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file)
>> process_usershare_file: stat of /var/lib/samba/usershares/wirt failed.
>> Permission denied
>> [2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file)
>> process_usershare_file: stat of /var/lib/samba/usershares/wirt failed.
>> Permission denied
>> [2010/02/08 21:31:21, 0] param/loadparm.c:8546(process_usershare_file)
>> process_usershare_file: stat of /var/lib/samba/usershares/wirt failed. No
>> such file or directory
>> [2010/02/08 21:31:21, 0] smbd/service.c:1188(make_connection)
>> __ffff_10.0.3.56 (::ffff:10.0.3.56) couldn't find service wirt
>>
>> The error in XP says: "Windows cannot find '\\<server>\wirt'. Check the
>> spelling and try again...."
>>
>> Is there something wrong with the smb.conf settings, or something else
>> that needs to be done to allow domain admins access to user shares?
>> Could something with the pam or winbind settings explain this behavior?
>>
>> One clue is that when we cranked the log level to 3, the log messages
>> indicated that the Samba connection was being made to a UNIX user
>> DOMAIN\lfvr3tk1$ rather than DOMAIN\admin as would be expected. The name
>> of the admin's XP computer is "lfvr3tk1". The logfile is quite large so I
>> did not include it here.
>>
>> What's going on????
>>
>> Thanks,
>> Eric Peterson
>>
>>
>> ======output from testparm=========
>>
>> Load smb config files from /etc/samba/smb.conf
>> Processing section "[homes]"
>> Processing section "[printers]"
>> Processing section "[print$]"
>> Processing section "[public]"
>> Processing section "[public_rw]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
>> Press enter to see a dump of your service definitions
>>
>> [global]
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> server string = %h server (Samba, Ubuntu)
>> security = ADS
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> pam password change = Yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> unix password sync = Yes
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> dns proxy = No
>> usershare allow guests = Yes
>> panic action = /usr/share/samba/panic-action %d
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> template shell = /bin/bash
>>
>> [homes]
>> comment = Home Directories
>> valid users = DOMAIN\%S, DOMAIN\admin
>> admin users = DOMAIN\admin
>>
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> create mask = 0700
>> printable = Yes
>> browseable = No
>> browsable = No
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/lib/samba/printers
>>
>> [public]
>> path = /export/public
>> guest ok = Yes
>>
>> [public_rw]
>> path = /export/public_rw
>> read only = No
>> guest ok = Yes
>>
>>


From: Bjoern Meier on
hi,


2010/2/13 Eric Peterson <ericrpeterson(a)sbcglobal.net>:
> Dale,
>
> I was hoping that there was someone out there who:
> a) uses Samba integrated with Active Directory, and

we do

> b) successfully uses the Samba permissions to allow "domain admin" members
> access to the shares of "domain users" from XP workstations.
> To narrow the scope of the troubleshooting, I am looking for a known working
> smb.conf  configuration that supports this.
> Then I can make sure my smb.conf uses a similar configuration and, if the
> problem persists, focus my troubleshooting on other areas.

we also do. I thought I had described the way we did this. Samba and Ext3
both support ACLs.
Here are some hints:

- You can add access rights for specific folders with setfacl -R -m
u:domain/administrator:rwx <folders> AND setfacl -R -m
default:u:domain/administrator:rwx <folders>
- Then: Samba creates home directories like /home/DOMAIN/user; we
create a share homesdir with path = /home/DOMAIN + valid user =
@DOMAIN/administrators (the user directories are for their personal
use)
- we also have a share /data/profiles in which Windows creates the
roaming profiles. You may guess we have this share readable and writable for
all domain members.
- we tell Windows (with the domain security policy) to add the
administrator with full access to all profiles

What more information do you need?

Greetings,
Björn
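A small model of the share resolution visible in the log excerpts above, added here as an example that is neither Samba's code nor any poster's: it compares the thread's [homes] definition with Björn's separate, group-restricted share over the parent directory. The user list, group memberships and /home/DOMAIN/<user> layout are constructed sample data.

```python
"""Simplified model of how smbd resolves a tree connect when [homes] is
involved. Added example, not Samba's own code: it models only what the
log excerpts in this thread show. Users, groups and the home layout are
constructed sample data."""
DOMAIN = "DOMAIN"
# Constructed directory: user -> (home directory, groups the user belongs to)
USERS = {
    "admin": ("/home/DOMAIN/admin", {"domain admins", "domain users"}),
    "wirt": ("/home/DOMAIN/wirt", {"domain users"}),
}


def allowed(valid_users, user, service):
    """True if `user` matches `valid users` once %S and %U are substituted."""
    if not valid_users:
        return True  # no restriction configured on this share
    for entry in (e.strip() for e in valid_users.split(",")):
        entry = entry.replace("%U", user).replace("%S", service)
        if entry.startswith("@"):  # @"DOMAIN\group": match by group membership
            group = entry[1:].strip('"').split("\\")[-1].lower()
            if group in USERS[user][1]:
                return True
        elif entry.lower() == f"{DOMAIN}\\{user}".lower():
            return True
    return False


def resolve(shares, user, service):
    """Model `user` connecting to \\\\server\\<service>: returns (path, granted),
    or None where smbd would log "couldn't find service <service>"."""
    if service in shares:
        share = shares[service]
    elif "homes" in shares and service in USERS:
        # [homes]: the share name is looked up as a user and a service rooted at
        # that user's home directory is added on the fly (lp_add_home in the log)
        share = dict(shares["homes"], path=USERS[service][0])
    else:
        return None
    return share["path"], allowed(share.get("valid users", ""), user, service)


# The [homes] definition from the thread's testparm output
ORIGINAL = {"homes": {"valid users": f"{DOMAIN}\\%S, {DOMAIN}\\admin"}}
# Björn's alternative: a fixed share over the parent directory, limited to a group
WITH_HOMESDIR = dict(ORIGINAL, homesdir={
    "path": f"/home/{DOMAIN}", "valid users": f'@"{DOMAIN}\\Domain Admins"'})

if __name__ == "__main__":
    print(resolve(ORIGINAL, "wirt", "admin"))  # ('/home/DOMAIN/admin', False)
    print(resolve(WITH_HOMESDIR, "admin", "homesdir"))  # ('/home/DOMAIN', True)
```

A share name that does not resolve to a user yields None, the same outcome the "couldn't find service" line in the thread reports; the model does not say why a lookup fails, only what follows from it.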