[Samba] getting ERROR: failed to setup guest info. But I cannot setup a guest account due to security policies


Jon West

Nov 12, 2013, 9:50:01 AM
I'm trying to set up samba so that we can login to our RHEL 5.5 machines
with our Windows 2008 R2 Active directory credentials. I am successfully
able to join the domain, but I cannot get the SMBD daemon to stay running
and my log.smbd log is showing the

ERROR: failed to setup guest info.

error. Due to security policies I have erased the account nobody, and any other
account that has no actual user associated with it, so there is no guest type
account to set in the smb.conf.

This is the smb.conf I currently have
[Global]
netbios name = MYARCHLINUX
workgroup = EXAMPLE
realm = EXAMPLE.COM
server string = %h ArchLinux Host
security = ads
encrypt passwords = yes
password server = pdc.example.com

idmap config * : backend = rid
idmap config * : range = 10000-20000

winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes

template shell = /bin/bash
template homedir = /home/%D/%U

preferred master = no
dns proxy = no
wins server = pdc.example.com
wins proxy = no

inherit acls = Yes
map acl inherit = Yes
acl group control = yes

load printers = no
debug level = 3
use sendfile = no

I've removed actual domain names. I'm using Samba3x 3.6.6. Any help
would be greatly appreciated.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Nov 12, 2013, 11:30:02 AM
On Tue, 2013-11-12 at 09:41 -0500, Jon West wrote:
> I'm trying to set up samba so that we can login to our RHEL 5.5 machines
> with our Windows 2008 R2 Active directory credentials. I am successfully
> able to join the domain, but I cannot get the SMBD daemon to stay running
> and my log.smbd log is showing the

Hi
If that's all you want to do and you have posted the entirety of your
smb.conf then you shouldn't be running smbd. Is this the full setup?
Cheers,
Steve

Rowland Penny

Nov 12, 2013, 11:50:02 AM
On 12/11/13 16:25, steve wrote:
> On Tue, 2013-11-12 at 09:41 -0500, Jon West wrote:
>> I'm trying to set up samba so that we can login to our RHEL 5.5 machines
>> with our Windows 2008 R2 Active directory credentials. I am successfully
>> able to join the domain, but I cannot get the SMBD daemon to stay running
>> and my log.smbd log is showing the
> Hi
> If that's all you want to do and you have posted the entirety of your
> smb.conf then you shouldn't be running smbd. Is this the full setup?
> Cheers,
> Steve
>
>
Hi, I don't think that is the problem, he only has this in smb.conf:

idmap config * : backend = rid
idmap config * : range = 10000-20000

I would expect something like this:

idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 1100-50000
idmap config EXAMPLE:backend = rid
idmap config * : range = 210000-3100000
idmap config * : backend = tdb

I think he wants the computer to run as a fileserver, in which case smbd
needs to run, but until he posts a bit more info, it is a bit hard to
say which way to go next.

Rowland

Jon West

Nov 12, 2013, 12:30:03 PM
Yes, all I am trying to do is authenticate via AD, my linux box will not be
hosting files. There are shares on the windows domain controller that I
need to mount on my linux machine however and I'm trying to figure out the
best way to go about that. I don't want to have my users have to type in a
username and password every time they want to mount the windows share as
that might also be against security policy.

Rowland Penny

Nov 12, 2013, 12:40:02 PM
On 12/11/13 17:22, Jon West wrote:
> Yes, all I am trying to do is authenticate via AD, my linux box will not be
> hosting files. There are shares on the windows domain controller that I
> need to mount on my linux machine however and I'm trying to figure out the
> best way to go about that. I don't want to have my users have to type in a
> username and password every time they want to mount the windows share as
> that might also be against security policy.
So no user info will be stored on the Linux machine in question, in
which case, turn it off and unplug it, then set samba up on all the
linux machines and join them to the domain, alter your Linux users to be
also windows users and there you go, i.e. Linux clients can also be
windows clients.

Rowland

steve

Nov 12, 2013, 12:50:03 PM
Hi
I'm assuming that the only information given by the OP is the whole
story. They seem to just want to authenticate against AD. Nothing else.
Conclusion:
Change smb.conf to Rowland's version above, kill smbd and start winbind.
That's it.
HTH
Steve

Jon West

Nov 12, 2013, 1:00:02 PM
Sorry, by "Linux Users" I meant the literal definition, i.e. people using
linux, not people with accounts on my RHEL machines; our users all have
windows domain accounts as well. What I want is for someone to be able to
login to a RHEL machine with AD credentials then mount (type cifs) a
windows share (that resides on a native windows fileserver) without having
to type in their windows username and password every time they mount
(i.e. mount -t cifs //server/share username=ADname /Locallinuxdir). Is that
possible?

Jon West

Nov 12, 2013, 1:00:02 PM
You are correct, I only want to authenticate with AD credentials, and also want
to be able to mount a windows share (from the native windows machine) on
the linux machine without having to type in domain credentials at each time
of mount or have the passwords stored in plaintext on the linux machine.

steve

Nov 12, 2013, 1:10:01 PM
On Tue, 2013-11-12 at 12:52 -0500, Jon West wrote:
> Sorry, by "Linux Users" I meant the literal definition, i.e. people using
> linux, not people with accounts on my RHEL machines; our users all have
> windows domain accounts as well. What I want is for someone to be able to
> login to a RHEL machine with AD credentials then mount (type cifs) a
> windows share (that resides on a native windows fileserver) without having
> to type in their windows username and password every time they mount
> (i.e. mount -t cifs //server/share username=ADname /Locallinuxdir). Is that
> possible?
>
Hi
When you joined the domain, it should have created a keytab at
/etc/krb5.conf

If so, and winbind is running and you have corrected the idmap entries
in smb.conf and configured pam_winbind in /etc/pam.d/common-auth, then
you can mount from the windows server but you'll have to kerberise it:
mount -t cifs //server/share -o username=MACHINE$,multiuser,sec=krb5
where MACHINE$ is the name of your Red Hat client. Specifically, the
machine key which the domain join created.
HTH
Steve

steve

Nov 12, 2013, 1:10:02 PM
On Tue, 2013-11-12 at 12:57 -0500, Jon West wrote:
> You are correct, only want to authenticate with AD credentials, also
> want to be able to mount a windows share (from the native windows
> machine) on the linux machine without having to type in domain
> credentials at each time of mount or have the passwords stored in
> plaintext on the linux machine
>

**posts are crossing. I'll shut up until we sync.
Steve

Rowland Penny

Nov 12, 2013, 1:10:03 PM
On 12/11/13 17:52, Jon West wrote:
> Sorry, by "Linux Users" I meant the literal definition, i.e. people
> using linux, not people with accounts on my RHEL machines,
They are called domain users.
> our users all have windows domain accounts as well.
These are also domain users.
> What I want is for someone to be able to login to a RHEL machine with
> AD credentials then mount (type cifs) a windows share (that resides on
> a native windows fileserver) without having to type in their windows
> username and password every time they mount (i.e. mount -t cifs
> //server/share username=ADname /Locallinuxdir). Is that possible?
>
Yes, Autofs. Steve's your man for this.

Rowland Penny

Nov 12, 2013, 1:10:03 PM
On 12/11/13 18:04, steve wrote:
> On Tue, 2013-11-12 at 12:57 -0500, Jon West wrote:
>> You are correct, only want to authenticate with AD credentials, also
>> want to be able to mount a windows share (from the native windows
>> machine) on the linux machine without having to type in domain
>> credentials at each time of mount or have the passwords stored in
>> plaintext on the linux machine
>>
> **posts are crossing. I'll shut up until we sync.
> Steve
>
>
No, I'll shut up, you tell him about Autofs.

Rowland

Jon West

Nov 12, 2013, 1:20:01 PM
Yeah, sorry, I'm reading using the archives since the first 2 replies didn't
get sent to my inbox for some reason and a new thread is being made every
time I reply from the archives.


On Tue, Nov 12, 2013 at 1:06 PM, Rowland Penny <rowlan...@googlemail.com> wrote:

steve

Nov 12, 2013, 1:20:03 PM
On Tue, 2013-11-12 at 18:06 +0000, Rowland Penny wrote:
> On 12/11/13 18:04, steve wrote:
> > On Tue, 2013-11-12 at 12:57 -0500, Jon West wrote:
> >> You are correct, only want to authenticate with AD credentials, also
> >> want to be able to mount a windows share (from the native windows
> >> machine) on the linux machine without having to type in domain
> >> credentials at each time of mount or have the passwords stored in
> >> plaintext on the linux machine
> >>
> > **posts are crossing. I'll shut up until we sync.
> > Steve
> >
> >
> No, I'll shut up, you tell him about Autofs
>
> Rowland
>

LOL. Putting on autofs hat! Let's make a start. This could be a long
one...

Will need to know what needs mounting. @Jon can you give us a bit more
detail of the stuff you need cifs-ing over to the Red Hat clients? Or
maybe you'd be satisfied with a permanent fstab mount?
Cheers,
Steve

Jon West

Nov 12, 2013, 1:30:02 PM
Sure, it's a single windows share that's hosted on a windows machine that's a
part of an AD domain. This can be done by typing in the user ADusername and
ADpassword as the username and password arguments in the mount command
(mount -t cifs blah blah blah -o username=username password=password blah
blah blah). But due to security policy we can't have people typing out their
passwords in plaintext on the screen and I can't have a password file to
look up to store those passwords, plus it would be annoying to have to go
and change the file every time a user changes their domain password. What I
would like to happen is for the user to just be able to type "mount -t cifs
//server/share /localdir". I can't have the domain passwords displayed in
plain text or transmitted in plain text.

steve

Nov 12, 2013, 1:50:01 PM
On Tue, 2013-11-12 at 13:27 -0500, Jon West wrote:
> Sure, it's a single windows share that's hosted on a windows machine
> that's a part of an AD domain. This can be done by typing in the user
> ADusername and ADpassword as the username and password arguments in
> the mount command (mount -t cifs blah blah blah -o username=username
> password=password blah blah blah). But due to security policy we can't
> have people typing out their passwords in plaintext on the screen and
> I can't have a password file to look up to store those passwords, plus
> it would be annoying to have to go and change the file every time a
> user changes their domain password. What I would like to happen is for
> the user to just be able to type "mount -t
> cifs //server/share /localdir". I can't have the domain passwords
> displayed in plain text or transmitted in plain text.
>

OK. We'll automount it whenever the user goes to the share. No passwords
or usernames. All Kerberos.

AD hostname adserver
Share that needs mounting someplace (could be c:\users\jon\someplace)
Mount point on client /home/someplace

/etc/auto.master
/home /etc/auto.someplace

/etc/auto.someplace
someplace -fstype=cifs,sec=krb5,username=MACHINE$,multiuser ://adserver/someplace

We'll need to know the cifs.upcall config in:
/etc/request-key.conf

Make sure autofs and cifs-utils are installed and that /home/someplace
does not exist.
Fire up autofs and have a look at the output of mount.

Now login as a domain user and go to /home/someplace.

Any problems: tail -28 /var/log/messages
just after you attempt the mount.

HTH
Steve
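Added example, not Steve's or Samba's code: a POSIX sh pre-flight check for the autofs entry above. It splits the map line the way autofs does (three whitespace-separated fields), so the wrapped "cifs, sec=krb5" variant is caught, insists on the options that make the mount Kerberos-only and per-user (sec=krb5, multiuser, the MACHINE$ account), and looks for the cifs.spnego line in request-key.conf. The function names are hypothetical; the file paths are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the
# password-less autofs cifs mount Steve describes. Function names are
# hypothetical; paths default to the thread's /etc/request-key.conf.

# check_map_line LINE
# Accepts an autofs map entry only if it is the three fields autofs
# expects (key, options, location) and the options give a per-user
# Kerberos mount: sec=krb5, multiuser, and the machine account as
# username. A space inside the option list (as in "cifs, sec=krb5")
# splits it into a fourth field and is rejected.
check_map_line() {
    set -- $1
    [ $# -eq 3 ] || { echo "expected 3 fields, got $#" >&2; return 1; }
    opts=",$2," loc=$3
    case $2 in
        -fstype=cifs,*) ;;
        *) echo "options must start with -fstype=cifs" >&2; return 1 ;;
    esac
    case $opts in
        *,sec=krb5,*) ;;
        *) echo "missing sec=krb5: mount would ask for a password" >&2; return 1 ;;
    esac
    case $opts in
        *,multiuser,*) ;;
        *) echo "missing multiuser: every user would act as the machine account" >&2; return 1 ;;
    esac
    case $opts in
        *,username=*\$,*) ;;
        *) echo "username should be the machine account (ends in \$)" >&2; return 1 ;;
    esac
    case $loc in
        ://*/*) ;;
        *) echo "location must be ://server/share" >&2; return 1 ;;
    esac
}

# has_cifs_upcall FILE
# True if FILE (normally /etc/request-key.conf) tells the kernel keyring
# to hand cifs.spnego requests to cifs.upcall, which is what turns the
# logged-in user's Kerberos ticket into the SMB session credential.
has_cifs_upcall() {
    grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' "$1"
}

# Stand-alone use: check the map entry from the thread, then the live file.
check_map_line 'someplace -fstype=cifs,sec=krb5,username=MACHINE$,multiuser ://adserver/someplace' && echo "map entry OK"
has_cifs_upcall /etc/request-key.conf 2>/dev/null || echo "no cifs.spnego -> cifs.upcall line in /etc/request-key.conf" >&2
```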

Jon West

Nov 12, 2013, 2:00:02 PM
OK, I've got my hw, I'll give it a try and check back with any questions
tomorrow. In the meantime, I'm actually curious about what I would need to
do (or anyone for that matter) to solve the guest user problem. What if you
can't have a guest user on the system so you have nothing to set that to in
smb.conf?

Rowland Penny

Nov 12, 2013, 2:10:01 PM
On 12/11/13 18:52, Jon West wrote:
> OK, I've got my hw, I'll give it a try and check back with any
> questions tomorrow. In the meantime, I'm actually curious about what I
> would need to do (or anyone for that matter) to solve the guest user
> problem. What if you can't have a guest user on the system so you have
> nothing to set that to in smb.conf?
>
>
OK, I'll say something again: are you saying that you have removed the
'nobody' user? If so, why???????


Rowland

Volker Lendecke

Nov 12, 2013, 3:20:01 PM
On Tue, Nov 12, 2013 at 01:52:47PM -0500, Jon West wrote:
> OK, I've got my hw, I'll give it a try and check back with any questions
> tomorrow. In the meantime, I'm actually curious about what I would need to
> do (or anyone for that matter) to solve the guest user problem. What if you
> can't have a guest user on the system so you have nothing to set that to in
> smb.conf?

If all you need is to authenticate, you should not start
smbd. Winbind should not require nobody.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kon...@sernet.de