
[Samba] samba share management / connection problem




Hello,
I have set up an AD DC and a file server.
On the file server I can see domain users with wbinfo and getent passwd.

When I try to manage a share on the fileserver
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs)
I get an error "Computer cannot be managed. Verify that the network path
is correct ...." and after that "you do not have permission to see the
list of shares for windows clients samba"

When I try to connect to the AD member with smbclient I get


root@fileserver:/var/log/samba# smbclient -k -L
fileserver.ad.example.com -d 3 -U admin
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=192.168.122.7 bcast=192.168.122.255
netmask=255.255.255.0
Client started (version 4.2.14-Debian).
Connecting to 192.168.122.7 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/fileserver.ad.example.com@xxxxxxxxxxxxxx
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
root@fileserver:/var/log/samba#


root@fileserver:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@xxxxxxxxxxxxxx

Valid starting       Expires              Service principal
22.02.2017 14:54:15  23.02.2017 00:54:15
krbtgt/ad.example.com@xxxxxxxxxxxxxx
	renew until 23.02.2017 14:54:12
22.02.2017 15:05:00  23.02.2017 00:54:15
cifs/kes-fileserver.ad.example.com@xxxxxxxxxxxxxx

root@fileserver:/var/log/samba# getent passwd someuser
someuser:*:7072:30000:someuser:/home/users/someuser:/bin/bash


[global]
       # Run as an Active Directory domain member of the realm named below.
       security = ADS
       workgroup = AD
       realm = AD.EXAMPLE.COM

       # One log file per connecting machine (%m). Level 3 is verbose and
       # suited to troubleshooting rather than permanent use.
       log file = /var/log/samba/%m.log
       log level = 3

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       # NOTE(review): 1000-1005 leaves only six IDs for the default domain.
       # If winbind cannot allocate an ID for a BUILTIN account or group,
       # that may show up as access-denied errors - confirm the range is
       # large enough.
       idmap config * : backend = tdb
       idmap config * : range = 1000-1005

       # idmap config for the AD domain
       # alf has uid 1006
       # The ad back end takes IDs from the RFC2307 attributes stored in AD,
       # so only accounts whose uidNumber/gidNumber fall inside the range
       # below are mapped.
       idmap config AD:backend = ad
       idmap config AD:schema_mode = rfc2307
       idmap config AD:range = 1006-999999

        # Let getent enumerate all domain users and groups.
        # NOTE(review): the Samba documentation treats enumeration as a
        # testing aid - confirm it is needed in production.
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/users/%U
        template shell = /bin/bash

        # Authentication settings. "winbind use default domain" lets domain
        # accounts be named without the AD\ prefix; "restrict anonymous = 2"
        # is the strictest setting for anonymous access.
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

        # Keep Windows ACLs and DOS attributes in extended attributes;
        # the file system under the shares must support xattrs.
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[Demo]
       # Writable share exported from /home/demo/.
       path = /home/demo/
       read only = no
       # Limit access to members of the domain group "Domain Users"; the
       # leading + marks the name as a group.
       # NOTE(review): the quoting is unusual. smb.conf examples normally
       # quote the whole name, e.g. +"AD\Domain Users" - confirm this value
       # parses as intended.
       valid users = +AD\"Domain Users"
       # NOTE(review): this permits guest (password-less) connections to a
       # writable share, which conflicts with "valid users" above and with
       # "restrict anonymous = 2" in [global]. No "map to guest" is set, so
       # guest logins are presumably never granted - confirm, and drop this
       # line if only authenticated domain users should reach the share.
       guest ok = yes
