Web lists-archives.com

Re: [Samba] New AD user cannot access file share from member server

On Mon, 19 Jun 2017 02:24:50 +0200
Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I run a very small Samba AD, consisting of a Samba AD DC and a Samba
> AD Member Server, acting as file server.
> Today, I added a new user to the AD but I simply can't manage to get
> access to the file server - only for this user, all others are
> working fine.
> My AD is rfc2307 based, so I manually have to add UID's. I did so for
> the new user, the ID is within range and not in use. I double checked
> and compared all other attributes with those of an existing user, no
> difference, all matches.
> As it's working from the other user profiles, it can be deducted that
> there is no network issue. But I did check DNS, just to be safe.
> Running wbinfo -U and getent passwd show the correct information, the
> new user is there. Using kinit I can request a Kerberos ticket for
> him.
> I'm not sure if it matters but if I run wbinfo -U on the DC, it will
> put the realm in front of the username, i.e. SAMDOM\user. On the
> member server, the realm is not shown.
> Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server
> works fine. But if I run the same command without the -N switch, I get
> session setup failed: NT_STATUS_ACCESS_DENIED
> I really don't know where else to look. I rebooted the two servers,
> updated Samba to its latest version (4.6.5), ran sysvolreset.. all to
> no avail.
> Probably I'm missing some step here. Hope someone can help me see it.
> /etc/samba/smb.conf
> [global]
>   netbios name = MEMBERSERVER
>   workgroup = SAMDOM
>   security = ADS
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   username map = /etc/samba/samba_usermap
>   idmap config *:backend = tdb
>   idmap config *:range = 2000-9999
>   idmap config MEILEN:backend = ad
>   idmap config MEILEN:schema_mode = rfc2307
>   idmap config MEILEN:range = 10000-99999
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind refresh tickets = Yes
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes

OK, it should work, I can see just one problem now that you are
using 4.6.5, 'winbind nss info = rfc2307' has been replaced by 'idmap
config SAMDOM : unix_nss_info = yes'

Try this and report back.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba