Re: [Samba] New AD user cannot access file share from member server
- Date: Mon, 19 Jun 2017 07:19:21 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] New AD user cannot access file share from member server
On Mon, 19 Jun 2017 02:24:50 +0200
Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:
> I run a very small Samba AD, consisting of a Samba AD DC and a Samba
> AD Member Server, acting as file server.
> Today, I added a new user to the AD but I simply can't manage to get
> access to the file server - only for this user, all others are
> working fine.
> My AD is rfc2307 based, so I manually have to add UIDs. I did so for
> the new user, the ID is within range and not in use. I double checked
> and compared all other attributes with those of an existing user, no
> difference, all matches.
> As it's working from the other user profiles, it can be deduced that
> there is no network issue. But I did check DNS, just to be safe.
> Running wbinfo -U and getent passwd show the correct information, the
> new user is there. Using kinit I can request a Kerberos ticket for
> I'm not sure if it matters but if I run wbinfo -U on the DC, it will
> put the realm in front of the username, i.e. SAMDOM\user. On the
> member server, the realm is not shown.
> Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server
> works fine. But if I run the same command without the -N switch, I get
> session setup failed: NT_STATUS_ACCESS_DENIED
> I really don't know where else to look. I rebooted the two servers,
> updated Samba to its latest version (4.6.5), ran sysvolreset.. all to
> no avail.
> Probably I'm missing some step here. Hope someone can help me see it.
> netbios name = MEMBERSERVER
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> username map = /etc/samba/samba_usermap
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config MEILEN:backend = ad
> idmap config MEILEN:schema_mode = rfc2307
> idmap config MEILEN:range = 10000-99999
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
OK, it should work, I can see just one problem now that you are
using 4.6.5, 'winbind nss info = rfc2307' has been replaced by 'idmap
config SAMDOM : unix_nss_info = yes'
Try this and report back.
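
Added example, not part of the original thread and not Samba project code: a Python script that applies the change described in the reply above, replacing the global 'winbind nss info = rfc2307' with 'unix_nss_info = yes' on every idmap domain that uses the 'ad' backend. The function names and the sample smb.conf text are constructed for illustration.

```python
import re

# Constructed sample: a pre-4.6 member-server [global] section using SAMDOM throughout.
SAMPLE_CONF = """\
[global]
    workgroup = SAMDOM
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999
    winbind nss info = rfc2307
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\S+)$", re.I)

def parse(text):
    """Split smb.conf text into plain settings and per-domain idmap options."""
    settings, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = " ".join(key.lower().split())  # smb.conf keys ignore case and spacing
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value.lower()
        else:
            settings[key] = value
    return settings, idmap

def migrate(text):
    """Return (new_text, changed_domains): drop 'winbind nss info = rfc2307' and
    put 'unix_nss_info = yes' on each 'ad' idmap domain that lacks it."""
    settings, idmap = parse(text)
    if settings.get("winbind nss info", "").lower() != "rfc2307":
        return text, []
    out, changes = [], []
    for raw in text.splitlines():
        if " ".join(raw.split("=")[0].lower().split()) != "winbind nss info":
            out.append(raw)
            continue
        indent = raw[: len(raw) - len(raw.lstrip())]
        for dom, opts in idmap.items():
            if opts.get("backend") == "ad" and opts.get("unix_nss_info") != "yes":
                out.append(f"{indent}idmap config {dom} : unix_nss_info = yes")
                changes.append(dom)
    return "\n".join(out) + "\n", changes
```

Running testparm on the rewritten file and restarting the Samba services afterwards confirms that the new per-domain option is picked up.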