
Re: [Samba] New AD user cannot access file share from member server




Thanks for the quick reply, Rowland.

I changed the respective line in my member server's smb.conf, and restarted
smbd, winbindd, and nmbd.

The issue persists. I can access the share with all users except this one.

On 19 June 2017 at 08:19, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
wrote:

On Mon, 19 Jun 2017 02:24:50 +0200
Viktor Trojanovic via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I run a very small Samba AD, consisting of a Samba AD DC and a Samba
> AD Member Server, acting as file server.
>
> Today, I added a new user to the AD but I simply can't manage to get
> access to the file server - only for this user, all others are
> working fine.
>
> My AD is rfc2307 based, so I manually have to add UIDs. I did so for
> the new user, the ID is within range and not in use. I double checked
> and compared all other attributes with those of an existing user, no
> difference, all matches.
>
> As it's working from the other user profiles, it can be deduced that
> there is no network issue. But I did check DNS, just to be safe.
>
> Running wbinfo -U and getent passwd show the correct information, the
> new user is there. Using kinit I can request a Kerberos ticket for
> him.
>
> I'm not sure if it matters but if I run wbinfo -U on the DC, it will
> put the realm in front of the username, i.e. SAMDOM\user. On the
> member server, the realm is not shown.
>
> Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server
> works fine. But if I run the same command without the -N switch, I get
>
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I really don't know where else to look. I rebooted the two servers,
> updated Samba to its latest version (4.6.5), ran sysvolreset.. all to
> no avail.
>
> Probably I'm missing some step here. Hope someone can help me see it.
>
> /etc/samba/smb.conf
>
> [global]
>
>   netbios name = MEMBERSERVER
>   workgroup = SAMDOM
>   security = ADS
>   realm = SAMDOM.EXAMPLE.COM
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>
>   username map = /etc/samba/samba_usermap
>
>   idmap config *:backend = tdb
>   idmap config *:range = 2000-9999
>   idmap config MEILEN:backend = ad
>   idmap config MEILEN:schema_mode = rfc2307
>   idmap config MEILEN:range = 10000-99999
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind refresh tickets = Yes
>
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes

OK, it should work. I can see just one problem: now that you are
using 4.6.5, 'winbind nss info = rfc2307' has been replaced by 'idmap
config SAMDOM : unix_nss_info = yes'.

Try this and report back.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

