
Re: [Samba] Samba and AD based home shares are visible but not accessible




On Tue, 20 Jun 2017 20:21:14 +0000
"Cybulski, Adam M via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> I've set up a CentOS system in my predominantly windows environment.
> Getting it to authenticate users with ssh based on AD user groups
> using KRB5 and SSSD was comparatively easy, but I am not able to
> share files from it.
> 
> I followed the guide here to get as far as I did:
> https://www.centos.org/forums/viewtopic.php?t=52872
> 
> When I browse to the server using \\<serverIP> I
> am presented with the folder
> USERAID@xxxxxxxxxxxxxxx which
> corresponds to the account I am logged into the windows computer
> with. However, when I try to open it, I am told I do not have
> permission. I tried to create a non home folder, that all members of
> the AD group would be able to have access to, but I seem to be
> experiencing the same result.
> 
> Here is my smb.conf file, sanitized, but with as much information
> intact as I could manage. I have been at this all day battling it out
> with suggestions from google and previous posts in this mailing list
> with no success.
> 
> 
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
> 
> [global]
> workgroup = <simplified domain name>
> realm = univ.school.edu
> netbios name = hostname
> password server = *
> server string = Samba Server Version %v
> security =ADS
> log file = /var/log/samba/log.%m
> max log size = 5000
> load printers = No
> idmap config * : backend = tdb
> log level = 4
> local master = no
> domain master = no
> preferred master = no
> wins support = no
> wins proxy = no
> dns proxy = yes
> name resolve order = wins bcast host lmhosts
> #username map script = /bin/echo
> 
> #============================ Share Definitions ==============================
> 
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> valid users = UserAID@xxxxxxxxxxxxxxx, @"linuxprojectgroup@xxxxxxxxxxxxxxx"
> read only = no
> 
> [share]
> comment = share
> path = /share
> browseable = yes
> writable = yes
> valid users = @"linuxprojectgroup@xxxxxxxxxxxxxxx"

Hi, do you want it to work, or do you want to use sssd?

If the latter, then I suggest you contact the sssd-users mailing list,
you are not using Samba for authentication.

If you do want it to work, then Samba recommends using winbind, see
here for how to set up a Unix domain member:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
