
[Samba] Unable to access shares




Hi,

I am testing 2 Samba AD DCs running self-compiled 4.7.0rc5 and 2 member servers
that are running samba-4.6.2-8.el7.x86_64 that I am trying to get set up as file
servers.

The file server smb.conf looks like the following:

[global]
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.MYDOMAIN.COM

    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:unix_nss_info = yes
    idmap config SAMDOM:range = 10000-999999

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    username map = /etc/samba/user.map

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    # Logging
    log file = /var/log/samba/%m.log
    log level = 1

    ## Samba Shared directories
[users]
    path = /home/samba/users/
    readonly = no

When I try to access the users share from a Windows 7 box that is a domain
member logged in as administrator, I can access it as expected. If I log in
to the same Windows box as a normal user who is a member of the Domain
Users group, I am denied.

I have set up a group called "Unix Admins" which is a member of the Domain
Admins group. The Unix Admins and Domain Users groups have unix gids
assigned to them.

Getent group shows the following:

(vfs1 pts9) # getent group "SAMDOM\Domain Users"
domain users:x:10000:
(vfs1 pts9) # getent group "SAMDOM\Unix Admins"
unix admins:x:10001:
(vfs1 pts9) #

Getent passwd shows the following:
(vfs1 pts9) # getent passwd "SAMDOM\tuser"
tuser:*:10001:10000:Test User:/home/samba/tuser:/bin/false
(vfs1 pts9) #

Permissions on the users directory are as follows:

(vfs1 pts9) # ll -d users/
drwxrwx---+ 3 root unix admins 23 Aug 31 22:27 users/

(vfs1 pts9) # getfacl users
# file: users
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:domain\040users:rwx
default:group:unix\040admins:rwx
default:mask::rwx
default:other::r-x

(vfs1 pts9) #

As you can see above my test user is a member of the Domain Users group and if
I am reading the above permissions correctly, domain users has rwx permissions.

Does anyone have any idea what I am doing wrong?

Regards,

--
Tom			me@xxxxxxxxxx
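
Added example, not part of the original post: a small evaluator that runs the POSIX ACL access-check algorithm from acl(5) over the getfacl output quoted above, to show which entry decides access for tuser on users/. It assumes tuser's only group is "domain users" (the primary gid 10000 in the getent output); the function names are hypothetical, and it does not model root's capability override, parent directories, or Samba's own checks.

```python
import re

# getfacl output for users/ as posted above (default: entries only seed new children)
GETFACL = r"""# file: users
# owner: root
# group: unix\040admins
user::rwx
user:root:rwx
group::rwx
group:domain\040users:rwx
group:unix\040admins:rwx
mask::rwx
other::---
default:group:domain\040users:rwx
"""

def unescape(name):
    # getfacl prints special characters as backslash + 3 octal digits (\040 is a space)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "mask": None, "entries": {}}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            acl[key] = unescape(value.strip())
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            perms = set(perms[:3]) - {"-"}
            if tag == "mask":
                acl["mask"] = perms
            else:
                acl["entries"][(tag, unescape(qualifier))] = perms
    return acl

def check(acl, user, groups, want):
    """Access check algorithm from acl(5); returns (entry class used, allowed)."""
    want, entries = set(want), acl["entries"]
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:
        return "owner", want <= entries[("user", "")]  # owner entry is never masked
    if ("user", user) in entries:
        return "named user", want <= (entries[("user", user)] & mask)
    matches = [p & mask for (t, q), p in entries.items()
               if t == "group" and (q or acl["group"]) in groups]
    if matches:  # one matching group entry must carry every requested bit
        return "group", any(want <= p for p in matches)
    return "other", want <= entries[("other", "")]

ACL = parse_getfacl(GETFACL)
print(check(ACL, "tuser", {"domain users"}, "rwx"))  # ('group', True)
```

A ('group', True) result means the POSIX ACL on users/ itself grants tuser rwx; the check covers this one directory only, not its parent directories or the NT ACL that vfs acl_xattr stores in an extended attribute.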
