
Re: [Samba] user cannot access shares on new ad-dc




On Fri, 29 Sep 2017 13:19:44 +0200
Klaus Hartnegg via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> > On 29.09.2017 11:44 Rowland Penny wrote:
> > Have you set up the libnss_winbind links, PAM
> > and /etc/nsswitch.conf ?
> 
> Yes, I had modified two lines in /etc/nsswitch.conf:
>  passwd:         files winbind
>  group:          files winbind
> 
> No, I had not seen a pointer to libnss, but now did
>  ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
>  ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
>  ldconfig
> 
> The wiki page Authenticating_Domain_Users_Using_PAM tells you to
> NOT configure PAM on a DC.

I have just checked the page again:
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM


I cannot see where it says not to use it on a DC.

> I tried "net cache flush"
> 
> These tests succeed:
>  wbinfo --ping-dc
>  getent passwd COMPANY\\user
>  getent group "COMPANY\\Domain Users"
> 
> 
> The output of “getfacl sysvol” looks strange:
> 
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> I tried "samba-tool ntacl sysvolreset".
> This added a few lines to the output of getfacl:
> 
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 

By 'strange', I take it you are referring to the numbers instead of
names. Don't worry, this is perfectly normal on a DC. The numbers are the
'xidNumbers' you will find in idmap.ldb.

> Users still cannot see the contents of any share.

What does 'getent passwd username' actually produce?

> 
> What else could be missing?

Not sure. If PAM isn't set up, then set it up by installing the
required packages and try again.

Rowland


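An added example, not from the thread or the Samba project: it pulls the numeric ids out of a getfacl listing like the one above and looks each one up in idmap.ldb, which is where a DC stores the xidNumbers Rowland mentions. The getfacl text and the LDIF are constructed samples; the ldbsearch path and the domain SID S-1-5-21-1-2-3 are placeholders.

```shell
#!/bin/sh
# Added example: list numeric ids in getfacl output and map each to the SID
# recorded in idmap.ldb. Samples below are constructed; paths and the
# domain SID S-1-5-21-1-2-3 are placeholders.
set -eu

# Constructed excerpt of 'getfacl sysvol' as shown in the thread.
GETFACL_SAMPLE='# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
default:user:3000000:rwx
default:group:3000002:rwx'

# Constructed LDIF in the shape printed by
#   ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
IDMAP_SAMPLE='dn: CN=S-1-5-21-1-2-3-512
objectSid: S-1-5-21-1-2-3-512
xidNumber: 3000002

dn: CN=S-1-5-21-1-2-3-513
objectSid: S-1-5-21-1-2-3-513
xidNumber: 3000003'

# Print each distinct purely numeric uid/gid found in getfacl output.
numeric_xids() {
    printf '%s\n' "$1" | awk -F: '
        /^(default:)?(user|group):[0-9]+:/ { id = ($1 == "default") ? $3 : $2; seen[id] = 1 }
        END { for (id in seen) print id }' | sort -n
}

# Map one xidNumber to its objectSid using idmap.ldb LDIF; "unmapped" if absent.
xid_to_sid() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^dn: /        { n++ }
        /^objectSid: / { sid[n] = $2 }
        /^xidNumber: / { xid[n] = $2 }
        END { for (i = 1; i <= n; i++) if (xid[i] == want) { print sid[i]; exit }
              print "unmapped" }'
}

# Report each numeric id with the SID behind it (resolve with wbinfo --sid-to-name).
for id in $(numeric_xids "$GETFACL_SAMPLE"); do
    echo "$id -> $(xid_to_sid "$id" "$IDMAP_SAMPLE")"
done
```

An id that comes back "unmapped" has no entry in idmap.ldb at all, which is a different problem from a name that NSS simply cannot render.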

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba