
Re: [Samba] user cannot access shares on new ad-dc

Samba version? 

> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of 
> Klaus Hartnegg via samba
> Sent: Tuesday 10 October 2017 12:09
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] user cannot access shares on new ad-dc
> Hello,
> Is it normal that "Computer Management" cannot configure 
> shared directories of a Samba4 AD-DC? Is this only possible 
> on member servers? 
No, did you set the SePrivileges?

> It can connect to the DC, but when I click on shares it tells 
> that either the server does not support "virtual disk 
> service" (translated from German), or a firewall blocks the 
> connection. There is no firewall between these machines in my 
> test environment. I started Computer Management as 
> domain-admin on domain-joined Win7.
Go shares, configure there.

> Is it normal that non-admin users (on Win7) get permission 
> denied if they want to look inside of \\dc.ad.domain\sysvol 
> or netlogon? They can look inside these directories on 
> Windows servers, but not on my newly provisioned AD-DC test server.
Yes/No. If the non-admin user is a domain user, then no, that's not normal. 
If not a domain user, yes, that's normal. 

When prompted for a username, use DOM\user or username@REALM

> They cannot even access a test-share when I make them owner 
> of it with chown.
> The wiki page
>     Configuring_Winbindd_on_a_Samba_AD_DC
> instructs to append "winbind" behind "files" in the lines 
> "passwd" and "group". But my nsswitch.conf (ubuntu 14) had 
> "compat" there, not "files". Should I replace "compat" with 
> "files", or append "winbind" 
> behind "compat"?
No, "compat winbind" is correct. (Don't set "winbind compat".)
(Debian/Ubuntu use compat.) 

> The command "pam-auth-update" does not produce any output. 
> How can I check if it has done anything?
> I can do
>    chown "domain\\user" file
I suggest using getfacl and setfacl. 
Since you only want Windows access, don't use POSIX ACLs; stay with Windows ACLs. 

> and then that domain-user is shown in
>    ls -la file
> Does that mean that everything works?
Yes, that looks good. 

> I get the impression that winbindd and PAM are needed mostly 
> (only?) if users want to log on to the DC with ssh.
Yes, correct. 

> The page 
> about winbindd describes howto set up templates for shell and 
> homedir. The page about PAM talks about "SSH authentication". 
> I just want to access shares! 
> Reading the wiki I cannot determine what precisely are the 
> required steps to access shares on a DC.

Start at the top. Tested on Debian stretch, but I don't see 
any problems for Ubuntu 14.04 and 16.04; the steps are almost the same. 
(You might need to change some package names.) 
If you notice a difference, make a comment and I'll adapt it. 

Review the file: stretch-base-2.0-samba-minimal-ad.txt
With that setup I was able to access a share (as domain admin). 


Or the same as a normal (domain) user, and when prompted I enter a regular domain\username or username@REALM, 
and I'm also able to access the server. 

So review your setup based on this one.
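
The nsswitch.conf ordering discussed in this message ("compat winbind", not "winbind compat") can be checked with a small script. This is an added example, not part of the original mail or of the Samba wiki; the function name check_nsswitch and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Checks that the passwd and
# group lines of an nsswitch.conf-style file list "winbind", and list it after
# the local source ("compat" or "files"), as the reply above advises.
# The body runs in a subshell so "set -f" and variables do not leak out.
check_nsswitch() (
    file=$1
    rc=0
    set -f    # entries such as [NOTFOUND=return] must not be glob-expanded
    for db in passwd group; do
        # If a database is listed twice, this script looks at the last line.
        # Strip the "db:" key and any trailing comment.
        sources=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" |
                  sed 's/#.*//' | tail -n 1)
        pos=0; local_pos=0; wb_pos=0
        for s in $sources; do
            pos=$((pos + 1))
            case $s in
                compat|files) if [ "$local_pos" -eq 0 ]; then local_pos=$pos; fi ;;
                winbind)      if [ "$wb_pos" -eq 0 ]; then wb_pos=$pos; fi ;;
            esac
        done
        if [ "$wb_pos" -eq 0 ]; then
            echo "$db: winbind missing"; rc=1
        elif [ "$local_pos" -eq 0 ] || [ "$wb_pos" -lt "$local_pos" ]; then
            echo "$db: winbind not after compat/files"; rc=1
        else
            echo "$db: ok"
        fi
    done
    exit "$rc"
)

# Constructed sample in the Debian/Ubuntu style discussed above.
sample=$(mktemp)
printf 'passwd: compat winbind\ngroup:  compat winbind\nshadow: compat\n' > "$sample"
check_nsswitch "$sample"
rm -f "$sample"
```

On a real system, call check_nsswitch /etc/nsswitch.conf; a non-zero exit status means at least one of the two lines needs attention.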


