Web lists-archives.com

Re: [Samba] user cannot access shares on new ad-dc




On Tue, 10 Oct 2017 12:09:28 +0200
Klaus Hartnegg via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> Is it normal that "Computer Management" cannot configure shared 
> directories of a Samba4 AD-DC? Is this only possible on member
> servers? It can connect to the DC, but when I click on shares it
> tells that either the server does not support "virtual disk
> service" (translated from German), or a firewall blocks the
> connection. There is no firewall between these machines in my test
> environment. I started Computer Management as domain-admin on
> domain-joined Win7.
> 
> Is it normal that non-admin users (on Win7) get permission denied if 
> they want to look inside of \\dc.ad.domain\sysvol or netlogon? They
> can look inside these directories on Windows servers, but not on my
> newly provisioned AD-DC test server.
> 
> They cannot even access a test-share when I make them owner of it
> with chown.
> 
> The wiki page
>     Configuring_Winbindd_on_a_Samba_AD_DC
> instructs to append "winbind" behind "files" in the lines "passwd"
> and "group". But my nsswitch.conf (ubuntu 14) had "compat" there, not 
> "files". Should I replace "compat" with "files", or append "winbind" 
> behind "compat"?
> 
> The command "pam-auth-update" does not produce any output. How can I 
> check if it has done anything?
> I can do
>    chown "domain\\user" file
> and then that domain-user is shown in
>    ls -la file
> Does that mean that everything works?
> 
> I get the impression that winbindd and PAM are needed mostly (only?)
> if users want to log on to the DC with ssh. The page about winbindd 
> describes howto set up templates for shell and homedir. The page
> about PAM talks about "SSH authentication". I just want to access
> shares! Reading the wiki I cannot determine what precisely are the
> required steps to access shares on a DC.
> 
> Klaus
> 

OK, this could get a bit long :-)

As standard, a Samba AD DC is only used for authentication i.e. a user
called 'fred' is trying to connect to the domain, so do we know him ?

If you want to use a Samba AD DC for anything else, then you need to
make the user 'fred' known to the underlying Unix OS, you do this by
creating the libnss_winbind links, either manually or by installing
distro packages, on Ubuntu these will probably be 'libpam-winbind
libpam-krb5 libnss-winbind'
You will also need to check that the passwd & group lines
in /etc/nsswitch.conf have 'winbind' at the end. You may find that the
lines have 'compat' instead of 'files', they are interchangeable as far
Samba is concerned, but see 'man nsswitch.conf' for more info.

Once everything is set up correctly on the DC, 'getent passwd fred' or
'getent group fredgroup' should produce output, if there is no output,
there is either something wrong, or the user (or group) doesn't exist.

There are a lot of webpages out there that tell you to use 'wbinfo' to
check if users or groups exist, this will only tell you that they
exist in AD, it will not tell you if Unix knows who they are.

Rowland 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba