Web lists-archives.com

Re: [Samba] cannot list/access samba share from Windows client





Please see inline comments:

On Mon, 8 Jan 2018 14:41:01 +0100
Andrea Rossetti via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> I have a problem to list/access share from Windows client to share
> hosted on samba domain member server. I followed the instruction from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> step by step but I used sssd instead of winbind for the
> authentication method. 

Then you didn't follow the wiki page.

>The Linux samba server is an Ubuntu server
> 16.04 and I successfully added this samba server to a awindows active
> directory domain (Windows server 2012 R2). I login to the domain
> server machine as a domain admins user but II’m not able to
> list/access to the share when I digit in Windows Explorer
> \\servername I have the access denied with the request to insert the
> credential of a user enabled to it. Only the user mapped
> in  /etc/samba/user.map can manage the server via the ADUC interface
> and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain
> admin Group

The only mapping in the user.map should be Administrator to root.

> 
>  root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
>   COM_SPOLETO\Domain Admins
>   BUILTIN\Administrators
> 
> Is there anyone can help me?
> 
> Below my configuration files.
> ----------------------------------------------------------------------
> My /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = COM_SPOLETO
>         realm = COMUNE.SPOLETO.LOCAL
>         server string = %h server (Samba, Ubuntu)
>         interfaces = lo ens32
>         bind interfaces only = Yes
>         server role = standalone server
>         security = ADS

'server role' is wrong, it is a Unix domain member

>         map to guest = Bad User

>         obey pam restrictions = Yes
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

I would remove the above 4 lines, you do not need them in a Unix domain
member smb.conf

> username map = /etc/samba/user.map
 
>unix password sync = Yes

You definitely do not want the above line in a Unix domain member
smb.conf, all your domain members should be in AD.

>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         client signing = if_required
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         winbind refresh tickets = Yes

>         idmap config comune.spoleto.local : range = 10000-29999
>         idmap config comune.spoleto.local : backend = rig
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb

As you are using sssd, you don't need the lines above, also it is 'rid'
not 'rig'


> -----------------------------------------------------------------------------
> My /etc/samba/user.map
> !root = COM_SPOLETO\Adminserver

It is Administrator not Adminserver

> ----------------------------------------------------------------
> My /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
> 
> passwd:         compat sss winbind
> group:          compat sss winbind

You either use 'sss' or 'winbind', not both

> shadow:         compat sss

You shouldn't add anything to the shadow line.

> gshadow:        files
> 
> hosts:          files dns winbind

You do not use winbind for hosts

> networks:       files
> 
> protocols:      db files
> services:       db files sss winbind

Same goes for services

> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis sss winbind
> sudoers:        files sss winbind

Same goes for netgroup and sudoers

> ---------------------------------------------------------------------------------------------------------------------
> My /etc/sssd/sssd.conf
> [sssd]

Pointless telling us what your sssd.conf is, it isn't anything to do
with Samba

> -------------------------------------------------------------------------------------------
> My /etc/krb5.conf
> [libdefaults]
>         default_realm = COMUNE.SPOLETO.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 

This is all you need in krb5.conf.

I would make the alterations I have suggested, then choose whether to
use 'sssd' or 'winbind', you cannot use both.
If you decide to continue to use 'sssd' and you still have problems,
you need to ask on the 'sssd-users' mailing list.

Rowland
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba