Web lists-archives.com

Re: [Samba] R: cannot list/access samba share from Windows client




On Mon, 8 Jan 2018 18:27:44 +0100
Andrea Rossetti <andy.ros@xxxxxxxxx> wrote:

> Thanks for the rapid reply!
> 
> I think the problem was in the server role options I’ve modified it
> in  “server member” and now I’m able to list the shares under
> \\linuxserver from any domain user authenticated in a Windows pc AD
> member. But now 1. Execute computer management from a Windows domain
> member client as a domain admin user (run as
> com_spoleto\rossetti.admin that is a “domain admins” member 2. Right
> click on computer management -> connect to another computer ->
> srvlnxwintra01 (the Linux server member) 3. I expand “System Tools”
> -> I expand “Shared Folders” -> click on “Shares”  right click on
> “share” -> Click Properties -> click on tab “Security”. In this tab I
> have the message “You musr have Read permission to view the
> properties of this object” even if I have granted
> SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If
> I execute “Computer Management” as “com_spoleto\adminserver” user (I
> explained below the reason I used this user) I can view/modify the
> ACLs.
> 
> Please see MY inline comments, and at the end of this message I
> pasted my modified config files:
> 
> Inviato da Posta per Windows 10
> 
> Da: Rowland Penny
> Inviato: lunedì 8 gennaio 2018 15:15
> A: samba@xxxxxxxxxxxxxxx
> Cc: Andrea Rossetti
> Oggetto: Re: [Samba] cannot list/access samba share from Windows
> client
> 
> 
> 
> >>The Linux samba server is an Ubuntu server
> >> 16.04 and I successfully added this samba server to a awindows
> >> active directory domain (Windows server 2012 R2). I login to the
> >> domain server machine as a domain admins user but II’m not able to
> >> list/access to the share when I digit in Windows Explorer
> >> \\servername I have the access denied with the request to insert
> >> the credential of a user enabled to it. Only the user mapped
> >> in  /etc/samba/user.map can manage the server via the ADUC
> >> interface and list, but I’ve assigned the SeDiskOperatorPrivilege
> >> to all domain admin Group
> 
> >The only mapping in the user.map should be Administrator to root.
> 
> I’ve mapped the user COM_SPOLETO\adminserver because it is an
> enterprise admin as the COM_SPOLETO\Administrator For security
> reasons we have disabled the Administrator user account. In fact I
> used adminserver to grant SeDiskOperatoPrivilege do
> “com_spoleto\domain admins” group (see lines below)
> 
> >>  root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges
> >> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
> >> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
> >>   COM_SPOLETO\Domain Admins
> >>   BUILTIN\Administrators
> 
> >> -----------------------------------------------------------------------------
> >> My /etc/samba/user.map
> >> !root = COM_SPOLETO\Adminserver
> 
> >It is Administrator not Adminserver
> 
> As just explained the adminserver is for us the enterprise domain
> admin.
> 
> ----------------------------------------------
> My modified /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = COM_SPOLETO
>         realm = COMUNE.SPOLETO.LOCAL
>         server string = %h server (Samba, Ubuntu)
>         interfaces = lo ens32
>         bind interfaces only = Yes
>         server role = member server
>         security = ADS
>         map to guest = Bad User
>         username map = /etc/samba/user.map
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         client signing = if_required
>         dns proxy = No
>         panic action = /usr/share/samba/panic-action %d
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         store dos attributes = Yes
>         vfs objects = acl_xattr
> 
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         create mask = 0700
>         printable = Yes
>         browseable = No
> 
> 
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
> 
> 
> [share]
>         comment = Progetti QGIS per Lizmap
>         path = /home/data/share
>         read only = No
> -------------------------------------------------------------------------------
> 
> My modified /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
> 
> passwd:         compat sss
> group:          compat sss
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis sss
> sudoers:        files sss
> --------------------------------------------------------------------------------
> 
> My modified /etc/krb5.conf
> 
> [libdefaults]
>          default_realm = COMUNE.SPOLETO.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true


You are now solely using sssd for the authentication, you need to ask
on the sssd-users mailing list, either that or purge sssd and set up
winbind correctly.

I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
help any further.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba