Re: [Samba] samba 2.4.6 to 2.4.7 update on Fedora update 26 to 27, can't connect to shares




Thanks Rowland :-)

On 1 March 2018 at 18:49, Rowland Penny <rpenny@xxxxxxxxx> wrote:

> On Thu, 1 Mar 2018 14:32:58 +1100
> Norman Gaywood via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > I've just updated my samba 2.4.6 to samba 2.4.7 via updating Fedora
> > 26 to 27
> I think you mean you have upgraded from 4.6.x to 4.7.x ;-)
>

Oops yeah, 4.6.x to 4.7.x :-)


> > System was working in F26. But in F27 users cannot connect to the
> > service definitions:
> >
> > $ smbclient //turing/ngaywood
> > Enter UNE\ngaywood's password:
> > Anonymous login successful
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> > The server system is configured as (testparm output):
> > [global]
> >         auth methods = guest sam_ignoredomain winbind:ntdomain
> >         log file = /var/log/samba/log.%m
> >         max log size = 500
> >         realm = AD.UNE.EDU.AU
> >         security = ADS
> >         server string = Science and Technology turing Samba Server Version %v
> >         wins server = 129.180.3.55
> >         workgroup = UNE
> >         idmap config * : backend = tdb
> >         cups options = raw
> >
> > On the server, wbinfo lists all the users:
> >
> > # wbinfo -u | grep ngaywood
> > UNE\ngaywood
> >
> > Perhaps something to do with this in log.smbd?
> > [2018/03/01 14:22:26.232980,  3] ../lib/util/access.c:365(allow_access)
> >   Allowed connection from 129.180.72.132 (129.180.72.132)
> > [2018/03/01 14:22:30.456440,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
> >   pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
> >
> > But I'm not sure what that means.
> >
> > Also have these messages generated by testparm:
> >
> > WARNING: The "auth methods" option is deprecated
> > WARNING: The "profile acls" option is deprecated
>
> Fairly obvious, both the parameters are deprecated, so you shouldn't
> use them ;-)
>
> > idmap range not specified for domain '*'
> > ERROR: Invalid idmap range for domain *!
> >
>
> You haven't set the 'idmap config' lines correctly, which may mean you
> are using sssd instead. If this is the case, then you are asking in the
> wrong place, you need to ask on the sssd-users mailing list.
>

OK, I see now I need to setup the idmap. I've tried a few things but I'm
not sure what I'm doing yet.

User logins are configured to use sssd which is configured to use an
openldap server.

Samba was configured to be a domain member of an AD server. The usernames
are the same in both AD and openldap.
There are also local users not in AD and openldap.

However, the AD server does not contain unix uid/gid attributes.

Previously (in samba 4.6.x) windows users were able to map their linux
/home (and other shared accounts) to their windows system.

Samba was configured to use winbind. Linux users use the nsswitch.conf:
passwd:      files nis sss systemd
shadow:     files nis sss
group:       files nis sss systemd


> If you aren't using sssd, can you post the smb.conf that is on disk
> i.e. the output of cat.
>
>
So it seems to me I'm not using sssd with samba. sssd is using our openldap,
samba is using AD.

Here is a redacted (removed some comments, share definitions and most
usernames) smb.conf file
[global]
workgroup = UNE
server string = Science and Technology turing Samba Server Version %v

; netbios name = MYSERVER

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.

; max protocol = SMB2

# --------------------------- Logging Options -----------------------------

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 500KB per log file, then rotate:
max log size = 500
       log level = 3 passdb:5 auth:10 winbind:2
#       log level = 1 passdb:2 auth:2
#        log level = 1 passdb:1 auth:1

# ----------------------- Standalone Server Options ------------------------

; security = user
; passdb backend = tdbsam

# ----------------------- Domain Members Options ------------------------

# security = domain
security = ads
       auth methods = guest sam_ignoredomain winbind:ntdomain
#        auth methods = guest sam_ignoredomain ntdomain
passdb backend = tdbsam
        encrypt passwords    = true
; realm = MY_REALM
       realm = ad.une.edu.au

; password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------

; security = user
; passdb backend = tdbsam

; domain master = yes
; domain logons = yes

# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =

# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:

; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------

; local master = no
; os level = 33
; preferred master = yes

#----------------------------- Name Resolution -------------------------------

; wins support = yes
wins server = 129.180.3.55
; wins proxy = yes

; dns proxy = yes

# --------------------------- Printing Options -----------------------------

load printers = yes
cups options = raw

; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
; printing = cups

# --------------------------- File System Options ---------------------------

; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

[Profiles]
comment = Network Profiles Share
path = /var/lib/samba/profiles
#path = %H/samba/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = no
guest ok = no
force user = %U
valid users = %U
printable = no
profile acls = yes
csc policy = disable

#####################################################################################
# turing shares

[math101]
   path = %H
   volume = math101
   read only = no
   force user = math101
   valid users = math101 ngaywood auser2 auser3




-- 
Norman Gaywood, Computer Systems Officer
School of Science and Technology
University of New England
Armidale NSW 2351, Australia

ngaywood@xxxxxxxxxx  http://turing.une.edu.au/~ngaywood
Phone: +61 (0)2 6773 2412  Mobile: +61 (0)4 7862 0062

Please avoid sending me Word or Power Point attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
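An added example, not taken from this thread or from the Samba project: a small Python linter that reproduces the check behind testparm's "idmap range not specified for domain '*'" error, run against the [global] fragment posted above and against a corrected fragment. The corrected values (a tdb range of 3000-7999 for '*', a rid backend with range 10000-999999 for UNE) are assumed illustration values, not something the thread establishes; both config fragments are constructed inline so the script runs offline.

```python
"""Lint the 'idmap config' lines of an smb.conf the way testparm flags them.

Added example, not code from the mailing-list thread or from Samba itself.
The corrected ranges and the 'rid' backend for UNE are assumptions chosen
for illustration; pick ranges that suit your own site.
"""
import re

# Constructed input: the idmap-relevant lines of the [global] section as
# posted in the thread. There is a backend for '*' but no range.
BROKEN_GLOBAL = """
[global]
        workgroup = UNE
        realm = AD.UNE.EDU.AU
        security = ADS
        idmap config * : backend = tdb
"""

# Constructed corrected fragment (assumed values, see module docstring):
# every domain has a backend AND a range, and the ranges do not overlap.
FIXED_GLOBAL = """
[global]
        workgroup = UNE
        realm = AD.UNE.EDU.AU
        security = ADS
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config UNE : backend = rid
        idmap config UNE : range = 10000-999999
"""

# 'idmap config <domain> : <key> = <value>' (domain names are case-insensitive)
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> dict:
    """Return {domain: {key: value}} for every 'idmap config' line found."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = "*" if m["dom"] == "*" else m["dom"].upper()
        domains.setdefault(dom, {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(val: str):
    """Parse 'LOW-HIGH'; raises ValueError on anything else."""
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi


def lint_idmap(conf: str) -> list:
    """Return testparm-style problem strings; an empty list means the idmap
    configuration is complete and the ranges are disjoint."""
    problems = []
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("no 'idmap config * : backend' line (default domain missing)")
    ranges = {}
    for dom, keys in domains.items():
        if "backend" not in keys:
            problems.append(f"idmap backend not specified for domain '{dom}'")
        if "range" not in keys:
            problems.append(f"idmap range not specified for domain '{dom}'")
            continue
        try:
            lo, hi = parse_range(keys["range"])
        except ValueError:
            problems.append(f"ERROR: Invalid idmap range for domain {dom}!")
            continue
        if lo < 0 or lo >= hi:
            problems.append(f"ERROR: Invalid idmap range for domain {dom}!")
            continue
        ranges[dom] = (lo, hi)
    # Overlapping ranges make SID -> uid/gid allocation ambiguous between
    # backends, so treat them as an error too.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", BROKEN_GLOBAL), ("corrected", FIXED_GLOBAL)):
        print(f"{name}: {lint_idmap(conf) or 'OK'}")
```

The linter only checks that the idmap lines are complete and consistent, which is what testparm complained about; which uids and gids a given backend actually hands out is a separate question, and with tdb or rid they are allocated by winbind rather than read from AD, so after changing the lines confirm the result on the server with `wbinfo -i` and `id` for an affected user before relying on it.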