Web lists-archives.com

[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder




I joined my Debian 9 server into a Active Directory Structure as a domain member. Not as a DC. Then when I try to share a folder on this server and the client PC can't correctly authenticate and use the folder. It keeps saying "Access Denied" on Windows client PC. There is no error in log files (/var/log/samba/). If I allow anonymous users, it works fine. I used to use the same configuration on Debian 7 and it worked.

What is wrong?

/etc/samba/smb.conf:

[global]
  workgroup = MP
  realm = INTRANET.OBFUSCATEDDOMAIN
  server string = %h server
  wins server = intranet.obfuscateddomain
  dns proxy = no
interfaces = ens32 lo

  log file = /var/log/samba/log.%m
  max log size = 1000
  panic action = /usr/share/samba/panic-action %d
security = ads
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
load printers = no

idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
idmap config MP : default = yes
idmap config MP : backend = ad
idmap config * : range = 20000-29999
idmap config *:backend = rid
  winbind enum groups = yes
  winbind enum users = yes
   local master = no
   domain master = no
   preferred master = no
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind use default domain = yes
   invalid users = root
   template homedir = /home/%D/%U
   template shell = /bin/bash
   winbind offline logon = yes
   winbind refresh tickets = yes

[GR-UITEC]
   comment       = Pasta para GR-UITEC
   path = /home/apache/desenvolvimento
   readonly  = no

   valid users = MP\bruno.guimaraes
   admin users = MP\bruno.guimaraes
   force user   = www-data
   force group = www-data



/etc/nsswitch.conf:

passwd: compat winbind

group:          compat winbind

shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files

services:       db files

ethers:         db files

rpc:            db files

netgroup:       nis



/etc/krb5.conf

[libdefaults]
default_realm = INTRANET.OBFUSCATEDDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
   INTRANET.OBFUSCATEDDOMAIN = {
       kdc = INTRANET.OBFUSCATEDDOMAIN:88
       admin_server = INTRANET.OBFUSCATEDDOMAIN
   }
[domain_realm]
   .intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
   intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN


[cid:part1.4D015579.7A457904@mpba.mp.br]


att,

--
Bruno Guimarães Sousa

Missão do MPBA: Defender a sociedade e o regime democrático para garantia da cidadania plena.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba