Re: [Samba] Share authentication problem

Hi Rowland,

Thank you very much for your help! The main problem was fixed today - and I have to apologize for bothering the samba list because it was an error40 (40cm in front of the PC). In my test environment, there was still an old, non-existing SID on the domdata share; however, after deleting the access permissions in Windows and adding new ones, everything works fine now. I answered your additional questions below :)

On 19.04.2018 at 10:50, Rowland Penny wrote:
On Thu, 19 Apr 2018 10:08:12 +0200
Sascha Wiechmann via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi @ll !

I am trying to set up a samba fileserver in SuSe 42.3 as domain
member in a Debian based Samba4 AD. The join seems to be ok, as I can
get /wbinfo -u/ and /-g/, and /getent group/ and /passwd/.
I can also list all browsable shares with /smbclient -L \\SambaFS
-Uusername/, but when I add -k, I get the following errors:

SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


So I bought a book from Stefan Kania for Samba4 in AD that I worked
through site to site
Why? What is wrong with the Samba wiki?

The Samba wiki was my first try but I got stuck at the same problem - then I thought a book might help me find out what I did wrong :)

- but I do not get access to shares for the
domain members except the domain admin. Windows prompts for user
authentication. The "profiles" share works perfectly and is owned by
the same gid as the other "general" share is. I would like to use
Windows rights management for the shares in future. Some information:

Samba1:/ # getent passwd mjackson

Samba1:/ # ls -ln /home/samba
total 4
drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

You have a problem, there shouldn't be numbers here, there should be
Are you sure there is a problem? ls -ln shows UID and GID, ls -lh the names?

Samba1:/ # ls -ln /home/samba
drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

Samba1:/ # ls -lh /home/samba
drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 domdata


Samba1:/ # smbclient -L \\Samba1 -Umjackson
WARNING: The "idmap gid" option is deprecated <------- what is the
actual way? :)
Try using this smb.conf:

workgroup = SAMDOM
security = ads
netbios name = Samba1
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
winbind use default domain = yes
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 1000000-1999999
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes=yes
hide unreadable=yes

read only=no

comment=User Profile
read only=no

comment=Famous domdataLW
read only=no


I will try it, thanks
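
An added example, not part of the original thread: a Python check that parses the idmap config lines from the smb.conf suggested above, confirms the ranges do not overlap, and reports which range a numeric owner ID falls into. The function names are chosen for this example; 10003 and 10013 are the owner uid and gid of domdata in the ls -ln output.

```python
import re

# idmap-related lines copied from the smb.conf suggested in the thread
SMB_CONF = """\
workgroup = SAMDOM
security = ads
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 1000000-1999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str|None, "range": (low, high)|None}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue  # not an "idmap config" line
        dom, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value
    return domains

def overlapping(domains):
    """Return pairs of domains whose ID ranges overlap (must be empty)."""
    ranged = sorted((d, e["range"]) for d, e in domains.items() if e["range"])
    return [(a, b) for i, (a, ra) in enumerate(ranged)
            for b, rb in ranged[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def owner_domain(domains, unix_id):
    """Return the idmap domain whose range contains unix_id, else None."""
    for dom, entry in domains.items():
        if entry["range"] and entry["range"][0] <= unix_id <= entry["range"][1]:
            return dom
    return None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping(cfg))
    for unix_id in (10003, 10013):  # numeric owner and group of domdata
        print(unix_id, "->", owner_domain(cfg, unix_id))
```

With the suggested ranges, neither 10003 nor 10013 falls inside a configured range, so ownership of existing directories should be re-checked after changing the idmap settings.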

