Re: [Samba] Share authentication problem -- [Solved]




Hi Louis,

and thanks for your help. Hope you already read that the problem came from an old SID in Windows. Samba Versions are 4.6.13 on SuSE 42.3 as a Member and 4.5.12-debian on Debian.

Smbclient is not found; for the idmap misconfig I will try Rowland's and your suggestion.

best regards

Sascha

On 19.04.2018 at 10:54, L.P.H. van Belle wrote:
OK, please post the smb.conf of both servers and tell us the Samba versions.

You have a misconfiguration in these.

WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
^^^^^^^^^^^^^^^^^^^^^^^^^^^
"idmap gid"="10000-20000"
"idmap uid"="10000-20000"
You need something like this example.
     # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
     ## map IDs outside the domain to tdb files.
     idmap config * : backend = tdb
     idmap config * : range = 2000-9999

     ## map ids from the domain and (*) the range may not overlap !
     idmap config NTDOM : backend = ad
     idmap config NTDOM : schema_mode = rfc2307
     idmap config NTDOM : range = 10000-3999999
     ## these two depend on how you use Samba (4.6+)
     #idmap config NTDOM : unix_nss_info = yes
     #idmap config NTDOM : unix_primary_group = yes


If that's fixed, my first guess would be...
You use:         smbclient -L \\SambaFS -Uusername
You should use:  smbclient -L \\FQDN -Uusername
And depending on the samba/smbclient versions, add -mSMB1

Greetz,

Louis


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Sascha Wiechmann via samba
Sent: Thursday, 19 April 2018 10:08
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] Share authentication problem

Hi @ll !

I am trying to set up a Samba fileserver on SuSE 42.3 as a domain member
in a Debian-based Samba4 AD. The join seems to be OK, as I can get
wbinfo -u and -g, and getent group and passwd.
I can also list all browsable shares with smbclient -L \\SambaFS
-Uusername, but when I add -k, I get the following errors:

SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

---------------------------------------------------------------------------

So I bought a book from Stefan Kania for Samba4 in AD that I worked
through site to site - but I do not get access to shares for the domain
members except the domain admin. Windows prompts for user authentication.
The "profiles" share works perfectly and is owned by the same gid as the
other "general" share is. I would like to use Windows rights management
for the shares in future. Some information:

Samba1:/ # getent passwd mjackson
mjackson:*:1001113:10013::/home/SAMDOM/mjackson:/bin/false

Samba1:/ # ls -ln /home/samba
total 4
drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

Samba1:/ # ls -lh /home/samba
total 4.0K
drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 domdata

and another one for the working profiles share:

Samba1:/home # ls -lh
total 4.0K
drwxrwx--T  3 root            domain users   27 Apr 17 10:46 profile
drwxrwsr-x  3 administrator   domain users   25 Apr 18 10:37 samba
drwxr-xr-x 19 samba1          users        4.0K Apr 19 08:56 samba1

Samba1:/home # ls -ln
total 4
drwxrwx--T  3     0     10013   27 Apr 17 10:46 profile
drwxrwsr-x  3 10003     10013   25 Apr 18 10:37 samba
drwxr-xr-x 19  1000       100 4096 Apr 19 08:56 samba1

---------------------------------------------------------------------------

Samba1:/ # smbclient -L \\Samba1 -Umjackson
WARNING: The "idmap gid" option is deprecated <------- what is the actual way? :)
WARNING: The "idmap uid" option is deprecated
lp_load_ex: changing to config backend registry
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
Enter SAMDOM\mjackson's password:
OS=[Windows 6.1] Server=[Samba 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64]

          Sharename       Type      Comment
          ---------       ----      -------
          IPC$            IPC       IPC Service (Samba 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64)
          domData         Disk      Famous domdata
          test2           Disk      tester
OS=[Windows 6.1] Server=[Samba 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64]

          Server               Comment
          ---------            -------

          Workgroup            Master
          ---------            -------
          WORKGROUP            SOMEPC

smb.conf :

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\global]
"idmap gid"="10000-20000"
"idmap uid"="10000-20000"
"usershare allow guests"="No"
"workgroup"="SAMDOM"
"template homedir"="/home/%D/%U"
"winbind refresh tickets"="yes"
"netbios name"="Samba1"
"wins support"="Yes"
"winbind enum users"="yes"
"winbind enum groups"="yes"
"winbind use default domain"="yes"
"idmap config * : range"="10000 - 19999"
"idmap config SAMDOM: backend"="rid"
"idmap config SAMDOM : range"="1000000 - 1999999"
"store dos attributes"="yes"
"vfs objects"="acl_xattr"
"hide unreadable"="yes"
"security"="ads"
"realm"="SAMDOM.TEST"

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\Admin-Share]
"browseable"="no"
"read only"="no"
"path"="/home/samba"
"comment"="AdminShare"
"guest ok"="no"
"inherit acls"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\profile]
"guest ok"="no"
"browseable"="no"
"read only"="no"
"profile acls"="yes"
"comment"="User Profile"
"path"="/home/profile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\domData]
"path"="/home/samba/domdata/"
"comment"="Famous domdataLW"
"guest ok"="no"
"read only"="no"

Any help is much appreciated, thanks in advance!

br

Sascha


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
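
A check of the idmap settings discussed in this thread, as an added example that is not from any poster or from the Samba project: it parses the registry-export smb.conf format shown above, reports the deprecated "idmap uid"/"idmap gid" options, tests the "idmap config" ranges for overlap, and shows which configured range a given uid/gid falls into. The function names and the trimmed sample input are assumptions made for illustration.

```python
import re

# Constructed sample: the idmap-related lines of the registry-format
# [global] key posted in this thread.
SAMPLE = r'''
"idmap gid"="10000-20000"
"idmap uid"="10000-20000"
"idmap config * : range"="10000 - 19999"
"idmap config SAMDOM: backend"="rid"
"idmap config SAMDOM : range"="1000000 - 1999999"
"security"="ads"
'''

PAIR = re.compile(r'^"([^"]+)"="([^"]*)"$')           # "key"="value"
IDMAP = re.compile(r'^idmap config\s+(\S+?)\s*:\s*(\w+)$')
DEPRECATED = {"idmap uid", "idmap gid"}

def parse_idmap(text):
    """Return (deprecated option names, {domain: (low, high)})."""
    deprecated, ranges = [], {}
    for line in text.splitlines():
        m = PAIR.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        im = IDMAP.match(key)
        if key in DEPRECATED:
            deprecated.append(key)
        elif im and im.group(2) == "range":
            low, high = (int(x) for x in value.split("-"))
            ranges[im.group(1).upper()] = (low, high)
    return sorted(deprecated), ranges

def overlaps(ranges):
    """Pairs of domains whose ID ranges intersect (they must not)."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(items)
            for b, (blo, bhi) in items[i + 1:] if alo <= bhi and blo <= ahi]

def owners(ranges, unix_id):
    """Domains whose configured range contains a given uid/gid."""
    return sorted(d for d, (lo, hi) in ranges.items() if lo <= unix_id <= hi)

if __name__ == "__main__":
    dep, rng = parse_idmap(SAMPLE)
    print("deprecated:", dep, "overlaps:", overlaps(rng))
    for i in (1001113, 10013, 10003):  # IDs from the getent / ls -ln output
        print(i, "->", owners(rng, i))
```

On the posted configuration the two "idmap config" ranges do not overlap; the uid from getent falls into the SAMDOM range, while the gid and the directory owner from ls -ln fall into the default (*) range.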





