Web lists-archives.com

Re: [Samba] Samba AD DC: share access denied




On Thu, 15 Nov 2018 15:54:50 +0000
Jens Kuipers <hitmokyhitter@xxxxxxxxxxx> wrote:

> cat /etc/samba/smb.conf
> 
> # Global parameters
> [global]
>   workgroup = LDB-BEHEER
>   realm = LDB-BEHEER.NL
>   netbios name = AD
>   server role = active directory domain controller
>   idmap_ldb:use rfc2307 = yes
> 
>   dns forwarder = 8.8.8.8
>   allow dns updates = nonsecure and secure
> 
> [netlogon]
>   path = /var/lib/samba/sysvol/ldb-beheer.nl/scripts
>   read only = no
> 
> [sysvol]
>   path = /var/lib/samba/sysvol
>   read only = no
> 
> [users]
>   path = /mnt/users/roaming
>   read only = no
> 

Ah, that's better, I can read it now ;-)

The only thing I would say about your smb.conf is that most people would
call the profiles share 'profiles' instead of 'users', the latter is
usually used for the Unix users home directories.

You also posted this:

Getfacl /mnt/users/roaming
getfacl: Removing leading '/' from absolute path names
# file: mnt/users/roaming
# owner: root
# group: LDB-BEHEER\134domain\040users
# flags: -s-
user::rwx
group::r-x
other::r-x

This is undoubtedly shows your problem, the 'roaming' directory is
owned by 'root' and the group is 'Domain Users', the group is wrong! It
should be 'Domain Admins'.
However, even if the group was correct, it still wouldn't work, because
the permissions are incorrect, only 'root' can write to the directory,
'Domain Users' can only read & enter the directory. You need to run:
chgrp 'Domain Admins' /mnt/users/roaming
and
chmod 0770 /mnt/users/roaming
to correct this.

Then go and read this:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba