
Re: [Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.




Hi Rowland!

On 29/03/2019 16:33, Rowland Penny via samba wrote:
> Roll on 'Buster' ;-) 4.5.x is well EOL.

It's not ideal, I know! ;) Unfortunately I (and every other Raspberry Pi user) am stuck with this for now since this is the default Samba package that Raspbian currently uses unfortunately. I did check to see if it could be upgraded using apt to something a little more recent but apparently not :(

>> dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)

> You might as well 'obliterate' totally, it is only used on a DC.

Duly noted, thanks for the tip.

> So, stephenellwood is an AD user, but is it also a Unix user?

Aha! That's probably why my setup is not working! My passwd file on fs1 below suggests there is no stephenellwood Unix user account.

pi@fs1:~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
pi:x:1000:1000:,,,:/home/pi:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
avahi:x:108:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false

There is obviously a major gap in my understanding here. Have I understood you correctly, Rowland? You appear to be suggesting that there must be a separate individual Linux user account on EVERY Samba file server, one new Unix user account corresponding to every Active Directory account? So what's the point in using a centralised authentication service like Active Directory then - I don't understand - what does AD actually achieve in Windows networking?

I used the following Samba tutorials to set up my fileserver fs1 but unfortunately these do not mention the need to create user accounts to complement those that Active Directory creates.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

How do I rectify this? Can you point me at a suitable tutorial?

> Have you added RFC2307 attributes to AD?

I don't know what this means, can you please clarify? All I could find on Google was this link https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and I believe I have already followed the instructions there.

> Have you installed these packages: libpam-winbind libnss-winbind
> libpam-krb5

Yes I definitely installed those packages.

> Have you added 'winbind' to the 'passwd' & 'group' lines
> in /etc/nsswitch.conf ?

Yes, please see my nsswitch.conf below:

pi@fs1:~ $ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Ser
# If you have the `glibc-doc-reference'
# `info libc "Name Service Switch"' for

passwd:         files winbind
group:          files winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NO
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:          files winbind


Thanks
Stephen

