[Samba] After some time "denied due to share security descriptor"
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Sep 15 10:45:33 UTC 2015
On 15/09/15 11:22, Alessandro Briosi wrote:
>
>
> On 15/09/2015 11:49, Rowland Penny wrote:
>> On 15/09/15 10:22, Alessandro Briosi wrote:
>>>
>>> This is the file server configuration, just in case you can spot
>>> something wrong.
>>> (don't think krb5.conf is used)
>>
>> OH yes it is!
>>
>>>
>>> smb.conf
>>>
>>> [global]
>>> workgroup = DOMAIN
>>> realm = AD.DOMAIN.NET
>>> security = ads
>>> idmap config * : range = 16777216-33554431
>>> template shell = /sbin/nologin
>>>
>>> netbios name = srvfile1
>>> netbios aliases = srvfile
>>> reset on zero vc = yes
>>>
>>> server string =
>>> encrypt passwords = yes
>>>
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 10000-20000
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> idmap config DOMAIN:range = 1000-40000
>>>
>>> winbind nss info = rfc2307
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind offline logon = false
>>>
>>> store dos attributes = Yes
>>> create mask = 0770
>>> force create mode = 0770
>>> directory mask = 0770
>>>
>>> [sharename]
>>> path = /home/SHARES/sharename
>>> read only = no
>>>
>>
>> OK, this:
>> idmap config * : range = 16777216-33554431
>> Conflicts with this:
>> idmap config *:range = 10000-20000
>> And the above is inside this:
>> idmap config DOMAIN:range = 1000-40000
>>
>> Is sssd running? If not, remove the top line and adjust the other two so
>> they do not overlap.
>>
>
> I have tried sssd, but it won't work as expected, so I reverted back to
> winbind.
> I'll fix the idmaps, but I don't think that's a problem.
>> I would also add the following two lines:
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>>
>
> I removed this because it was creating a lot of trouble with permissions.
> Now I manage all with the old and simple Unix permissions and
> everything works as expected...
>>> --------------------------------------------
>>> krb5.conf
>>>
>>> [logging]
>>> default = FILE:/var/log/krb5libs.log
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmind.log
>>>
>>> [libdefaults]
>>> dns_lookup_realm = false
>>> ticket_lifetime = 24h
>>> renew_lifetime = 7d
>>> forwardable = true
>>> rdns = false
>>> default_ccache_name = KEYRING:persistent:%{uid}
>>>
>>> [realms]
>>> # EXAMPLE.COM = {
>>> # kdc = kerberos.example.com
>>> # admin_server = kerberos.example.com
>>> # }
>>>
>>> [domain_realm]
>>> # .example.com = EXAMPLE.COM
>>> # example.com = EXAMPLE.COM
>>>
>> Set krb5.conf to:
>>
>> [libdefaults]
>> default_realm = AD.DOMAIN.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>
> ok. will do.
> But on the wiki there's no mention of the krb5.conf file for an AD
> member server.
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> I had the impression that it was used in 3.x versions of samba, but
> samba4 would use the DNS/configuration to resolve the REALM.
Taking this back on-list:
Thanks for making me test this out; I just took it as read that you
needed the krb5.conf file. This, it would seem, was a *BIG* mistake: I
removed krb5.conf, flushed the winbind cache and restarted smbd, nmbd
and winbind on a Unix client. It still works, so it would seem you don't
need the /etc/krb5.conf file after all :-)
Rowland
>
> thanks,
> Alessandro
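Rowland's point about the overlapping idmap ranges in the quoted smb.conf is easy to check mechanically before joining or restarting the server. The script below is an added example, not code from this thread or from the Samba project. It parses the "idmap config <domain> : range" lines (accepting both the "* : range" and "*:range" spellings that appear in the posted config), flags any domain whose range is set more than once and any pair of ranges that overlap, and then runs the same check over a corrected [global] fragment that follows the advice given above. The corrected numbers (wildcard 10000-19999, DOMAIN 20000-40000) are an assumption for illustration; on a real member server the DOMAIN range must cover the uidNumber/gidNumber values stored in AD.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): find duplicate and
# overlapping "idmap config <domain> : range" settings in an smb.conf.

# Constructed sample: the [global] idmap lines as posted in the thread,
# including the two spellings of the wildcard range line.
SMB_CONF_POSTED='[global]
   workgroup = DOMAIN
   idmap config * : range = 16777216-33554431
   idmap config *:backend = tdb
   idmap config *:range = 10000-20000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 1000-40000
'

# Constructed fix following the advice in the thread: one wildcard range
# and one DOMAIN range that do not overlap. The numbers are an assumption;
# the DOMAIN range must cover the uidNumber/gidNumber values stored in AD.
SMB_CONF_FIXED='[global]
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : schema_mode = rfc2307
   idmap config DOMAIN : range = 20000-40000
'

# idmap_ranges CONF_TEXT
# Prints one "domain low high" line per range setting, tolerating any
# whitespace around the ':' and the '='.
idmap_ranges() {
    printf '%s\n' "$1" | awk -F= '
        tolower($1) ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
            key = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", key)
            sub(/[ \t]*:.*$/, "", key)        # domain part: "*" or "DOMAIN"
            val = $2
            gsub(/[ \t]/, "", val)            # "low-high"
            split(val, r, "-")
            print key, r[1], r[2]
        }'
}

# idmap_overlaps CONF_TEXT
# Reports each domain whose range is set more than once and each pair of
# ranges that overlap. Exit status 0 means no problem was found.
idmap_overlaps() {
    idmap_ranges "$1" | awk '
        {
            n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if (seen[$1]++) {
                print "DUPLICATE: range for " $1 " is set more than once"
                found = 1
            }
            for (i = 1; i < n; i++)
                if (lo[n] <= hi[i] && lo[i] <= hi[n]) {
                    print "OVERLAP: " dom[i] " " lo[i] "-" hi[i] " overlaps " dom[n] " " lo[n] "-" hi[n]
                    found = 1
                }
        }
        END { exit found + 0 }'
}

# Stand-alone run: the posted config fails the check, the fixed one passes.
echo "== posted smb.conf =="
idmap_overlaps "$SMB_CONF_POSTED" || echo "-> fix the ranges before trusting the id mappings"
echo "== corrected smb.conf =="
idmap_overlaps "$SMB_CONF_FIXED" && echo "-> no duplicate or overlapping ranges"
```

After editing the real smb.conf, `testparm -s` parses it and reports syntax problems, and `wbinfo -i <user>` shows whether winbind now maps a domain user to the expected uid and gid.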