[Samba] samba share management / connection problem
basti
mailinglist at unix-solution.de
Wed Feb 22 14:22:44 UTC 2017
Hello,
I have set up an AD DC and a file server.
On the file server I can see domain users with wbinfo and getent passwd.
When I try to manage a share on the fileserver
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs)
I get an error "Computer cannot be managed. Verify that the network path
is correct ...." and after that "you do not have permission to see the
list of shares for windows clients samba"
When I try to connect to the AD member with smbclient I get:
root at fileserver:/var/log/samba# smbclient -k -L fileserver.ad.example.com -d 3 -U admin
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=192.168.122.7 bcast=192.168.122.255 netmask=255.255.255.0
Client started (version 4.2.14-Debian).
Connecting to 192.168.122.7 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/fileserver.ad.example.com at ad.example.com
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
root at fileserver:/var/log/samba#
root at fileserver:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at ad.example.com
Valid starting       Expires              Service principal
22.02.2017 14:54:15  23.02.2017 00:54:15  krbtgt/ad.example.com at ad.example.com
        renew until 23.02.2017 14:54:12
22.02.2017 15:05:00  23.02.2017 00:54:15  cifs/kes-fileserver.ad.example.com at ad.example.com
root at fileserver:/var/log/samba# getent passwd someuser
someuser:*:7072:30000:someuser:/home/users/someuser:/bin/bash

[global]
security = ADS
workgroup = AD
realm = AD.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 3
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000-1005
# idmap config for the AD domain
# alf has uid 1006
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 1006-999999
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/users/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

[Demo]
path = /home/demo/
read only = no
valid users = +AD\"Domain Users"
guest ok = yes