[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.

Stephen stephen at ogdenradar.com
Fri Mar 29 16:14:20 UTC 2019 

Hi there, I wonder if anyone can help me?

I recently created an active directory setup with a primary domain 
controller ad1 and secondary domain controller ad2 for a domain SAMDOM. 
In-line with what I understand to be Samba best practices I then setup a 
separate file-server fs1 on which I created a file share, 
/fsrv/shares/OgdenFiles/. This has all been done using Samba version 
4.5.16-Debian, on Raspbian.

The domain and fileshare do appear to work, and I have confirmed that I 
can logon as SAMDOM/Administrator and apparently read and write to the 
share without issue in Windows 10 without issue. Creation of new text 
files on the share works as normal.

The problem I am having is that although I am able to log onto the 
domain as SAMDOM/stephene I am not able to use this regular 
*unprivileged* account to access the OgdenFiles share in Windows. I keep 
on getting "Access Denied" messages in Windows, and a large grey box 
appears asking me to re-enter my username and password to access the 
share FS1.

Below is my smb.conf for my fileserver FS1:

pi at fs1:~ $ cat /etc/samba/smb.conf
[global]
         workgroup = samdom
         realm = samdom.example.com
         netbios name = fs1
         security = ADS
         dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
idmap config * : backend = tdb
idmap config *:range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nss info = rfc2307
    winbind enum users = yes
    winbind enum groups = yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

[OgdenFiles]
        path = /fsrv/shares/OgdenFiles

        read only = no


When I enter wbinfo on the fileserver I can see the user account 
stephene that I wish to use to access the share, but it doesn't seem to 
work in Windows.

pi at fs1:~ $ wbinfo -u
stephenellwood
administrator
krbtgt
guest

Can anyone possibly suggest what I am doing wrong here - possibly a 
permissions issue? This is a little frustrating as I seem very close to 
getting everything I need working here!

Thanks
Stephen Ellwood

More information about the samba mailing list