[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Rowland Penny
rpenny at samba.org
Fri Mar 29 16:33:54 UTC 2019
On Fri, 29 Mar 2019 16:14:20 +0000
Stephen via samba <samba at lists.samba.org> wrote:
> Hi there, I wonder if anyone can help me?
>
> I recently created an active directory setup with a primary domain
> controller ad1 and secondary domain controller ad2 for a domain
> SAMDOM.
Nope, you have two AD DCs, one called 'ad1' and one called 'ad2'.
Apart from the FSMO roles, all DCs are equal.
> In-line with what I understand to be Samba best practices I
> then setup a separate file-server fs1 on which I created a file
> share, /fsrv/shares/OgdenFiles/. This has all been done using Samba
> version 4.5.16-Debian, on Raspbian.
Roll on 'Buster' ;-) 4.5.x is well EOL.
>
> The domain and fileshare do appear to work, and I have confirmed that
> I can log on as SAMDOM/Administrator and apparently read and write to
> the share in Windows 10 without issue. Creation of new
> text files on the share works as normal.
>
> The problem I am having is that although I am able to log onto the
> domain as SAMDOM/stephene I am not able to use this regular
> *unprivileged* account to access the OgdenFiles share in Windows. I
> keep on getting "Access Denied" messages in Windows, and a large grey
> box appears asking me to re-enter my username and password to access
> the share FS1.
>
> Below is my smb.conf for my fileserver FS1:
>
> pi at fs1:~ $ cat /etc/samba/smb.conf
> [global]
> workgroup = samdom
> realm = samdom.example.com
> netbios name = fs1
> security = ADS
> dns forwarder = XXX XXX XXX (obliterated here for privacy
> reasons!)
You might as well 'obliterate' totally, it is only used on a DC.
> idmap config * : backend = tdb
> idmap config *:range = 3000-7999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [OgdenFiles]
> path = /fsrv/shares/OgdenFiles
> read only = no
>
>
> When I enter wbinfo on the fileserver I can see the user account
> stephene that I wish to use to access the share, but it doesn't seem
> to work in Windows.
>
> pi at fs1:~ $ wbinfo -u
> stephenellwood
> administrator
> krbtgt
> guest
So, stephenellwood is an AD user, but is it also a Unix user?
Have you added RFC2307 attributes to AD ?
Have you installed these packages: libpam-winbind libnss-winbind
libpam-krb5
Have you added 'winbind' to the 'passwd' & 'group' lines
in /etc/nsswitch.conf ?
Rowland
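The questions above all come down to one condition: an AD user can only open a share on a Samba domain member if winbind can hand the kernel a Unix uid for that account, which needs 'winbind' on the passwd and group lines of /etc/nsswitch.conf and, with 'idmap config SAMDOM:backend = ad', a uidNumber on the AD user object inside the configured range (10000-999999 in the smb.conf quoted above). The script below is an added example, not code from this thread or from the Samba project; it reproduces those checks as shell functions that take file arguments, so it runs offline against constructed nsswitch.conf and passwd-format data (the sample files, uid 10001 and the gecos/home values are made up). On a real member server you would pass /etc/nsswitch.conf and a dump from 'getent passwd' instead.

```bash
#!/bin/sh
# Added example (not from the thread or the Samba project): checks whether an
# AD user is usable as a Unix identity on a Samba domain member server.
# Two things must hold for a share to open as a non-Administrator user:
#   1. /etc/nsswitch.conf lists 'winbind' for both passwd and group
#   2. the user resolves to a uid, and that uid sits in the idmap range for
#      the domain (with 'idmap config DOMAIN:backend = ad' this means the AD
#      object carries an RFC2307 uidNumber; without one the user never maps)
# Functions take file arguments so they can be exercised on constructed data.

# nss_has_winbind NSSWITCH_FILE DB  ->  0 if the DB line lists winbind
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# user_uid PASSWD_FILE USER  ->  prints the uid from a passwd-format dump
# (what 'getent passwd' shows once NSS can see AD users); returns 1 if absent
user_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# uid_in_range UID LOW HIGH  ->  0 if LOW <= UID <= HIGH
uid_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# diagnose NSSWITCH_FILE PASSWD_FILE USER LOW HIGH
# Prints one verdict line; returns 0 only when the user is usable.
diagnose() {
    nss=$1; pw=$2; user=$3; low=$4; high=$5
    for db in passwd group; do
        if ! nss_has_winbind "$nss" "$db"; then
            echo "FAIL: '$db' line in $nss does not list winbind"
            return 1
        fi
    done
    if ! uid=$(user_uid "$pw" "$user"); then
        echo "FAIL: $user does not resolve as a Unix user (no uidNumber in AD, or winbind not running)"
        return 1
    fi
    if ! uid_in_range "$uid" "$low" "$high"; then
        echo "FAIL: $user has uid $uid outside idmap range $low-$high"
        return 1
    fi
    echo "OK: $user -> uid $uid"
}

# --- constructed sample data; not real output from the poster's fs1 ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# nsswitch.conf as shipped on Debian/Raspbian, before winbind is added
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF
# nsswitch.conf after adding winbind to passwd and group
cat > "$tmp/nsswitch.good" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF
# 'getent passwd' after winbind resolves an AD user carrying uidNumber 10001
# (home dir follows the 'template homedir = /home/%D/%U' setting)
cat > "$tmp/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
stephenellwood:*:10001:10000:Stephen Ellwood:/home/SAMDOM/stephenellwood:/bin/bash
EOF

# Same user, same idmap range, before and after fixing nsswitch.conf
diagnose "$tmp/nsswitch.bad"  "$tmp/passwd.good" stephenellwood 10000 999999 || true
diagnose "$tmp/nsswitch.good" "$tmp/passwd.good" stephenellwood 10000 999999 || true
```

The first call fails on the nsswitch check and the second prints "OK: stephenellwood -> uid 10001". The uid-range check is the one that catches a missing RFC2307 uidNumber: on a live server the user simply does not appear in 'getent passwd' in that case, even though 'wbinfo -u' still lists them, because wbinfo talks to winbind directly while the file server needs the NSS lookup to succeed.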