[Samba] Users can't mount shares on a domain member file server
MAS Jean-Louis
jean-louis.mas at imag.fr
Fri Dec 18 14:15:51 UTC 2020
On 16/12/2020 at 18:25, Rowland penny via samba wrote:
> I think I might know what is the problem, but first, you do not need these:
>
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
Those objectclasses provide a lot of attributes we currently use, mostly
for our Linux users.
If I delete them, I guess our users will not be able to connect to Linux
servers, which are not part of our Samba domain but use our AD for
authentication (with nslcd mappings).
> You have changed the primaryGroupID, why ?
Old accounts, such as mine, have been created like that; most of them have
been changed to 'Domain Users' some time ago. Now my primaryGroupID is correct:
# ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com
sAMAccountName=jlmas | grep primaryGroupID
primaryGroupID: 513
I checked our AD, and all our users have the right primaryGroupID.
> Windows expects that every users primary group is Domain Users and now
> it is whatever '2906' is, this is what I think your problem is. Samba
> also requires Domain Users, though to be honest I am unsure whether it
> requires the name or the numeric ID, but it looks like which ever it is
> that winbind does not like this.
I have flushed the winbind cache.
Now uid and gid are OK, but unixHomeDirectory and loginShell are not:
$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false
I followed all the tips in the troubleshooting page:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
The only wrong point came from 'net ads testjoin':
# net ads testjoin
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
An invalid parameter was passed to a service or function.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
An invalid parameter was passed to a service or function.
Join to domain is not valid: An invalid parameter was passed to a
service or function.
Running the same command with full debug (-d 10), we got this just before the
above logs:
gensec_update_done: gse_krb5[0x5642b959ab30]:
NT_STATUS_INVALID_PARAMETER
tevent_req[0x5642b95a6f70/../../source3/librpc/crypto/gse.c:843]:
state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct
gensec_gse_update_state (0x5642b95a7120)] timer[(nil)]
finish[../../source3/librpc/crypto/gse.c:856]
gensec_spnego_create_negTokenInit_step: gse_krb5: creating
NEG_TOKEN_INIT for ldap/our-ad.example.com failed (next[(null)]):
NT_STATUS_INVALID_PARAMETER
gensec_update_done: spnego[0x5642b95a2780]: NT_STATUS_INVALID_PARAMETER
tevent_req[0x5642b95a73d0/../../auth/gensec/spnego.c:1631]: state[3]
error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct
gensec_spnego_update_state (0x5642b95a7580)] timer[(nil)]
finish[../../auth/gensec/spnego.c:2038]
Regards
--
Jean Louis Mas
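The symptom in this post is that winbind resolves the uid and gid from AD but hands NSS the template home directory and /bin/false instead of the user's unixHomeDirectory and loginShell. The script below is an added diagnostic, not code from the post or from the Samba project: it takes the LDIF that ldbsearch/ldapsearch returns for a user and the line that `getent passwd` returns, and reports exactly which POSIX fields disagree. The LDIF and passwd line embedded here are constructed sample data; the AD values for unixHomeDirectory and loginShell are assumptions, since the post does not show them.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing-list post): compare the RFC2307
# attributes stored in AD for a user with what winbind hands to NSS.

# Print the value of one attribute from LDIF text on stdin (first match).
ldif_attr() {
    awk -v a="$1" 'index($0, a ":") == 1 { sub("^" a ":[ ]*", ""); print; exit }'
}

# Compare the AD view ($1 = LDIF text) with the NSS view ($2 = passwd(5) line).
# Exit status: 0 = agree, 1 = home/shell differ (the template homedir /
# template shell fallback seen in the post), 2 = uid/gid differ.
compare_nss_with_ad() {
    ad_uid=$(printf '%s\n' "$1" | ldif_attr uidNumber)
    ad_gid=$(printf '%s\n' "$1" | ldif_attr gidNumber)
    ad_home=$(printf '%s\n' "$1" | ldif_attr unixHomeDirectory)
    ad_shell=$(printf '%s\n' "$1" | ldif_attr loginShell)

    nss_uid=$(printf '%s\n' "$2" | cut -d: -f3)
    nss_gid=$(printf '%s\n' "$2" | cut -d: -f4)
    nss_home=$(printf '%s\n' "$2" | cut -d: -f6)
    nss_shell=$(printf '%s\n' "$2" | cut -d: -f7)

    rc=0
    if [ "$ad_uid" != "$nss_uid" ] || [ "$ad_gid" != "$nss_gid" ]; then
        echo "uid/gid mismatch: AD $ad_uid:$ad_gid vs NSS $nss_uid:$nss_gid"
        rc=2
    fi
    if [ "$ad_home" != "$nss_home" ] || [ "$ad_shell" != "$nss_shell" ]; then
        echo "home/shell mismatch: AD $ad_home $ad_shell vs NSS $nss_home $nss_shell"
        echo "winbind is not using unixHomeDirectory/loginShell from AD"
        [ "$rc" -eq 0 ] && rc=1
    fi
    [ "$rc" -eq 0 ] && echo "AD and NSS agree"
    return "$rc"
}

# Constructed sample data: uid/gid match the post, the AD home directory and
# shell are assumed values, and the passwd line is the one the post shows.
SAMPLE_LDIF='dn: CN=jlmas,CN=Users,DC=example,DC=com
sAMAccountName: jlmas
primaryGroupID: 513
uidNumber: 20025
gidNumber: 20000
unixHomeDirectory: /home/jlmas
loginShell: /bin/bash'
SAMPLE_PASSWD='jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false'

# Run against the sample; with this data the home/shell check fails (status 1).
compare_nss_with_ad "$SAMPLE_LDIF" "$SAMPLE_PASSWD" || echo "exit status $?"
```

In real use, replace the two sample variables with the output of `ldbsearch`/`ldapsearch` for the user and of `getent passwd <user>` on the member server; a status of 1 with matching uid/gid points at the winbind NSS configuration on the member rather than at the directory data.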