[Samba] Users can't mount shares on a domain member file server
Rowland penny
rpenny at samba.org
Fri Dec 18 14:49:59 UTC 2020
On 18/12/2020 14:15, MAS Jean-Louis via samba wrote:
> Le 16/12/2020 à 18:25, Rowland penny via samba a écrit :
>
>> I think I might know what is the problem, but first, you do not need
>> these:
>>
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>
> Those objectclasses provide a lot of attributes we currently use,
> mostly for our Linux users.
> If I delete them, I guess our users will not be able to connect to
> Linux servers, which are not part of our Samba domain but use our AD
> for authentication (with nslcd mappings)
Well, you would guess wrong 😁
posixAccount and shadowAccount are auxiliaryClasses of the 'user'
objectclass and inetOrgPerson is a subclass of 'user', so you don't
need them to get the attributes.
>
>> You have changed the primaryGroupID, why ?
>
> Old accounts, such as mine, were created like that; most of them were
> changed to 'Domain Users' some time ago. Now my primaryGroupID is
> correct
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com
> sAMAccountName=jlmas | grep primaryGroupID
>
> primaryGroupID: 513
>
> I checked our AD, and all our users have the right primaryGroupID
>
>> Windows expects that every user's primary group is Domain Users and
>> now it is whatever '2906' is, this is what I think your problem is.
>> Samba also requires Domain Users, though to be honest I am unsure
>> whether it requires the name or the numeric ID, but it looks like
>> whichever it is that winbind does not like this.
>
> I have flushed the winbind cache
>
> Now uid and gid are OK, but unixHomeDirectory and loginShell are not
>
> $ getent passwd jlmas
> jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false
You have a line missing from your smb.conf:
idmap config EXAMPLE : unix_nss_info = yes
> The only wrong point came from 'net ads testjoin'
>
> # net ads testjoin
>
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
> An invalid parameter was passed to a service or function.
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
> An invalid parameter was passed to a service or function.
> Join to domain is not valid: An invalid parameter was passed to a
> service or function.
Did you run the command as root? If not, try again using root or sudo.
Rowland
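As an added example (not part of the thread), a small POSIX shell check for the missing smb.conf line discussed above: it reads an idmap parameter out of an smb.conf text and reports whether the domain's idmap block uses backend = ad with unix_nss_info = yes, which is what winbind needs to return unixHomeDirectory and loginShell instead of the /home/EXAMPLE/<user> and /bin/false defaults. The smb.conf fragments are constructed for the example.

```shell
# Added example, not from the thread: does this smb.conf let winbind take
# unixHomeDirectory/loginShell from AD for the EXAMPLE domain?
# Constructed fragment: backend = ad, but no unix_nss_info line.
CONF_BEFORE='[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
'
# Same fragment with the line Rowland suggests added.
CONF_AFTER="${CONF_BEFORE}   idmap config EXAMPLE : unix_nss_info = yes
"
# idmap_param CONFIG DOMAIN PARAM: print the value of
# "idmap config DOMAIN : PARAM" (case-insensitive, whitespace-tolerant),
# or nothing if it is not set. DOMAIN is compared literally, so '*' works.
idmap_param() {
    printf '%s\n' "$1" | awk -v dom="$2" -v par="$3" '
        BEGIN { want = "idmap config " tolower(dom) " : " tolower(par) }
        /=/ {
            key = $0; sub(/=.*/, "", key)            # text left of "="
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)  # text right of "="
            gsub(/[ \t]+/, " ", key); sub(/^ /, "", key); sub(/ $/, "", key)
            if (tolower(key) == want) { sub(/[ \t]+$/, "", val); print val }
        }'
}
# check_unix_nss_info CONFIG DOMAIN: return 0 if home/shell will come from
# AD (backend = ad and unix_nss_info = yes), 1 otherwise, with a reason.
check_unix_nss_info() {
    backend=$(idmap_param "$1" "$2" backend)
    nss=$(idmap_param "$1" "$2" unix_nss_info)
    if [ "$backend" != "ad" ]; then
        echo "idmap config $2 : backend is '${backend:-unset}', not ad"
        return 1
    fi
    case "$nss" in
        [Yy]es|[Tt]rue|1) echo "unix_nss_info enabled for $2"; return 0 ;;
        *) echo "missing: idmap config $2 : unix_nss_info = yes"; return 1 ;;
    esac
}
# Demo: the first configuration reports the missing line, the second passes.
check_unix_nss_info "$CONF_BEFORE" EXAMPLE || true
check_unix_nss_info "$CONF_AFTER" EXAMPLE
```

Run it against `testparm -s` output with the real domain name to check a live file server; remember that after adding the line winbind needs a restart and its cache flushed before getent reflects the change.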