[Samba] Cannot access shared home directories from linux machine

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 10 12:56:43 MDT 2014


On 10/07/14 19:50, isofx wrote:
> Am 10.07.2014 20:24, schrieb Rowland Penny:
>> On 10/07/14 19:18, isofx wrote:
>>> Am 10.07.2014 18:14, schrieb Rowland Penny:
>>>> On 10/07/14 17:01, isofx wrote:
>>>>>
>>>>>> Hi, you seem to be using the 'rid' backend on the machine you are 
>>>>>> trying to connect from:
>>>>>>
>>>>>> idmap config * : backend = rid
>>>>>> idmap config * : range = 10000 - 49999
>>>>>> idmap uid = 50000 - 100000
>>>>>> idmap gid = 50000 - 100000
>>>>>>
>>>>>> Doing this will ensure that you will definitely get a different 
>>>>>> id number for the user on the client against the one that they 
>>>>>> will have on the Samba4 server (incidentally, you are running an 
>>>>>> AD DC not a NT style PDC). I would suggest that you give your 
>>>>>> users & groups uid & gidNumbers and set the client to use these.
>>>>>>
>>>>>> Once this is setup, you should be able to connect via smbclient 
>>>>>> etc to the server, once this is working, you can move onto the 
>>>>>> cifs setup.
>>>>>>
>>>>>> Just what OS is the client running? idmap uid & gid were 
>>>>>> replaced some time ago.
>>>>>>
>>>>>> Rowland
>>>>>
>>>>> Thanks for the hint - this is my first samba setup and I got the 
>>>>> idmap configuration from a guide I found online and used it 
>>>>> without looking into the rid backend.
>>>>>
>>>>> I would configure the UID & GIDs via RSAT-Tools - but how can I 
>>>>> configure the client (terminal server) to use them?
>>>>>
>>>>> Both the server and the client are running Debian Wheezy.
>>>>>
>>>>> Kind regards,
>>>>> Rainhard
>>>>
>>>> Just what do you mean by terminal server? If you mean a std linux 
>>>> client then have a look here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>
>>>> But if you mean a 'thin-client' or ltsp client, then sorry but I 
>>>> haven't a clue.
>>>>
>>>> Rowland
>>>>
>>>
>>> It's just a debian machine that will be used as terminal server 
>>> (i.e. thin-clients and other windows/linux clients connect via a 
>>> remote desktop connection).
>>>
>>> I read through the link you provided and configured the following:
>>>
>>> [global]
>>> netbios name = TS01
>>> server string = TS01
>>>
>>> workgroup = DOMAIN
>>> realm = KARMEL.INTERN
>>>
>>> security = ADS
>>> local master = no
>>> preferred master = no
>>> dns proxy = no
>>>
>>> encrypt passwords = true
>>> kerberos method = secrets and keytab
>>>
>>> winbind use default domain = yes
>>> winbind trusted domains only = no
>>> winbind enum groups = yes
>>> winbind enum users = yes
>>> winbind nss info = rfc2307
>>>
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> idmap config DOMAIN:range = 10000 - 15000
>>>
>>> Via RSAT Tools, I added the group "demo group" with GID 14000 and a 
>>> member of the group "demo" with UID 12000.
>>>
>>> However, it seems I'm missing some configuration:
>>>
>>> root@ts01:/var/lib/samba# wbinfo -u
>>> administrator
>>> demo
>>> test
>>> krbtgt
>>> guest
>>> root@ts01:/var/lib/samba# wbinfo -g
>>> allowed rodc password replication group
>>> enterprise read-only domain controllers
>>> denied rodc password replication group
>>> read-only domain controllers
>>> group policy creator owners
>>> ras and ias servers
>>> domain controllers
>>> enterprise admins
>>> domain computers
>>> cert publishers
>>> dnsupdateproxy
>>> domain admins
>>> domain guests
>>> schema admins
>>> domain users
>>> demo group
>>> dnsadmins
>>> root@ts01:/var/lib/samba# wbinfo -i demo
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user demo
>>>
>>> I ran "net cache flush" to get rid of the mappings from the previous 
>>> rid configuration. As you can see, the "demo group" and "demo" are 
>>> available through wbinfo -u and -g, however it fails to get any 
>>> detail information with wbinfo -i .
>>>
>>> Any ideas what I may be missing? I did not change anything in the 
>>> DCs configuration.
>>>
>>> Kind regards,
>>> Rainhard
>>>
>>>
>>>
>> Have you joined the machine to the domain? What is in 
>> /etc/nsswitch.conf?
>>
>> Rowland
>>
>
>
> Yes, I joined the domain using "samba-tool domain join domain.intern 
> member". Here's my /etc/nsswitch.conf:
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns mdns4_minimal [NOTFOUND=return] mdns4
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
OK, try this smb.conf:

[global]
netbios name = TS01
workgroup = DOMAIN
security = ADS
realm = KARMEL.INTERN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = TS01
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = yes
winbind normalize names = yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-15000
idmap config DOMAIN : schema_mode = rfc2307
domain master = no
local master = no
preferred master = no
dns proxy = no

It is based on one I know to work. Stop samba, change smb.conf, rejoin 
the domain, restart samba and try again. This all depends on you having 
at least one AD user having a uidNumber and Domain Users having a gidNumber.

Rowland
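
Added example, not part of the original message: a small Python check over the idmap lines of an smb.conf like the one suggested above. It assumes three things are worth verifying: a default `*` domain is configured, no two ranges overlap, and the uidNumber/gidNumber values assigned via RSAT (12000 and 14000 in this thread) fall inside the DOMAIN range. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines from the suggested smb.conf above.
SAMPLE_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-15000
idmap config DOMAIN : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain.upper(), {})[option.lower()] = value
    return domains

def check_idmap(conf_text, ids=None):
    """Return a list of problems; 'ids' maps a label to (domain, id number)."""
    domains = parse_idmap(conf_text)
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    ranges = {}
    for name, opts in domains.items():
        if "range" not in opts:
            problems.append(f"{name}: no range set")
        else:
            low, high = opts["range"].split("-")  # accepts "10000 - 15000" too
            ranges[name] = (int(low), int(high))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    for label, (domain, number) in (ids or {}).items():
        # An unconfigured domain gets an empty range, so the id is reported.
        low, high = ranges.get(domain.upper(), (1, 0))
        if not low <= number <= high:
            problems.append(f"{label}: {number} outside {domain} range")
    return problems
```

Calling `check_idmap(open("/etc/samba/smb.conf").read(), {"demo uidNumber": ("DOMAIN", 12000)})` on the member server returns an empty list when all three checks pass.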


