[Samba] Cannot access shared home directories from linux machine

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 10 15:03:21 MDT 2014


On 10/07/14 21:07, isofx wrote:
> Am 10.07.2014 20:56, schrieb Rowland Penny:
>> On 10/07/14 19:50, isofx wrote:
>>> Am 10.07.2014 20:24, schrieb Rowland Penny:
>>>> On 10/07/14 19:18, isofx wrote:
>>>>> Am 10.07.2014 18:14, schrieb Rowland Penny:
>>>>>> On 10/07/14 17:01, isofx wrote:
>>>>>>>
>>>>>>>> Hi, you seem to be using the 'rid' backend on the machine you 
>>>>>>>> are trying to connect from:
>>>>>>>>
>>>>>>>> idmap config * : backend = rid
>>>>>>>> idmap config * : range = 10000 - 49999
>>>>>>>> idmap uid = 50000 - 100000
>>>>>>>> idmap gid = 50000 - 100000
>>>>>>>>
>>>>>>>> Doing this will ensure that you will definitely get a different 
>>>>>>>> id number for the user on the client against the one that they 
>>>>>>>> will have on the Samba4 server (incidentally, you are running 
>>>>>>>> an AD DC not a NT style PDC). I would suggest that you give 
>>>>>>>> your users & groups uid & gidNumbers and set the client to use 
>>>>>>>> these.
>>>>>>>>
>>>>>>>> Once this is setup, you should be able to connect via smbclient 
>>>>>>>> etc to the server, once this is working, you can move onto the 
>>>>>>>> cifs setup.
>>>>>>>>
>>>>>>>> Just what OS is the client running? idmap uid & gid were 
>>>>>>>> replaced some time ago.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>> Thanks for the hint - this is my first samba setup and I got the 
>>>>>>> idmap configuration from a guide I found online and used it 
>>>>>>> without looking into the rid backend.
>>>>>>>
>>>>>>> I would configure the UID & GIDs via RSAT-Tools - but how can I 
>>>>>>> configure the client (terminal server) to use them?
>>>>>>>
>>>>>>> Both the server and the client are running Debian Wheezy.
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Rainhard
>>>>>>
>>>>>> Just what do you mean by terminal server? If you mean a std linux 
>>>>>> client then have a look here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>>
>>>>>> But if you mean a 'thin-client' or ltsp client, then sorry but I 
>>>>>> haven't a clue.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>>> It's just a debian machine that will be used as terminal server 
>>>>> (i.e. thin-clients and other windows/linux clients connect via a 
>>>>> remote desktop connection).
>>>>>
>>>>> I read through the link you provided and configured the following:
>>>>>
>>>>> [global]
>>>>> netbios name = TS01
>>>>> server string = TS01
>>>>>
>>>>> workgroup = DOMAIN
>>>>> realm = KARMEL.INTERN
>>>>>
>>>>> security = ADS
>>>>> local master = no
>>>>> preferred master = no
>>>>> dns proxy = no
>>>>>
>>>>> encrypt passwords = true
>>>>> kerberos method = secrets and keytab
>>>>>
>>>>> winbind use default domain = yes
>>>>> winbind trusted domains only = no
>>>>> winbind enum groups = yes
>>>>> winbind enum users = yes
>>>>> winbind nss info = rfc2307
>>>>>
>>>>> idmap config DOMAIN:backend = ad
>>>>> idmap config DOMAIN:schema_mode = rfc2307
>>>>> idmap config DOMAIN:range = 10000 - 15000
>>>>>
>>>>> Via RSAT Tools, I added the group "demo group" with GID 14000 and 
>>>>> a member of the group "demo" with UID 12000.
>>>>>
>>>>> However, it seems I'm missing some configuration:
>>>>>
>>>>> root at ts01:/var/lib/samba# wbinfo -u
>>>>> administrator
>>>>> demo
>>>>> test
>>>>> krbtgt
>>>>> guest
>>>>> root at ts01:/var/lib/samba# wbinfo -g
>>>>> allowed rodc password replication group
>>>>> enterprise read-only domain controllers
>>>>> denied rodc password replication group
>>>>> read-only domain controllers
>>>>> group policy creator owners
>>>>> ras and ias servers
>>>>> domain controllers
>>>>> enterprise admins
>>>>> domain computers
>>>>> cert publishers
>>>>> dnsupdateproxy
>>>>> domain admins
>>>>> domain guests
>>>>> schema admins
>>>>> domain users
>>>>> demo group
>>>>> dnsadmins
>>>>> root at ts01:/var/lib/samba# wbinfo -i demo
>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>> Could not get info for user demo
>>>>>
>>>>> I ran "net cache flush" to get rid of the mappings from the 
>>>>> previous rid configuration. As you can see, the "demo group" and 
>>>>> "demo" are available through wbinfo -u and -g, however it fails to 
>>>>> get any detail information with wbinfo -i .
>>>>>
>>>>> Any ideas what I may be missing? I did not change anything in the 
>>>>> DCs configuration.
>>>>>
>>>>> Kind regards,
>>>>> Rainhard
>>>>>
>>>>>
>>>>>
>>>> Have you joined the machine to the domain? What is in 
>>>> /etc/nsswitch.conf?
>>>>
>>>> Rowland
>>>>
>>>
>>>
>>> Yes, I joined the domain using "samba-tool domain join domain.intern 
>>> member". Here's my /etc/nsswitch.conf:
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat
>>>
>>> hosts:          files dns mdns4_minimal [NOTFOUND=return] mdns4
>>> hosts:          files dns
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>>
>>> netgroup:       nis
>> OK, try this smb.conf:
>>
>> [global]
>> netbios name = TS01
>> workgroup = DOMAIN
>> security = ADS
>> realm = KARMEL.INTERN
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = TS01
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = yes
>> winbind normalize names = yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 10000-15000
>> idmap config DOMAIN : schema_mode = rfc2307
>> domain master = no
>> local master = no
>> preferred master = no
>> dns proxy = no
>>
>> It is based on one I know to work, stop samba, change smb.conf, 
>> rejoin the domain, restart samba and try again. This all depends on 
>> you having at least one AD user having a uidNumber and Domain Users 
>> having a gidNumber.
>>
>> Rowland
>>
>
> So after experimenting a little with different configurations, I ended 
> up with the following smb.conf:
>
> [global]
> netbios name = TS01
> server string = TS01
>
> workgroup = KARMEL
> realm = KARMEL.INTERN
>
> security = ADS
> domain master = no
> local master = no
> preferred master = no
> dns proxy = no
>
> encrypt passwords = true
>
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
> winbind trusted domains only = no
> winbind enum groups = yes
> winbind enum users = yes
> winbind nss info = rfc2307
>
> idmap config * : backend = tdb
> idmap config * : schema_mode = rfc2307
> idmap config * : range = 10000 - 15000
>
> idmap config KARMEL : backend = ad
> idmap config KARMEL : schema_mode = rfc2307
> idmap config KARMEL : range = 15000 - 20000
>
> wbinfo -i is now showing information instead of an error, however it's 
> not the UID/GID I configured via RSAT (14000/12000):
>
> root at ts01:/home/adm3f# wbinfo -i demo
> demo:*:11117:10513:Demo User:/home/KL/demo:/bin/bash
>
> These UID/GIDs are in the range configured for the * : backend = tdb. 
> What I really want, are the UID/GID configured in AD right?
>
> Furthermore, how can I use these UID/GIDs to set permissions on 
> shares? They won't be available on the DC locally, so I have to 
> configure Windows ACLs?
>
> Kind regards,
> Rainhard
Please try the smb.conf I posted earlier, you have a few errors in the 
one that you are trying to use now, one of which is probably giving you 
the problem you are having.

The AD users and groups will be available on the samba 4 AD server, you 
just need to set winbind correctly on the server, but you need to get 
your client working first, one thing at a time.

Rowland
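Added here as an illustration (not code from the thread or from the Samba project): a small Python check over the idmap lines of the last smb.conf quoted above, to show why wbinfo -i returns ids from the "*" tdb range rather than the ones set in AD. It assumes Samba's documented behaviour that idmap ranges are inclusive and that idmap_ad ignores uidNumber/gidNumber values outside its configured range; the sample smb.conf text and the 12000/14000 ids are constructed from the thread.

```python
import re
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: the idmap lines of the last smb.conf posted in the thread,
# plus the uidNumber/gidNumber that were set in AD for 'demo' / 'demo group'.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 10000 - 15000
idmap config KARMEL : backend = ad
idmap config KARMEL : schema_mode = rfc2307
idmap config KARMEL : range = 15000 - 20000
"""
AD_IDS = (12000, 14000)

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Map each 'idmap config <label> : <key> = <value>' line into a per-label dict."""
    idmap: Dict[str, Dict[str, str]] = {}
    for m in filter(None, map(IDMAP_RE.match, conf.splitlines())):
        idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return idmap

def ranges(idmap: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Inclusive (low, high) range per label; Samba accepts 'lo - hi' with spaces."""
    return {lbl: tuple(int(x) for x in re.split(r"\s*-\s*", c["range"].strip()))
            for lbl, c in idmap.items() if "range" in c}

def range_owner(idmap: Dict[str, Dict[str, str]], num: int) -> Optional[str]:
    """Which label's range contains num, i.e. which backend handed out that id."""
    for lbl, (lo, hi) in ranges(idmap).items():
        if lo <= num <= hi:
            return lbl
    return None

def check_idmap(conf: str, ad_ids: Iterable[int]) -> List[str]:
    """Report misconfigurations that make winbind ignore the ids stored in AD."""
    idmap = parse_idmap(conf)
    rng = ranges(idmap)
    problems: List[str] = []
    for a, b in combinations(rng, 2):  # inclusive ranges overlap if each starts before the other ends
        if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]:
            problems.append(f"ranges of '{a}' {rng[a]} and '{b}' {rng[b]} overlap")
    ad_labels = [l for l, c in idmap.items() if c.get("backend", "").lower() == "ad"]
    for lbl in ad_labels:
        for num in ad_ids:
            if range_owner(idmap, num) != lbl:
                problems.append(f"AD id {num} is outside the '{lbl}' range {rng[lbl]}; idmap_ad ignores it")
    return problems
```

With the thread's ranges swapped the way the earlier suggested smb.conf has them (tdb 2000-9999, ad 10000-15000) the check reports nothing, and 12000/14000 fall to the ad backend.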
