[Samba] Permission Denied

mathias dufresne infractory at gmail.com
Tue Dec 8 16:02:13 UTC 2015


On any Linux system where you want to be able to use AD users as system
users you need to configure PAM. This is because it is PAM which talks to
the tool you have chosen to retrieve user information from AD and then
builds system users from that information.

I think you also need to configure PAM for file servers connected to some
domain (AD or NT4) so the underlying system knows which user (system
user, i.e. uid, gid, groups...) accesses some shared file, to grant or
refuse this access.

The short way to put it would be: to configure your system, configure PAM;
without PAM configured only applications are configured: kinit could work,
the net command too, wbinfo also... but not getent, and so all applications
relying on the system side won't work (example from your first post: the "id"
command relies on getent/PAM/nss/don't ask precisely and so won't work).

This can't be completely true as the frontier between system and application is
more than fine (PAM is an app after all and a system could do what you want
it to do without PAM configured -> a Samba DC without PAM configured can be
fully managed, just ACLs would lack beauty I expect).

2015-12-08 16:20 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>:

> You are right! I haven't configured PAM for winbind on the DCs, probably
> because I don't need this.
>
> Any reasons why I should, if I manage my domain from Windows ADUC and
> don't log on to the DCs as Administrator locally?
>
> Ole
>
>
>
> On 08.12.2015 at 14:39, mathias dufresne wrote:
>
>> Ole,
>>
>> Did you configure PAM to use AD as a user source? You need to have
>> Winbind or SSSD or nslcd configured to access your AD + configure PAM +
>> configure nsswitch.conf. Then you will have system users from AD (i.e. "getent
>> passwd my-ad-account" would work).
>>
>> Cheers,
>>
>> mathias
>>
>> 2015-12-07 20:54 GMT+01:00 Rowland penny <rpenny at samba.org>:
>>
>>> On 07/12/15 19:42, Ole Traupe wrote:
>>>
>>>>>> If I do this (rely on the user map file containing "!root =
>>>>>> BPN\Administrator BPN\administrator"), should I expect "id
>>>>>> Administrator" to give anything?
>>>>>>
>>>>>> Ole
>>>>>>
>>>>> Only a Samba AD DC, you will not get anything from 'getent
>>>>> Administrator' on a Unix domain member, but remember, with the user map
>>>>> 'Administrator' becomes 'root' :-)
>>>>>
>>>> Yes, and I can manage share permissions via ADUC due to the user
>>>> mapping.
>>>>
>>>> But on the DCs I still get "No such user" (although I don't have any
>>>> apparent problem).
>>>>
>>>> Ole
>>>>
>>> Have you changed anything on the DCs ? Are the winbind nss links in
>>> place ? (not sure if this makes any difference, but I always create them)
>>>
>>> if I run 'id Administrator', I get:
>>>
>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group
>>> Policy Creator Owners),3000006(SAMDOM\Enterprise
>>> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)
>>>
>>> 'getent password Administrator' returns:
>>>
>>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
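The chain described in the replies above (an NSS source such as winbind, PAM, nsswitch.conf, and then getent/id resolving a domain account) can be sanity-checked from a shell. The script below is an added example, not code from the thread; its nsswitch.conf texts and getent line are constructed samples, and the libnss_winbind check assumes a glibc system where ldconfig lists the NSS module.

```shell
#!/bin/sh
# Added example (not from the thread): check the pieces that make AD accounts
# visible as system users: an NSS source in nsswitch.conf, the winbind NSS
# library links, and finally getent/id for one account.

# Succeed only if SOURCE (e.g. winbind, sss) is listed for both the passwd
# and group databases in the nsswitch.conf text passed as $1.
nss_has_source() {
    conf="$1"; src="$2"
    for db in passwd group; do
        printf '%s\n' "$conf" | grep -E "^[[:space:]]*${db}:" | grep -qw "$src" || return 1
    done
    return 0
}

# Print the numeric uid from a passwd(5)-format line such as getent prints.
passwd_uid() { printf '%s\n' "$1" | cut -d: -f3; }

# Assumption: glibc system; ldconfig's cache lists the winbind NSS module when
# the libnss_winbind links mentioned in the thread are in place.
nss_winbind_linked() { ldconfig -p 2>/dev/null | grep -q 'libnss_winbind'; }

# Live diagnosis for one account: report which step of the chain fails here.
diagnose_user() {
    user="$1"
    if ! line=$(getent passwd "$user"); then
        echo "getent: $user unknown (NSS/PAM not configured for the domain?)"; return 1
    fi
    echo "getent: $line (uid $(passwd_uid "$line"))"
    id "$user" 2>/dev/null || { echo "id: no such user"; return 1; }
}

# Constructed samples: nsswitch.conf without and with winbind, and the getent
# line quoted in the thread (Administrator mapped to uid 0 via the user map).
SAMPLE_NSS_BAD="passwd: files
group: files"
SAMPLE_NSS_GOOD="passwd: files winbind
group: files winbind"
SAMPLE_GETENT='SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash'

if [ -n "$1" ]; then      # usage: ./check.sh 'SAMDOM\Administrator'
    [ -r /etc/nsswitch.conf ] && nss_has_source "$(cat /etc/nsswitch.conf)" winbind \
        && echo "nsswitch.conf: winbind listed for passwd and group" \
        || echo "nsswitch.conf: winbind missing from passwd/group"
    nss_winbind_linked && echo "libnss_winbind: found" || echo "libnss_winbind: not in ldconfig cache"
    diagnose_user "$1"
fi
```

Run it with the domain account as the only argument; with no argument it only defines the functions and samples, so it can be sourced for the checks alone.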