[Samba] Domain users can't browse or access shares
Rowland Penny
rowlandpenny at googlemail.com
Mon Feb 9 12:52:43 MST 2015
On 09/02/15 19:18, sk at green.no wrote:
> -----samba-bounces at lists.samba.org wrote: -----
>
>> To: samba at lists.samba.org
>> From: Rowland Penny
>> Sent by: samba-bounces at lists.samba.org
>> Date: 02/09/2015 05:12PM
>> Subject: Re: [Samba] Domain users can't browse or access shares
>>
>> OK, as I thought, your smb.conf is set up to use the winbind 'ad' backend
>> and I am willing to lay another bet with you, you based some of the
>> changes on the samba wiki, if so, did you read what is written under the
>> sample smb.conf?
>>
>> Thought not, you need to have the users' unix attributes in AD before the
>> 'ad' backend will work and as you are using a windows server, it will
>> also need to have 'IDMU' installed.
>>
>> If you will only have windows users connecting to your member server,
>> then change
>>
>> idmap config GREENREEFERS:backend = ad
>> idmap config GREENREEFERS:schema_mode = rfc2307
>> idmap config GREENREEFERS:range=10000-99999
>>
>> To
>>
>> idmap config GREENREEFERS:backend = rid
>> idmap config GREENREEFERS:range=10000-99999
> I did the change, restarted samba and it didn't do any changes.
OK, make the [global] part of your smb.conf look like this:

[global]
    netbios name = bgo-nfs01
    workgroup = GREENREEFERS
    security = ADS
    realm = GREENREEFERS.NO
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = %h server
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind trusted domains only = no
    winbind nested groups = yes
    winbind refresh tickets = Yes
    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config GREENREEFERS:backend = rid
    idmap config GREENREEFERS:range=10000-99999
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    preferred master = no
    local master = no
    template homedir = /dev/null
    template shell = /bin/true
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    interfaces = eth1 lo
    bind interfaces only = yes
    log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
    panic action = /usr/share/samba/panic-action %d
    valid users = @"GREENREEFERS\grr"
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Check that /etc/krb5.conf exists and looks like this:

[libdefaults]
    default_realm = GREENREEFERS.NO
    dns_lookup_realm = false
    dns_lookup_kdc = true

Check that /etc/resolv.conf points to your AD DC (first on list)

Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'

Rowland
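
The three checks at the end of the message above, written as a script. This is an added example, not part of the original post; the function names are hypothetical, and the DC address in the usage comment is a placeholder to replace with your own.

```shell
#!/bin/sh
# Added example: the krb5.conf, resolv.conf and nsswitch.conf checks for a
# Samba domain member. File paths are parameters so copies can be tested.
# Usage (DC address is a placeholder, not a value from the thread):
#   check_member /etc/krb5.conf GREENREEFERS.NO /etc/resolv.conf <DC-IP> /etc/nsswitch.conf

# check_krb5 FILE REALM: the file is readable and default_realm equals REALM.
check_krb5() {
    [ -r "$1" ] || { echo "missing: $1"; return 1; }
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ "$realm" = "$2" ] || { echo "default_realm is '$realm', expected '$2'"; return 1; }
}

# check_resolv FILE DC_IP: the first nameserver entry is the AD DC.
check_resolv() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ] || { echo "first nameserver is '$first', expected '$2'"; return 1; }
}

# check_nsswitch FILE: both the passwd and the group line list winbind.
# Commented-out lines do not count, because their first field is not "passwd:".
check_nsswitch() {
    for db in passwd group; do
        awk -v db="$db:" '
            $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit !found }' "$1" || { echo "$db line lacks winbind"; return 1; }
    done
}

# check_member KRB5 REALM RESOLV DC_IP NSSWITCH: run every check and report
# each failure instead of stopping at the first one.
check_member() {
    rc=0
    check_krb5 "$1" "$2" || rc=1
    check_resolv "$3" "$4" || rc=1
    check_nsswitch "$5" || rc=1
    return $rc
}
```

A non-zero return from check_member means at least one check printed a failure line. The script only reads the files and does not replace testing name resolution with the running winbindd.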