[Samba] Domain users can't browse or access shares
Rowland Penny
rowlandpenny at googlemail.com
Thu Feb 12 03:10:21 MST 2015
On 12/02/15 09:51, sk at green.no wrote:
> samba-bounces at lists.samba.org wrote on 09.02.2015 20:52:43:
>
>> OK, make the [global] part of your smb.conf look like this:
>>
>> [global]
>> netbios name = bgo-nfs01
>> workgroup = GREENREEFERS
>> security = ADS
>> realm = GREENREEFERS.NO
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = %h server
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind trusted domains only = no
>> winbind nested groups = yes
>> winbind refresh tickets = Yes
>> winbind nss info = rfc2307
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config GREENREEFERS:backend = rid
>> idmap config GREENREEFERS:range=10000-99999
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>> preferred master = no
>> local master = no
>> template homedir = /dev/null
>> template shell = /bin/true
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> dns proxy = No
>> interfaces = eth1 lo
>> bind interfaces only = yes
>> log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
>> panic action = /usr/share/samba/panic-action %d
>> valid users = @"GREENREEFERS\grr"
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> Check that /etc/krb5.conf exists and looks like this:
>>
>> [libdefaults]
>> default_realm = GREENREEFERS.NO
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> Check that /etc/resolv.conf points to your AD DC (first on list)
>>
>> Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'
>
> Hi, sorry for the late answer.
>
> I did change the [global], and pasted smb.conf here:
> http://pastebin.com/WRNCKu42
> I changed the krb5.conf file and pasted it here:
> http://pastebin.com/JqSavqD1
> nsswitch.conf is unchanged, pasted here: http://pastebin.com/bW3HcKKN
> resolv.conf has been correct all the time; I have verified now as well.
>
Does 'getent passwd <a domain user>' now show anything?
Rowland
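
The checks listed in the quoted advice above (smb.conf realm agreeing with krb5.conf default_realm, the AD DC first in resolv.conf, winbind on the passwd and group lines of nsswitch.conf), as an added shell example that is not part of the original thread. The function names, the constructed sample files and the address 192.0.2.10 standing in for the DC are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: the checks from the thread as functions over file paths.

# ini_get FILE KEY: print the value of the first "key = value" line.
ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || NF < 2 { next }          # skip comments, section headers
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
          if (tolower(k) != tolower(key)) next
          v = substr($0, index($0, "=") + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# realm_matches SMB_CONF KRB5_CONF: smb.conf realm equals krb5.conf default_realm.
realm_matches() {
    r=$(ini_get "$1" realm); d=$(ini_get "$2" default_realm)
    [ -n "$r" ] && [ "$r" = "$d" ]
}

# first_nameserver RESOLV_CONF: print the first nameserver entry.
first_nameserver() { awk '$1 == "nameserver" { print $2; exit }' "$1"; }

# nss_has_winbind NSSWITCH_CONF DB: true if the DB line lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }        # drop comments, split "db:src"
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# run_checks DIR DC_IP: report each failed check; exit status = failure count.
run_checks() {
    fails=0
    realm_matches "$1/smb.conf" "$1/krb5.conf" ||
        { echo "FAIL: realm != default_realm"; fails=$((fails + 1)); }
    [ "$(first_nameserver "$1/resolv.conf")" = "$2" ] ||
        { echo "FAIL: first nameserver is not the DC"; fails=$((fails + 1)); }
    for db in passwd group; do
        nss_has_winbind "$1/nsswitch.conf" "$db" ||
            { echo "FAIL: $db line lacks winbind"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample files (not the poster's); 192.0.2.10 stands in for the DC.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
printf '[global]\nrealm = GREENREEFERS.NO\n' > "$SAMPLE/smb.conf"
printf '[libdefaults]\ndefault_realm = GREENREEFERS.NO\n' > "$SAMPLE/krb5.conf"
printf 'nameserver 192.0.2.10\nnameserver 192.0.2.53\n' > "$SAMPLE/resolv.conf"
printf 'passwd: compat winbind\ngroup: compat # winbind\n' > "$SAMPLE/nsswitch.conf"
run_checks "$SAMPLE" 192.0.2.10 || echo "$? check(s) failed"
```

In the constructed nsswitch.conf, winbind appears on the group line only inside a comment, so the run reports that one check as failed.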