[Samba] Domain users can't browse or access shares

Tim lists at kiuni.de
Sat Feb 14 00:36:06 MST 2015


You are using idmap module rid for your domain. I think getent passwd could not resolve anything because of your id range. I would try a range of 1000 (one thousand)-99999 and see what happens.
New users in AD start with a RID of 1000. Well-known users like administrator get their RIDs starting in the 500 range.

You should think of using rfc2307.

Regards
Tim

On 12 February 2015 10:51:47 CET, sk at green.no wrote:
>samba-bounces at lists.samba.org wrote on 09.02.2015 20:52:43:
> 
>> OK, make the [global] part of your smb.conf look like this:
>> 
>> [global]
>>          netbios name = bgo-nfs01
>>          workgroup = GREENREEFERS
>>          security = ADS
>>          realm = GREENREEFERS.NO
>>          dedicated keytab file = /etc/krb5.keytab
>>          kerberos method = secrets and keytab
>>          server string = %h server
>>          winbind enum users = yes
>>          winbind enum groups = yes
>>          winbind use default domain = yes
>>          winbind trusted domains only = no
>>          winbind nested groups = yes
>>          winbind refresh tickets = Yes
>>          winbind nss info = rfc2307
>>          idmap config *:backend = tdb
>>          idmap config *:range = 2000-9999
>>          idmap config GREENREEFERS:backend = rid
>>          idmap config GREENREEFERS:range=10000-99999
>>          load printers = no
>>          printing = bsd
>>          printcap name = /dev/null
>>          disable spoolss = yes
>>          preferred master = no
>>          local master = no
>>          template homedir = /dev/null
>>          template shell = /bin/true
>>          syslog = 0
>>          log file = /var/log/samba/log.%m
>>          max log size = 1000
>>          dns proxy = No
>>          interfaces = eth1 lo
>>          bind interfaces only = yes
>>          log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
>>          panic action = /usr/share/samba/panic-action %d
>>          valid users = @"GREENREEFERS\grr"
>>          vfs objects = acl_xattr
>>          map acl inherit = Yes
>>          store dos attributes = Yes
>> 
>> Check that /etc/krb5.conf exists and looks like this:
>> 
>> [libdefaults]
>>       default_realm = GREENREEFERS.NO
>>       dns_lookup_realm = false
>>       dns_lookup_kdc = true
>> 
>> Check that /etc/resolv.conf points to your AD DC (first on list)
>> 
>> Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'
>
>Hi, sorry for the late answer.
>
>I did change the [global], and pasted smb.conf here:
>http://pastebin.com/WRNCKu42
>I changed the krb5.conf file and pasted it here:
>http://pastebin.com/JqSavqD1
>nsswitch.conf is unchanged, pasted here: http://pastebin.com/bW3HcKKN
>resolv.conf has been correct all the time, I have verified now as
>well.
>