[Samba] After some time "denied due to share security descriptor"
L.P.H. van Belle
belle at bazuin.nl
Tue Sep 15 11:02:58 UTC 2015
Beware that if you need nfs4 with kerberos, you need the krb5.conf.
Nfs needs it to get the realm.
Source: https://wiki.debian.org/NFS/Kerberos
See the Tips.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday 15 September 2015 12:46
> To: sambalist
> Subject: Re: [Samba] After some time "denied due to share security
> descriptor"
>
> On 15/09/15 11:22, Alessandro Briosi wrote:
> >
> >
> > On 15/09/2015 11:49, Rowland Penny wrote:
> >> On 15/09/15 10:22, Alessandro Briosi wrote:
> >>>
> >>> This is the file server configuration, just in case you can spot
> >>> something wrong.
> >>> (don't think krb5.conf is used)
> >>
> >> OH yes it is!
> >>
> >>>
> >>> smb.conf
> >>>
> >>> [global]
> >>> workgroup = DOMAIN
> >>> realm = AD.DOMAIN.NET
> >>> security = ads
> >>> idmap config * : range = 16777216-33554431
> >>> template shell = /sbin/nologin
> >>>
> >>> netbios name = srvfile1
> >>> netbios aliases = srvfile
> >>> reset on zero vc = yes
> >>>
> >>> server string =
> >>> encrypt passwords = yes
> >>>
> >>> load printers = no
> >>> printing = bsd
> >>> printcap name = /dev/null
> >>> disable spoolss = yes
> >>>
> >>> idmap config *:backend = tdb
> >>> idmap config *:range = 10000-20000
> >>> idmap config DOMAIN:backend = ad
> >>> idmap config DOMAIN:schema_mode = rfc2307
> >>> idmap config DOMAIN:range = 1000-40000
> >>>
> >>> winbind nss info = rfc2307
> >>> winbind trusted domains only = no
> >>> winbind use default domain = yes
> >>> winbind enum users = yes
> >>> winbind enum groups = yes
> >>> winbind offline logon = false
> >>>
> >>> store dos attributes = Yes
> >>> create mask = 0770
> >>> force create mode = 0770
> >>> directory mask = 0770
> >>>
> >>> [sharename]
> >>> path = /home/SHARES/sharename
> >>> read only = no
> >>>
> >>
> >> OK, this:
> >> idmap config * : range = 16777216-33554431
> >> Conflicts with this:
> >> idmap config *:range = 10000-20000
> >> And the above is inside this:
> >> idmap config DOMAIN:range = 1000-40000
> >>
> >> sssd running? if not, remove the top line and adjust the other two so
> >> they do not overlap.
> >>
> >
> > I have tried sssd, but it won't work as expected, so reverted back to
> > winbind.
> > I'll fix the idmaps, but don't think that's a problem.
> >> I would also add the following two lines:
> >>
> >> vfs objects = acl_xattr
> >> map acl inherit = Yes
> >>
> >
> > I removed this because it was creating a lot of trouble with
> > permissions.
> > Now I manage all with the old and simple Unix permissions and
> > everything works as expected...
> >>> --------------------------------------------
> >>> krb5.conf
> >>>
> >>> [logging]
> >>> default = FILE:/var/log/krb5libs.log
> >>> kdc = FILE:/var/log/krb5kdc.log
> >>> admin_server = FILE:/var/log/kadmind.log
> >>>
> >>> [libdefaults]
> >>> dns_lookup_realm = false
> >>> ticket_lifetime = 24h
> >>> renew_lifetime = 7d
> >>> forwardable = true
> >>> rdns = false
> >>> default_ccache_name = KEYRING:persistent:%{uid}
> >>>
> >>> [realms]
> >>> # EXAMPLE.COM = {
> >>> # kdc = kerberos.example.com
> >>> # admin_server = kerberos.example.com
> >>> # }
> >>>
> >>> [domain_realm]
> >>> # .example.com = EXAMPLE.COM
> >>> # example.com = EXAMPLE.COM
> >>>
> >> Set krb5.conf to:
> >>
> >> [libdefaults]
> >> default_realm = AD.DOMAIN.NET
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >>
> >
> > ok. will do.
> > But on the wiki there's no mention about the krb5.conf file for an AD
> > member server.
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >
> > I had the impression that it was used in 3.x versions of samba, but
> > samba4 would use the DNS/configuration to resolve the REALM.
>
> Taking this back on-list:
>
> Thanks for making me test this out, I just took it as read that you
> needed the krb5.conf file. This it would seem was a *BIG* mistake, I
> removed krb5.conf, flushed the winbind cache and restarted smbd, nmbd
> and winbind on a Unix client. It still works, so it would seem you don't
> need the /etc/krb5.conf file after all :-)
>
> Rowland
> >
> > thanks,
> > Alessandro
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
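Rowland's diagnosis of the quoted smb.conf (two `*` range lines, one of which sits inside the DOMAIN range) can be checked mechanically before winbind is restarted. The following is an added example, not code from the thread or from the Samba project: a small Python checker run over the idmap lines quoted above; the "fixed" ranges at the end are constructed values chosen only so that they do not overlap, not values recommended anywhere in the thread.

```python
"""Check smb.conf idmap ranges for duplicate keys and overlapping ranges."""
import re
from typing import Dict, List, Tuple

# Matches "idmap config DOMAIN:range = 1000-40000" and also the looser
# "idmap config * : range = 16777216-33554431" spacing seen in the post.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

# Constructed excerpt: the idmap lines exactly as quoted in the thread.
SMB_CONF_FROM_THREAD = """
[global]
idmap config * : range = 16777216-33554431
idmap config *:backend = tdb
idmap config *:range = 10000-20000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000-40000
"""

# Constructed non-overlapping ranges (assumed values, not from the thread).
FIXED_SMB_CONF = """
idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 10000-999999
"""

def parse_idmap_ranges(smb_conf: str) -> List[Tuple[str, int, int]]:
    """Return (domain, low, high) for every idmap range line, in file order."""
    ranges = []
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges.append((m.group("dom"), int(m.group("lo")), int(m.group("hi"))))
    return ranges

def check_idmap_ranges(smb_conf: str) -> List[str]:
    """Report a domain given more than one range, and ranges that overlap."""
    problems: List[str] = []
    ranges = parse_idmap_ranges(smb_conf)
    seen: Dict[str, int] = {}
    for dom, _, _ in ranges:
        seen[dom] = seen.get(dom, 0) + 1
    for dom, n in seen.items():
        if n > 1:
            problems.append(f"'{dom}' has {n} range lines; only one value can apply")
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if d1 != d2 and lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                problems.append(f"'{d1}' {lo1}-{hi1} overlaps '{d2}' {lo2}-{hi2}")
    return problems
```

Calling `check_idmap_ranges(SMB_CONF_FROM_THREAD)` reports the duplicate `*` range and the `*` 10000-20000 range lying inside DOMAIN 1000-40000; the constructed `FIXED_SMB_CONF` reports nothing.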