[Samba] After some time "denied due to share security descriptor"

L.P.H. van Belle belle at bazuin.nl
Tue Sep 15 11:02:58 UTC 2015


Beware that if you need NFSv4 with Kerberos, you need the krb5.conf. 
NFS needs it to get the realm.  

source : https://wiki.debian.org/NFS/Kerberos 
See the Tips. 


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday, 15 September 2015 12:46
> To: sambalist
> Subject: Re: [Samba] After some time "denied due to share security
> descriptor"
> 
> On 15/09/15 11:22, Alessandro Briosi wrote:
> >
> >
> > On 15/09/2015 11:49, Rowland Penny wrote:
> >> On 15/09/15 10:22, Alessandro Briosi wrote:
> >>>
> >>> This is the file server configuration, just in case you can spot
> >>> something wrong.
> >>>  (don't think krb5.conf is used)
> >>
> >> OH yes it is!
> >>
> >>>
> >>> smb.conf
> >>>
> >>> [global]
> >>>    workgroup = DOMAIN
> >>>    realm = AD.DOMAIN.NET
> >>>    security = ads
> >>>    idmap config * : range = 16777216-33554431
> >>>    template shell = /sbin/nologin
> >>>
> >>>    netbios name = srvfile1
> >>>    netbios aliases = srvfile
> >>>    reset on zero vc = yes
> >>>
> >>>    server string =
> >>>    encrypt passwords = yes
> >>>
> >>>    load printers = no
> >>>    printing = bsd
> >>>    printcap name = /dev/null
> >>>    disable spoolss = yes
> >>>
> >>>    idmap config *:backend = tdb
> >>>    idmap config *:range = 10000-20000
> >>>    idmap config DOMAIN:backend = ad
> >>>    idmap config DOMAIN:schema_mode = rfc2307
> >>>    idmap config DOMAIN:range = 1000-40000
> >>>
> >>>    winbind nss info = rfc2307
> >>>    winbind trusted domains only = no
> >>>    winbind use default domain = yes
> >>>    winbind enum users  = yes
> >>>    winbind enum groups = yes
> >>>    winbind offline logon = false
> >>>
> >>>    store dos attributes = Yes
> >>>    create mask = 0770
> >>>    force create mode = 0770
> >>>    directory mask = 0770
> >>>
> >>> [sharename]
> >>>   path = /home/SHARES/sharename
> >>>   read only = no
> >>>
> >>
> >> OK, this:
> >>    idmap config * : range = 16777216-33554431
> >> Conflicts with this:
> >>    idmap config *:range = 10000-20000
> >> And the above is inside this:
> >>    idmap config DOMAIN:range = 1000-40000
> >>
> >> Is sssd running? If not, remove the top line and adjust the other two so
> >> they do not overlap.
> >>
> >
> > I have tried sssd, but it won't work as expected, so I reverted to
> > winbind.
> > I'll fix the idmaps, but I don't think that's the problem.
> >> I would also add the following two lines:
> >>
> >>         vfs objects = acl_xattr
> >>         map acl inherit = Yes
> >>
> >
> > I removed this because it was creating a lot of trouble with
> > permissions.
> > Now I manage all with the old and simple Unix permissions and
> > everything works as expected...
> >>> --------------------------------------------
> >>> krb5.conf
> >>>
> >>> [logging]
> >>>  default = FILE:/var/log/krb5libs.log
> >>>  kdc = FILE:/var/log/krb5kdc.log
> >>>  admin_server = FILE:/var/log/kadmind.log
> >>>
> >>> [libdefaults]
> >>>  dns_lookup_realm = false
> >>>  ticket_lifetime = 24h
> >>>  renew_lifetime = 7d
> >>>  forwardable = true
> >>>  rdns = false
> >>>  default_ccache_name = KEYRING:persistent:%{uid}
> >>>
> >>> [realms]
> >>> # EXAMPLE.COM = {
> >>> #  kdc = kerberos.example.com
> >>> #  admin_server = kerberos.example.com
> >>> # }
> >>>
> >>> [domain_realm]
> >>> # .example.com = EXAMPLE.COM
> >>> # example.com = EXAMPLE.COM
> >>>
> >> Set krb5.conf to:
> >>
> >> [libdefaults]
> >>      default_realm = AD.DOMAIN.NET
> >>      dns_lookup_realm = false
> >>      dns_lookup_kdc = true
> >>
> >
> > ok. will do.
> > But on the wiki there is no mention of the krb5.conf file for an AD
> > member server.
> > https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >
> > I had the impression that it was used in 3.x versions of samba, but
> > samba4 would use the DNS/configuration to resolve the REALM.
> 
> Taking this back on-list:
> 
> Thanks for making me test this out; I just took it as read that you
> needed the krb5.conf file. This, it would seem, was a *BIG* mistake: I
> removed krb5.conf, flushed the winbind cache and restarted smbd, nmbd
> and winbind on a Unix client. It still works, so it would seem you don't
> need the /etc/krb5.conf file after all :-)
> 
> Rowland
> >
> > thanks,
> > Alessandro
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
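An added example, not code from the thread or from the Samba project: a small Python lint that reads the `idmap config` lines of an smb.conf and reports the two problems Rowland Penny points to in the quoted message above, namely an option set twice for the same idmap domain and ranges of different idmap domains that overlap. The "posted" configuration inside it is constructed from the idmap lines of the smb.conf quoted in the thread; the "fixed" configuration and its ranges (3000-7999 for `*`, 10000-999999 for DOMAIN) are an assumption chosen only to show a disjoint layout, not values anyone in the thread gave.

```python
"""Lint the idmap ranges in an smb.conf.

Added example, not code from the thread or from the Samba project.  On an
AD member server using winbind, the default ('*') idmap range and every
named domain's range must be disjoint, and each idmap option should be set
only once per idmap domain.  check_idmap() reports violations of both rules.
"""
import re
from itertools import combinations

# Constructed input: the idmap lines from the smb.conf posted in the thread,
# with the duplicate '*' range and the overlap with DOMAIN left in place.
SMB_CONF_POSTED = """\
[global]
   workgroup = DOMAIN
   realm = AD.DOMAIN.NET
   security = ads
   idmap config * : range = 16777216-33554431
   idmap config *:backend = tdb
   idmap config *:range = 10000-20000
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 1000-40000
"""

# Constructed corrected version.  The numbers are an assumption chosen so the
# ranges are disjoint; pick ranges that suit your own UID/GID allocation.
SMB_CONF_FIXED = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 10000-999999
"""

# Matches 'idmap config <domain> : <option> = <value>', tolerating the optional
# whitespace around the colon that the posted smb.conf uses in one place.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Collect idmap options as {domain: {option: [value, ...]}}.

    Every value is kept, so an option that is set twice for one domain stays
    visible instead of being silently overwritten by the later line.
    """
    idmap = {}
    for line in conf_text.splitlines():
        if line.lstrip()[:1] in ("#", ";", ""):
            continue  # comment or blank line
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()  # compare idmap domain names case-insensitively
        opts = idmap.setdefault(dom, {})
        opts.setdefault(m.group("opt").lower(), []).append(m.group("val"))
    return idmap


def parse_range(value):
    """Turn 'low-high' into (low, high); reject malformed or inverted bounds."""
    low, high = (int(x) for x in value.split("-", 1))
    if low >= high:
        raise ValueError(f"low bound {low} is not below high bound {high}")
    return low, high


def check_idmap(conf_text):
    """Return a list of problem descriptions; an empty list means no findings."""
    problems = []
    ranges = []  # (domain, low, high) for every range line seen
    for dom, opts in parse_idmap(conf_text).items():
        for opt, values in opts.items():
            if len(values) > 1:
                problems.append(f"{dom}: '{opt}' defined {len(values)} times: {values}")
        if "backend" not in opts:
            problems.append(f"{dom}: no idmap backend configured")
        for value in opts.get("range", []):
            try:
                low, high = parse_range(value)
            except ValueError as exc:
                problems.append(f"{dom}: unusable range '{value}': {exc}")
            else:
                ranges.append((dom, low, high))
    # Two ranges overlap when each one starts no later than the other ends.
    for (d1, l1, h1), (d2, l2, h2) in combinations(ranges, 2):
        if d1 != d2 and l1 <= h2 and l2 <= h1:
            problems.append(f"{d1} range {l1}-{h1} overlaps {d2} range {l2}-{h2}")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", SMB_CONF_POSTED), ("fixed", SMB_CONF_FIXED)):
        found = check_idmap(conf)
        print(f"{name}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```

The script only reads the text it is given, so on a real member server you can feed it the normalised output of `testparm -s /etc/samba/smb.conf` instead of the raw file, which also resolves includes before the ranges are compared.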