[Samba] Cannot browse mode 0700 directories from Windows with security=ads

[Rowland penny]

On 15/04/16 18:18, Ian Collier wrote:
> rpenny at samba.org writes:
>> OK, you have a Samba domain member that is joined to an AD domain and you
>> also say you are running winbindd, but there doesn't seem to be any winbind
>> or 'idmap config' lines in your smb.conf, are you also running sssd ?
> The server has "passwd: files ldap" in nsswitch.conf and sssd is not
> running, but "getent passwd randomuser" does the right thing.  I'm not
> 100% sure how this works if I'm honest, because it was set up by someone
> else and we do run sssd on our *ix machines as a general rule.

If your computer is joined to an AD domain, is running Samba with 
'security = ADS' and winbindd is running, the line in /etc/nsswitch 
should be 'passwd: files winbind' (the group line should be 'group: 
files winbind')

Your users should not be in /etc/passwd, they should only be in AD (as 
should your groups)

>
>> If you are not running sssd, can I suggest having a look here:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> You will probably want to use the 'rid' backend
> OK I will look at that in detail later, but it mentions putting winbind
> in nsswitch.conf which I don't think we want to do.

Oh you do, you really do, If not, either run 'sssd' (which will do what 
running winbind does) and replace 'ldap' in /etc/nsswitch.conf with 
'sss', or turn Samba off.


>
> I'm not entirely sure what the idmap backend thing does although my
> impression is that it's for when you are using winbind to provide
> services to NSS, which we're not doing here.

No, if you use winbind with the 'rid' backend, this will allocate UIDs & 
GIDs as required, this makes your windows users Unix users i.e. they 
only need to exist in one place, AD

>
> I have previously tried adding "backend = nss" but it didn't seem to
> have any effect.

Use 'backend = rid'

Rowland
> Ian Collier.
>