[Samba] Cannot browse mode 0700 directories from Windows with security=ads
rpenny at samba.org
Fri Apr 15 18:00:11 UTC 2016
On 15/04/16 18:18, Ian Collier wrote:
> rpenny at samba.org writes:
>> OK, you have a Samba domain member that is joined to an AD domain and you
>> also say you are running winbindd, but there doesn't seem to be any winbind
>> or 'idmap config' lines in your smb.conf, are you also running sssd?
> The server has "passwd: files ldap" in nsswitch.conf and sssd is not
> running, but "getent passwd randomuser" does the right thing. I'm not
> 100% sure how this works if I'm honest, because it was set up by someone
> else and we do run sssd on our *ix machines as a general rule.
If your computer is joined to an AD domain, is running Samba with
'security = ADS' and winbindd is running, the line in /etc/nsswitch
should be 'passwd: files winbind' (the group line should be 'group:
Your users should not be in /etc/passwd, they should only be in AD (as
should your groups).
>> If you are not running sssd, can I suggest having a look here:
>> You will probably want to use the 'rid' backend
> OK I will look at that in detail later, but it mentions putting winbind
> in nsswitch.conf which I don't think we want to do.
Oh you do, you really do. If not, either run 'sssd' (which will do what
running winbind does) and replace 'ldap' in /etc/nsswitch.conf with
'sss', or turn Samba off.
> I'm not entirely sure what the idmap backend thing does although my
> impression is that it's for when you are using winbind to provide
> services to NSS, which we're not doing here.
No, if you use winbind with the 'rid' backend, this will allocate UIDs &
GIDs as required; this makes your Windows users Unix users, i.e. they
only need to exist in one place, AD.
> I have previously tried adding "backend = nss" but it didn't seem to
> have any effect.
Use 'backend = rid'
> Ian Collier.
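
A consistency check for the setup discussed in this thread, as an added example that is not part of the original messages: it reads smb.conf and nsswitch.conf text and reports when a 'security = ADS' member has no 'idmap config' backend lines or when the passwd/group lines use neither winbind nor sss. The function names, the EXAMPLE domain and the ID ranges are assumptions made for illustration.

```python
import re

# Constructed sample files (not from the thread); EXAMPLE and the ranges are placeholders.
SMB_CONF = """\
[global]
    security = ADS
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""
NSSWITCH = "passwd: files ldap\ngroup: files ldap\n"  # the situation described by the poster

def global_params(smb_conf):
    """Return the [global] parameters of smb.conf as a dict with normalised lowercase keys."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member(smb_conf, nsswitch):
    """List mismatches between a 'security = ADS' member and its ID mapping / NSS setup."""
    issues, params = [], global_params(smb_conf)
    if params.get("security", "").lower() != "ads":
        return issues                            # not an AD member, nothing to check
    if not any(re.fullmatch(r"idmap config \S+ ?: ?backend", k) for k in params):
        issues.append("smb.conf: no 'idmap config' backend lines")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:(.*)$", nsswitch, re.M)
        sources = m.group(1).split() if m else []
        if not {"winbind", "sss"} & set(sources):
            issues.append(f"nsswitch.conf: '{db}' has neither winbind nor sss")
    return issues

if __name__ == "__main__":
    for issue in check_member(SMB_CONF, NSSWITCH):
        print(issue)
```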