[Samba] Configuration of smb.conf for Active Directory authentication

Michael A Weber mweber.subscriptions01 at gmail.com
Fri Aug 26 16:34:20 UTC 2016


> On Aug 26, 2016, at 10:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> 
> See inline comments.
> 
> On Fri, 26 Aug 2016 15:11:25 +0000
> Kyle Manel via samba <samba at lists.samba.org> wrote:
> 
>> I've completed the configuration specified,
> 
> No you haven't
> 
>> and the command 'wbinfo
>> -g' provides a list of the groups available and 'wbinfo -u' provides
>> a list of all the users on the system, but I cannot access the
>> shares;  When I navigate a file explorer to \\ip.ad.dre.ss I am
>> presented with a login screen, which I cannot log into with my ID;
>> 'The user name or password is incorrect'
>> 
>> I suspect an issue with my idmap configuration:
>> 
>> [global]
>>        netbios name = FILESERVER-001
>>        security = ADS
>>        workgroup = SUBDOMAIN
>>        realm = SUBDOMAIN.DOMAIN.COM
>> 
>>        log file = /var/log/samba/%m.log
>>        log level = 1
>> 
>>        idmap config    CORP:   backend =       ad
>>        idmap config    CORP:   schema_mode =   rfc2307
>>        idmap config    CORP:   range =         1000-9999999999
> 
> I thought you were advised to use the 'rid' backend
> 
>>        idmap uid =                             50-9999999999
>>        idmap gid =                             50-9999999999
> 
> Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines,
> they are not on the domain member wiki page.
> 
>>        winbind nss info =                      rfc2307
> 
> You don't use the above line with the 'rid' backend
> 
>> 
>>       allow dns updates = nonsecure
>> 
>> [public]
>>        path = /srv/samba/share
>>        available =                             yes
>>        read only =                             no
>>        browsable =                             yes
>>        public =                                yes
>>        guest ok =                              yes
>>        writable =                              yes
> 
> the available line is the default
> 'read only = no' and 'writable = yes' are the same way of saying the
> same thing, you do not need both.
> 'browsable = yes' is the default.
> 'public = yes' and 'guest ok = yes' are the same way of saying the
> same thing, you do not need both.
> 
> Rowland
> 
> 
>> 
>> Regards,
>> Kyle
> 
> 

Rowland—

I’m curious…  if Kyle didn’t set the permissions on the share, and the ID he’s using to attempt to access them did not have permission to access, would the login prompt tell him “access denied,” or would it just present itself saying “incorrect id/password”?

I seem to recall trying to access a share on a Mac from a Windows machine and it just telling me my username/pw were wrong rather than telling me I don’t have access.



Kyle—

Are you able to use the Computer Management tool to access your new samba file server and its shares, and set permissions on them?  Also, if you joined it to the domain, you should be able to see it in your AD DNS as well as access it by host name rather than IP address.

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Setup_share_permissions_.28optional.29

Mike
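
The points raised in Rowland's quoted inline comments (deprecated 'idmap uid'/'idmap gid', 'winbind nss info' alongside the 'rid' backend, default-valued and duplicated share parameters) can be checked mechanically. This is an added example, not part of the original thread or of Samba itself; the `parse` and `lint` helpers, the finding labels and the condensed `SAMPLE` are constructed for illustration.

```python
import re

DEPRECATED = ("idmap uid", "idmap gid")              # replaced by 'idmap config' lines
SYNONYMS = (("read only", "writable"), ("public", "guest ok"))
DEFAULTS = {"available": "yes", "browsable": "yes"}  # values that are already the default

def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}, names normalised."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None and line[0] not in "#;":
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf

def lint(text):
    """Return sorted (section, parameter, finding) tuples for the reply's points."""
    conf, out = parse(text), []
    glob = conf.get("global", {})
    out += [("global", k, "deprecated") for k in DEPRECATED if k in glob]
    uses_rid = any(re.fullmatch(r"idmap config \S+:backend", k) and v.lower() == "rid"
                   for k, v in glob.items())
    if uses_rid and "winbind nss info" in glob:
        out.append(("global", "winbind nss info", "not used with rid"))
    for name, params in conf.items():
        out += [(name, k, "default") for k, d in DEFAULTS.items()
                if params.get(k, "").lower() == d]
        out += [(name, b, "duplicates " + a) for a, b in SYNONYMS
                if a in params and b in params]
    return sorted(out)

# Constructed sample: a condensed form of the posted settings, backend set to 'rid'.
SAMPLE = """
[global]
    idmap config CORP: backend = rid
    idmap uid = 50-9999999999
    winbind nss info = rfc2307
[public]
    read only = no
    writable = yes
    browsable = yes
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

With the 'ad' backend as originally posted, the 'winbind nss info' finding is not raised, since that comment applies to 'rid' only.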



