[Samba] samba4 file server 4.3.0 authenticating against Samba4 4.1.7 AD DC

Rowland Penny rpenny at samba.org
Wed Feb 17 22:11:45 UTC 2016


On 17/02/16 21:47, Dania Ramirez Moya wrote:
> Hello list:
> I recently installed and configured samba4 file server. I add it to domain
> successfully, then configuring shares with  but I couldn't access to shares.
> I provisioned samba AD DC without rfc2307.

Why didn't you provision with rfc2307?

Go here: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD

Setup your Samba AD DC with rfc2307.


>   This log.samba says:
>
> [2016/02/17 16:09:04.653139,  0]
> ../source4/auth/unix_token.c:107(security_token_to_unix_token)
>    *Unable to convert SID (S-1-5-32-554) at index 7 in user token to a GID. *
> *Conversion was returned as type 0, full token:*
> [2016/02/17 16:09:04.653236,  0]
> ../libcli/security/security_token.c:63(security_token_debug)
>    Security token SIDs (9):
>      SID[  0]: S-1-5-21-1345859412-382380422-3804354134-1115
>      SID[  1]: S-1-5-21-1345859412-382380422-3804354134-513
>      SID[  2]: S-1-5-21-1345859412-382380422-3804354134-512
>      SID[  3]: S-1-5-21-1345859412-382380422-3804354134-572
>      SID[  4]: S-1-1-0
>      SID[  5]: S-1-5-2
>      SID[  6]: S-1-5-11
>      SID[  7]: S-1-5-32-554
>      SID[  8]: S-1-5-32-545
>     Privileges (0x          800000):
>      Privilege[  0]: SeChangeNotifyPrivilege
>     Rights (0x             400):
>      Right[  0]: SeRemoteInteractiveLogonRight
> [2016/02/17 16:09:05.023896,  3]
> ../source4/smb_server/tcon.c:106(smbsrv_tcon_destructor)
>    ipv4:192.168.17.3:50088 closed connection to service IPC$
>
> this is my smb.conf
>
> samba4 dc# Global parameters
> [global]
>          security = ADS
>          workgroup = MYDOMAIN
>          realm = MYDOMAIN.TEST
>          netbios name = COPERNICO
>          server services = +smb
>          password server = atlantis.mydomain.test
>
>          encrypt passwords = yes
>          idmap config *:backend = tdb
>          idmap config *:range = 70001-80000
>          #dmap config MYDOMAIN:backend = ad
>          idmap config  MYDOMAIN = 3000000-4000000
>
>          winbind use default domain = yes
>          winbind enum users = yes
>          winbind enum groups = yes
>
>          log level = 3
>          domain logons = yes
>
>          vfs objects = acl_xattr
>          map acl inherit = yes
>          store dos attributes = yes
>
> ####################shares###################################################
>
> [usuarios]
>          path = /home/salvas/usuarios
>          read only  = no
>          browseable = yes
>          valid users = "@MYDOMAIN\domain admins"
>


Is the above smb.conf from a DC or a domain member? Either way it is
wrong. If it is from a domain member, go here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Read the page and follow the links and set up the domain member correctly.

If the above smb.conf is from a DC, I would suggest you start again, but
this time use rfc2307. See here for DC instructions:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Rowland
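
An added example, not part of either message and not Samba project code: a small Python linter for the `idmap config` lines in the smb.conf quoted above. It checks only the `idmap config DOMAIN : option = value` syntax from smb.conf(5), that each domain has an active backend and range, and that ranges do not overlap. `lint_idmap`, `POSTED` and `WELL_FORMED` are names made up here, and `WELL_FORMED` is a constructed sample that is syntactically complete, not a recommended setup.

```python
import re
# smb.conf(5) syntax: idmap config DOMAIN : option = value
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+)$", re.I)

# The idmap lines exactly as quoted in the post above.
POSTED = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
#dmap config MYDOMAIN:backend = ad
idmap config  MYDOMAIN = 3000000-4000000
"""
# Constructed sample: syntactically complete only, not a recommended setup.
WELL_FORMED = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 3000000-4000000
"""

def lint_idmap(conf_text):
    """Return (line_no, message) findings; line_no 0 means a whole-file finding."""
    findings, domains, ranges = [], {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue  # other parameters and '#'/';' comments are not active idmap lines
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = (no, m.group(3).strip())
        else:
            findings.append((no, "malformed: expected 'idmap config DOMAIN : option = value'"))
    for dom, opts in domains.items():
        for need in ("backend", "range"):
            if need not in opts:
                findings.append((0, f"{dom}: no active '{need}' setting"))
        if "range" in opts:
            no, val = opts["range"]
            r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val)
            if r and int(r.group(1)) < int(r.group(2)):
                ranges.append((int(r.group(1)), int(r.group(2)), dom))
            else:
                findings.append((no, f"{dom}: bad range '{val}'"))
    ranges.sort()  # after sorting, any overlap shows up between neighbours
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append((0, f"ranges of {d1} and {d2} overlap"))
    return findings

if __name__ == "__main__":
    print(lint_idmap(POSTED), lint_idmap(WELL_FORMED))
```

On the posted lines the only finding is line 4, which also means no `idmap config` option for MYDOMAIN is active in that file.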



