[Samba] Samba AD - Scanner permission issues

lingpanda101 lingpanda101 at gmail.com
Mon Nov 21 13:29:52 UTC 2016 

On 11/21/2016 8:21 AM, Viktor Trojanovic via samba wrote:
> Hi all,
>
> I'm running a small Samba based AD, consisting of one Samba DC and one
> Samba Fileserver (AD member).
>
> I use rfc2307 and manually give the users their UID (there aren't many).
>
> This setup used to work well at the beginning but with every Samba update
> (I run a rolling release), I seem to stumble upon new issues. I hope
> someone can help me with the latest one.
>
> I have a folder on the fileserver, let's call it \\FILESERVER\SHARE, that I
> wish to use for scanner output. I checked and checked again, both share
> permissions (everyone=full control) as well as NTFS permissions seem
> correct, and yet I can't get my network scanner to connect to it. It keeps
> complaining about unsuccessful authentication.
>
> I checked user access with smbclient, it works. If I hook up another laptop
> to the network and just browse the network and open the folder, the
> credentials work too. However, I can do the same type of browsing with the
> scanner but the exact same credentials don't work. Just as one more test, I
> used VLC on my Android phone to browse the network and I also cannot get
> into the folders although I'm using the correct credentials.
>
> Does anyone know what my problem could be? I don't think it will help but
> just in case attaching my smb.conf (from the member).
>
> [global]
>
>    netbios name = FILESERVER
>    workgroup = WORKGROUP
>    security = ADS
>    realm = WORKGROUP.EXAMPLE.COM
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    username map = /etc/samba/samba_usermap
>
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>    idmap config WORKGROUP:backend = ad
>    idmap config WORKGROUP:schema_mode = rfc2307
>    idmap config WORKGROUP:range = 10000-99999
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = Yes
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>
> [share]
>    path = /srv/samba/share
>    comment = "Common Files"
>    guest ok = no
>    writeable = yes
>    acl_xattr:ignore system acls = yes


You most likely need to add 'ntlm auth = yes' in your global config 
section of smb.conf.

-- 
- James

More information about the samba mailing list