[Samba] Samba AD - Scanner permission issues
lingpanda101 at gmail.com
Mon Nov 21 15:39:41 UTC 2016
On 11/21/2016 10:26 AM, Viktor Trojanovic wrote:
> Thanks for the hint, James.
> In that case, I assume the man page for smb.conf is outdated.
> According to the manual, "ntlm auth = yes" is the default. Running
> testparm -sv reveals, however, that it is set to "no" by default.
> Having said that, changing it to yes didn't bring me further, yet,
> the scanner still can't connect.
> This is now the output of testparm -sv | grep auth
> Server role: ROLE_DOMAIN_MEMBER
> ldap server require strong auth = Yes
> allow dcerpc auth level connect = No
> auth methods =
> client lanman auth = No
> client NTLMv2 auth = Yes
> client plaintext auth = No
> lanman auth = No
> ntlm auth = Yes
> raw NTLMv2 auth = No
> Any other ideas?
> On Mon, Nov 21, 2016 at 2:29 PM, lingpanda101 <lingpanda101 at gmail.com> wrote:
> On 11/21/2016 8:21 AM, Viktor Trojanovic via samba wrote:
> Hi all,
> I'm running a small Samba based AD, consisting of one Samba DC
> and one
> Samba Fileserver (AD member).
> I use rfc2307 and manually give the users their UID (there
> aren't many).
> This setup used to work well at the beginning but with every
> Samba update
> (I run a rolling release), I seem to stumble upon new issues.
> I hope
> someone can help me with the latest one.
> I have a folder on the fileserver, let's call it
> \\FILESERVER\SHARE, that I
> wish to use for scanner output. I checked and checked again,
> both share
> permissions (everyone=full control) as well as NTFS
> permissions seem
> correct, and yet I can't get my network scanner to connect to
> it. It keeps
> complaining about unsuccessful authentication.
> I checked user access with smbclient, it works. If I hook up
> another laptop
> to the network and just browse the network and open the
> folder, the
> credentials work too. However, I can do the same type of
> browsing with the
> scanner but the exact same credentials don't work. Just as one
> more test, I
> used VLC on my Android phone to browse the network and I also
> cannot get
> into the folders although I'm using the correct credentials.
> Does anyone know what my problem could be? I don't think it
> will help but
> just in case attaching my smb.conf (from the member).
> netbios name = FILESERVER
> workgroup = WORKGROUP
> security = ADS
> realm = WORKGROUP.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> username map = /etc/samba/samba_usermap
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config WORKGROUP:backend = ad
> idmap config WORKGROUP:schema_mode = rfc2307
> idmap config WORKGROUP:range = 10000-99999
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> path = /srv/samba/share
> comment = "Common Files"
> guest ok = no
> writeable = yes
> acl_xattr:ignore system acls = yes
> You most likely need to add 'ntlm auth = yes' in your global
> config section of smb.conf.
> - James
The only thing I have different is 'ldap server require strong auth =
No'. The default was changed from 'No' to 'Yes' as of Samba 4.4 I believe?
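
An added example, not part of the original thread or of Samba itself: a shell filter that reads `testparm -sv` output like the listing quoted above and flags every auth setting that admits something weaker than NTLMv2, so the effect of switching `ntlm auth` to `yes` stays visible. The function names are hypothetical and the sample input is constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Flag auth settings in `testparm -sv` output that allow anything weaker
# than NTLMv2. Function names are hypothetical (added example).

# Constructed sample: the values quoted in the thread.
sample_testparm() {
cat <<'EOF'
Server role: ROLE_DOMAIN_MEMBER
ldap server require strong auth = Yes
allow dcerpc auth level connect = No
auth methods =
client lanman auth = No
client NTLMv2 auth = Yes
client plaintext auth = No
lanman auth = No
ntlm auth = Yes
raw NTLMv2 auth = No
EOF
}

# Reads "name = value" lines on stdin, prints one line per weak setting,
# and returns 1 if any were found (0 otherwise).
audit_auth() {
    awk -F' *= *' '
    function weak(why) { printf "WEAK: %s = %s (%s)\n", key, $2, why; bad = 1 }
    {
        key = $1; sub(/^[ \t]+/, "", key)      # testparm indents with a tab
        name = tolower(key); val = tolower($2); sub(/[ \t]+$/, "", val)
    }
    name == "ntlm auth" && (val == "yes" || val == "ntlmv1-permitted") {
        weak("server accepts NTLMv1 responses") }
    name == "lanman auth" && val == "yes" {
        weak("server accepts LANMAN responses") }
    name == "raw ntlmv2 auth" && val == "yes" {
        weak("SMB1 clients may use NTLMv2 without extended security") }
    name == "client ntlmv2 auth" && val == "no" {
        weak("client tools send NTLMv1 responses") }
    name == "client lanman auth" && val == "yes" {
        weak("client tools send LANMAN responses") }
    name == "client plaintext auth" && val == "yes" {
        weak("client tools send plaintext passwords") }
    name == "ldap server require strong auth" && val == "no" {
        weak("LDAP simple binds allowed without encryption") }
    END { exit bad + 0 }
    '
}

# Live use: testparm -sv 2>/dev/null | audit_auth
sample_testparm | audit_auth || true
```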