[Samba] Share access problem

Sebastien.Boulianne at cpu.ca Sebastien.Boulianne at cpu.ca
Fri Aug 25 19:11:26 UTC 2017


Hi Rowland,



My authentication seems to work (Thanks) but I can see the files inside the FTPFiles shares.



I checked:

# ntlm_auth --username="sebastien boulianne" --domain=domain.qc.ca
Password:
NT_STATUS_OK: Success (0x0)

drwsrwxrwx 11 root domain users 4.0K Aug 11 16:46 site



[FTPFiles]
        comment = Files
        path = /glftpd/site
        create mask = 0777
        directory mask = 0777
        valid users = %S



When I try to access the share, the error says I do not have permission to access it.

Can you give me some tips on how to debug it?

Thank you very much again!



Sébastien



-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 23 August 2017 12:02
To: samba at lists.samba.org
Subject: Re: [Samba] Share access problem

On Wed, 23 Aug 2017 11:23:09 -0400
<Sebastien.Boulianne at cpu.ca> wrote:



> Hi Rowland,
> I tried that but it didn't work.
>
> I can list all users using wbinfo -u but it didn't work if I do getent
> passwd <samaccountname>.
>
> Do you have any clues?
>



wbinfo talks directly to winbind which gets its info directly from AD, so 'wbinfo -u' just shows that winbind is connected to AD.



To get Unix to know who your AD users are, you need to get winbind to map your users to an ID number and then pass this to nsswitch.



When a user is created in AD, the user's cn is set to the user's 'givenName' and 'sn', e.g. mine is 'CN: Rowland Penny'



My 'sAMAccountName' is 'rowland' i.e. 'givenName' in lowercase.



This means, as long as smb.conf is created correctly, the libnss_winbind links are created correctly and PAM is set to use winbind, it should work for all users. If it only works for some users but not others, then either you are not using the correct username, they don't have a uidNumber attribute (if using the 'ad' backend) or the 'DOMAIN' range isn't correct.



A quick way to test the latter: add a '0' to the 'DOMAIN' high range in smb.conf.



After that, you need to investigate the user's object in AD. You can use ldapsearch to do this from Unix (provided you have the required permissions, rights and passwords); failing that, get the Windows sysadmins to dump it for you.



Rowland
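
The two causes Rowland lists for users that do not resolve (no uidNumber attribute with the 'ad' backend, or a 'DOMAIN' range that is too narrow), as an added example that is not part of the original thread: it parses the 'idmap config' lines of an smb.conf fragment and tests each user's uidNumber against the range. The EXAMPLE domain, both ranges and the user data are constructed, and the 'ad' backend is assumed.

```python
import re

# Constructed smb.conf fragment; the EXAMPLE domain and both ranges are assumptions.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-99999
"""

# Constructed stand-in for an ldapsearch dump: sAMAccountName -> uidNumber (None = absent).
AD_USERS = {"rowland": "10001", "alice": None, "bob": "150000"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines do not match
        if m:
            entry = domains.setdefault(m.group(1).upper(), {})
            key, value = m.group(2).lower(), m.group(3)
            if key == "range":
                entry["range"] = tuple(int(x) for x in value.split("-"))
            else:
                entry[key] = value
    return domains

def check_users(conf_text, domain, users):
    """Per user, say why 'getent passwd <user>' could come back empty."""
    cfg = parse_idmap(conf_text)[domain.upper()]
    if cfg.get("backend") != "ad":
        raise ValueError("uidNumber is only read from AD by the 'ad' backend")
    low, high = cfg["range"]
    report = {}
    for name, uid in users.items():
        if uid is None:
            report[name] = "no uidNumber attribute"
        elif not low <= int(uid) <= high:
            report[name] = f"uidNumber {uid} outside range {low}-{high}"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for name, status in check_users(SMB_CONF, "EXAMPLE", AD_USERS).items():
        print(f"{name}: {status}")
```

Appending a '0' to the high end of the EXAMPLE range in the fragment, the quick test suggested above, makes the out-of-range user report "ok".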


