[Samba] samba share management / connection problem

basti mailinglist at unix-solution.de
Wed Feb 22 14:22:44 UTC 2017


Hello,
I have set up an AD DC and a file server.
On the file server I can see domain users with wbinfo and getent passwd.

When I try to manage a share on the file server
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs)
I get the error "Computer cannot be managed. Verify that the network path
is correct ...." and after that "you do not have permission to see the
list of shares for windows clients samba".

When I try to connect to the AD member with smbclient I get:


root at fileserver:/var/log/samba# smbclient -k -L
fileserver.ad.example.com -d 3 -U admin
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=192.168.122.7 bcast=192.168.122.255
netmask=255.255.255.0
Client started (version 4.2.14-Debian).
Connecting to 192.168.122.7 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server
principal=cifs/fileserver.ad.example.com at ad.example.com
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
root at fileserver:/var/log/samba#


root at fileserver:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at ad.example.com

Valid starting       Expires              Service principal
22.02.2017 14:54:15  23.02.2017 00:54:15
krbtgt/ad.example.com at ad.example.com
	renew until 23.02.2017 14:54:12
22.02.2017 15:05:00  23.02.2017 00:54:15
cifs/kes-fileserver.ad.example.com at ad.example.com

root at fileserver:/var/log/samba# getent passwd someuser
someuser:*:7072:30000:someuser:/home/users/someuser:/bin/bash


[global]
       security = ADS
       workgroup = AD
       realm = AD.EXAMPLE.COM

       log file = /var/log/samba/%m.log
       log level = 3

       # Default ID mapping configuration for local BUILTIN accounts
       # and groups on a domain member. The default (*) domain:
       # - must not overlap with any domain ID mapping configuration!
       # - must use a read-write-enabled back end, such as tdb.
       idmap config * : backend = tdb
       idmap config * : range = 1000-1005

       # idmap config for the AD domain
       # alf has uid 1006
       idmap config AD:backend = ad
       idmap config AD:schema_mode = rfc2307
       idmap config AD:range = 1006-999999

        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/users/%U
        template shell = /bin/bash

        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

[Demo]
       path = /home/demo/
       read only = no
       valid users = +AD\"Domain Users"
       guest ok = yes


