[Samba] Samba and AD based home shares are visible but not accessible
Rowland Penny
rpenny at samba.org
Wed Jul 12 17:00:40 UTC 2017
On Wed, 12 Jul 2017 16:11:56 +0000
"Cybulski, Adam M" <acybulski at albany.edu> wrote:
> OK, here are all the steps I took today, I am still receiving the
> same issue after following the wiki. Any time I have sanitized
> something I have put it in <carrots> and tried to maintain the
> capitalization as it appeared. Everything else is exactly as written
> or displayed.
>
> Kerberos:
> Krb5.conf:

Change it to:

    [libdefaults]
    default_realm = UNIV.<SCHOOL>.EDU
    dns_lookup_realm = false
    dns_lookup_kdc = true

> Configure Samba:
>
> Made new smb.conf with following information:
>
> [global]
> security = ADS
> workgroup = <DOMAINALIAS>
> realm = UNIV.<SCHOOL>.EDU
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config * : backend = ad
> idmap config * : range = 3000-7999

Sorry, but that is wrong ;-)
I would expect something like:

    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config <DOMAINALIAS> : backend = ad
    idmap config <DOMAINALIAS> : schema_mode = rfc2307
    idmap config <DOMAINALIAS> : range = 10000-99999

Or (from 4.6.0):

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config <DOMAINALIAS> : backend = ad
    idmap config <DOMAINALIAS> : unix_nss_info = yes
    idmap config <DOMAINALIAS> : range = 10000-99999

> username map = /usr/local/samba/etc/smbuser.map
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
>
> MAPPING DOMAIN ADMIN ACCOUNT: (I think this is where I may have been
> going wrong. I was using a domain account, that is supposed to have
> admin permissions on this system, but does not have “Domain Join”
> privileges in our domain. This may cause issues, as there are not
> supposed to be any accounts that have both admin privileges on this
> box, and have domain admin privileges. I have changed this to an
> account with domain join privileges.)
>
> Smbusers.map
> # Unix_name = SMB_Name1 SMB_Name2 ...
> ! root = <DOMAINALIAS>\<Domainadmin> <DOMAINALIAS>\<domainadmin> <Domainadmin> <domainadmin>
> nobody = guest smbguest pcguest
'root' is normally mapped to 'Administrator', not sure your way is
going to work.
>
> Join the domain:
>
> #net ads join -U <domainadmin>
> Enter <domainadmin>'s password:
> Using short domain name -- <DOMAINALIAS>
> Joined '<HOSTNAME>' to dns domain 'univ.<school>.edu'
> DNS Update for <hostname>.univ.<school>.edu failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
This is normally because of permission problems.
>
> The wiki advises I test if dynamic DNS updates are working. I cannot
> run any commands on the DC, I’m in one department at a university,
> this is handled at the University IT level. 10,000 other systems are
> working fine though.
What is your DC and does it run a DNS server?
>
> Configuring NSS:
> Nsswitch.conf:
> passwd: files sss winbind
> shadow: files sss
> group: files sss winbind
> hosts: files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
> netgroup: files sss
> publickey: nisplus
> automount: files sss
> aliases: files nisplus
Can I suggest you remove sssd and this should remove all mention of
'sss', otherwise, move 'sss' to after 'winbind'
>
> Starting services:
>
> # systemctl start winbind
> # systemctl start smbd
> Failed to start smbd.service: Unit not found.
> # systemctl start smb
> # systemctl start nmb
>
> Testing: <-------WIKI OUT OF DATE? ----->
> #wbinfo --ping-dc
> bash: wbinfo: command not found...

Er, no:

    wbinfo --ping-dc
    checking the NETLOGON for domain[SAMDOM] dc connection to "dc1.samdom.example.com" succeeded

It cannot find wbinfo, I think you need to install
'samba4-winbind-clients'

>
> Setting up a share:
>
> I have ACL support, and it is in the smb.conf
Again, er, no you haven't
Rowland
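
Added example, not part of the original message and not Samba code: a small Python check for the idmap mistake corrected in this thread (backend 'ad' on the default domain '*' with no lines for the joined domain), plus overlapping ID ranges. The function name lint_idmap and the SAMDOM sample configs are constructed for illustration; SAMDOM stands in for the sanitized <DOMAINALIAS>.

```python
import re

# "idmap config DOMAIN : option = value"; smb.conf names are case-insensitive.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([^=#;\[]+?)\s*=\s*(.+?)\s*$")

# Constructed samples: SAMDOM stands in for the sanitized <DOMAINALIAS>.
AS_POSTED = """[global]
security = ADS
workgroup = SAMDOM
idmap config * : backend = ad
idmap config * : range = 3000-7999
"""
AS_CORRECTED = """[global]
security = ADS
workgroup = SAMDOM
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-99999
"""


def lint_idmap(conf_text):
    """Return findings for the idmap mistakes discussed in this thread."""
    params, idmap = {}, {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:  # idmap[domain][option] = value
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif (m := PARAM_RE.match(line)):
            params[m.group(1).lower()] = m.group(2)
    findings = []
    workgroup = params.get("workgroup", "").upper()
    if idmap.get("*", {}).get("backend", "").lower() == "ad":
        findings.append("default domain '*' uses backend 'ad'; use tdb for '*'")
    if workgroup and workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup}' lines for the joined domain")
    # Ranges of different domains must not overlap, or IDs become ambiguous.
    ranges = sorted((*map(int, o["range"].split("-")), d)
                    for d, o in idmap.items() if "range" in o)
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("as corrected", AS_CORRECTED)):
        print(name, "->", lint_idmap(text) or "no findings")
```

On a real host, pass the output of testparm -s to lint_idmap rather than the raw file so that included files are already merged.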