[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 00:24:50 UTC 2017


I run a very small Samba AD, consisting of a Samba AD DC and a Samba AD
Member Server, acting as file server.

Today, I added a new user to the AD but I simply can't manage to get access
to the file server - only for this user, all others are working fine.

My AD is rfc2307 based, so I manually have to add UIDs. I did so for the
new user, the ID is within range and not in use. I double checked and
compared all other attributes with those of an existing user, no
difference, all matches.

As it's working from the other user profiles, it can be deduced that there
is no network issue. But I did check DNS, just to be safe.

Running wbinfo -U and getent passwd show the correct information, the new
user is there. Using kinit I can request a Kerberos ticket for him.

I'm not sure if it matters but if I run wbinfo -U on the DC, it will put
the realm in front of the username, i.e. SAMDOM\user. On the member server,
the realm is not shown.

Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server works
fine. But if I run the same command without the -N switch, I get

session setup failed: NT_STATUS_ACCESS_DENIED

I really don't know where else to look. I rebooted the two servers, updated
Samba to its latest version (4.6.5), ran sysvolreset... all to no avail.

Probably I'm missing some step here. Hope someone can help me see it.

/etc/samba/smb.conf

[global]

  netbios name = MEMBERSERVER
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  username map = /etc/samba/samba_usermap

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config MEILEN:backend = ad
  idmap config MEILEN:schema_mode = rfc2307
  idmap config MEILEN:range = 10000-99999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
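
As an added example (not from the original post or from the Samba project), here is a small POSIX shell check that reads a member-server smb.conf of the shape quoted above and reports when the domain label in the "idmap config DOMAIN:" lines differs from the workgroup, or when the domain range overlaps the default "*" range. The smb.conf text inside the script is constructed from the post; the function names and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): consistency check over a
# Samba member-server smb.conf. It reads "workgroup" and every
# "idmap config DOMAIN:..." entry, then flags an idmap domain label that
# differs from the workgroup or a domain range overlapping the "*" range.
# The sample below is constructed from the post for the demonstration.

SMB_CONF_SAMPLE='[global]
  workgroup = SAMDOM
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config MEILEN:backend = ad
  idmap config MEILEN:schema_mode = rfc2307
  idmap config MEILEN:range = 10000-99999'

# conf_value FILE KEY: print the value of the first "KEY = VALUE" line (case-insensitive key)
conf_value() {
    awk -F= -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# check_idmap FILE: print each finding; return 0 when consistent, 1 otherwise
check_idmap() {
    conf=$1; rc=0
    wg=$(conf_value "$conf" workgroup | tr a-z A-Z)
    def_range=$(conf_value "$conf" 'idmap config *:range')
    # domain labels used in "idmap config DOMAIN:backend" lines, excluding "*"
    for dom in $(awk -F= '{ k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) ~ /^idmap config [^*]+:backend$/ { split(k, a, /[ :]/); print a[3] }' "$conf"); do
        if [ "$(printf '%s' "$dom" | tr a-z A-Z)" != "$wg" ]; then
            echo "idmap config domain '$dom' does not match workgroup '$wg'"
            rc=1
        fi
        dom_range=$(conf_value "$conf" "idmap config $dom:range")
        # ranges are LOW-HIGH; they overlap when each low end is at or below the other's high end
        if [ -n "$dom_range" ] && [ "${dom_range%-*}" -le "${def_range#*-}" ] && [ "${def_range%-*}" -le "${dom_range#*-}" ]; then
            echo "range $dom_range for '$dom' overlaps default range $def_range"
            rc=1
        fi
    done
    return $rc
}

SAMPLE_CONF=$(mktemp); printf '%s\n' "$SMB_CONF_SAMPLE" > "$SAMPLE_CONF"
check_idmap "$SAMPLE_CONF" || echo "smb.conf needs attention"
```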

