[Samba] New AD user cannot access file share from member server
Rowland Penny
rpenny at samba.org
Mon Jun 19 06:19:21 UTC 2017
On Mon, 19 Jun 2017 02:24:50 +0200
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I run a very small Samba AD, consisting of a Samba AD DC and a Samba
> AD Member Server, acting as file server.
>
> Today, I added a new user to the AD but I simply can't manage to get
> access to the file server - only for this user, all others are
> working fine.
>
> My AD is rfc2307 based, so I manually have to add UIDs. I did so for
> the new user, the ID is within range and not in use. I double checked
> and compared all other attributes with those of an existing user, no
> difference, all matches.
>
> As it's working from the other user profiles, it can be deduced that
> there is no network issue. But I did check DNS, just to be safe.
>
> Running wbinfo -U and getent passwd show the correct information, the
> new user is there. Using kinit I can request a Kerberos ticket for
> him.
>
> I'm not sure if it matters but if I run wbinfo -U on the DC, it will
> put the realm in front of the username, i.e. SAMDOM\user. On the
> member server, the realm is not shown.
>
> Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server
> works fine. But if I run the same command without the -N switch, I get
>
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I really don't know where else to look. I rebooted the two servers,
> updated Samba to its latest version (4.6.5), ran sysvolreset.. all to
> no avail.
>
> Probably I'm missing some step here. Hope someone can help me see it.
>
> /etc/samba/smb.conf
>
> [global]
>
> netbios name = MEMBERSERVER
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> username map = /etc/samba/samba_usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
OK, it should work. I can see just one problem now that you are
using 4.6.5: 'winbind nss info = rfc2307' has been replaced by 'idmap
config SAMDOM : unix_nss_info = yes'.
Try this and report back.
Rowland
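As an added example (not part of the thread, and not the Samba project's own documentation), here is the member server's [global] section with the change Rowland suggests applied, so the two settings can be compared side by side. It assumes the domain's short name is SAMDOM throughout: the label after "idmap config" has to be the workgroup name, because any domain without a matching block is handled by the "*" default backend, and with tdb that means allocated IDs rather than the uidNumber stored in AD. The template shell / template homedir values are an assumption for the site, used only when a user has no loginShell or unixHomeDirectory attribute.

```ini
[global]
    netbios name = MEMBERSERVER
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    username map = /etc/samba/samba_usermap

    ; Default backend for anything that is not SAMDOM (BUILTIN, trusts).
    ; IDs are allocated locally; the range must not overlap the AD range.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    ; The AD domain itself. The label (SAMDOM) must equal the workgroup
    ; name, otherwise this block is never matched and the "*" backend
    ; is used for the domain's users.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-99999
    ; Per Rowland's reply, on 4.6 this replaces "winbind nss info = rfc2307":
    ; read loginShell / unixHomeDirectory from the AD user object.
    idmap config SAMDOM : unix_nss_info = yes

    ; Fallbacks when the AD object carries no shell/home attributes
    ; (assumption: adjust to the site's layout).
    template shell = /bin/bash
    template homedir = /home/%U

    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
```

After editing, run testparm -s to confirm the file parses and that no deprecated parameter is reported, restart winbind, then check that "wbinfo -i newuser" and "getent passwd newuser" both return the uidNumber, home directory and shell held in AD before retrying the smbclient session setup without -N.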