[Samba] New AD user cannot access file share from member server

Viktor Trojanovic viktor at troja.ch
Mon Jun 19 09:15:02 UTC 2017


Thanks for the quick reply, Rowland.

I changed the respective line in my member server's smb.conf, and restarted
smbd, winbindd, and nmbd.

The issue persists. I can access the share with all users except this one.

On 19 June 2017 at 08:19, Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Mon, 19 Jun 2017 02:24:50 +0200
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > I run a very small Samba AD, consisting of a Samba AD DC and a Samba
> > AD Member Server, acting as file server.
> >
> > Today, I added a new user to the AD but I simply can't manage to get
> > access to the file server - only for this user, all others are
> > working fine.
> >
> > My AD is rfc2307 based, so I manually have to add UIDs. I did so for
> > the new user, the ID is within range and not in use. I double checked
> > and compared all other attributes with those of an existing user, no
> > difference, all matches.
> >
> > As it's working from the other user profiles, it can be deduced that
> > there is no network issue. But I did check DNS, just to be safe.
> >
> > Running wbinfo -U and getent passwd show the correct information, the
> > new user is there. Using kinit I can request a Kerberos ticket for
> > him.
> >
> > I'm not sure if it matters but if I run wbinfo -U on the DC, it will
> > put the realm in front of the username, i.e. SAMDOM\user. On the
> > member server, the realm is not shown.
> >
> > Running smbclient -L \\MEMBERSERVER -Unewuser -N on the member server
> > works fine. But if I run the same command without the -N switch, I get
> >
> > session setup failed: NT_STATUS_ACCESS_DENIED
> >
> > I really don't know where else to look. I rebooted the two servers,
> > updated Samba to its latest version (4.6.5), ran sysvolreset... all to
> > no avail.
> >
> > Probably I'm missing some step here. Hope someone can help me see it.
> >
> > /etc/samba/smb.conf
> >
> > [global]
> >
> >   netbios name = MEMBERSERVER
> >   workgroup = SAMDOM
> >   security = ADS
> >   realm = SAMDOM.EXAMPLE.COM
> >   dedicated keytab file = /etc/krb5.keytab
> >   kerberos method = secrets and keytab
> >
> >   username map = /etc/samba/samba_usermap
> >
> >   idmap config *:backend = tdb
> >   idmap config *:range = 2000-9999
> >   idmap config MEILEN:backend = ad
> >   idmap config MEILEN:schema_mode = rfc2307
> >   idmap config MEILEN:range = 10000-99999
> >
> >   winbind nss info = rfc2307
> >   winbind trusted domains only = no
> >   winbind use default domain = yes
> >   winbind enum users  = yes
> >   winbind enum groups = yes
> >   winbind refresh tickets = Yes
> >
> >   vfs objects = acl_xattr
> >   map acl inherit = Yes
> >   store dos attributes = Yes
>
> OK, it should work, I can see just one problem now that you are
> using 4.6.5, 'winbind nss info = rfc2307' has been replaced by 'idmap
> config SAMDOM : unix_nss_info = yes'
>
> Try this and report back.
>
> Rowland
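
Added example, not part of the thread and not Samba's own tooling: a small lint for a member-server smb.conf that applies Rowland's point (on 4.6.x the per-domain `unix_nss_info` setting replaces `winbind nss info`) and also flags an `idmap config` domain that differs from `workgroup`, as MEILEN and SAMDOM do in the posted file. The sample config is constructed from the quoted lines, `parse_global` and `lint_idmap` are hypothetical helper names, and the second check assumes the posted domain names are literal rather than partly anonymized.

```python
import re

# Constructed sample: the idmap/winbind lines from the smb.conf quoted in the thread.
SAMPLE_CONF = """\
[global]
  workgroup = SAMDOM
  security = ADS
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config MEILEN:backend = ad
  idmap config MEILEN:schema_mode = rfc2307
  idmap config MEILEN:range = 10000-99999
  winbind nss info = rfc2307
"""

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def lint_idmap(text):
    """Hypothetical helper: list findings for domains using the 'ad' idmap backend."""
    p = parse_global(text)
    findings = []
    ad_domains = sorted(
        m.group(1).upper() for k, v in p.items()
        if (m := re.fullmatch(r"idmapconfig(.+):backend", k)) and v.lower() == "ad"
    )
    workgroup = p.get("workgroup", "").upper()
    for dom in ad_domains:
        if f"idmapconfig{dom.lower()}:unix_nss_info" not in p and "winbindnssinfo" in p:
            findings.append("replace 'winbind nss info' with "
                            f"'idmap config {dom} : unix_nss_info = yes'")
        if workgroup and dom != workgroup:  # assumes names are not anonymized
            findings.append(f"idmap domain {dom} does not match workgroup {workgroup}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_idmap(SAMPLE_CONF)))
```
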



