[Samba] New AD user cannot access file share from member server
Rowland Penny
rpenny at samba.org
Mon Jun 19 10:59:28 UTC 2017
On Mon, 19 Jun 2017 12:38:09 +0200
Viktor Trojanovic <viktor at troja.ch> wrote:
> Here is the DC's smb.conf:
>
>
> [global]
> workgroup = SAMDOM
> realm = SAMDOM.EXAMPLE.COM
> netbios name = DC
> interfaces = lo br-lxc
> bind interfaces only = Yes
> server role = active directory domain controller
> dns forwarder = 192.168.1.2
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
Nothing wrong there
>
> I'm not sure what you mean by showing you the user's AD object, can
> you elaborate?
OK, install ldb-tools if not installed, then run this:
ldbsearch -H /usr/local/samba/private/sam.ldb -b 'cn=users,dc=samdom,dc=example,dc=com' -s sub "(&(objectclass=person)(samaccountname=rowland))"
Just in case it has got split up over multiple lines, the above should
be just one line.
Replace:
/usr/local/samba/private/sam.ldb with the path to your sam.ldb
dc=samdom,dc=example,dc=com with your dns/realm names
rowland with your user's name
You should get something like this back:
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
CN: Rowland Penny
sn: Penny
description: A Unix user
givenName: Rowland
instanceType: 4
whenCreated: 20151109093821.0Z
displayName: Rowland Penny
uSNCreated: 3365
name: Rowland Penny
objectGUID: 28103293-9fc9-4681-b19c-ae1150fe2b72
userAccountControl: 66048
codePage: 0
countryCode: 0
homeDrive: H:
pwdLastSet: 130915355010000000
primaryGroupID: 513
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1107
accountExpires: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
unixUserPassword: ABCD!efgh12345$67890
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: samdom
uidNumber: 10000
gecos: Rowland Penny
unixHomeDirectory: /home/rowland
loginShell: /bin/bash
memberOf: CN=DnsAdmins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=TestGroup,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Unix Admins,CN=Users,DC=samdom,DC=example,DC=com
memberOf: CN=Group12,CN=Users,DC=samdom,DC=example,DC=com
homeDirectory: \\MEMBER1\home\rowland
objectClass: top
objectClass: securityPrincipal
objectClass: person
objectClass: organizationalPerson
objectClass: user
gidNumber: 10000
lastLogonTimestamp: 131418520439158520
whenChanged: 20170613182723.0Z
uSNChanged: 121030
lastLogon: 131423412865104840
logonCount: 633
distinguishedName: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
# returned 1 records
# 1 entries
# 0 referrals
Please post that, though you can sanitise it if you like, but if you
do, use the same changes throughout.
>
> Samba is running on (Arch) Linux with Kernel 4.11. Clients are
> Windows 10 with all the latest updates, I'm running the RSAT from
> there.
>
In which case you will not have the 'Unix Attributes' tab in ADUC.
Rowland
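
The request above to sanitise the ldbsearch output "with the same changes throughout" can be done mechanically. This is an added example, not part of the original message or of Samba: it unfolds wrapped output lines, redacts password attributes and applies one replacement table to every line. The sample record, the replacement table, the list of secret attributes and the function names are all constructed for illustration.

```python
import re

# Constructed sample of ldbsearch output (not from a real directory); the
# objectCategory value is folded onto a continuation line, as ldbsearch does.
SAMPLE = """\
# record 1
dn: CN=Jane Doe,CN=Users,DC=corp,DC=internal,DC=test
userPrincipalName: jdoe@corp.internal.test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=internal,DC=t
 est
unixUserPassword: constructed-secret
unixHomeDirectory: /home/jdoe
"""
# Constructed replacement table: real value -> value used in the posted copy.
MAPPING = {
    "DC=corp,DC=internal,DC=test": "DC=samdom,DC=example,DC=com",
    "corp.internal.test": "samdom.example.com",
    "Jane Doe": "User One",
    "jdoe": "user1",
}
# Attributes whose values are dropped rather than renamed (assumed list).
SECRET_ATTRS = {"unixuserpassword", "userpassword"}


def unfold(text):
    """Join continuation lines (leading single space) to the line above."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def sanitise(text, mapping):
    """Apply one non-empty replacement table, case-insensitively, to all lines."""
    # Longest keys first so a full DN or realm wins over a shorter substring.
    keys = sorted(mapping, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(k) for k in keys), re.IGNORECASE)
    lowered = {k.lower(): v for k, v in mapping.items()}
    out = []
    for line in unfold(text):
        attr, sep, _ = line.partition(":")
        if sep and attr.strip().lower() in SECRET_ATTRS:
            out.append(f"{attr}: REDACTED")
        else:
            out.append(pattern.sub(lambda m: lowered[m.group(0).lower()], line))
    return "\n".join(out)
```

Unfolding before replacing matters: a realm or DN split across a wrapped line would otherwise survive in the posted copy.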