[Samba] samba 4 ad member - idmap = ad for machine accounts

tomict samba at iucn.nl
Mon Nov 20 14:59:14 UTC 2017

Hi all,

I have exactly the same problem as the OP and tried the solution below, but
I still get the error:
'Username IUCNNL\PC050$ is invalid on this system'. Should I map the
user account, enable the Guest account, change Unix directory permissions or
things like that?

My Windows 10 computers' machine accounts cannot access shares on a domain
member (Samba 4.6, idmap = ad, CentOS 7).

More detailed:
Startup script in Windows 10 runs under the system account and accesses
shares on the network with the machine account. My Samba domain member
(fileserver FS1) is not happy with the user account of the machine. The log
file says: "Username SAMDOM\PC050$ is invalid on this system". However, the
machine is joined to the domain. Normal user accounts can access shares
without problems, machine accounts cannot.

Samba - General mailing list wrote
> Ps.
> To overcome this problem is very simple (AD or RID):
> 1) setup the SHARE where you need user NT Authority\SYSTEM with
> acl_xattr:ignore system acls = yes
> 2) setup your share with Everyone full access. (If you don't like
> Everyone, you need domain users/computers/guest and maybe even more)
>   1! You must do this from within Windows. (message "access denied" when
> connecting: you forgot something, see 2!)
>   2! Check your SePrivileges setup. (script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
> )
> 3) setup the FOLDER security.
>   Make sure you add "Creator Owner/Creator Group", one or both; your setup is
> your guide. I can't tell that.
>   Verified Users, Read
>   System Full Control
>   Any other group you want, but at least "Domain Admins" FULL control.
> 4) Try to avoid chmod/chown; use getfacl/setfacl in scripts.
> Give it a try, this works fine here. (as of Debian jessie and up, with
> samba 4.4+ up to 4.6.7 tested/in production)
> Greetz,
> Louis

Below is relevant info (I think) for my case

What I did/tried: 
-With ADUC (WS 2012) I added NIS domain 'samdom' to the Unix attributes of
users, groups, and also to computers (is the latter necessary?)
-I test the connection to the shares as system user on the Win10 machine by
using "psexec.exe -s cmd.exe", and then "dir \\fs1\datasys" (see smb.conf
below) or any other share name. Access is denied. The startup script has the
same problem.
-I can get AD groups and users on FS1 with getent group and getent passwd.
-The Windows 10 machine account can successfully access the sysvol share
on the domain controller DC ("dir \\dc1\sysvol")
-The three shares in the conf file below are inaccessible to the machine
account. The third share is the one I am testing with. I tried the suggestion
above to add "acl_xattr:ignore system acls = yes" to the share. This did not
solve the problem, so I probably missed something.
-I do not want to make another fileserver with backend = rid if I can avoid it.
-If I map the PC050$ name to root I can access the shares, but I do not
want that permanently (security). I think I could add another user and map
computers to that name, but that still seems awkward to me.

Configuration info: 
-The DC and the fileserver (FS1, the domain member) run centos 7, samba

smb.conf on FS1:

[global]
        security = ADS
        workgroup = SAMDOM
        realm = AD.EXAMPLE.NL
        ntlm auth = yes
#       log file = /var/log/samba/%m.log
#       log level = 2
        log level = 3 passdb:5 auth:5

        idmap config * : backend = tdb
        idmap config * : range = 3000-9999
        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : schema_mode = rfc2307
        idmap config SAMDOM : range = 10000-999999
        idmap config SAMDOM : default = yes
        winbind nss info = template
        template shell = /bin/bash
        template homedir = /data/home/%U
        winbind use default domain = yes
        allow dns updates = nonsecure
        username map = /etc/samba/user.map
        spoolss: architecture = Windows x64
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = Yes

# shares
# (the [section] headers are missing from the mail as archived; [datasys] is
# the share named in the text above, the other two are named after their paths)
[datatest]
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        path = /data/datatest
        read only = no

[datasys]
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        path = /data/datasys
        read only = no

# testfolder
[testfolder]
        vfs objects = acl_xattr
        acl_xattr:ignore system acls = yes
        # I used: mkdir /data/testfolder ; chmod 0770 /data/testfolder ; chown root."domain admins" /data/testfolder
        path = /data/testfolder
        read only = no

smb.conf on DC1:

[global]
        workgroup = SAMDOM
        realm = AD.EXAMPLE.NL
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder =
        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure
        winbind enum users = yes
        winbind enum groups = yes
        ldap server require strong auth = no
        username map = /etc/samba/user.map
        log level = 3

# (section headers missing from the mail; these are the standard [netlogon]
# and [sysvol] shares that a Samba DC provision creates for these two paths)
[netlogon]
        path = /var/lib/samba/sysvol/ad.example.nl/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
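As an added illustration, not part of the original post and not Samba's own code: the idmap lines in the FS1 config above are the first thing to verify on a member server like this, because Samba requires that the "*" range and every domain range never overlap, and because with the ad backend a SAMDOM account is only mapped if AD carries a uidNumber/gidNumber for it, which computer accounts usually lack. The POSIX shell script below parses the "idmap config" lines out of an smb.conf text (a constructed copy of the post's idmap settings, plus a constructed variant with an overlap), checks the ranges, and reports which backend handles a given domain. The function names, the OTHERDOM domain and both sample configs are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Sanity-checks the "idmap config" lines of an smb.conf: ranges must be
# well-formed and must not overlap each other (including the "*" range),
# and it reports which idmap backend a given domain ends up with.

# Constructed sample: the idmap settings of the FS1 config from the post.
SAMPLE_CONF='
[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
'

# Constructed variant where the "*" range runs into the SAMDOM range.
OVERLAP_CONF='
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-10500
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
'

# idmap_settings CONF_TEXT
# Prints each "idmap config <domain> : <key> = <value>" line as
# "<domain> <key> <value>" (key lowercased, whitespace stripped, domain
# case kept). smb.conf keys are case-insensitive, so the match is done
# on a lowercased copy of the line.
idmap_settings() {
    printf '%s\n' "$1" | awk '
        { lower = tolower($0) }
        lower ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[^=]+=/ {
            match(lower, /^[ \t]*idmap[ \t]+config[ \t]+/)
            rest = substr($0, RLENGTH + 1)
            n = index(rest, ":")
            dom = substr(rest, 1, n - 1); gsub(/[ \t]/, "", dom)
            kv = substr(rest, n + 1)
            e = index(kv, "=")
            key = tolower(substr(kv, 1, e - 1)); gsub(/[ \t]/, "", key)
            val = substr(kv, e + 1); gsub(/[ \t]/, "", val)
            print dom, key, val
        }'
}

# idmap_ranges CONF_TEXT
# Prints "<domain> <low> <high>" for every configured range.
idmap_ranges() {
    idmap_settings "$1" | awk '$2 == "range" { split($3, l, "-"); print $1, l[1], l[2] }'
}

# check_idmap_ranges CONF_TEXT
# Returns 0 when every range is numeric with low <= high and no two
# ranges overlap; otherwise prints one diagnostic per problem and returns 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        {
            dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
            if ($2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || lo[NR] > hi[NR]) {
                printf "BAD RANGE: %s: %s-%s\n", $1, $2, $3; bad = 1
            }
        }
        END {
            if (NR == 0) { print "NO idmap ranges configured"; bad = 1 }
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP: %s %d-%d and %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit (bad ? 1 : 0)
        }'
}

# idmap_backend_for CONF_TEXT DOMAIN
# Prints the backend Samba uses for DOMAIN: its own "idmap config DOMAIN :
# backend" if present, else the "*" backend. With "ad", an account is only
# mapped when AD stores a uidNumber/gidNumber for it; computer accounts
# usually have none, so they get no Unix ID from this backend.
idmap_backend_for() {
    idmap_settings "$1" | awk -v want="$2" '
        $2 == "backend" {
            if (toupper($1) == toupper(want)) specific = $3
            else if ($1 == "*") fallback = $3
        }
        END { print (specific != "" ? specific : fallback) }'
}

report() {   # report LABEL CONF_TEXT
    printf '== %s ==\n' "$1"
    if check_idmap_ranges "$2"; then echo "idmap ranges: OK"; else echo "idmap ranges: FIX THESE"; fi
    printf 'backend for SAMDOM: %s\n' "$(idmap_backend_for "$2" SAMDOM)"
    printf 'backend for OTHERDOM (not configured): %s\n' "$(idmap_backend_for "$2" OTHERDOM)"
}

report "config from the post" "$SAMPLE_CONF"
report "constructed overlapping config" "$OVERLAP_CONF"
```

To run it against a live server, pass the real file instead of the embedded text, e.g. `check_idmap_ranges "$(cat /etc/samba/smb.conf)"`; the post's own ranges (3000-9999 and 10000-999999) pass the overlap check, so on FS1 the question is the backend, not the ranges: SAMDOM resolves to "ad", and an account without RFC2307 attributes in AD is exactly what produces an unmappable name there.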

