[Samba] samba 4 ad member - idmap = ad for machine accounts
tomict
samba at iucn.nl
Mon Nov 20 14:59:14 UTC 2017
Hi all,
I have exactly the same problem as the OP and tried the solution below, but
I still get the error:
'Username IUCNNL\PC050$ is invalid on this system'. Should I map the
user account, enable the Guest account, change Unix directory permissions, or
things like that?
Problem:
My Windows 10 computers' machine accounts cannot access shares on a domain
member (Samba 4.6, idmap = ad, CentOS 7).
In more detail:
A startup script in Windows 10 runs under the SYSTEM account and accesses
shares on the network with the machine account. My Samba domain member
(fileserver FS1) is not happy with the user account of the machine. The log
file says: "Username SAMDOM\PC050$ is invalid on this system". However, the
machine is joined to the domain. Normal user accounts can access shares
without problems; machine accounts cannot.
Samba - General mailing list wrote:
> Ps.
>
> Overcoming this problem is very simple ( AD or RID )
>
> 1) setup the SHARE where you need user NT Authority\SYSTEM with
> acl_xattr:ignore system acls = yes
>
> 2) set up your share with Everyone full access.. ( If you don't like
> everyone, you need domain users/computers/guest and maybe even more )
> 1! You must do this from within Windows. ( if you get an access denied
> message when connecting, you forgot something, see 2!)
> 2! Check your SePrivileges setup. (script:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh
> )
>
> 3) set up the FOLDER security.
> Make sure you add "Creator Owner/Creator Group", one or both; your setup is
> your guide. I can't tell that.
> Verified Users, Read
> System Full Control
> Any other group you want, but at least "Domain Admins" FULL control.
>
> 4) Try to avoid chmod/chown use getfacl setfacl in scripts.
>
>
> Give it a try, this works fine here. (as of Debian jessie and up, with
> samba 4.4+ up to 4.6.7 tested/in production)
>
>
> Greetz,
>
> Louis
Below is relevant info (I think) for my case.
What I did/tried:
-With ADUC (WS 2012) I added NIS domain 'samdom' to the Unix attributes of
users, groups, and also to computers (is the latter necessary?)
-I test the connection to the shares as system user on the win10 machine by
using "psexec.exe -s cmd.exe", and then "dir \\fs1\datasys" (see smb.conf
below) or any other share name. Access is denied. The startup script has the
same problem.
-I can get AD groups and users on FS1 with getent group and getent passwd.
-The Windows 10 machine account can successfully access the sysvol share
on the domain controller DC ("dir \\dc1\sysvol")
-The three shares in the conf file below are inaccessible to the machine
account. The third share is the one I am testing with. I tried the suggestion
above to add "acl_xattr:ignore system acls = yes" to the share. This did not
solve the problem, so I probably missed something.
-I do not want to make another fileserver with backend = rid if I can avoid
it.
-If I map the PC050$ name to root I can access the shares, but I do not
want that permanently (security). I think I could add another user and map
computers to that name, but that still seems awkward to me.
Configuration info:
-The DC and the fileserver (FS1, the domain member) run CentOS 7, Samba
4.6.10.
smb.conf on FS1:
[global]
security = ADS
workgroup = SAMDOM
realm = AD.EXAMPLE.NL
ntlm auth = yes
# log file = /var/log/samba/%m.log
# log level = 2
log level = 3 passdb:5 auth:5
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : default = yes
winbind nss info = template
template shell = /bin/bash
template homedir = /data/home/%U
winbind use default domain = yes
allow dns updates = nonsecure
username map = /etc/samba/user.map
spoolss: architecture = Windows x64
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
# shares
[datatest]
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
path = /data/datatest
read only = no
[datasys]
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
path = /data/datasys
read only = no
# testfolder
[testfolfder]
vfs objects = acl_xattr
acl_xattr:ignore system acls = yes
# I used: mkdir /data/testfolder ; chmod 0770 /data/testfolder ; chown root."domain admins" /data/testfolder
path = /data/testfolder
read only = no
smb.conf on DC1
[global]
workgroup = SAMDOM
realm = AD.EXAMPLE.NL
netbios name = DC1
server role = active directory domain controller
dns forwarder = 192.168.3.2
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
winbind enum users = yes
winbind enum groups = yes
ldap server require strong auth = no
username map = /etc/samba/user.map
log level = 3
[netlogon]
path = /var/lib/samba/sysvol/ad.example.nl/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
--
Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
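As an added diagnostic example (not code from the thread or from the Samba project), a small Python linter that pulls the idmap settings out of an smb.conf like the one above, checks that the "*" and SAMDOM id ranges do not overlap, flags lines that are not "key = value" (such as a comment a mail client wrapped onto a second line), and reminds that idmap_ad only maps AD objects that carry uidNumber/gidNumber, which is why a machine account without those attributes is reported as an invalid username. SAMPLE_CONF is a constructed fragment modelled on the FS1 config, not the poster's real file.

```python
import re
from itertools import combinations

# Constructed sample modelled on the poster's FS1 config, not the real file.
SAMPLE_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
[testfolder]
   # I used: mkdir /data/testfolder ; chown
   root."domain admins" /data/testfolder
   path = /data/testfolder
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
IDMAP_RE = re.compile(r"^idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)$", re.I)


def parse_smb_conf(text):
    """Return ({DOMAIN: {key: value}} from [global], [malformed lines])."""
    idmap, problems, section = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name").lower()
        elif "=" not in line:  # e.g. a comment that a mailer wrapped onto a new line
            problems.append(f"line {n}: not 'key = value': {line!r}")
        elif section == "global" and (m := IDMAP_RE.match(line)):
            idmap.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return idmap, problems


def check_idmap(idmap):
    """Flag overlapping id ranges and the uidNumber/gidNumber requirement of idmap_ad."""
    findings, ranges = [], {}
    for dom, cfg in idmap.items():
        if "range" not in cfg:
            continue
        lo, hi = (int(x) for x in cfg["range"].split("-"))
        ranges[dom] = (lo, hi)
        if cfg.get("backend", "").lower() == "ad":
            findings.append(f"{dom}: backend=ad maps only objects with uidNumber/gidNumber "
                            f"in {lo}-{hi}; computer accounts (NAME$) lacking them will not resolve")
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"{a} and {b}: id ranges overlap")
    return findings
```

Run it against a copy of the real smb.conf with parse_smb_conf(open(path).read()); on the sample it reports the wrapped comment line and the idmap_ad note, and no range overlap.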