[Samba] user cannot access shares on new ad-dc
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 10 10:31:55 UTC 2017
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Klaus Hartnegg via samba
> Sent: Tuesday 10 October 2017 12:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] user cannot access shares on new ad-dc
> Is it normal that "Computer Management" cannot configure
> shared directories of a Samba4 AD-DC? Is this only possible
> on member servers?
No, did you set the SePrivileges?
> It can connect to the DC, but when I click on shares it tells
> that either the server does not support "virtual disk
> service" (translated from German), or a firewall blocks the
> connection. There is no firewall between these machines in my
> test environment. I started Computer Management as
> domain-admin on domain-joined Win7.
Go shares, configure there.
> Is it normal that non-admin users (on Win7) get permission
> denied if they want to look inside of \\dc.ad.domain\sysvol
> or netlogon? They can look inside these directories on
> Windows servers, but not on my newly provisioned AD-DC test server.
Yes/No. If the non-admin users are domain users, then no, that's not normal.
If they are not domain users, then yes, that's normal.
When prompted for a username, use DOM\user or username at REALM
> They cannot even access a test-share when I make them owner
> of it with chown.
> The wiki page
> instructs to append "winbind" behind "files" in the lines
> "passwd" and "group". But my nsswitch.conf (ubuntu 14) had
> "compat" there, not "files". Should I replace "compat" with
> "files", or append "winbind"
> behind "compat"?
No, "compat winbind" is correct. (Don't set "winbind compat".)
(Debian/Ubuntu use compat.)
> The command "pam-auth-update" does not produce any output.
> How can I check if it has done anything?
> I can do
> chown "domain\\user" file
I suggest using getfacl and setfacl.
Since you only want Windows access, don't use POSIX ACLs, stay with Windows ACLs.
> and then that domain-user is shown in
> ls -la file
> Does that mean that everything works?
Yes, that looks good.
> I get the impression that winbindd and PAM are needed mostly
> (only?) if users want to log on to the DC with ssh.
> The page
> about winbindd describes how to set up templates for shell and
> homedir. The page about PAM talks about "SSH authentication".
> I just want to access shares!
> Reading the wiki I cannot determine what precisely are the
> required steps to access shares on a DC.
Start at the top. Tested on Debian stretch, but I don't see
any problems for Ubuntu 14.04 and 16.04, the steps are almost the same.
(You might need to change some package names.)
If you notice a difference, make a comment and I'll adapt it.
Review the file: stretch-base-2.0-samba-minimal-ad.txt
That setup resulted in me being able to access a share (as domain admin),
or the same as a normal (domain) user, and when prompted I enter a regular domain\username or username at REALM
And I'm also able to access the server.
So review your setup based on this one.
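
The nsswitch.conf ordering discussed in this reply ("compat winbind", not "winbind compat") can be checked with a short script. This is an added example, not part of the original message or of the Samba wiki; the function name check_nss_winbind and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the passwd and group lines of an nsswitch.conf
# list "winbind" after "compat" or "files". check_nss_winbind is a
# hypothetical helper name, not a Samba tool.

check_nss_winbind() {
    # $1 = path to nsswitch.conf ("-" reads standard input)
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        $1 == "passwd:" || $1 == "group:" {
            db = $1; base = 0; wb = 0
            for (i = 2; i <= NF; i++) {
                if (($i == "compat" || $i == "files") && !base) base = i
                if ($i == "winbind" && !wb) wb = i
            }
            seen[db] = 1
            if (!wb)                     status[db] = "winbind missing"
            else if (!base || wb < base) status[db] = "winbind not after compat/files"
            else                         status[db] = "ok"
        }
        END {
            rc = 0
            n = split("passwd: group:", want, " ")
            for (k = 1; k <= n; k++) {
                db = want[k]
                if (!(db in seen)) status[db] = "no entry"
                print db, status[db]
                if (status[db] != "ok") rc = 1
            }
            exit rc                              # 0 only if both lines are ok
        }
    ' "$1"
}

if [ "$#" -gt 0 ]; then
    check_nss_winbind "$1"
else
    # Constructed sample, not taken from the server in this thread.
    check_nss_winbind - <<'EOF'
passwd: compat winbind
group:  compat winbind
shadow: compat
EOF
fi
```

Run it with the path to the file, for example `/etc/nsswitch.conf`; a non-zero exit status means at least one of the two lines needs attention.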