[Samba] user cannot access shares on new ad-dc

L.P.H. van Belle belle at bazuin.nl
Tue Oct 10 10:31:55 UTC 2017

Samba version? 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Klaus Hartnegg via samba
> Sent: Tuesday 10 October 2017 12:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] user cannot access shares on new ad-dc
> Hello,
> Is it normal that "Computer Management" cannot configure 
> shared directories of a Samba4 AD-DC? Is this only possible 
> on member servers? 
No, did you set the SePrivileges?

> It can connect to the DC, but when I click on shares it tells 
> that either the server does not support "virtual disk 
> service" (translated from German), or a firewall blocks the 
> connection. There is no firewall between these machines in my 
> test environment. I started Computer Management as 
> domain-admin on domain-joined Win7.
Go to shares, configure there.

> Is it normal that non-admin users (on Win7) get permission 
> denied if they want to look inside of \\dc.ad.domain\sysvol 
> or netlogon? They can look inside these directories on 
> Windows servers, but not on my newly provisioned AD-DC test server.
Yes/No. The non-admin users: if it's a domain user, then no, not normal. 
Not a domain user: yes, that's normal. 

When prompted for a username, use DOM\user or username at REALM

> They cannot even access a test-share when I make them owner 
> of it with chown.
> The wiki page
>     Configuring_Winbindd_on_a_Samba_AD_DC
> instructs to append "winbind" behind "files" in the lines 
> "passwd" and "group". But my nsswitch.conf (ubuntu 14) had 
> "compat" there, not "files". Should I replace "compat" with 
> "files", or append "winbind" 
> behind "compat"?
No, compat winbind is correct. ( don't set winbind compat )
( Debian/Ubuntu use compat ) 

> The command "pam-auth-update" does not produce any output. 
> How can I check if it has done anything?
> I can do
>    chown "domain\\user" file
I suggest using getfacl and setfacl. 
Since you only want Windows access, don't use POSIX ACLs, stay with Windows ACLs. 

> and then that domain-user is shown in
>    ls -la file
> Does that mean that everything works?
Yes, that looks good. 

> I get the impression that winbindd and PAM are needed mostly 
> (only?) if users want to log on to the DC with ssh.
Yes, correct. 

> The page 
> about winbindd describes how to set up templates for shell and 
> homedir. The page about PAM talks about "SSH authentication". 
> I just want to access shares! 
> Reading the wiki I cannot determine what precisely are the 
> required steps to access shares on a DC.

Start at the top. Tested on Debian stretch, but I don't see 
any problems for Ubuntu 14.04 and 16.04; the steps are almost the same. 
( you might need to change some package names ) 
If you notice a difference, make a comment and I'll adapt it. 

Review the file: stretch-base-2.0-samba-minimal-ad.txt
With that setup I was able to access a share ( as domain admin ) 


Or the same as a normal (domain) user, and when prompted I enter a regular domain\username or username at REALM 
And I'm also able to access the server. 

So review your setup based on this one.
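
An added example, not part of the original message or of Samba: a small shell check for the nsswitch.conf ordering discussed in this thread (winbind listed after compat or files on the passwd and group lines). The function name check_nsswitch and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# check_nsswitch FILE
# Hypothetical helper: verifies that the passwd and group lines of an
# nsswitch.conf-style file list "winbind" after the local source
# ("compat" on Debian/Ubuntu, "files" elsewhere). Exit status 0 = ok.
check_nsswitch() {
    awk '
    { sub(/#.*/, "") }                          # strip trailing comments
    $1 == "passwd:" || $1 == "group:" {
        db = $1; sub(/:$/, "", db); seen[db] = 1
        local_pos = 0; wb_pos = 0
        for (i = 2; i <= NF; i++) {
            if (($i == "compat" || $i == "files") && !local_pos) local_pos = i
            if ($i == "winbind" && !wb_pos) wb_pos = i
        }
        if (!wb_pos) {
            printf "%s: winbind missing\n", db; bad = 1
        } else if (!local_pos) {
            printf "%s: no compat/files source\n", db; bad = 1
        } else if (wb_pos < local_pos) {
            printf "%s: winbind listed before local source\n", db; bad = 1
        } else {
            printf "%s: ok\n", db
        }
    }
    END {
        if (!seen["passwd"]) { print "passwd: line not found"; bad = 1 }
        if (!seen["group"])  { print "group: line not found";  bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample files (not taken from any real host).
demo=$(mktemp -d)
printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$demo/good"
printf 'passwd: winbind compat\ngroup:  compat\n'         > "$demo/bad"
for f in good bad; do
    echo "== $f"
    check_nsswitch "$demo/$f" || echo "-> needs fixing"
done
rm -rf "$demo"
```

On a real host the function would be pointed at /etc/nsswitch.conf.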


