[Samba] get access denied on samba AD share

Rowland Penny rpenny at samba.org
Thu Sep 21 11:26:49 UTC 2017


On Thu, 21 Sep 2017 09:22:33 +0000
Qiao Xu via samba <samba at lists.samba.org> wrote:

> Hello Sambaers, I cannot access my Samba shares after upgrading my
> CentOS to 7.4; the Samba version was upgraded to 4.6.2.
> 
> I joined CentOS to the Windows domain with the realm command; a domain user (in the
> format username at domainname) could log in to CentOS.
> 
> I could get a Kerberos ticket by kinit with a domain user.
> 
> 
> Executing the net view command on a domain Windows server gets access denied:
> 
> 
> C:\>net view \\ark-centos-smb4.qa.arkivio.com
> System error 5 has occurred.
> 
> Access is denied.
> 
> 
> C:\>net view \\192.168.32.26
> System error 5 has occurred.
> 
> Access is denied.
> 
> 
> I collected the following log while getting the access denied error with the Samba
> server IP; it complains that it cannot find the user, and running getent passwd
> domainuser at domainname finishes successfully.
> 
> 
> [2017/09/21 00:36:03.319546,
> 3] ../source3/smbd/oplock.c:1322(init_oplocks) init_oplocks:
> initializing messages. [2017/09/21 00:36:03.319707,
> 3] ../source3/smbd/process.c:1957(process_smb) Transaction 0 of
> length 159 (0 toread) [2017/09/21 00:36:03.319744,
> 3] ../source3/smbd/process.c:1538(switch_message) switch message
> SMBnegprot (pid 23703) conn 0x0 [2017/09/21 00:36:03.319767,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.320414,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [PC NETWORK PROGRAM 1.0] [2017/09/21 00:36:03.320441,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [LANMAN1.0] [2017/09/21 00:36:03.320454,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [Windows for Workgroups 3.1a] [2017/09/21 00:36:03.320466,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [LM1.2X002] [2017/09/21 00:36:03.320482,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [LANMAN2.1] [2017/09/21 00:36:03.320497,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [NT LM 0.12] [2017/09/21 00:36:03.320509,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [SMB 2.002] [2017/09/21 00:36:03.320538,
> 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol
> [SMB 2.???] [2017/09/21 00:36:03.320638,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.320722,
> 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_FF [2017/09/21 00:36:03.321314,
> 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets) ../source3/librpc/crypto/gse_krb5.c:229:
> failed to fetch machine password [2017/09/21 00:36:03.321344,
> 3] ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:587:
> Warning! Unable to set mem keytab from secrets! [2017/09/21
> 00:36:03.322377,  3] ../source3/smbd/negprot.c:730(reply_negprot)
> Selected protocol SMB 2.??? [2017/09/21 00:36:03.323207,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.323262,
> 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) :
> sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.323300,
> 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) :
> conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.323326,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.325145,
> 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) -
> sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.325187,
> 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10 [2017/09/21 00:36:03.325448,
> 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets) ../source3/librpc/crypto/gse_krb5.c:229:
> failed to fetch machine password [2017/09/21 00:36:03.325466,
> 3] ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:587:
> Warning! Unable to set mem keytab from secrets! [2017/09/21
> 00:36:03.327171,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327477,
> 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) :
> sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327498,
> 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) :
> conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327509,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327562,
> 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) -
> sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327754,
> 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP
> neg_flags=0xe2088297 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_NEGOTIATE_OEM
>     NTLMSSP_REQUEST_TARGET
>     NTLMSSP_NEGOTIATE_SIGN
>     NTLMSSP_NEGOTIATE_LM_KEY
>     NTLMSSP_NEGOTIATE_NTLM
>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>     NTLMSSP_NEGOTIATE_VERSION
>     NTLMSSP_NEGOTIATE_128
>     NTLMSSP_NEGOTIATE_KEY_EXCH
>     NTLMSSP_NEGOTIATE_56
> [2017/09/21 00:36:03.327897,
> 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) :
> sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327919,
> 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) :
> conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327930,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327951,
> 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) -
> sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328313,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328360,
> 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) :
> sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.328376,
> 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) :
> conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328387,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.328403,
> 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) -
> sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328478,
> 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth) Got
> user=[arkadmin] domain=[QA] workstation=[NWT-VM-ARK8118] len1=24
> len2=350 [2017/09/21 00:36:03.328573,
> 3] ../source3/param/loadparm.c:3823(lp_load_ex) lp_load_ex:
> refreshing parameters [2017/09/21 00:36:03.328664,
> 3] ../source3/param/loadparm.c:542(init_globals) Initialising global
> parameters [2017/09/21 00:36:03.328773,
> 3] ../source3/param/loadparm.c:2752(lp_do_section) Processing section
> "[global]" doing parameter netbios name = ARK-CENTOS-SMB4 doing
> parameter security = ADS doing parameter workgroup = QA.ARKIVIO.COM
>   doing parameter kerberos method = secrets and keytab
>   doing parameter realm = QA.ARKIVIO.COM
>   doing parameter log file = /var/log/samba/%m.log
>   doing parameter log level = 4
>   doing parameter local master = no
>   doing parameter domain master = no
>   doing parameter server string = Samba Server Version %v
>   doing parameter max log size = 5000
>   doing parameter load printers = No
>   doing parameter wins support = no
>   doing parameter wins proxy = no
>   doing parameter dns proxy = yes
>   doing parameter name resolve order = host lmhosts wins bcast
> [2017/09/21 00:36:03.328953,
> 2] ../source3/param/loadparm.c:2769(lp_do_section) Processing section
> "[arkc1]" doing parameter comment = centos samba4 share1
>   doing parameter path = /rocket/cifs/cifs1
>   doing parameter writable = yes
>   doing parameter guest ok = yes
>   doing parameter valid users =
> administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain
> Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
> doing parameter admin users =
> administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain
> Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> [2017/09/21 00:36:03.329055,
> 2] ../source3/param/loadparm.c:2769(lp_do_section) Processing section
> "[arkc2]" doing parameter comment = centos samba4 share2 doing
> parameter path = /rocket/cifs/cifs2 doing parameter writable = yes
> doing parameter admin users =
> administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain
> Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> doing parameter valid users =
> administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain
> Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> [2017/09/21 00:36:03.329149,
> 4] ../source3/param/loadparm.c:3864(lp_load_ex) pm_process() returned
> Yes [2017/09/21 00:36:03.329186,
> 3] ../source3/param/loadparm.c:1592(lp_add_ipc) adding IPC service
> [2017/09/21 00:36:03.329981,
> 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name) ads_dc_name:
> domain=QA.ARKIVIO.COM [2017/09/21 00:36:03.331294,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2017/09/21 00:36:03.332043,
> 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
> ads_dns_lookup_srv: 2 records returned in the answer section.
> [2017/09/21 00:36:03.333572,
> 4] ../source3/libsmb/namequery.c:3305(get_dc_list) get_dc_list:
> returning 3 ip addresses in an ordered list [2017/09/21
> 00:36:03.333594,  4] ../source3/libsmb/namequery.c:3306(get_dc_list)
> get_dc_list: 192.168.32.231:389 192.168.32.230:389
> 2001:21:21:32:743e:17d2:61a4:fdb8:389 [2017/09/21 00:36:03.334552,
> 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted
> LDAP server 192.168.32.231 [2017/09/21 00:36:03.334622,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2017/09/21 00:36:03.334961,
> 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
> ads_dns_lookup_srv: 2 records returned in the answer section.
> [2017/09/21 00:36:03.335007,
> 4] ../source3/libsmb/namequery.c:3305(get_dc_list) get_dc_list:
> returning 3 ip addresses in an ordered list [2017/09/21
> 00:36:03.335023,  4] ../source3/libsmb/namequery.c:3306(get_dc_list)
> get_dc_list: 192.168.32.230:88 192.168.32.231:88
> 2001:21:21:32:743e:17d2:61a4:fdb8:88 [2017/09/21 00:36:03.335042,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2017/09/21 00:36:03.335419,
> 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
> ads_dns_lookup_srv: 2 records returned in the answer section.
> [2017/09/21 00:36:03.335463,
> 4] ../source3/libsmb/namequery.c:3305(get_dc_list) get_dc_list:
> returning 3 ip addresses in an ordered list [2017/09/21
> 00:36:03.335478,  4] ../source3/libsmb/namequery.c:3306(get_dc_list)
> get_dc_list: 192.168.32.230:88 192.168.32.231:88
> 2001:21:21:32:743e:17d2:61a4:fdb8:88 [2017/09/21 00:36:03.336391,
> 4] ../source3/libsmb/namequery_dc.c:151(ads_dc_name) ads_dc_name:
> using server='ARK-QA-DC2.QA.ARKIVIO.COM' IP=192.168.32.231
> [2017/09/21 00:36:03.336496,
> 3] ../source3/lib/util_sock.c:515(open_socket_out_send) Connecting to
> 192.168.32.231 at port 445 [2017/09/21 00:36:03.337733,
> 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30 got OID=1.2.840.48018.1.2.2
> [2017/09/21 00:36:03.338945,
> 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge) Got
> challenge flags: [2017/09/21 00:36:03.338973,
> 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP
> neg_flags=0x62898215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_TARGET_TYPE_DOMAIN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2017/09/21
> 00:36:03.339060,
> 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags: [2017/09/21 00:36:03.339076,
> 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP
> neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2017/09/21
> 00:36:03.339112,
> 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP
> Sign/Seal - Initialising with flags: [2017/09/21 00:36:03.339123,
> 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP
> neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN NTLMSSP_NEGOTIATE_VERSION
>     NTLMSSP_NEGOTIATE_128
>     NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339972,
> 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP
> Sign/Seal - Initialising with flags: [2017/09/21 00:36:03.340000,
> 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP
> neg_flags=0x62008a15 NTLMSSP_NEGOTIATE_UNICODE
>     NTLMSSP_REQUEST_TARGET
>     NTLMSSP_NEGOTIATE_SIGN
>     NTLMSSP_NEGOTIATE_NTLM
>     NTLMSSP_ANONYMOUS
>     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>     NTLMSSP_NEGOTIATE_VERSION
>     NTLMSSP_NEGOTIATE_128
>     NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.344582,
> 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password:  Checking password for unmapped user
> [QA]\[arkadmin]@[NWT-VM-ARK8118] with the new password interface
> [2017/09/21 00:36:03.344615,
> 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password:  mapped user is:
> [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118] [2017/09/21
> 00:36:03.344650,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2017/09/21
> 00:36:03.344698,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2017/09/21
> 00:36:03.344714,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.344768,
> 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) -
> sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.344785,
> 3] ../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'arkadmin' in passdb.
> [2017/09/21 00:36:03.344808,
> 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain
> [ARK-CENTOS-SMB4] was for this SAM. [2017/09/21 00:36:03.344835,
> 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password:  Authentication for user [arkadmin] ->
> [arkadmin] FAILED with error NT_STATUS_NO_SUCH_USER [2017/09/21
> 00:36:03.344858,
> 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NO_SUCH_USER [2017/09/21
> 00:36:03.344879,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2017/09/21
> 00:36:03.344891,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2017/09/21
> 00:36:03.344901,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.344919,
> 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) -
> sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.344949,
> 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] ||
> at ../source3/smbd/smb2_sesssetup.c:134 [2017/09/21 00:36:03.345308,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.345337,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.345351,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.345365,
> 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec
> ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.345535,
> 3] ../source3/smbd/server_exit.c:246(exit_server_common) Server exit
> (NT_STATUS_CONNECTION_RESET)
> 
> 
> Here is my smb.conf content:
> 
> 
> #working since 2017-8-1 with sssd?+ad
> [global]
> netbios name = ARK-CENTOS-SMB4
> security = ADS
> #workgroup = QA
> workgroup = QA.ARKIVIO.COM
> kerberos method = secrets and keytab
> realm = QA.ARKIVIO.COM
> log file = /var/log/samba/%m.log
> log level = 4
> #password server = *
> #passdb backend  = tdbsam
> #template shell  = /bin/bash
> #template homedir = /home/%u
> #winbind separator = +
> local master    = no
> domain master   = no
> #auth methods    = guest sam_ignoredomain winbind
> #guest ok        = no
> server string = Samba Server Version %v
> max log size = 5000
> load printers = No
> #idmap config * : backend = tdb
> #preferred master = no
> wins support = no
> wins proxy = no
> dns proxy = yes
> #name resolve order = wins bcast host lmhosts
> name resolve order = host lmhosts wins bcast
> 
> # Winbind idmap RID settings
> #    winbind use default domain = yes
> #    allow trusted domains = yes
> #    winbind enum users = yes
> #    winbind enum groups = yes
> #    winbind nested groups = yes
> #    idmap config QA : backend = rid
> #    idmap config QA : default = yes
> #    idmap config QA : range = 100-33554431
> #    idmap config * : range = 33554432-67108862
> #    idmap config * : backend = tdb
> #    printing        = bsd
> #    load printers   = no
> #    disable spoolss = yes
> #    printcap name   = /dev/null
> #    log level       = 10
> #    log file        = /var/log/samba/samba.log.%m
> #    max log size    = 5000
> #    debug timestamp = yes
> #    oplocks         = 1
> #    unix extensions = yes
> #    clustering      = 0
> #    smb ports       = 445, 139
> #    mangled names   = yes
> #    default case    = lower
> #    case sensitive  = auto
> #    preserve case   = yes
> #    short preserve case = yes
> #    bind interfaces only = yes
> #    interfaces = lo bond0:2 eth0:1 eth0:2 eth2 eth3
> #    dos filetimes = 1
> #    create mask = 777
> #    admin users = administrator
> 
> [arkc1]
> comment = centos samba4 share1
> path = /rocket/cifs/cifs1
> #public = no
> #read only = no
> writable = yes
> #guest ok = yes
> #inherit permissions = 1
> #inherit acls = 1
> #map acl inherit = 1
> #vfs objects = acl_xattr
> #acl_xattr:ignore system acls = 1
> 
> #valid users = @"autostoradmins at qa.arkivio.com"
> #valid users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins
> valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
> #admin users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> 
> [arkc2]
> comment = centos samba4 share2
> path = /rocket/cifs/cifs2
> #public = no
> #read only = no
> writable = yes
> #guest ok = no
> #vfs objects = acl_xattr
> #acl_xattr:ignore system acls = yes
> 
> admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> 
> 
> Please give some advice, thanks.
> 
> 
> 
> 

Okay, seeing as you are using sssd and winbind is not doing the
authentication, I suggest you go and ask on the sssd-users mailing list.

Rowland
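
Added example (not part of the original thread and not Samba project code): a Python triage helper that reflows a mail-wrapped smbd log like the one quoted above and pulls out the entries showing which authentication path smbd took. The sample is constructed from entries in the quoted log with the entries between them dropped; the function and field names are illustrative, and it assumes "log level" 3 or higher so the auth entries are present.

```python
import re

# Constructed sample: entries copied from the log quoted in the post, with the
# entries between them dropped and the mail client's quoting/wrapping kept.
SAMPLE = r"""
> [2017/09/21 00:36:03.325448,
> 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets) ../source3/librpc/crypto/gse_krb5.c:229:
> failed to fetch machine password [2017/09/21 00:36:03.328478,
> 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth) Got
> user=[arkadmin] domain=[QA] workstation=[NWT-VM-ARK8118] len1=24
> len2=350 [2017/09/21 00:36:03.344615,
> 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password:  mapped user is:
> [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118] [2017/09/21
> 00:36:03.344785,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'arkadmin' in passdb.
> [2017/09/21 00:36:03.344808,
> 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain
> [ARK-CENTOS-SMB4] was for this SAM. [2017/09/21 00:36:03.344835,
> 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password:  Authentication for user [arkadmin] ->
> [arkadmin] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")  # "[date time, level]"

def split_entries(text):
    """Strip '> ' quoting, undo wrapping, return (timestamp, level, message)."""
    flat = " ".join(re.sub(r"(?m)^[ \t]*>[ \t]?", "", text).split())
    heads = list(HEADER.finditer(flat))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        out.append((h.group(1), int(h.group(2)), flat[h.end():end].strip()))
    return out

def triage(text):
    """Collect the entries that show which authentication path smbd took."""
    f = {"machine_secret_missing": False, "ntlm_user": None, "client_domain": None,
         "mapped_domain": None, "passdb_miss": False, "winbind_skipped": False,
         "status": None}
    for _ts, _level, msg in split_entries(text):
        if "failed to fetch machine password" in msg:
            f["machine_secret_missing"] = True
        if "Couldn't find user" in msg and "passdb" in msg:
            f["passdb_miss"] = True
        if "Not using winbind" in msg:
            f["winbind_skipped"] = True
        if m := re.search(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]", msg):
            f["ntlm_user"], f["client_domain"] = m.group(1), m.group(2)
        if m := re.search(r"mapped user is: \[([^\]]*)\]", msg):
            f["mapped_domain"] = m.group(1)
        if m := re.search(r"FAILED with error (NT_STATUS_\w+)", msg):
            f["status"] = m.group(1)
    # Domain logon checked only against the server's own SAM: the pattern in the post.
    f["local_sam_only"] = (f["passdb_miss"] and f["winbind_skipped"]
                           and f["mapped_domain"] not in (None, f["client_domain"]))
    return f

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, `local_sam_only` comes out true: the NTLMSSP logon for domain QA was remapped to the server's own name, looked up in the local passdb only, and never handed to winbind.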


