[Samba] get access denied on samba AD share
Christian Naumer
cn at brain-biotech.de
Thu Sep 21 12:36:49 UTC 2017
From:
https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7#head-281c090cc4fbc6bb5c7d4cd82a266fce807eee7c
"samba share with sssd authentication is broken. This is being worked on upstream. A
workaround is to downgrade the samba packages to an earlier version."
On Thursday, 21.09.2017, at 09:22 +0000, Qiao Xu via samba wrote:
> Hello Sambaers, I cannot access my Samba shares after upgrading my CentOS to 7.4; the Samba
> version was upgraded to 4.6.2.
>
> I joined CentOS to the Windows domain with the realm command; a domain user (format: username at domainname)
> could log in to CentOS.
>
> I could get a Kerberos ticket by kinit with a domain user.
>
>
> Executing the net view command on the domain Windows server gets access denied:
>
>
> C:\>net view \\ark-centos-smb4.qa.arkivio.com
> System error 5 has occurred.
>
> Access is denied.
>
>
> C:\>net view \\192.168.32.26
> System error 5 has occurred.
>
> Access is denied.
>
>
> I collected the following log while getting the access denied error with the Samba server IP. It complains that it
> cannot find the user, and running getent passwd domainuser at domainname could finish successfully.
>
>
> [2017/09/21 00:36:03.319546, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
> init_oplocks: initializing messages.
> [2017/09/21 00:36:03.319707, 3] ../source3/smbd/process.c:1957(process_smb)
> Transaction 0 of length 159 (0 toread)
> [2017/09/21 00:36:03.319744, 3] ../source3/smbd/process.c:1538(switch_message)
> switch message SMBnegprot (pid 23703) conn 0x0
> [2017/09/21 00:36:03.319767, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.320414, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2017/09/21 00:36:03.320441, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [LANMAN1.0]
> [2017/09/21 00:36:03.320454, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [Windows for Workgroups 3.1a]
> [2017/09/21 00:36:03.320466, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [LM1.2X002]
> [2017/09/21 00:36:03.320482, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [LANMAN2.1]
> [2017/09/21 00:36:03.320497, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2017/09/21 00:36:03.320509, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [SMB 2.002]
> [2017/09/21 00:36:03.320538, 3] ../source3/smbd/negprot.c:603(reply_negprot)
> Requested protocol [SMB 2.???]
> [2017/09/21 00:36:03.320638, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.320722, 3]
> ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_FF
> [2017/09/21 00:36:03.321314, 2]
> ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
> ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
> [2017/09/21 00:36:03.321344, 3]
> ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab)
> ../source3/librpc/crypto/gse_krb5.c:587: Warning! Unable to set mem keytab from secrets!
> [2017/09/21 00:36:03.322377, 3] ../source3/smbd/negprot.c:730(reply_negprot)
> Selected protocol SMB 2.???
> [2017/09/21 00:36:03.323207, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.323262, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.323300, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.323326, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.325145, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.325187, 3]
> ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2017/09/21 00:36:03.325448, 2]
> ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
> ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
> [2017/09/21 00:36:03.325466, 3]
> ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab)
> ../source3/librpc/crypto/gse_krb5.c:587: Warning! Unable to set mem keytab from secrets!
> [2017/09/21 00:36:03.327171, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.327477, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.327498, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.327509, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.327562, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.327754, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088297
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_NEGOTIATE_OEM
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_LM_KEY
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP_NEGOTIATE_56
> [2017/09/21 00:36:03.327897, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.327919, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.327930, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.327951, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.328313, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.328360, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.328376, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.328387, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.328403, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.328478, 3]
> ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
> Got user=[arkadmin] domain=[QA] workstation=[NWT-VM-ARK8118] len1=24 len2=350
> [2017/09/21 00:36:03.328573, 3] ../source3/param/loadparm.c:3823(lp_load_ex)
> lp_load_ex: refreshing parameters
> [2017/09/21 00:36:03.328664, 3] ../source3/param/loadparm.c:542(init_globals)
> Initialising global parameters
> [2017/09/21 00:36:03.328773, 3] ../source3/param/loadparm.c:2752(lp_do_section)
> Processing section "[global]"
> doing parameter netbios name = ARK-CENTOS-SMB4
> doing parameter security = ADS
> doing parameter workgroup = QA.ARKIVIO.COM
> doing parameter kerberos method = secrets and keytab
> doing parameter realm = QA.ARKIVIO.COM
> doing parameter log file = /var/log/samba/%m.log
> doing parameter log level = 4
> doing parameter local master = no
> doing parameter domain master = no
> doing parameter server string = Samba Server Version %v
> doing parameter max log size = 5000
> doing parameter load printers = No
> doing parameter wins support = no
> doing parameter wins proxy = no
> doing parameter dns proxy = yes
> doing parameter name resolve order = host lmhosts wins bcast
> [2017/09/21 00:36:03.328953, 2] ../source3/param/loadparm.c:2769(lp_do_section)
> Processing section "[arkc1]"
> doing parameter comment = centos samba4 share1
> doing parameter path = /rocket/cifs/cifs1
> doing parameter writable = yes
> doing parameter guest ok = yes
> doing parameter valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadm
> in at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIV
> IO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
> doing parameter admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadm
> in at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin@
> QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> [2017/09/21 00:36:03.329055, 2] ../source3/param/loadparm.c:2769(lp_do_section)
> Processing section "[arkc2]"
> doing parameter comment = centos samba4 share2
> doing parameter path = /rocket/cifs/cifs2
> doing parameter writable = yes
> doing parameter admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadm
> in at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin@
> QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> doing parameter valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadm
> in at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIV
> IO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> [2017/09/21 00:36:03.329149, 4] ../source3/param/loadparm.c:3864(lp_load_ex)
> pm_process() returned Yes
> [2017/09/21 00:36:03.329186, 3] ../source3/param/loadparm.c:1592(lp_add_ipc)
> adding IPC service
> [2017/09/21 00:36:03.329981, 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
> ads_dc_name: domain=QA.ARKIVIO.COM
> [2017/09/21 00:36:03.331294, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2017/09/21 00:36:03.332043, 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
> ads_dns_lookup_srv: 2 records returned in the answer section.
> [2017/09/21 00:36:03.333572, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
> get_dc_list: returning 3 ip addresses in an ordered list
> [2017/09/21 00:36:03.333594, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
> get_dc_list: 192.168.32.231:389 192.168.32.230:389 2001:21:21:32:743e:17d2:61a4:fdb8:389
> [2017/09/21 00:36:03.334552, 3] ../source3/libads/ldap.c:618(ads_connect)
> Successfully contacted LDAP server 192.168.32.231
> [2017/09/21 00:36:03.334622, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2017/09/21 00:36:03.334961, 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
> ads_dns_lookup_srv: 2 records returned in the answer section.
> [2017/09/21 00:36:03.335007, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
> get_dc_list: returning 3 ip addresses in an ordered list
> [2017/09/21 00:36:03.335023, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
> get_dc_list: 192.168.32.230:88 192.168.32.231:88 2001:21:21:32:743e:17d2:61a4:fdb8:88
> [2017/09/21 00:36:03.335042, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2017/09/21 00:36:03.335419, 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
> ads_dns_lookup_srv: 2 records returned in the answer section.
> [2017/09/21 00:36:03.335463, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
> get_dc_list: returning 3 ip addresses in an ordered list
> [2017/09/21 00:36:03.335478, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
> get_dc_list: 192.168.32.230:88 192.168.32.231:88 2001:21:21:32:743e:17d2:61a4:fdb8:88
> [2017/09/21 00:36:03.336391, 4] ../source3/libsmb/namequery_dc.c:151(ads_dc_name)
> ads_dc_name: using server='ARK-QA-DC2.QA.ARKIVIO.COM' IP=192.168.32.231
> [2017/09/21 00:36:03.336496, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 192.168.32.231 at port 445
> [2017/09/21 00:36:03.337733, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2017/09/21 00:36:03.338945, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2017/09/21 00:36:03.338973, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_TARGET_TYPE_DOMAIN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339060, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2017/09/21 00:36:03.339076, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339112, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2017/09/21 00:36:03.339123, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339972, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2017/09/21 00:36:03.340000, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_ANONYMOUS
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.344582, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user [QA]\[arkadmin]@[NWT-VM-ARK8118]
> with the new password interface
> [2017/09/21 00:36:03.344615, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118]
> [2017/09/21 00:36:03.344650, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344698, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344714, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344768, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344785, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'arkadmin' in passdb.
> [2017/09/21 00:36:03.344808, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain [ARK-CENTOS-SMB4] was for this
> SAM.
> [2017/09/21 00:36:03.344835, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [arkadmin] -> [arkadmin] FAILED with error
> NT_STATUS_NO_SUCH_USER
> [2017/09/21 00:36:03.344858, 2]
> ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2017/09/21 00:36:03.344879, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344891, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344901, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344919, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344949, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
> [2017/09/21 00:36:03.345308, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345337, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345351, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345365, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345535, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
>
> Here is my smb.conf content:
>
>
> #working since 2017-8-1 with sssd?+ad
> [global]
> netbios name = ARK-CENTOS-SMB4
> security = ADS
> #workgroup = QA
> workgroup = QA.ARKIVIO.COM
> kerberos method = secrets and keytab
> realm = QA.ARKIVIO.COM
> log file = /var/log/samba/%m.log
> log level = 4
> #password server = *
> #passdb backend = tdbsam
> #template shell = /bin/bash
> #template homedir = /home/%u
> #winbind separator = +
> local master = no
> domain master = no
> #auth methods = guest sam_ignoredomain winbind
> #guest ok = no
> server string = Samba Server Version %v
> max log size = 5000
> load printers = No
> #idmap config * : backend = tdb
> #preferred master = no
> wins support = no
> wins proxy = no
> dns proxy = yes
> #name resolve order = wins bcast host lmhosts
> name resolve order = host lmhosts wins bcast
>
> # Winbind idmap RID settings
> # winbind use default domain = yes
> # allow trusted domains = yes
> # winbind enum users = yes
> # winbind enum groups = yes
> # winbind nested groups = yes
> # idmap config QA : backend = rid
> # idmap config QA : default = yes
> # idmap config QA : range = 100-33554431
> # idmap config * : range = 33554432-67108862
> # idmap config * : backend = tdb
> # printing = bsd
> # load printers = no
> # disable spoolss = yes
> # printcap name = /dev/null
> # log level = 10
> # log file = /var/log/samba/samba.log.%m
> # max log size = 5000
> # debug timestamp = yes
> # oplocks = 1
> # unix extensions = yes
> # clustering = 0
> # smb ports = 445, 139
> # mangled names = yes
> # default case = lower
> # case sensitive = auto
> # preserve case = yes
> # short preserve case = yes
> # bind interfaces only = yes
> # interfaces = lo bond0:2 eth0:1 eth0:2 eth2 eth3
> # dos filetimes = 1
> # create mask = 777
> # admin users = administrator
>
> [arkc1]
> comment = centos samba4 share1
> path = /rocket/cifs/cifs1
> #public = no
> #read only = no
> writable = yes
> #guest ok = yes
> #inherit permissions = 1
> #inherit acls = 1
> #map acl inherit = 1
> #vfs objects = acl_xattr
> #acl_xattr:ignore system acls = 1
>
> #valid users = @"autostoradmins at qa.arkivio.com"
> #valid users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins
> valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
> #admin users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
>
> [arkc2]
> comment = centos samba4 share2
> path = /rocket/cifs/cifs2
> #public = no
> #read only = no
> writable = yes
> #guest ok = no
> #vfs objects = acl_xattr
> #acl_xattr:ignore system acls = yes
>
> admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
>
>
> Please give some advice, thanks.
>
>
>
>
--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt District Court, HRB 24758
Executive Board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the Supervisory Board: Dr. Ludger Mueller
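
The failure path in the quoted smbd log, as an added triage example that is not part of the original messages: it rejoins mail-wrapped log entries and correlates the `unmapped user`, `mapped user is`, `Not using winbind` and `FAILED` lines of one NTLM attempt, so the domain rewrite from `QA` to the server's own name `ARK-CENTOS-SMB4` ahead of `NT_STATUS_NO_SUCH_USER` shows up in one record. The function names and the `remapped` field are hypothetical; the sample lines are copied from the log above.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
UNMAPPED = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@")
NO_WINBIND = re.compile(r"Not using winbind, requested domain \[[^\]]*\] was for this SAM")
FAILED = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] FAILED with error\s+(NT_STATUS_\w+)")

# Sample input: entries copied from the log quoted in this thread, mail quoting
# and line wrapping included; the sec_ctx entries in between are left out.
SAMPLE_LOG = r"""
> [2017/09/21 00:36:03.344582, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user [QA]\[arkadmin]@[NWT-VM-ARK8118]
> with the new password interface
> [2017/09/21 00:36:03.344615, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118]
> [2017/09/21 00:36:03.344785, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'arkadmin' in passdb.
> [2017/09/21 00:36:03.344808, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain [ARK-CENTOS-SMB4] was for this
> SAM.
> [2017/09/21 00:36:03.344835, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [arkadmin] -> [arkadmin] FAILED with error
> NT_STATUS_NO_SUCH_USER
"""


def records(log_text):
    """Yield (timestamp, level, text) per entry, rejoining wrapped lines."""
    current = None
    for raw in log_text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()  # tolerate "> " mail quoting
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), m.group(3)]
        elif current and line:
            current[2] = f"{current[2]} {line}".strip()
    if current:
        yield tuple(current)


def failed_logons(log_text):
    """Correlate the mapping, winbind and failure lines of each NTLM attempt."""
    findings, attempt = [], None
    for ts, _level, text in records(log_text):
        if m := UNMAPPED.search(text):
            attempt = {"time": ts, "client_domain": m.group(1), "user": m.group(2),
                       "mapped_domain": None, "winbind_skipped": False}
        elif attempt is None:
            continue
        elif m := MAPPED.search(text):
            attempt["mapped_domain"] = m.group(1)
        elif NO_WINBIND.search(text):
            attempt["winbind_skipped"] = True
        elif m := FAILED.search(text):
            mapped = attempt["mapped_domain"] or attempt["client_domain"]
            attempt["status"] = m.group(1)
            # Was the account looked up under another domain than the client sent?
            attempt["remapped"] = mapped.lower() != attempt["client_domain"].lower()
            findings.append(attempt)
            attempt = None
    return findings
```

The entries it keys on are logged at levels 2 and 3, so the `log level = 4` in the posted smb.conf is enough to produce them.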