[Samba] user cannot access shares on new ad-dc
Klaus Hartnegg
hartnegg at gmx.de
Fri Sep 29 11:19:44 UTC 2017
> On 29.09.2017 11:44 Rowland Penny wrote:
> Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?
Yes, I had modified two lines in /etc/nsswitch.conf:
passwd: files winbind
group: files winbind
No, I had not seen a pointer to libnss, but now did
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
ldconfig
The wiki page Authenticating_Domain_Users_Using_PAM says to
NOT configure PAM on a DC.
I tried "net cache flush"
These tests succeed:
wbinfo --ping-dc
getent passwd COMPANY\\user
getent group "COMPANY\\Domain Users"
The output of “getfacl sysvol” looks strange:
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
I tried "samba-tool ntacl sysvolreset".
This added a few lines to the output of getfacl:
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
Users still cannot see the contents of any share.
What else could be missing?
Klaus
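
The getfacl listings in the message above print \134 and \040 where a name contains a backslash and a space; these are getfacl's octal escapes. The following is an added example, not part of the original post: a small Python parser that decodes those escapes and lists the entries that appear only as numeric IDs. The sample input is constructed from a few lines in the style of the listing.

```python
import re

# Constructed sample: a few entries in the style of the getfacl output above.
SAMPLE = r"""# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:3000000:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
default:user:3000001:r-x
default:group:BUILTIN\134administrators:rwx
"""

def unescape(name):
    """Decode getfacl's three-digit octal escapes (e.g. 134 -> backslash)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """Return a list of (scope, kind, qualifier, perms) for each ACL entry."""
    entries = []
    for line in text.splitlines():
        # Drop header lines and trailing "#effective:..." comments.
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        scope = "access"
        if line.startswith("default:"):
            scope, line = "default", line[len("default:"):]
        kind, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        entries.append((scope, kind, unescape(qualifier), perms))
    return entries

def numeric_only(entries):
    """Entries whose qualifier is a bare ID, i.e. no name was printed for it."""
    return sorted({(kind, int(q)) for _, kind, q, _ in entries if q.isdigit()})

if __name__ == "__main__":
    parsed = parse_getfacl(SAMPLE)
    for entry in parsed:
        print(entry)
    print("IDs without a name:", numeric_only(parsed))
```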