[Samba] user cannot access shares on new ad-dc

Klaus Hartnegg hartnegg at gmx.de
Fri Sep 29 11:19:44 UTC 2017


> On 29.09.2017 11:44 Rowland Penny wrote:
> Have you set up the libnss_winbind links, PAM and /etc/nsswitch.conf ?

Yes, I had modified two lines in /etc/nsswitch.conf:
 passwd:         files winbind
 group:          files winbind

No, I had not seen a pointer to libnss, but now did
 ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
 ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
 ldconfig

The wiki page Authenticating_Domain_Users_Using_PAM tells you to
NOT configure PAM on a DC.

I tried "net cache flush"

These tests succeed:
 wbinfo --ping-dc
 getent passwd COMPANY\\user
 getent group "COMPANY\\Domain Users"


The output of “getfacl sysvol” looks strange:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I tried "samba-tool ntacl sysvolreset".
This added a few lines to the output of getfacl:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Users still cannot see the contents of any share.

What else could be missing?

Klaus
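Added diagnostic helper (not part of Klaus's message and not Samba project code): the getfacl listings above show entries such as "user:3000000:rwx", a bare numeric ID that NSS could not resolve to a name when getfacl ran, and qualifiers escaped in getfacl's octal form (\134 is a backslash, \040 a space). The script below decodes those escapes, lists every unresolved numeric user/group ID in a getfacl listing, emits the wbinfo commands (--uid-to-sid / --gid-to-sid) that map each ID back to a SID so you can see what it is in idmap.ldb, and checks that an nsswitch.conf fragment lists winbind for both passwd and group. The embedded SAMPLE is the first getfacl listing from the message, copied in as constructed input; the helper prints the wbinfo commands rather than running them, so it works offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Parses getfacl output for a Samba DC sysvol tree and flags ACL entries
# whose qualifier is a bare numeric xid, i.e. an ID that NSS (libnss_winbind)
# did not map to a name at the time getfacl ran.

# Constructed sample: the first getfacl listing from the message.
SAMPLE='# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:3000000:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---'

# decode_getfacl: turn getfacl's octal escapes (\134 backslash, \040 space)
# back into the characters they stand for.
decode_getfacl() {
    printf '%s\n' "$1" | sed -e 's/\\134/\\/g' -e 's/\\040/ /g'
}

# unresolved_ids: print "kind id" (kind is user or group) for every ACL entry,
# default entries included, whose qualifier is purely numeric; deduplicated.
# Header lines (# owner/# group) and entries with an empty qualifier
# (user::, group::, mask::, other::) are skipped.
unresolved_ids() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        {
            kind = ($1 == "default") ? $2 : $1
            qual = ($1 == "default") ? $3 : $2
            if ((kind == "user" || kind == "group") && qual ~ /^[0-9]+$/)
                print kind, qual
        }' | sort -u
}

# resolve_commands: for each unresolved id, print the wbinfo invocation that
# maps it to a SID on the DC. Commands are printed, not executed, so the
# output can be reviewed before running it as root on the DC.
resolve_commands() {
    unresolved_ids "$1" | while read -r kind id; do
        case $kind in
            user)  printf 'wbinfo --uid-to-sid=%s\n' "$id" ;;
            group) printf 'wbinfo --gid-to-sid=%s\n' "$id" ;;
        esac
    done
}

# nss_has_winbind: succeed (exit 0) only when the given nsswitch.conf text
# lists winbind on both the passwd and the group line.
nss_has_winbind() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*passwd:/ && /winbind/ { p = 1 }
        /^[[:space:]]*group:/  && /winbind/ { g = 1 }
        END { exit !(p && g) }'
}

# Stand-alone run: show the decoded listing, the unresolved IDs and the
# commands that would resolve them.
decode_getfacl "$SAMPLE"
echo '--- unresolved numeric IDs ---'
unresolved_ids "$SAMPLE"
echo '--- run these on the DC to see what they map to ---'
resolve_commands "$SAMPLE"
```

A numeric qualifier is not by itself proof of a broken NSS setup: it only says the ID had no name at lookup time. Feed the printed wbinfo commands to the DC, then "wbinfo --sid-to-name" on each SID; if winbind resolves the SID but getent does not show the name, the libnss_winbind link or the nsswitch.conf lines are the place to look, and if winbind itself cannot resolve it, the ID is an idmap.ldb allocation with no matching object.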
