[Samba] user cannot access shares on new ad-dc

Rowland Penny rpenny at samba.org
Fri Sep 29 12:32:42 UTC 2017


On Fri, 29 Sep 2017 13:19:44 +0200
Klaus Hartnegg via samba <samba at lists.samba.org> wrote:

> 
> On 29.09.2017 11:44 Rowland Penny wrote:
> > Have you set up the libnss_winbind links, PAM
> > and /etc/nsswitch.conf ?
> 
> Yes, I had modified two lines in /etc/nsswitch.conf:
>  passwd:         files winbind
>  group:          files winbind
> 
> No, I had not seen a pointer to libnss, but now did
>  ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/i386-linux-gnu/
>  ln -s /lib/i386-linux-gnu/libnss_winbind.so.2 /lib/i386-linux-gnu/libnss_winbind.so
>  ldconfig
> 
> The wiki page Authenticating_Domain_Users_Using_PAM says to
> NOT configure PAM on a DC.

I have just checked the page again:
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

I cannot see where it says not to use it on a DC.

> I tried "net cache flush"
> 
> These tests succeed:
>  wbinfo --ping-dc
>  getent passwd COMPANY\\user
>  getent group "COMPANY\\Domain Users"
> 
> 
> The output of “getfacl sysvol” looks strange:
> 
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> I tried "samba-tool ntacl sysvolreset".
> This added a few lines to the output of getfacl:
> 
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 

By 'strange', I take it you are referring to the numbers instead of
names; don't worry, this is perfectly normal on a DC. The numbers are the
'xidNumbers' you will find in idmap.ldb.

> Users still cannot see the contents of any share.

What does 'getent passwd username' actually produce?

> 
> What else could be missing?

Not sure. If PAM isn't set up, then set it up by installing the
required packages and try again.

Rowland
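The checks discussed in this exchange (winbind listed in nsswitch.conf, the libnss_winbind.so.2 link actually resolving, and numeric IDs showing up in getfacl output) can be scripted. The shell below is an added example, not something posted in the thread or shipped by Samba; the /usr/local/samba prefix and the /lib/i386-linux-gnu directory in the usage line come from the thread, while the function names and the constructed sample input are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the thread or from Samba): audit the NSS wiring that
# winbind needs on a Samba host. Every path is a parameter so the functions can
# be run against constructed files as well as the live system.

# check_nsswitch FILE: succeed only if both the passwd and group databases in
# FILE list winbind as a source (matched as a whole word).
check_nsswitch() {
    f="$1"
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*([[:space:]]|:)winbind([[:space:]]|$)" "$f" \
            || return 1
    done
    return 0
}

# check_nss_link LIBDIR: succeed if LIBDIR/libnss_winbind.so.2 exists and, when
# it is a symlink, resolves. A dangling link left by an "ln -s" with a mistyped
# source path is the classic silent failure: glibc simply never loads the module.
check_nss_link() {
    lib="$1/libnss_winbind.so.2"
    [ -e "$lib" ] || return 1      # -e follows symlinks, so a dangling link fails
    return 0
}

# numeric_facl_entries: read getfacl output on stdin and print "type:id" for
# every user:/group: entry (including default: entries) whose qualifier is
# purely numeric, i.e. an ID the NSS stack returned no name for. On a DC these
# are the xidNumbers from idmap.ldb (normal); on a domain member they usually
# mean winbind is not answering NSS lookups.
numeric_facl_entries() {
    grep -E '^(default:)?(user|group):[0-9]+:' \
        | sed -E 's/^(default:)?(user|group):([0-9]+):.*/\2:\3/' \
        | sort -u
}

# Usage on the host from the thread (paths as posted there):
#   check_nsswitch /etc/nsswitch.conf || echo "winbind missing from nsswitch.conf"
#   check_nss_link /lib/i386-linux-gnu || echo "libnss_winbind.so.2 missing or dangling"
#   getfacl /usr/local/samba/var/locks/sysvol | numeric_facl_entries
```

Run each numeric ID the last function prints through `getent passwd ID` or `getent group ID`; on a DC a miss is expected for the idmap.ldb xidNumbers, whereas on a member server a miss for a real domain user is the point at which to look at the winbind and nsswitch setup again.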
