[Samba] Share authentication problem

Sascha Wiechmann swiechmann at escoor.de
Thu Apr 19 08:08:12 UTC 2018

Hi @ll !

I am trying to set up a samba fileserver in SuSe 42.3 as domain member 
in a debian based Samba4 AD. The join seems to be ok, as I can get 
/wbinfo -u/ and /-g/, and /getent group/ and /passwd/.
I can also list all browsable shares with /smbclient -L \\SambaFS 
-Uusername/, but when i add -k, I get following errors :

/SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed 
//SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT//
//session setup failed: NT_STATUS_INVALID_PARAMETER/


So bought a book  from Stefan Kania for Samba4 in AD that I worked 
through site to site - but I do not get access to shares for the domain 
members except the domain admin. Windows prompts for user authentification.
The "profiles" share works perfect and is owned to the same gid than the 
other "general" share is. I would like to use Windows Rightsmanagement 
for the shares in future. Some Informations :

/Samba1:/ # getent passwd mjackson//

/Samba1:/ # ls -ln /home/samba
total 4
drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

/Samba1:/ # ls -lh /home/samba
total 4.0K
drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 //domdata/

and another one for the working profiles share:

/Samba1:/home # ls -lh
total 4.0K
drwxrwx--T  3 root                  domain users   27 Apr 17 10:46 profile
drwxrwsr-x  3 administrator   domain users   25 Apr 18 10:37 samba
drwxr-xr-x 19 samba1            users        4.0K Apr 19 08:56 samba1

/Samba1:/home # ls -ln
total 4
drwxrwx--T  3     0         10013   27 Apr 17 10:46 profile
drwxrwsr-x  3 10003     10013   25 Apr 18 10:37 samba
drwxr-xr-x 19  1000         100 4096 Apr 19 08:56 samba1/


S/amba1:/ # smbclient -L \\Samba1 -Umjackson/
WARNING: The "idmap gid" option is deprecated <------- what is the 
actual way? :)
WARNING: The "idmap uid" option is deprecated
lp_load_ex: changing to config backend registry
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
Enter SAMDOM\mjackson's password:
OS=[Windows 6.1] Server=[Samba 

         Sharename       Type      Comment
         ---------       ----      -------
         IPC$                    IPC       IPC Service (Samba 
domData Disk      Famous domdata
         test2                   Disk      tester
OS=[Windows 6.1] Server=[Samba 

         Server               Comment
         ---------            -------

         Workgroup            Master
         ---------                -------

smb.conf :

"idmap gid"="10000-20000"
"idmap uid"="10000-20000"
"usershare allow guests"="No"
"template homedir"="/home/%D/%U"
"winbind refresh tickets"="yes"
"netbios name"="Samba1"
"wins support"="Yes"
"winbind enum users"="yes"
"winbind enum groups"="yes"
"winbind use default domain"="yes"
"idmap config * : range"="10000 - 19999"
"idmap config SAMDOM: backend"="rid"
"idmap config SAMDOM : range"="1000000 - 1999999"
"store dos attributes"="yes"
"vfs objects"="acl_xattr"
"hide unreadable"="yes"

"read only"="no"
"guest ok"="no"
"inherit acls"="yes"

"guest ok"="no"
"read only"="no"
"profile acls"="yes"
"comment"="User Profile"

"comment"="Famous domdataLW"
"guest ok"="no"
"read only"="no"

Any help is much appreciated, thanks in advance!



More information about the samba mailing list