[Samba] Share authentication problem
Rowland Penny
rpenny at samba.org
Thu Apr 19 08:50:47 UTC 2018
On Thu, 19 Apr 2018 10:08:12 +0200
Sascha Wiechmann via samba <samba at lists.samba.org> wrote:
> Hi @ll !
>
> I am trying to set up a samba fileserver in SuSe 42.3 as domain
> member in a debian based Samba4 AD. The join seems to be ok, as I can
> get /wbinfo -u/ and /-g/, and /getent group/ and /passwd/.
> I can also list all browsable shares with /smbclient -L \\SambaFS
> -Uusername/, but when I add -k, I get the following errors:
>
> /SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed
> (next[(null)]): NT_STATUS_INVALID_PARAMETER//
> //SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT//
> //session setup failed: NT_STATUS_INVALID_PARAMETER/
>
> /----------------------------------------------------------------------------------------/
>
> So I bought a book from Stefan Kania for Samba4 in AD that I worked
> through site to site
Why? What is wrong with the Samba wiki?
https://wiki.samba.org/index.php/Main_Page
> - but I do not get access to shares for the
> domain members except the domain admin. Windows prompts for user
> authentication. The "profiles" share works perfectly and is owned by
> the same gid as the other "general" share is. I would like to use
> Windows Rightsmanagement for the shares in future. Some information:
>
> /Samba1:/ # getent passwd mjackson//
> //mjackson:*:1001113:10013::/home/SAM//DOM///mjackson:/bin/false/
>
> /Samba1:/ # ls -ln /home/samba
> total 4
> drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata
> /
>
You have a problem, there shouldn't be numbers here, there should be
names.
> ---------------------------------------------------------------------------
>
> S/amba1:/ # smbclient -L \\Samba1 -Umjackson/
> WARNING: The "idmap gid" option is deprecated <------- what is the
> actual way? :)
Try using this smb.conf:

[global]
    workgroup = SAMDOM
    security = ads
    realm = SAMDOM.TEST
    netbios name = Samba1

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    winbind refresh tickets = yes
    winbind use default domain = yes

    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 1000000-1999999

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes=yes
    hide unreadable=yes

[Admin-Share]
    path=/home/samba
    comment=AdminShare
    browseable=no
    read only=no

[profile]
    path=/home/profile
    comment=User Profile
    browseable=no
    read only=no

[domData]
    path=/home/samba/domdata/
    comment=Famous domdataLW
    read only=no

Rowland
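
Added example (not part of the original message and not Samba project code): a small lint for the idmap settings discussed in this thread. It flags the deprecated "idmap uid"/"idmap gid" options, checks that the "idmap config" ranges are disjoint, and applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to show how a RID maps into the SAMDOM range. The function names, the sample text and RID 1113 are constructed for illustration.

```python
import re
from itertools import combinations

# Old-style options, replaced by "idmap config <DOMAIN> : range = lo-hi"
DEPRECATED = {"idmap uid", "idmap gid"}

def parse_idmap(conf_text):
    """Return (deprecated options found, {domain: {"backend", "range"}}) from [global]."""
    deprecated, domains, section = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = re.sub(r"\s+", " ", key.lower())
        if key in DEPRECATED:
            deprecated.append(key)
        m = re.fullmatch(r"idmap config (\S+) ?: ?(backend|range)", key)
        if m and m.group(2) == "range":
            lo, hi = (int(x) for x in value.split("-"))
            domains.setdefault(m.group(1).upper(), {})["range"] = (lo, hi)
        elif m:
            domains.setdefault(m.group(1).upper(), {})["backend"] = value.lower()
    return deprecated, domains

def overlapping(domains):
    """Every pair of domains whose ID ranges intersect; the ranges must be disjoint."""
    ranges = sorted((n, d["range"]) for n, d in domains.items() if "range" in d)
    return [(a, b) for (a, ra), (b, rb) in combinations(ranges, 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def rid_to_unix_id(rid, id_range, base_rid=0):
    """idmap_rid mapping; returns None when the result falls outside the range."""
    unix_id = rid - base_rid + id_range[0]
    return unix_id if id_range[0] <= unix_id <= id_range[1] else None

# Constructed sample: the idmap lines from the reply plus one deprecated option.
SAMPLE = """\
[global]
    idmap gid = 10000-20000
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 1000000-1999999
"""
```

With the SAMDOM range above, the constructed RID 1113 maps to 1001113, the same form as the uid in the getent output quoted earlier in the thread.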