[Samba] Share authentication problem

Rowland Penny rpenny at samba.org
Thu Apr 19 08:50:47 UTC 2018


On Thu, 19 Apr 2018 10:08:12 +0200
Sascha Wiechmann via samba <samba at lists.samba.org> wrote:

> Hi @ll !
> 
> I am trying to set up a Samba fileserver in SuSe 42.3 as a domain
> member in a Debian-based Samba4 AD. The join seems to be OK, as I can
> get wbinfo -u and -g, and getent group and passwd.
> I can also list all browsable shares with smbclient -L \\SambaFS
> -Uusername, but when I add -k, I get the following errors:
> 
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed
> (next[(null)]): NT_STATUS_INVALID_PARAMETER
> SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER
> 
> ----------------------------------------------------------------------------------------
> 
> So I bought a book from Stefan Kania for Samba4 in AD that I worked
> through site to site

Why? What is wrong with the Samba wiki?

https://wiki.samba.org/index.php/Main_Page

> - but I do not get access to shares for the
> domain members except the domain admin. Windows prompts for user
> authentication. The "profiles" share works perfectly and is owned by
> the same gid as the other "general" share is. I would like to use
> Windows Rightsmanagement for the shares in future. Some information:
> 
> Samba1:/ # getent passwd mjackson
> mjackson:*:1001113:10013::/home/SAM//DOM///mjackson:/bin/false
> 
> Samba1:/ # ls -ln /home/samba
> total 4
> drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata
> 

You have a problem: there shouldn't be numbers here, there should be
names.

> ---------------------------------------------------------------------------
> 
> Samba1:/ # smbclient -L \\Samba1 -Umjackson
> WARNING: The "idmap gid" option is deprecated <------- what is the 
> actual way? :)

Try using this smb.conf:

[global]
workgroup = SAMDOM
security = ads
realm = SAMDOM.TEST
netbios name = Samba1
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = yes
winbind use default domain = yes
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 1000000-1999999
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes=yes
hide unreadable=yes

[Admin-Share]
path=/home/samba
comment=AdminShare
browseable=no
read only=no

[profile]
path=/home/profile
comment=User Profile
browseable=no
read only=no

[domData]
path=/home/samba/domdata/
comment=Famous domdataLW
read only=no

Rowland


