[Samba] Share authentication problem

L.P.H. van Belle belle at bazuin.nl
Thu Apr 19 08:54:40 UTC 2018


Ok, please post the smb.conf of both servers and tell us the Samba versions.

You have a misconfiguration in these.

> WARNING: The "idmap gid" option is deprecated
> WARNING: The "idmap uid" option is deprecated
^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "idmap gid"="10000-20000"
> "idmap uid"="10000-20000"
You need something like this example. 
    # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
    ## map IDs outside the domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999

    ## map IDs from the domain; this range and the (*) range may not overlap!
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    ## these two depend on how you use Samba (4.6+)
    #idmap config NTDOM : unix_nss_info = yes
    #idmap config NTDOM : unix_primary_group = yes


If that's fixed, my first guess would be..
You use: smbclient -L \\SambaFS -Uusername
You should use: smbclient -L \\FQDN -Uusername
And depending on the samba/smbclient versions, add -mSMB1

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Sascha Wiechmann via samba
> Sent: Thursday 19 April 2018 10:08
> To: samba at lists.samba.org
> Subject: [Samba] Share authentication problem
> 
> Hi @ll !
> 
> I am trying to set up a Samba file server in SuSe 42.3 as a domain member
> in a Debian-based Samba4 AD. The join seems to be ok, as I can get
> /wbinfo -u/ and /-g/, and /getent group/ and /passwd/.
> I can also list all browsable shares with /smbclient -L \\SambaFS
> -Uusername/, but when I add -k, I get the following errors:
> 
> /SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed 
> (next[(null)]): NT_STATUS_INVALID_PARAMETER//
> //SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT//
> //session setup failed: NT_STATUS_INVALID_PARAMETER/
> 
> /-------------------------------------------------------------
> ---------------------------/
> 
> So I bought a book from Stefan Kania for Samba4 in AD that I worked
> through site to site - but I do not get access to shares for the domain
> members except the domain admin. Windows prompts for user
> authentication.
> The "profiles" share works perfectly and is owned by the same gid as the
> other "general" share is. I would like to use Windows rights management
> for the shares in future. Some information:
> 
> /Samba1:/ # getent passwd mjackson//
> //mjackson:*:1001113:10013::/home/SAM//DOM///mjackson:/bin/false/
> 
> /Samba1:/ # ls -ln /home/samba
> total 4
> drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata
> /
> 
> /Samba1:/ # ls -lh /home/samba
> total 4.0K
> drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 //domdata/
> 
> and another one for the working profiles share:
> 
> /Samba1:/home # ls -lh
> total 4.0K
> drwxrwx--T  3 root                  domain users   27 Apr 17 
> 10:46 profile
> drwxrwsr-x  3 administrator   domain users   25 Apr 18 10:37 samba
> drwxr-xr-x 19 samba1            users        4.0K Apr 19 08:56 samba1
> /
> 
> /Samba1:/home # ls -ln
> total 4
> drwxrwx--T  3     0         10013   27 Apr 17 10:46 profile
> drwxrwsr-x  3 10003     10013   25 Apr 18 10:37 samba
> drwxr-xr-x 19  1000         100 4096 Apr 19 08:56 samba1/
> 
> --------------------------------------------------------------
> -------------
> 
> /Samba1:/ # smbclient -L \\Samba1 -Umjackson/
> WARNING: The "idmap gid" option is deprecated <------- what is the 
> actual way? :)
> WARNING: The "idmap uid" option is deprecated
> lp_load_ex: changing to config backend registry
> WARNING: The "idmap gid" option is deprecated
> WARNING: The "idmap uid" option is deprecated
> Enter SAMDOM\mjackson's password:
> OS=[Windows 6.1] Server=[Samba 
> 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64]
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$                    IPC       IPC Service (Samba 
> 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64)
>          domData                 Disk      Famous domdata
>          test2                   Disk      tester
> OS=[Windows 6.1] Server=[Samba 
> 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64]
> 
>          Server               Comment
>          ---------            -------
> 
>          Workgroup            Master
>          ---------                -------
>          WORKGROUP     SOMEPC
> 
> smb.conf :
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\global]
> "idmap gid"="10000-20000"
> "idmap uid"="10000-20000"
> "usershare allow guests"="No"
> "workgroup"="SAMDOM"
> "template homedir"="/home/%D/%U"
> "winbind refresh tickets"="yes"
> "netbios name"="Samba1"
> "wins support"="Yes"
> "winbind enum users"="yes"
> "winbind enum groups"="yes"
> "winbind use default domain"="yes"
> "idmap config * : range"="10000 - 19999"
> "idmap config SAMDOM: backend"="rid"
> "idmap config SAMDOM : range"="1000000 - 1999999"
> "store dos attributes"="yes"
> "vfs objects"="acl_xattr"
> "hide unreadable"="yes"
> "security"="ads"
> "realm"="SAMDOM.TEST"
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\Admin-Share]
> "browseable"="no"
> "read only"="no"
> "path"="/home/samba"
> "comment"="AdminShare"
> "guest ok"="no"
> "inherit acls"="yes"
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\profile]
> "guest ok"="no"
> "browseable"="no"
> "read only"="no"
> "profile acls"="yes"
> "comment"="User Profile"
> "path"="/home/profile"
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\domData]
> "path"="/home/samba/domdata/"
> "comment"="Famous domdataLW"
> "guest ok"="no"
> "read only"="no"
> 
> Any help is much appreciated, thanks in advance!
> 
> br
> 
> Sascha
> 
> 
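An added example (not part of the original thread and not Samba code): a small Python check that flags the deprecated `idmap uid`/`idmap gid` options and overlapping `idmap config` ranges, accepting both smb.conf and registry-export syntax. The function names and the `OVERLAP` sample are constructed for illustration; `POSTED` holds the idmap lines from the configuration quoted above.

```python
import re

DEPRECATED = {"idmap uid", "idmap gid"}  # options named by the WARNING lines
LINE = re.compile(r'^\s*"?([^"=#;]+?)"?\s*=\s*"?([^"]*?)"?\s*$')

def parse(text):
    """Return {normalized key: value} from smb.conf or registry-export lines."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:  # comments and [section] headers do not match and are skipped
            key = re.sub(r"\s*:\s*", " : ", m.group(1).strip().lower())
            settings[re.sub(r"\s+", " ", key)] = m.group(2).strip()
    return settings

def idmap_findings(text):
    """List deprecated idmap options and overlapping 'idmap config' ranges."""
    findings, ranges = [], {}
    for key, value in parse(text).items():
        if key in DEPRECATED:
            findings.append(f"deprecated option: {key}")
        dom = re.fullmatch(r"idmap config (\S+) : range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng:
            ranges[dom.group(1).upper()] = (int(rng.group(1)), int(rng.group(2)))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append(f"overlapping ranges: {a} and {b}")
    return findings

# idmap lines copied from the registry-format global section quoted on this page
POSTED = '''"idmap gid"="10000-20000"
"idmap uid"="10000-20000"
"idmap config * : range"="10000 - 19999"
"idmap config SAMDOM: backend"="rid"
"idmap config SAMDOM : range"="1000000 - 1999999"'''

# Constructed sample: the NTDOM range starts inside the default (*) range
OVERLAP = """idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config NTDOM : backend = ad
idmap config NTDOM : range = 5000-3999999"""

if __name__ == "__main__":
    for name, conf in (("POSTED", POSTED), ("OVERLAP", OVERLAP)):
        print(name, idmap_findings(conf))
```

The parser merges all sections into one dictionary, so feed it only the global section of a configuration.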