[Samba] Share authentication problem

Sascha Wiechmann swiechmann at escoor.de
Fri Apr 20 07:09:53 UTC 2018


Hi Rowland,

Thank you very much for your help! The main problem was fixed today - 
and I have to apologize for bothering sambalist because it was an 
error40 (40cm in front of the PC). In my test environment, there was 
still an old, non-existing SID on the domdata share, however - after 
deleting the access permissions in Windows and adding new, everything 
goes fine now. I answered your additional questions below :)

On 19.04.2018 at 10:50, Rowland Penny wrote:
> On Thu, 19 Apr 2018 10:08:12 +0200
> Sascha Wiechmann via samba <samba at lists.samba.org> wrote:
>
>> Hi @ll !
>>
>> I am trying to set up a samba fileserver in SuSe 42.3 as domain
>> member in a debian based Samba4 AD. The join seems to be ok, as I can
>> get wbinfo -u and -g, and getent group and passwd.
>> I can also list all browsable shares with smbclient -L \\SambaFS
>> -Uusername, but when I add -k, I get the following errors:
>>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed
>> (next[(null)]): NT_STATUS_INVALID_PARAMETER
>> SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>
>> ----------------------------------------------------------------------------------------
>>
>> So I bought a book from Stefan Kania for Samba4 in AD that I worked
>> through site to site
> Why ? what is wrong with the Samba wiki ?
>
> https://wiki.samba.org/index.php/Main_Page
The samba wiki was my first try but I got stuck at the same problem - 
then I thought a book might help me out what I did wrong :)

>> - but I do not get access to shares for the
>> domain members except the domain admin. Windows prompts for user
>> authentication. The "profiles" share works perfectly and is owned by
>> the same gid as the other "general" share is. I would like to use
>> Windows Rightsmanagement for the shares in future. Some information:
>>
>> Samba1:/ # getent passwd mjackson
>> mjackson:*:1001113:10013::/home/SAMDOM/mjackson:/bin/false
>>
>> Samba1:/ # ls -ln /home/samba
>> total 4
>> drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata
>>
>>
> You have a problem, there shouldn't be numbers here, there should be
> names
Are you sure there is a problem? ls -ln shows UID and GID, ls -lh the 
names?

Samba1:/ # ls -ln /home/samba
drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

Samba1:/ # ls -lh /home/samba
drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 domdata


>
>> ---------------------------------------------------------------------------
>>
>> Samba1:/ # smbclient -L \\Samba1 -Umjackson
>> WARNING: The "idmap gid" option is deprecated <------- what is the
>> actual way? :)
> Try using this smb.conf:
>
> [global]
> workgroup = SAMDOM
> security = ads
> realm = SAMDOM.TEST
> netbios name = Samba1
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> winbind refresh tickets = yes
> winbind use default domain = yes
> idmap config * : range = 3000-7999
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 1000000-1999999
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes=yes
> hide unreadable=yes
>
> [Admin-Share]
> path=/home/samba
> comment=AdminShare
> browseable=no
> read only=no
>
> [profile]
> path=/home/profile
> comment=User Profile
> browseable=no
> read only=no
>
> [domData]
> path=/home/samba/domdata/
> comment=Famous domdataLW
> read only=no
>
> Rowland
>
>
I will try it, thanks
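
Added example, not part of the original message and not Samba project code: a small Python check that parses the idmap lines of the smb.conf suggested above, verifies the ranges do not overlap, and reports which of the IDs quoted in the thread fall inside a configured range. It assumes the rid backend's default base_rid of 0 and tdb as the default backend; the helper names parse_idmap, overlapping and classify are hypothetical.

```python
import re

# idmap lines copied from the smb.conf in the reply above
SMB_CONF = """\
[global]
workgroup = SAMDOM
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 1000000-1999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high) or None}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        # Assumption: tdb is the backend when none is configured.
        entry = domains.setdefault(dom, {"backend": "tdb", "range": None})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = val.lower()
    return domains

def overlapping(domains):
    """Return pairs of domains whose neighbouring ID ranges overlap."""
    items = sorted((d["range"], n) for n, d in domains.items() if d["range"])
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

def classify(xid, domains):
    """Return (domain, rid) for a uid/gid; rid is None unless the backend is rid."""
    for name, d in domains.items():
        if d["range"] and d["range"][0] <= xid <= d["range"][1]:
            # rid backend: ID = RID - base_rid + low, with base_rid assumed 0
            rid = xid - d["range"][0] if d["backend"] == "rid" else None
            return name, rid
    return None, None

if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(doms))
    for xid in (1001113, 10003, 10013):  # IDs from getent and ls -ln in the thread
        print(xid, classify(xid, doms))
```

With these ranges, 1001113 maps into the SAMDOM range, while 10003 and 10013 from the ls -ln output fall outside both configured ranges.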


