[Samba] Can't write to a samba share mounted as an AD user

pisymbol pisymbol at gmail.com
Thu Aug 2 18:28:30 UTC 2018 

On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Thu, 2 Aug 2018 13:16:26 -0400
> pisymbol via samba <samba at lists.samba.org> wrote
> >
> > -aps (Alex)
>
> You do not have any lines like this in your smb.conf:
>
>     winbind nss info = rfc2307
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config SAMDOM : backend = rid
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : range = 10000-999999
>


I guess I will do some more reading.


> So, unless you are using sssd (and if you are, this is the wrong place
> to ask for help), you do not anyway to authenticate your AD users on
> the NAS. Yes, you may be able to read files on the NAS, but you will not
> be able to write to them, this is because Samba has no idea who your
> users are and 'guest' access is turned off.


Unless QNAP has their own utility similar to sssd, I can absolutely *mount*
a share AND *login* into the NAS device using my AD credentials. That is
fact.

The mount command I printed above is the exact line I'm using and I specify
"user=" and "domain=" options parameters.


> You also shouldn't have a NAS administrator, you should only have a
> Domain Administrator.
>

Honestly, you should have both IMO. This is even true in the Windows world
and a lot of filers (NetApp for instance creates it's own domain so the
administrator account is technically NETAPP/admin or something of that ilk).


> I think what you are trying to say is that, you have purchased this NAS
> and most of the [global] part of the smb.conf is what it came with, if
> this is true, then QNAP are you listening, your standard smb.conf is
> rubbish. It contains deprecated settings (smbpasswd), default lines and
> lines that do not need to be there, it is as if they just took the
> output of 'man smbconf', removed most of the text, just leaving the
> parameters, threw away some of the parameters and set others to
> defaults or things they shouldn't be set to.
>

Well it's a bit more complicated then that. They have an AD wizard you go
through that joins the NAS device to your domain (that worked after a
change on my end).


> I think (and I could be wrong, but I don't think so) it was meant to
> be a 'standalone server', but you now want it to be a Unix domain
> member, if so, you need to make a lot of changes to your smb.conf.
>

Not according to their extensive doc. These filers are suppose to work as
bona fide CIFS file servers connected to AD (and are heavy users of samba).

Antyway, Rowland, don't get upset at me. I did actually Google A LOT before
asking all of the above.

So it seems that to get samba to know who is mounting what I need to add a
few lines to tell it about my domain.

-aps

More information about the samba mailing list