[Samba] Can't write to a samba share mounted as an AD user

Rowland Penny rpenny at samba.org
Thu Aug 2 19:02:18 UTC 2018


On Thu, 2 Aug 2018 14:28:30 -0400
pisymbol <pisymbol at gmail.com> wrote:

> On Thu, Aug 2, 2018 at 1:55 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
> > On Thu, 2 Aug 2018 13:16:26 -0400
> > pisymbol via samba <samba at lists.samba.org> wrote
> > >
> > > -aps (Alex)
> >
> > You do not have any lines like this in your smb.conf:
> >
> >     winbind nss info = rfc2307
> >     idmap config *:backend = tdb
> >     idmap config *:range = 2000-9999
> >     idmap config SAMDOM : backend = rid
> >     idmap config SAMDOM : schema_mode = rfc2307
> >     idmap config SAMDOM : range = 10000-999999
> >
> 
> 
> I guess I will do some more reading.

Try this for a start:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> 
> 
> > So, unless you are using sssd (and if you are, this is the wrong
> > place to ask for help), you do not have any way to authenticate your AD
> > users on the NAS. Yes, you may be able to read files on the NAS,
> > but you will not be able to write to them, this is because Samba
> > has no idea who your users are and 'guest' access is turned off.
> 
> 
> Unless QNAP has their own utility similar to sssd, I can absolutely
> *mount* a share AND *login* into the NAS device using my AD
> credentials. That is fact.

Yes, but you are using sudo and sudo = 'root' and you have 'username
map = /etc/config/smbusers' in smb.conf and this is probably mapping
Administrator to root.

> 
> The mount command I printed above is the exact line I'm using and I
> specify "user=" and "domain=" options parameters.
> 
> 
> > You also shouldn't have a NAS administrator, you should only have a
> > Domain Administrator.
> >
> 
> Honestly, you should have both IMO. This is even true in the Windows
> world and a lot of filers (NetApp for instance creates its own
> domain so the administrator account is technically NETAPP/admin or
> something of that ilk).

Yes, you do have a local Administrator and a DOMAIN\Administrator on
Windows, but you only use one at once. You (as I said above) map the
DOMAIN\Administrator to the 'root' user on a Unix domain member.

> 
> 
> > I think what you are trying to say is that, you have purchased this
> > NAS and most of the [global] part of the smb.conf is what it came
> > with, if this is true, then QNAP are you listening, your standard
> > smb.conf is rubbish. It contains deprecated settings (smbpasswd),
> > default lines and lines that do not need to be there, it is as if
> > they just took the output of 'man smbconf', removed most of the
> > text, just leaving the parameters, threw away some of the
> > parameters and set others to defaults or things they shouldn't be
> > set to.
> >
> 
> Well it's a bit more complicated than that. They have an AD wizard
> you go through that joins the NAS device to your domain (that worked
> after a change on my end).

That sort of makes it worse ;-), why complicate something that is so
easy to do from the command line. When I say complicate, I mean adding
all those totally un-required lines and not actually adding really
required lines.
 
> 
> 
> > I think (and I could be wrong, but I don't think so) it was meant to
> > be a 'standalone server', but you now want it to be a Unix domain
> > member, if so, you need to make a lot of changes to your smb.conf.
> >
> 
> Not according to their extensive doc. These filers are supposed to
> work as bona fide CIFS file servers connected to AD (and are heavy
> users of samba).

Another way to describe a CIFS file server is a standalone server;
another name is 'Windows home'.

> 
> Anyway, Rowland, don't get upset at me. I did actually Google A LOT
> before asking all of the above.

No, I am not getting angry at you, I am just getting upset at your QNAP
thing.

> 
> So it seems that to get samba to know who is mounting what I need to
> add a few lines to tell it about my domain.

You need to sort out the way over the top smb.conf, for instance, do you
have any Apple machines? If not, then all the references to fruit can
be removed.

Rowland

> 
> -aps
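A small lint for the point Rowland is making above, added here as an example that is not part of this thread or of Samba itself: it parses an smb.conf, checks that `security = ads` is set, and reports when the workgroup's domain (or the default `*` domain) has no idmap backend and range, or when two idmap ranges overlap, which is the configuration gap that leaves Samba unable to map AD users to Unix IDs. The domain name SAMDOM and the two sample files are constructed from the lines quoted in the thread; `testparm` remains the tool for validating a real config, this only covers the idmap lines under discussion.

```python
"""Lint an smb.conf for the idmap settings a Samba AD domain member needs.

Added example, not from the mailing-list thread or the Samba project.
"""
import re


def _norm(name: str) -> str:
    # Samba ignores case and whitespace in parameter names; normalise the same way
    # so "idmap config SAMDOM : backend" and "idmapconfigsamdom:backend" compare equal.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_param: value}} for an smb.conf string."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


_IDMAP_RE = re.compile(r"^idmapconfig(.+?):(backend|range|schema_mode)$")


def idmap_settings(global_section: dict) -> dict:
    """Collect per-domain idmap options: {'*': {'backend': 'tdb', 'range': ...}, ...}."""
    out: dict = {}
    for key, value in global_section.items():
        m = _IDMAP_RE.match(key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
    return out


def parse_range(value: str) -> tuple:
    lo, hi = (int(x) for x in value.split("-"))  # raises ValueError if malformed
    return lo, hi


def lint_domain_member(text: str) -> list:
    """Return a list of problems; an empty list means the idmap setup looks sane."""
    g = parse_smb_conf(text).get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security is not 'ads': not configured as a domain member")
    workgroup = g.get("workgroup", "").lower()
    if not workgroup:
        problems.append("no workgroup set")
    idmap = idmap_settings(g)
    if "*" not in idmap:
        problems.append("no idmap config for the default '*' domain")
    if workgroup and workgroup not in idmap:
        problems.append(f"no idmap config for domain {workgroup.upper()}: "
                        "Samba cannot map AD users to Unix IDs")
    ranges = []
    for dom, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"idmap config {dom}: no backend")
        if "range" not in opts:
            problems.append(f"idmap config {dom}: no range")
            continue
        try:
            ranges.append((dom, parse_range(opts["range"])))
        except ValueError:
            problems.append(f"idmap config {dom}: malformed range {opts['range']!r}")
    # Every domain's range must be disjoint from every other, including '*'.
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"idmap ranges for {d1} and {d2} overlap")
    return problems


# Constructed sample: the shape of a config joined to AD but with no idmap lines.
AS_SHIPPED = """
[global]
    workgroup = SAMDOM
    security = ads
    username map = /etc/config/smbusers
"""

# Constructed sample: the same file with the lines Rowland lists added.
FIXED = AS_SHIPPED + """
    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

if __name__ == "__main__":
    for name, conf in (("as shipped", AS_SHIPPED), ("fixed", FIXED)):
        print(name, "->", lint_domain_member(conf) or "OK")
```

Run it against a real file with `lint_domain_member(open("/etc/samba/smb.conf").read())`; the checks are deliberately limited to what the thread covers, so a clean result means only that the idmap side is present and consistent, not that the rest of the file is sane.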
