[Samba] cannot list/access samba share from Windows client
Andrea Rossetti
andy.ros at gmail.com
Mon Jan 8 13:41:01 UTC 2018
Hi,
I have a problem listing/accessing a share from a Windows client when the share is hosted on a Samba domain member server.
I followed the instructions from
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
step by step, but I used sssd instead of winbind as the authentication method.
The Linux Samba server is an Ubuntu Server 16.04 machine, and I successfully added this Samba server to a Windows Active Directory domain (Windows Server 2012 R2).
I log in to the domain server machine as a Domain Admins user, but I'm not able to list/access the share: when I type \\servername in Windows Explorer I get "access denied" with a prompt to enter the credentials of a user allowed to access it. Only the user mapped in /etc/samba/user.map can manage the server via the ADUC interface and list the share, even though I've assigned SeDiskOperatorPrivilege to the whole Domain Admins group:
root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
COM_SPOLETO\Domain Admins
BUILTIN\Administrators
Is there anyone who can help me?
Below are my configuration files.
----------------------------------------------------------------------
My /etc/samba/smb.conf
# Global parameters
[global]
workgroup = COM_SPOLETO
realm = COMUNE.SPOLETO.LOCAL
server string = %h server (Samba, Ubuntu)
interfaces = lo ens32
bind interfaces only = Yes
server role = standalone server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
username map = /etc/samba/user.map
unix password sync = Yes
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 1000
client signing = if_required
dns proxy = No
panic action = /usr/share/samba/panic-action %d
winbind refresh tickets = Yes
idmap config comune.spoleto.local : range = 10000-29999
idmap config comune.spoleto.local : backend = rig
idmap config * : range = 3000-7999
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[share]
comment = Progetti QGIS per Lizmap
path = /home/data/share
read only = No
inherit acls = Yes
-----------------------------------------------------------------------------
My /etc/samba/user.map
!root = COM_SPOLETO\Adminserver
----------------------------------------------------------------
My /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss winbind
group: compat sss winbind
shadow: compat sss
gshadow: files
hosts: files dns winbind
networks: files
protocols: db files
services: db files sss winbind
ethers: db files
rpc: db files
netgroup: nis sss winbind
sudoers: files sss winbind
---------------------------------------------------------------------------------------------------------------------
My /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = COMUNE.SPOLETO.LOCAL
[domain/COMUNE.SPOLETO.LOCAL]
id_provider = ad
access_provider = ad
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%d/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = SRVLNXINTRA01.comune.spoleto.local
# Uncomment if DNS SRV resolution is not working
# ad_server = SRVW3KDC01.comune.spoleto.local
# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = COMUNE.SPOLETO.LOCAL
# Enumeration is discouraged for performance reasons.
# enumerate = true
-------------------------------------------------------------------------------------------
My /etc/krb5.conf
[libdefaults]
default_realm = COMUNE.SPOLETO.LOCAL
ticket_lifetime = 24h #
renew_lifetime = 7d
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
COMUNE.SPOLETO.LOCAL = {
kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
master_kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
admin_server = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
default_domain = COMUNE.SPOLETO.LOCAL
}
[domain_realm]
.comune.spoleto.local = COMUNE.SPOLETO.LOCAL
comune.spoleto.local = COMUNE.SPOLETO.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
-------------------------------------------------------------------------------------------
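The settings in a posted smb.conf that a reviewer checks first on a domain member are the pairing of "security" with "server role" and the "idmap config" lines (the domain key there is the NetBIOS workgroup name or "*", and the backend must be one of winbind's idmap modules). Below is an added example, not part of this post and not Samba's own code, of a small lint that parses an smb.conf and reports exactly those inconsistencies. The sample configuration embedded in it is constructed to resemble the one above, and the list of backend names covers the common winbind idmap backends rather than every module that has ever shipped.

```python
"""Added example (not from the original post or from Samba): a consistency
lint for a domain-member smb.conf.

It flags three things that commonly break share access on a member server:
  - 'security = ads' combined with a 'server role' other than 'member server'
    (or the default 'auto')
  - an 'idmap config ... : backend' value that is not a winbind idmap backend
  - an 'idmap config DOMAIN : ...' key whose DOMAIN is neither '*' nor the
    NetBIOS workgroup name (the realm/DNS name is not accepted there)
"""
import re
from typing import Dict, List

# Common winbind idmap backends (not an exhaustive list of every module).
KNOWN_IDMAP_BACKENDS = {"tdb", "tdb2", "rid", "ad", "autorid", "ldap", "nss", "script"}
# 'server role' values that are consistent with 'security = ads'.
MEMBER_ROLES = {"member server", "auto"}

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
IDMAP_RE = re.compile(r"^idmap config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\S+)$")

# Constructed sample resembling the posted configuration (not a real host).
SAMPLE = """\
[global]
   workgroup = COM_SPOLETO
   realm = COMUNE.SPOLETO.LOCAL
   security = ADS
   server role = standalone server
   idmap config comune.spoleto.local : range = 10000-29999
   idmap config comune.spoleto.local : backend = rig
   idmap config * : range = 3000-7999
   idmap config * : backend = tdb

[share]
   path = /home/data/share
   read only = No
"""

# The same sample with the three inconsistencies corrected.
FIXED = (SAMPLE.replace("standalone server", "member server")
               .replace("comune.spoleto.local", "COM_SPOLETO")
               .replace("= rig", "= rid"))


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed; comments
    starting with '#' or ';' and blank lines are skipped."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def lint_member_config(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    g = conf.get("global", {})
    findings: List[str] = []
    security = g.get("security", "").lower()
    role = g.get("server role", "auto").lower()
    if security == "ads" and role not in MEMBER_ROLES:
        findings.append(f"security = ads but server role = '{role}': a domain "
                        "member needs 'member server' (or the default 'auto')")
    workgroup = g.get("workgroup", "").lower()
    seen_domains = set()
    for key, value in g.items():
        m = IDMAP_RE.match(key)
        if not m:
            continue
        dom, opt = m.group("dom").lower(), m.group("opt")
        if opt == "backend" and value.lower() not in KNOWN_IDMAP_BACKENDS:
            findings.append(f"idmap config {dom}: unknown backend '{value}' "
                            f"(known: {', '.join(sorted(KNOWN_IDMAP_BACKENDS))})")
        if dom not in ("*", workgroup) and dom not in seen_domains:
            seen_domains.add(dom)
            findings.append(f"idmap config {dom}: the domain key must be the "
                            f"NetBIOS workgroup '{workgroup}' or '*', not the realm")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("fixed", FIXED)):
        print(f"== {label} ==")
        for finding in lint_member_config(parse_smb_conf(text)) or ["clean"]:
            print(" -", finding)
```

Run as-is it reports three findings for the sample and "clean" for the corrected copy; point it at a real file by replacing SAMPLE with the file's contents. It deliberately checks only the [global] keys that decide domain-member behaviour and does not try to validate the share sections, Kerberos or sssd settings, which are separate configurations.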