[Samba] cannot list/access samba share from Windows client

Andrea Rossetti andy.ros at gmail.com
Mon Jan 8 13:41:01 UTC 2018

I have a problem listing/accessing, from a Windows client, a share hosted on a Samba domain member server.
I followed the instructions from [link not preserved in this archived copy]
step by step, but I used sssd instead of winbind as the authentication method.
The Linux Samba server is an Ubuntu Server 16.04 machine, and I successfully joined this Samba server to a Windows Active Directory domain (Windows Server 2012 R2).
I log in to the domain server machine as a Domain Admins user, but I’m not able to list or access the share: when I type \\servername in Windows Explorer, I get "access denied" together with a request to enter the credentials of a user who is allowed to access it. Only the user mapped in /etc/samba/user.map can manage the server via the ADUC interface and list the share, even though I’ve assigned SeDiskOperatorPrivilege to the whole Domain Admins group.

 root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
  COM_SPOLETO\Domain Admins

Is there anyone who can help me?

Below are my configuration files.
My /etc/samba/smb.conf
# smb.conf as posted.
# NOTE(review): the bracketed section headers are not visible in this archived
# copy (presumably [global] first, then the printer and share sections); each
# blank line below marks where a new section begins.
# Global parameters
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
# NOTE(review): 'standalone server' is combined with 'security = ADS' on the
# next line, while the post describes this host as a domain member. A domain
# member normally uses 'member server' (or the default 'auto'); check what
# testparm reports as the effective server role.
        server role = standalone server
        security = ADS
# Logins with an unknown user name are mapped to the guest account; confirm
# that this is wanted on an AD member server.
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# The map file shown later in the post maps COM_SPOLETO\Adminserver to root,
# so that AD account acts with root's identity on this server. Keep the map
# file writable by root only and the list of mapped accounts minimal.
        username map = /etc/samba/user.map
        unix password sync = Yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
# NOTE(review): the winbind/idmap settings below only matter when winbindd is
# running; the post says sssd is used instead of winbind, so confirm which
# service actually maps AD SIDs to Unix IDs for smbd.
        winbind refresh tickets = Yes
# NOTE(review): idmap domain sections are normally keyed by the NetBIOS domain
# name (the workgroup, COM_SPOLETO here) rather than the DNS realm, and 'rig'
# does not match any standard idmap backend name (probably 'rid' was meant).
# If the domain has no working backend, its users cannot be mapped to Unix
# IDs, which would fit the access-denied symptom. Verify.
        idmap config comune.spoleto.local : range = 10000-29999
        idmap config comune.spoleto.local : backend = rig
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

# Printer section (header not visible): spool directory, not browseable.
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

# Printer driver section (header not visible).
        comment = Printer Drivers
        path = /var/lib/samba/printers

# Data share (header/share name not visible). It is writable and no
# 'valid users' or similar restriction is shown here, so access control rests
# on the filesystem permissions and ACLs of the path.
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
My /etc/samba/user.map
!root = COM_SPOLETO\Adminserver
My /etc/nsswitch.conf
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
#
# NOTE(review): several databases below list both sss and winbind, although the
# post says sssd is used instead of winbind. Two identity sources can return
# different UIDs/GIDs for the same AD account; confirm which one is meant to
# answer, e.g. by comparing `getent passwd <domain user>` with the IDs that
# smbd sees.

passwd:         compat sss winbind
group:          compat sss winbind
shadow:         compat sss
gshadow:        files

hosts:          files dns winbind
networks:       files

protocols:      db files
services:       db files sss winbind
ethers:         db files
rpc:            db files

netgroup:       nis sss winbind
# sudo rules are also looked up through sss and winbind here, so directory
# content can grant sudo rights on this host; confirm that this is intended.
sudoers:        files sss winbind
My /etc/sssd/sssd.conf
# NOTE(review): the [sssd] and [domain/...] section headers (and any
# 'domains =' line) are not visible in this archived copy.
services = nss, pam
config_file_version = 2

# Identity lookups and access checks both go to Active Directory.
# NOTE(review): access_provider applies to logins that pass through SSSD
# (PAM); whether it has any effect on SMB connections handled by smbd should
# be confirmed.
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = SRVLNXINTRA01.comune.spoleto.local

# Uncomment if DNS SRV resolution is not working
# ad_server = SRVW3KDC01.comune.spoleto.local

# Uncomment if the AD domain is named differently than the Samba domain
# NOTE(review): the setting this comment refers to is not present in the
# archived copy.

# Enumeration is discouraged for performance reasons.
# enumerate = true
My /etc/krb5.conf
        # NOTE(review): the bracketed section headers (presumably [libdefaults],
        # [realms], [domain_realm] and [login]) are not visible in this archived
        # copy; the blank lines mark where each section starts.
        default_realm = COMUNE.SPOLETO.LOCAL
        ticket_lifetime = 24h #
        renew_lifetime = 7d

# The following krb5.conf variables are only for MIT Kerberos.
# NOTE(review): the krb4_* entries are Kerberos 4 leftovers and are presumably
# ignored by current MIT Kerberos releases; confirm before relying on them.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        # Realm is taken from default_realm / the mappings below, while KDCs
        # are located through DNS.
        dns_lookup_realm = false
        dns_lookup_kdc = true

        # Realm entry: the domain controller used as master KDC and admin server.
        master_kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
        admin_server = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
        default_domain = COMUNE.SPOLETO.LOCAL

        # DNS domain to Kerberos realm mapping.
        .comune.spoleto.local = COMUNE.SPOLETO.LOCAL
        comune.spoleto.local = COMUNE.SPOLETO.LOCAL

        krb4_convert = true
        krb4_get_tickets = false

