[Samba] R: cannot list/access samba share from Windows client

Andrea Rossetti andy.ros at gmail.com
Mon Jan 8 17:27:44 UTC 2018 

Thanks for the rapid reply!

I think the problem was in the server role options I’ve modified it in  “server member” and now I’m able to list the shares under \\linuxserver from any domain user authenticated in a Windows pc AD member.
But now
1. Execute computer management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin that is a “domain admins” member
2. Right click on computer management -> connect to another computer -> srvlnxwintra01 (the Linux server member)
3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares”  right click on “share” -> Click Properties -> click on tab “Security”. In this tab I have the message “You musr have Read permission to view the properties of this object” even if I have granted SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If I execute “Computer Management” as “com_spoleto\adminserver” user (I explained below the reason I used this user) I can view/modify the ACLs.

Please see MY inline comments, and at the end of this message I pasted my modified config files:

Inviato da Posta per Windows 10

Da: Rowland Penny
Inviato: lunedì 8 gennaio 2018 15:15
A: samba at lists.samba.org
Cc: Andrea Rossetti
Oggetto: Re: [Samba] cannot list/access samba share from Windows client



>>The Linux samba server is an Ubuntu server
>> 16.04 and I successfully added this samba server to a awindows active
>> directory domain (Windows server 2012 R2). I login to the domain
>> server machine as a domain admins user but II’m not able to
>> list/access to the share when I digit in Windows Explorer
>> \\servername I have the access denied with the request to insert the
>> credential of a user enabled to it. Only the user mapped
>> in  /etc/samba/user.map can manage the server via the ADUC interface
>> and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain
>> admin Group

>The only mapping in the user.map should be Administrator to root.

I’ve mapped the user COM_SPOLETO\adminserver because it is an enterprise admin as the COM_SPOLETO\Administrator
For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatoPrivilege do “com_spoleto\domain admins” group (see lines below)

>>  root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges
>> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
>> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
>>   COM_SPOLETO\Domain Admins
>>   BUILTIN\Administrators

>> -----------------------------------------------------------------------------
>> My /etc/samba/user.map
>> !root = COM_SPOLETO\Adminserver

>It is Administrator not Adminserver

As just explained the adminserver is for us the enterprise domain admin.

----------------------------------------------
My modified /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr


[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers


[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
-------------------------------------------------------------------------------

My modified /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
--------------------------------------------------------------------------------

My modified /etc/krb5.conf

[libdefaults]
         default_realm = COMUNE.SPOLETO.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

More information about the samba mailing list