[Samba] R: cannot list/access samba share from Windows client
Andrea Rossetti
andy.ros at gmail.com
Mon Jan 8 17:27:44 UTC 2018
Thanks for the rapid reply!
I think the problem was in the server role option. I’ve changed it to “server member” and now I’m able to list the shares under \\linuxserver from any domain user authenticated on a Windows PC that is an AD member.
But now:
1. I execute Computer Management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin, which is a “domain admins” member).
2. Right click on Computer Management -> connect to another computer -> srvlnxwintra01 (the Linux member server).
3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares” -> right click on “share” -> click Properties -> click on the “Security” tab. In this tab I get the message “You must have Read permission to view the properties of this object”, even though I have granted SeDiskOperatorPrivilege to the “com_spoleto\domain admins” group. But if I execute “Computer Management” as the “com_spoleto\adminserver” user (I explain below the reason I used this user), I can view/modify the ACLs.
Please see my inline comments; at the end of this message I pasted my modified config files:
Sent from Mail for Windows 10
From: Rowland Penny
Sent: Monday 8 January 2018 15:15
To: samba at lists.samba.org
Cc: Andrea Rossetti
Subject: Re: [Samba] cannot list/access samba share from Windows client
>> The Linux samba server is an Ubuntu server
>> 16.04 and I successfully added this samba server to a Windows Active
>> Directory domain (Windows Server 2012 R2). I log in to the domain
>> server machine as a domain admins user but I’m not able to
>> list/access the share: when I type \\servername in Windows Explorer
>> I get access denied with a request to enter the
>> credentials of a user enabled for it. Only the user mapped
>> in /etc/samba/user.map can manage the server via the ADUC interface
>> and list, but I’ve assigned the SeDiskOperatorPrivilege to the whole domain
>> admins group
>The only mapping in the user.map should be Administrator to root.
I’ve mapped the user COM_SPOLETO\adminserver because it is an enterprise admin like COM_SPOLETO\Administrator.
For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatorPrivilege to the “com_spoleto\domain admins” group (see lines below).
>> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
>> Enter com_spoleto\adminserver's password:
>> SeDiskOperatorPrivilege:
>> COM_SPOLETO\Domain Admins
>> BUILTIN\Administrators
>> -----------------------------------------------------------------------------
>> My /etc/samba/user.map
>> !root = COM_SPOLETO\Adminserver
>It is Administrator not Adminserver
As just explained, adminserver is for us the enterprise domain admin.
----------------------------------------------
My modified /etc/samba/smb.conf
# Global parameters
[global]
workgroup = COM_SPOLETO
realm = COMUNE.SPOLETO.LOCAL
server string = %h server (Samba, Ubuntu)
interfaces = lo ens32
bind interfaces only = Yes
server role = member server
security = ADS
map to guest = Bad User
username map = /etc/samba/user.map
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 1000
client signing = if_required
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[share]
comment = Progetti QGIS per Lizmap
path = /home/data/share
read only = No
-------------------------------------------------------------------------------
My modified /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat sss
group: compat sss
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
--------------------------------------------------------------------------------
My modified /etc/krb5.conf
[libdefaults]
default_realm = COMUNE.SPOLETO.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
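Added example, not the poster's or Samba's own code: a small Python linter that reads the [global] lines of the smb.conf and the user.map posted above (embedded as constructed input) and checks the settings this thread turns on, i.e. the member-server role, Rowland's rule that the only username-map entry should be Administrator to root, and the three ACL-related parameters that Windows ACL editing relies on. The "map to guest" finding is an added caveat about what that parameter does, not something the thread states, and the finding texts are my own wording.

```python
import configparser, re

# Constructed input: the relevant [global] lines of the smb.conf posted in this
# thread, plus the posted user.map (the leading "!" means "stop on first match").
SMB_CONF = """[global]
workgroup = COM_SPOLETO
server role = member server
security = ADS
map to guest = Bad User
username map = /etc/samba/user.map
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr
"""
USER_MAP = "!root = COM_SPOLETO\\Adminserver\n"

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and spaces in parameter names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = lambda name: re.sub(r"\s+", "", name).lower()
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def parse_user_map(text):
    """Return [(unix_user, [dos_names, ...])] from a 'username map' file."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lstrip("!")
        if "=" in line:
            unix, dos = (p.strip() for p in line.split("=", 1))
            pairs.append((unix, dos.split()))
    return pairs

def lint(conf, usermap):
    """Return findings for an AD member server; an empty list means all checks pass."""
    g, findings = conf["global"], []
    if g.get("serverrole", "").lower() != "member server" or g.get("security", "").lower() != "ads":
        findings.append("AD member needs 'server role = member server' and 'security = ADS'")
    # The thread's advice: the only mapping should be Administrator -> root.
    wanted = [("root", [g.get("workgroup", "").lower() + "\\administrator"])]
    if [(u.lower(), [d.lower() for d in ds]) for u, ds in usermap] != wanted:
        findings.append("user.map should contain only 'root = WORKGROUP\\Administrator'")
    if g.get("maptoguest", "never").lower() == "bad user":
        findings.append("map to guest = Bad User treats unknown usernames as guest, hiding lookup failures")
    # Editing share ACLs from Windows relies on these three settings being present.
    for param, value in {"vfsobjects": "acl_xattr", "mapaclinherit": "yes", "storedosattributes": "yes"}.items():
        if value not in g.get(param, "").lower():
            findings.append(f"Windows ACL editing needs '{param} = {value}'")
    return findings
```

Running `lint(parse_smb_conf(SMB_CONF), parse_user_map(USER_MAP))` on the posted files reports the non-Administrator root mapping and the guest-mapping caveat; with the map changed to `root = COM_SPOLETO\Administrator` only the caveat remains.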