[Samba] R: cannot list/access samba share from Windows client
Rowland Penny
rpenny at samba.org
Mon Jan 8 17:47:31 UTC 2018
On Mon, 8 Jan 2018 18:27:44 +0100
Andrea Rossetti <andy.ros at gmail.com> wrote:
> Thanks for the rapid reply!
>
> I think the problem was in the server role options. I’ve modified it
> to “server member” and now I’m able to list the shares under
> \\linuxserver from any domain user authenticated in a Windows pc AD
> member. But now:
>
> 1. Execute computer management from a Windows domain member client as
>    a domain admin user (run as com_spoleto\rossetti.admin that is a
>    “domain admins” member)
> 2. Right click on computer management -> connect to another computer
>    -> srvlnxwintra01 (the Linux server member)
> 3. I expand “System Tools” -> I expand “Shared Folders” -> click on
>    “Shares” right click on “share” -> Click Properties -> click on tab
>    “Security”.
>
> In this tab I have the message “You must have Read permission to view
> the properties of this object” even if I have granted
> SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But if
> I execute “Computer Management” as “com_spoleto\adminserver” user (I
> explained below the reason I used this user) I can view/modify the
> ACLs.
>
> Please see MY inline comments, and at the end of this message I
> pasted my modified config files:
>
> Sent from Mail for Windows 10
>
> From: Rowland Penny
> Sent: Monday, 8 January 2018 15:15
> To: samba at lists.samba.org
> Cc: Andrea Rossetti
> Subject: Re: [Samba] cannot list/access samba share from Windows
> client
>
>
>
> >> The Linux samba server is an Ubuntu server
> >> 16.04 and I successfully added this samba server to a Windows
> >> active directory domain (Windows server 2012 R2). I login to the
> >> domain server machine as a domain admins user but I’m not able to
> >> list/access the share: when I type in Windows Explorer
> >> \\servername I have the access denied with the request to insert
> >> the credential of a user enabled to it. Only the user mapped
> >> in /etc/samba/user.map can manage the server via the ADUC
> >> interface and list, but I’ve assigned the SeDiskOperatorPrivilege
> >> to all domain admin Group
>
> >The only mapping in the user.map should be Administrator to root.
>
> I’ve mapped the user COM_SPOLETO\adminserver because it is an
> enterprise admin as the COM_SPOLETO\Administrator. For security
> reasons we have disabled the Administrator user account. In fact I
> used adminserver to grant SeDiskOperatorPrivilege to the
> “com_spoleto\domain admins” group (see lines below)
>
> >> root@SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
> >> Enter com_spoleto\adminserver's password:
> >> SeDiskOperatorPrivilege:
> >>   COM_SPOLETO\Domain Admins
> >>   BUILTIN\Administrators
>
> >> -----------------------------------------------------------------------------
> >> My /etc/samba/user.map
> >> !root = COM_SPOLETO\Adminserver
>
> >It is Administrator not Adminserver
>
> As just explained the adminserver is for us the enterprise domain
> admin.
>
> ----------------------------------------------
> My modified /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = COM_SPOLETO
> realm = COMUNE.SPOLETO.LOCAL
> server string = %h server (Samba, Ubuntu)
> interfaces = lo ens32
> bind interfaces only = Yes
> server role = member server
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/user.map
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> max log size = 1000
> client signing = if_required
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> printable = Yes
> browseable = No
>
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
>
> [share]
> comment = Progetti QGIS per Lizmap
> path = /home/data/share
> read only = No
> -------------------------------------------------------------------------------
>
> My modified /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat sss
> group: compat sss
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis sss
> sudoers: files sss
> --------------------------------------------------------------------------------
>
> My modified /etc/krb5.conf
>
> [libdefaults]
> default_realm = COMUNE.SPOLETO.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true

You are now solely using sssd for the authentication, you need to ask
on the sssd-users mailing list, either that or purge sssd and set up
winbind correctly.

I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
help any further.

Rowland
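
The mismatch discussed in this thread, as an added example that is not part of the original messages or of Samba: a small Python audit that flags a `security = ADS` member server whose nsswitch uses sss instead of winbind and whose user.map maps root to an account other than Administrator. The inputs are constructed, reduced from the files quoted above; the idmap range check is an assumption taken from Samba's idmap documentation, not from the thread.

```python
import re

# Constructed inputs, reduced from the files quoted in the thread.
SMB_CONF = """[global]
security = ADS
server role = member server
idmap config * : backend = tdb
[share]
path = /home/data/share
"""
NSSWITCH = "passwd: compat sss\ngroup: compat sss\nshadow: compat\n"
USER_MAP = "!root = COM_SPOLETO\\Adminserver\n"

def parse_global(text):
    """Return smb.conf [global] options with whitespace-normalised, lowercased keys."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def audit(smb_conf, nsswitch, user_map):
    """List findings for an AD member server (security = ADS); empty list if clean."""
    opts = parse_global(smb_conf)
    if opts.get("security", "").lower() != "ads":
        return []
    findings = []
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:(.*)$", nsswitch, re.M)
        sources = m.group(1).split() if m else []
        if "winbind" not in sources:
            findings.append(f"nsswitch {db}: winbind missing (has: {' '.join(sources)})")
    for key in opts:
        m = re.fullmatch(r"idmap config (\S+) : backend", key)
        # Assumption from Samba's idmap documentation: each idmap domain needs a range.
        if m and f"idmap config {m.group(1)} : range" not in opts:
            findings.append(f"idmap config {m.group(1)}: backend set but no range")
    for line in user_map.splitlines():
        unix, _, win = line.partition("=")
        account = win.strip().split("\\")[-1].lower()
        if unix.strip().lstrip("!") == "root" and account != "administrator":
            findings.append(f"user.map: root mapped to {win.strip()}, not Administrator")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, NSSWITCH, USER_MAP)))
```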