[Samba] Unable to contact active directory or verify claim types

Gaeseric Vandal gaiseric.vandal at gmail.com
Wed Jul 25 02:20:01 UTC 2018


I am running several Solaris 11 file servers with samba 4.7.6. This is
an AD domain but the domain controllers are Win 2008 R2 and Windows 2012 R2.
All users and groups in AD have unix uidNumbers and gidNumbers assigned.

On one file server, I am having problems where some users cannot access
files, via Windows, to which they should have access as the group member.

For example, G:\ITDepartment\Project1 directory is owned by me, with the
project group of "IT." The file permissions are generally set in Unix for
user and group to have rwx access. Some of the users cannot get into the
Project1 subdirectory even though I think they can get into the
G:\ITDepartment directory. So I don't think it is a problem with samba
ignoring group privileges.

The "wbinfo -n" and "wbinfo -s" are able to resolve user names and group
names to SIDs and back to names. The "getent passwd" command is showing
all users. The "getent passwd myname" and "getent passwd
MYDOMAIN\myname" both show the same unix UserIDNumber and GroupIDNumber so
no

I am keeping permissions really simple - one owner, one group. I am
typically working from a Windows 7 Pro client but sometimes I will RDP into
one of several Win 2012 R2 servers (either as myself or an administrator).

If I right click a network folder in Windows 7 (logged in as myself), then
select properties -> security -> advanced, the permissions in Windows look
AOK. I can select an access entry and click "change permissions."

If I right click a folder in Win 2012 (logged in as myself or an admin),
then select properties -> security -> advanced, the permissions in Windows
look AOK. However if I select an access entry and click edit, I get the
warning "Unable to contact active directory or verify claim types." I do
NOT see this error message when looking at folder properties on other
samba servers. It seems to be something unique to this one.

I tried querying group lists with "net" which pointed to the max server
protocol being a possible factor.

root@weirdserver:~# net groupmember list IT -U Administrator
Enter Administrator's password:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[127.0.0.1]

root@weirdserver:~# testparm -v
.
server max protocol = SMB3
.

root@okserver:~# net groupmember list IT -U Administrator
Enter Administrator's password:
smb1cli_req_writev_submit: called for dialect[SMB2_10] server[127.0.0.1]

root@okserver:~# testparm -v
.
server max protocol = SMB2
.

I ran into issues in the past with SMB3, specifically between Windows 10
and Samba, so I had switched back to SMB2 as the max. But a few months ago
I switched back to SMB3 on this particular server. I don't know if this is
related.

Appreciate any feedback.

 

 

 

 


