[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder
Bruno Sousa
bruno.guimaraes at mpba.mp.br
Tue Mar 27 19:42:00 UTC 2018
I joined my Debian 9 server to an Active Directory structure as a domain member, not as a DC. When I try to share a folder on this server, the client PC can't correctly authenticate and use the folder. It keeps saying "Access Denied" on the Windows client PC. There is no error in the log files (/var/log/samba/). If I allow anonymous users, it works fine. I used to use the same configuration on Debian 7 and it worked.
What is wrong?

/etc/samba/smb.conf:
[global]
workgroup = MP
realm = INTRANET.OBFUSCATEDDOMAIN
server string = %h server
wins server = intranet.obfuscateddomain
dns proxy = no
interfaces = ens32 lo
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
load printers = no
idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
idmap config MP : default = yes
idmap config MP : backend = ad
idmap config * : range = 20000-29999
idmap config *:backend = rid
winbind enum groups = yes
winbind enum users = yes
local master = no
domain master = no
preferred master = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
invalid users = root
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
[GR-UITEC]
comment = Pasta para GR-UITEC
path = /home/apache/desenvolvimento
readonly = no
valid users = MP\bruno.guimaraes
admin users = MP\bruno.guimaraes
force user = www-data
force group = www-data

/etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/krb5.conf:
[libdefaults]
default_realm = INTRANET.OBFUSCATEDDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
INTRANET.OBFUSCATEDDOMAIN = {
kdc = INTRANET.OBFUSCATEDDOMAIN:88
admin_server = INTRANET.OBFUSCATEDDOMAIN
}
[domain_realm]
.intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
Regards,
--
Bruno Guimarães Sousa
MPBA mission: To defend society and the democratic regime to guarantee full citizenship.