[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder

Bruno Sousa bruno.guimaraes at mpba.mp.br
Tue Mar 27 19:42:00 UTC 2018


I joined my Debian 9 server to an Active Directory structure as a domain member, not as a DC. When I share a folder on this server, the client PC cannot authenticate and use the folder: the Windows client keeps saying "Access Denied". There are no errors in the log files (/var/log/samba/). If I allow anonymous users, it works fine. I used the same configuration on Debian 7 and it worked.

What is wrong?

/etc/samba/smb.conf:

# [global] section of a Samba host joined to Active Directory as a member
# server (security = ads below). smb.conf comments must be on their own lines.
[global]
   workgroup = MP
   realm = INTRANET.OBFUSCATEDDOMAIN
   server string = %h server
# NOTE(review): the value is the AD DNS domain name, not a named WINS host -
# confirm a WINS service really answers at that name.
   wins server = intranet.obfuscateddomain
   dns proxy = no
# NOTE(review): no "bind interfaces only" appears in this listing - confirm
# whether smbd is meant to be limited to ens32 and lo.
interfaces = ens32 lo

# One log file per client machine (%m). No "log level" is set in this listing,
# so logging runs at the default verbosity; raising it temporarily is the
# usual way to see authentication and id-mapping decisions.
   log file = /var/log/samba/log.%m
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
# Domain-member mode: user authentication is handed to the AD domain.
security = ads
   encrypt passwords = true
# The passdb/passwd settings below concern local accounts (tdbsam database,
# Unix password sync through /usr/bin/passwd).
# NOTE(review): presumably carried over from the distribution default file;
# confirm they are wanted on a domain member.
   passdb backend = tdbsam
# Makes Samba apply PAM account and session rules to connecting users.
# NOTE(review): confirm the PAM stack knows domain accounts, otherwise a
# domain user could be refused here after AD has accepted the password.
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
# A logon whose user name is unknown to this host becomes a guest session
# instead of a failed logon.
# NOTE(review): if the domain user cannot be resolved, the client would be
# connected as guest and then refused by "valid users" on the share, which
# would match "Access Denied" with no logged error - verify.
   map to guest = bad user
load printers = no

# ID mapping. Domain MP uses the "ad" backend with the rfc2307 schema, so
# Unix ids are read from attributes stored in AD.
# NOTE(review): accounts and groups without uidNumber/gidNumber inside
# 10000000-29999999 get no Unix id - check the connecting user with
# "wbinfo -i" and "getent passwd".
idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
# NOTE(review): "default = yes" looks like idmap syntax from older Samba
# releases - run testparm to see whether this version accepts it.
idmap config MP : default = yes
idmap config MP : backend = ad
# NOTE(review): the default domain (*) is given the rid backend; Samba's idmap
# documentation expects a writable backend such as tdb there - confirm.
idmap config * : range = 20000-29999
idmap config *:backend = rid
# Let winbind list all domain users and groups.
# NOTE(review): not needed for authentication and can be slow in a large
# domain - confirm it is wanted.
   winbind enum groups = yes
   winbind enum users = yes
    local master = no
    domain master = no
    preferred master = no
# NOTE(review): legacy range parameters that define a second default range
# (10000-20000) next to "idmap config * : range" (20000-29999) above, sharing
# the value 20000 - keep one non-overlapping definition.
    winbind uid = 10000-20000
    winbind gid = 10000-20000
# Domain users are named without the MP\ prefix.
    winbind use default domain = yes
# Set in [global], so root is refused on every share.
    invalid users = root
# Home directory and shell winbind hands out for domain users (%D domain,
# %U user).
# NOTE(review): /bin/bash gives domain accounts a usable login shell wherever
# PAM admits them; a nologin shell is the least-privilege choice if this host
# only serves files.
    template homedir = /home/%D/%U
    template shell = /bin/bash
# Lets winbind cache logon credentials so logons work without a reachable DC.
# NOTE(review): this keeps credential material on the host - confirm it is
# needed on a server.
    winbind offline logon = yes
    winbind refresh tickets = yes

# Writable share for one domain account; file access is mapped to www-data.
[GR-UITEC]
    comment       = Pasta para GR-UITEC
    path = /home/apache/desenvolvimento
    readonly  = no

# Only this account may connect. The check can only pass if winbind resolves
# the name to a Unix user.
# NOTE(review): confirm with "getent passwd" for this account on the server.
    valid users = MP\bruno.guimaraes
# NOTE(review): "admin users" makes the listed account act as root on the
# share, while force user/force group below map every connection to www-data.
# Confirm which is intended; least privilege suggests dropping "admin users".
    admin users = MP\bruno.guimaraes
    force user   = www-data
    force group = www-data



/etc/nsswitch.conf:

# Name-service lookup order. winbind is listed after compat so that domain
# users and groups resolve through winbind.
passwd: compat winbind

group:          compat winbind

# NOTE(review): Samba's domain-member guidance advises against listing winbind
# for the shadow database - confirm and drop it here if so.
shadow:         compat winbind

# Host names resolve from /etc/hosts first, then DNS.
hosts:          files dns
networks:       files

protocols:      db files

services:       db files

ethers:         db files

rpc:            db files

netgroup:       nis



/etc/krb5.conf

# Kerberos client settings for the AD realm used by this domain member.
[libdefaults]
 default_realm = INTRANET.OBFUSCATEDDOMAIN
# DNS discovery of realm and KDC is switched off, so the [realms] entry below
# is the only source of KDC addresses.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

# NOTE(review): kdc and admin_server name the domain itself rather than a
# specific domain controller; this relies on that name resolving to a DC -
# confirm from this host.
[realms]
    INTRANET.OBFUSCATEDDOMAIN = {
        kdc = INTRANET.OBFUSCATEDDOMAIN:88
        admin_server = INTRANET.OBFUSCATEDDOMAIN
    }
# Maps the DNS domain and the hosts below it to the realm.
[domain_realm]
    .intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
    intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN




att,

--
Bruno Guimarães Sousa

Missão do MPBA: Defender a sociedade e o regime democrático para garantia da cidadania plena.

