[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder
Rowland Penny
rpenny at samba.org
Tue Mar 27 20:25:12 UTC 2018
On Tue, 27 Mar 2018 16:42:00 -0300
Bruno Sousa via samba <samba at lists.samba.org> wrote:
> I joined my Debian 9 server into a Active Directory Structure as a
> domain member. Not as a DC. Then when I try to share a folder on this
> server and the client PC can't correctly authenticate and use the
> folder. It keeps saying "Access Denied" on Windows client PC. There
> is no error in log files (/var/log/samba/). If I allow anonymous
> users, it works fine. I used to use the same configuration on Debian
> 7 and it worked.
>
> What is wrong?
>
> /etc/samba/smb.conf:
>
> [global]
> workgroup = MP
> realm = INTRANET.OBFUSCATEDDOMAIN
> server string = %h server
> wins server = intranet.obfuscateddomain
You should remove the above line; you should be using DNS to find the DC.
> dns proxy = no
> interfaces = ens32 lo
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
Do you have users in /etc/passwd that are also in AD?
If you do, you should remove them from /etc/passwd.
You should remove the unix password sync line.
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> load printers = no
>
> idmap config MP : schema_mode = rfc2307
> idmap config MP : range = 10000000-29999999
> idmap config MP : default = yes
> idmap config MP : backend = ad
> idmap config * : range = 20000-29999
> idmap config *:backend = rid
Some of the above lines are wrong: the backend for the BUILTIN
domain (the '*' domain) should be 'tdb'.
You do not need the 'default = yes' line.
Do your users & groups have uidNumber & gidNumber attributes containing
numbers inside the '10000000-29999999' range?
> winbind enum groups = yes
> winbind enum users = yes
> local master = no
> domain master = no
> preferred master = no
> winbind uid = 10000-20000
> winbind gid = 10000-20000
The above two lines are replaced by the 'idmap config' lines and should
be removed.
> winbind use default domain = yes
> invalid users = root
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
>
> [GR-UITEC]
> comment = Pasta para GR-UITEC
> path = /home/apache/desenvolvimento
> readonly = no
>
> valid users = MP\bruno.guimaraes
> admin users = MP\bruno.guimaraes
> force user = www-data
> force group = www-data
>
>
>
> /etc/nsswitch.conf:
>
> passwd: compat winbind
>
> group: compat winbind
>
> shadow: compat winbind
You shouldn't have 'winbind' on the 'shadow' line.
>
> hosts: files dns
> networks: files
>
> protocols: db files
>
> services: db files
>
> ethers: db files
>
> rpc: db files
>
> netgroup: nis
>
>
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = INTRANET.OBFUSCATEDDOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = false
You only need the above lines in /etc/krb5.conf, and
'dns_lookup_kdc' should be set to true; you can safely remove the rest
of the lines.
Rowland
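As an added example (not code from this thread, and not Samba's own tooling), here is a small POSIX shell lint that flags the smb.conf and nsswitch.conf settings Rowland called out above, run against constructed before/after sample files modelled on the quoted configuration. The helper names, the sample files, and the exact messages are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project: an
# offline lint for the smb.conf / nsswitch.conf settings called out in the
# reply. The sample files written below are constructed for the demonstration.

# Drop comments and blank lines, trim, and put single spaces around '=' and
# ':' so 'idmap config *:backend' and 'idmap config * : backend' compare alike.
normalize_conf() {
    sed -e 's/[;#].*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/ = /' \
        -e 's/[[:space:]]*:[[:space:]]*/ : /' "$1" | grep -v '^$'
}

# has_line TEXT PATTERN: true if any line of TEXT matches the (case-insensitive) regex
has_line() { printf '%s\n' "$1" | grep -qi "$2"; }

# lint_smb_conf FILE: print one line per finding; exit status = number of findings
lint_smb_conf() {
    conf=$(normalize_conf "$1")
    n=0
    if has_line "$conf" '^wins server = '; then
        echo "smb.conf: 'wins server' is set; an AD member should find DCs via DNS"
        n=$((n + 1))
    fi
    if has_line "$conf" '^unix password sync = yes'; then
        echo "smb.conf: 'unix password sync = yes' should be removed"
        n=$((n + 1))
    fi
    if has_line "$conf" '^idmap config \* : backend = ' &&
       ! has_line "$conf" '^idmap config \* : backend = tdb$'; then
        echo "smb.conf: the '*' idmap domain should use backend = tdb"
        n=$((n + 1))
    fi
    if has_line "$conf" '^idmap config [^ ]* : default = yes'; then
        echo "smb.conf: 'idmap config ... : default = yes' is not needed"
        n=$((n + 1))
    fi
    if has_line "$conf" '^winbind [ug]id = '; then
        echo "smb.conf: 'winbind uid/gid' are superseded by the 'idmap config' ranges"
        n=$((n + 1))
    fi
    return $n
}

# lint_nsswitch FILE: exit 1 if 'winbind' is listed for the shadow database
lint_nsswitch() {
    if grep -qiE '^[[:space:]]*shadow:.*[[:space:]]winbind([[:space:]]|$)' "$1"; then
        echo "nsswitch.conf: remove 'winbind' from the 'shadow:' line"
        return 1
    fi
    return 0
}

# Constructed 'before' file, modelled on the settings quoted in the thread
write_smb_conf_before() {
cat > "$1" <<'EOF'
[global]
   workgroup = MP
   realm = INTRANET.OBFUSCATEDDOMAIN
   wins server = intranet.obfuscateddomain
   security = ads
   unix password sync = yes
   idmap config MP : schema_mode = rfc2307
   idmap config MP : range = 10000000-29999999
   idmap config MP : default = yes
   idmap config MP : backend = ad
   idmap config * : range = 20000-29999
   idmap config *:backend = rid
   winbind uid = 10000-20000
   winbind gid = 10000-20000
EOF
}

# Constructed 'after' file with the corrections from the reply applied
# (the '*' range is kept from the poster's file; only the backend changes)
write_smb_conf_after() {
cat > "$1" <<'EOF'
[global]
   workgroup = MP
   realm = INTRANET.OBFUSCATEDDOMAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 20000-29999
   idmap config MP : backend = ad
   idmap config MP : schema_mode = rfc2307
   idmap config MP : range = 10000000-29999999
   winbind use default domain = yes
EOF
}

tmp=$(mktemp -d)
write_smb_conf_before "$tmp/smb.conf.before"
write_smb_conf_after  "$tmp/smb.conf.after"
printf 'shadow: compat winbind\n' > "$tmp/nsswitch.before"
printf 'shadow: compat\n'         > "$tmp/nsswitch.after"
for f in smb.conf.before smb.conf.after; do
    echo "== $f"; lint_smb_conf "$tmp/$f" && echo "   clean"
done
for f in nsswitch.before nsswitch.after; do
    echo "== $f"; lint_nsswitch "$tmp/$f" && echo "   clean"
done
rm -rf "$tmp"
```

The lint is purely textual, so it cannot answer Rowland's question about uidNumber/gidNumber attributes; on the member server itself that is checked with Samba's own tools after the edit: `testparm -s` confirms the file parses, and `getent passwd bruno.guimaraes` (or `wbinfo -i bruno.guimaraes`) only returns a result when winbind can map the AD user to a uid inside the configured range.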