[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder

Rowland Penny rpenny at samba.org
Tue Mar 27 20:25:12 UTC 2018


On Tue, 27 Mar 2018 16:42:00 -0300
Bruno Sousa via samba <samba at lists.samba.org> wrote:

> I joined my Debian 9 server into a Active Directory Structure as a
> domain member. Not as a DC. Then when I try to share a folder on this
> server and the client PC can't correctly authenticate and use the
> folder. It keeps saying "Access Denied" on Windows client PC. There
> is no error in log files (/var/log/samba/). If I allow anonymous
> users, it works fine. I used to use the same configuration on Debian
> 7 and it worked.
> 
> What is wrong?
> 
> /etc/samba/smb.conf:
> 
> [global]
>    workgroup = MP
>    realm = INTRANET.OBFUSCATEDDOMAIN
>    server string = %h server
>    wins server = intranet.obfuscateddomain

You should remove the above line, you should be using DNS to find the DC

>    dns proxy = no
> interfaces = ens32 lo
> 
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    panic action = /usr/share/samba/panic-action %d
> security = ads
>    encrypt passwords = true
>    passdb backend = tdbsam
>    obey pam restrictions = yes
>    unix password sync = yes

Do you have users in /etc/passwd that are also in AD ?
If you do, you should remove them from /etc/passwd'.
You should remove the unix password sync line.

>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes map to guest = bad user
> load printers = no
> 
> idmap config MP : schema_mode = rfc2307
> idmap config MP : range = 10000000-29999999
> idmap config MP : default = yes
> idmap config MP : backend = ad
> idmap config * : range = 20000-29999
> idmap config *:backend = rid

Some of the above lines are wrong, the backend for the BUILTIN
domain (the '*' domain) should be 'tdb'
You do not need the 'default = yes' line
Do your users & groups have uidNumber & gidNumber attributes containing
numbers inside the '10000000-29999999' range ?

>    winbind enum groups = yes
>    winbind enum users = yes
>     local master = no
>     domain master = no
>     preferred master = no
>     winbind uid = 10000-20000
>     winbind gid = 10000-20000

The above two lines are replaced by the 'idmap config' lines and should
be removed.

>     winbind use default domain = yes
>     invalid users = root
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     winbind offline logon = yes
>     winbind refresh tickets = yes
> 
> [GR-UITEC]
>     comment       = Pasta para GR-UITEC
>     path = /home/apache/desenvolvimento
>     readonly  = no
> 
>     valid users = MP\bruno.guimaraes
>     admin users = MP\bruno.guimaraes
>     force user   = www-data
>     force group = www-data
> 
> 
> 
> /etc/nsswitch.conf:
> 
> passwd: compat winbind
> 
> group:          compat winbind
> 
> shadow:         compat winbind

You shouldn't have 'winbind' on the 'shadow line

> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> 
> services:       db files
> 
> ethers:         db files
> 
> rpc:            db files
> 
> netgroup:       nis
> 
> 
> 
> /etc/krb5.conf
> 
> [libdefaults]
>  default_realm = INTRANET.OBFUSCATEDDOMAIN
>  dns_lookup_realm = false
>  dns_lookup_kdc = false

You only need the above lines in /etc/krb5.conf and the
'dns_lookup_kdc' should be set to true, you can safely remove the rest
of the lines.

Rowland




More information about the samba mailing list