[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Edouard Guigné
eguigne at pasteur-cayenne.fr
Tue Jun 18 18:45:37 UTC 2019
> You are using the winbind 'ad' backend according to the smb.conf you
> posted earlier, have you given your AD users a uidNumber attribute
> containing a unique number inside the '10000-14999' range? And have
> you also given 'Domain Users' a gidNumber attribute containing a number
> inside the same range?

For uid and gid, yes, they are set for each user and group of the AD.

> Do you really want to use a different primary group for your Unix users
> over Samba (when they connect to a Samba share)?

All users have primary group "Domain Users", so I must remove 'idmap
config MYDOMAIN : unix_primary_group = yes'.
I will test it, thanks.

On 18/06/2019 at 15:34, Rowland penny via samba wrote:
> On 18/06/2019 19:02, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I mean that I added "winbind refresh tickets = yes" in smb.conf, but
>> it does not seem to be linked with my problem (Kerberos and NTLMv2
>> authentication).
>>
>> After several tests, without changing the content of smb.conf (except for
>> winbind refresh tickets = yes):
>>
>> 0. nsswitch.conf
>> passwd: files sss
>> shadow: files sss
>> group: files sss
>>
>> That's working (share is accessible from Windows 7, permissions and
>> ACLs working).
>> But in the log, I see only NTLMv2 Auth.
>>
>> 1. nsswitch.conf
>> passwd: files winbind
>> shadow: files
>> group: files winbind
>>
>> That's not working (share is not accessible from Windows 7, access
>> denied).
>>
>> 2. nsswitch.conf
>> passwd: files sss winbind
>> shadow: files sss
>> group: files sss winbind
>>
>> Not working (share is accessible but it takes time to see permissions
>> ACLs from the Security tab on Windows 7).
>>
> You are using the winbind 'ad' backend according to the smb.conf you
> posted earlier, have you given your AD users a uidNumber attribute
> containing a unique number inside the '10000-14999' range? And have
> you also given 'Domain Users' a gidNumber attribute containing a
> number inside the same range?
>
> Do you really want to use a different primary group for your Unix
> users over Samba (when they connect to a Samba share)?
>
> If not, remove 'idmap config MYDOMAIN : unix_primary_group = yes'
>
> If all the above is correct, it should work.
>
> Rowland
>
>
>