[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Edouard Guigné eguigne at pasteur-cayenne.fr
Tue Jun 18 18:45:37 UTC 2019


> You are using the winbind 'ad' backend according to the smb.conf you 
> posted earlier, have you given your AD users a uidNumber attribute 
> containing a unique number inside the '10000-14999' range? And have 
> you also given 'Domain Users' a gidNumber attribute containing a number 
> inside the same range?

For uid and gid, yes, they are set for each user and group of the AD.

> Do you really want to use a different primary group for your Unix users 
> over Samba (when they connect to a Samba share)?

All users have primary group "Domain Users", so I must remove 'idmap 
config MYDOMAIN : unix_primary_group = yes'.

I will test it, thanks.


On 18/06/2019 at 15:34, Rowland penny via samba wrote:
> On 18/06/2019 19:02, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I mean that I added "winbind refresh tickets = yes" in smb.conf, but 
>> it does not seem to be linked to my problem (Kerberos and NTLMv2 
>> authentication).
>>
>> After several tests, without changing the content of smb.conf (except for 
>> winbind refresh tickets = yes):
>>
>> 0. nsswitch.conf
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>>
>> That's working (share is accessible from Windows 7, permissions and 
>> ACLs working)
>> But in the log, I see only NTLMv2 Auth
>>
>> 1. nsswitch.conf
>> passwd:     files winbind
>> shadow:     files
>> group:      files winbind
>>
>> That's not working (share is not accessible from Windows 7, access 
>> denied)
>>
>> 2. nsswitch.conf
>> passwd:     files sss winbind
>> shadow:     files sss
>> group:      files sss winbind
>>
>> not working (share is accessible but it takes time to see permissions 
>> ACLs from security tab on Windows 7)
>>
> You are using the winbind 'ad' backend according to the smb.conf you 
> posted earlier, have you given your AD users a uidNumber attribute 
> containing a unique number inside the '10000-14999' range? And have 
> you also given 'Domain Users' a gidNumber attribute containing a 
> number inside the same range?
>
> Do you really want to use a different primary group for your Unix 
> users over Samba (when they connect to a Samba share)?
>
> If not, remove 'idmap config MYDOMAIN : unix_primary_group = yes'
>
> If all the above is correct, it should work.
>
> Rowland
>
>
>
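
The checks Rowland lists in the reply above, written out as an added example that is not part of the thread and is not Samba code. It reads the `idmap config` lines from a constructed smb.conf fragment (the poster's real smb.conf is not on this page; only the 10000-14999 range and the `unix_primary_group` line come from the thread) and reports which constructed AD objects the 'ad' backend could not map. Function names and sample users are assumptions.

```python
import re

# Constructed smb.conf fragment; only the MYDOMAIN range and the
# unix_primary_group line are taken from the thread.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 10000-14999
    idmap config MYDOMAIN : unix_primary_group = yes
"""

# Constructed AD objects: (sAMAccountName, uidNumber, gidNumber); None = unset.
AD_USERS = [("alice", 10001, 10000), ("bob", 10001, 10000),
            ("carol", None, 10000), ("dave", 20005, None)]
DOMAIN_USERS_GID = 10000  # gidNumber set on 'Domain Users' (constructed)


def idmap_settings(conf, domain):
    """Return the 'idmap config <domain> : key = value' options as a dict."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$",
                     re.I | re.M)
    return {k.lower(): v for d, k, v in pat.findall(conf)
            if d.upper() == domain.upper()}


def check_mappings(conf, domain, users, domain_users_gid):
    """List reasons why the 'ad' backend would fail to map these objects."""
    opts = idmap_settings(conf, domain)
    low, high = (int(n) for n in opts["range"].split("-"))

    def in_range(n):
        return n is not None and low <= n <= high

    unix_pg = opts.get("unix_primary_group", "no").lower() in ("yes", "true", "1")
    problems, seen = [], {}
    if not in_range(domain_users_gid):
        problems.append("Domain Users: gidNumber missing or outside range")
    for name, uid, gid in users:
        if not in_range(uid):
            problems.append(f"{name}: uidNumber missing or outside range")
        elif uid in seen:
            problems.append(f"{name}: uidNumber {uid} duplicates {seen[uid]}")
        else:
            seen[uid] = name
        # With unix_primary_group = yes the user's own gidNumber attribute
        # supplies the primary group, so it must be set and in range too.
        if unix_pg and not in_range(gid):
            problems.append(f"{name}: gidNumber missing or outside range")
    return problems
```

On a real member server the same attributes can be compared against what `getent passwd` and `wbinfo -i` return for a domain user.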

