[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.

Rowland Penny rpenny at samba.org
Fri Mar 29 16:33:54 UTC 2019

On Fri, 29 Mar 2019 16:14:20 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Hi there, I wonder if anyone can help me?
> I recently created an Active Directory setup with a primary domain 
> controller ad1 and secondary domain controller ad2 for a domain

Nope, you have two AD DCs, one called 'ad1' and one called 'ad2'.
Apart from the FSMO roles, all DCs are equal.

> In-line with what I understand to be Samba best practices I
> then setup a separate file-server fs1 on which I created a file
> share, /fsrv/shares/OgdenFiles/. This has all been done using Samba
> version 4.5.16-Debian, on Raspbian.

Roll on 'Buster' ;-) 4.5.x is well EOL.

> The domain and fileshare do appear to work, and I have confirmed that
> I can logon as SAMDOM/Administrator and apparently read and write to
> the share in Windows 10 without issue. Creation of new
> text files on the share works as normal.
> The problem I am having is that although I am able to log onto the 
> domain as SAMDOM/stephene I am not able to use this regular 
> *unprivileged* account to access the OgdenFiles share in Windows. I
> keep on getting "Access Denied" messages in Windows, and a large grey
> box appears asking me to re-enter my username and password to access
> the share FS1.
> Below is my smb.conf for my fileserver FS1:
> pi at fs1:~ $ cat /etc/samba/smb.conf
> [global]
>          workgroup = samdom
>          realm = samdom.example.com
>          netbios name = fs1
>          security = ADS
>          dns forwarder = XXX XXX XXX (obliterated here for privacy
> reasons!)

You might as well 'obliterate' totally, it is only used on a DC.

>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config SAMDOM : backend = ad
>         idmap config SAMDOM : schema_mode = rfc2307
>         idmap config SAMDOM : range = 10000-999999
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         winbind use default domain = true
>         winbind offline logon = false
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>         vfs objects = acl_xattr
>         map acl inherit = Yes
>         store dos attributes = Yes
> [OgdenFiles]
>         path = /fsrv/shares/OgdenFiles
>         read only = no
> When I enter wbinfo on the fileserver I can see the user account 
> stephene that I wish to use to access the share, but it doesn't seem
> to work in Windows.
> pi at fs1:~ $ wbinfo -u
> stephenellwood
> administrator
> krbtgt
> guest

So, stephenellwood is an AD user, but is it also a Unix user?
Have you added RFC2307 attributes to AD?
Have you installed these packages: libpam-winbind libnss-winbind?
Have you added 'winbind' to the 'passwd' & 'group' lines
in /etc/nsswitch.conf?
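The three questions above are the usual checks for a Samba AD member server whose AD users are not Unix users. The following script is an added example, not code from the list post or from the Samba project: it wraps those checks in functions (winbind present on the passwd and group lines of nsswitch.conf, the user resolvable through NSS, and the user's uidNumber inside the idmap range that `idmap config SAMDOM : backend = ad` will actually map). The user name and range are taken from the posted smb.conf; the two sample nsswitch.conf files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for a Samba AD member server (not from the list post or Samba).
# USER_NAME and IDMAP_RANGE come from the posted smb.conf; the sample
# nsswitch.conf files written below are constructed for this demo.

USER_NAME="stephenellwood"   # 'winbind use default domain = true': no SAMDOM\ prefix
IDMAP_RANGE="10000-999999"   # 'idmap config SAMDOM : range' from the post

# Return 0 only if both the passwd and group lines of an nsswitch.conf list winbind.
nsswitch_has_winbind() {
    f="$1"
    for db in passwd group; do
        grep -E "^[[:space:]]*${db}:" "$f" \
            | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)' || return 1
    done
    return 0
}

# Return 0 only if a numeric id lies inside an idmap range written as "low-high".
# idmap_ad does not allocate ids, so a uidNumber outside the range (or a missing
# uidNumber) leaves the AD user without a Unix identity on the member server.
uid_in_range() {
    uid="$1" range="$2"
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    low=${range%-*}; high=${range#*-}
    [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ]
}

# Third field (uid) of a "getent passwd" line.
passwd_uid() { printf '%s\n' "$1" | cut -d: -f3; }

# Live checks; only meaningful on the file server itself, so winbind tooling is probed first.
run_live_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo missing; skipping live checks"; return 0; }
    if nsswitch_has_winbind /etc/nsswitch.conf; then
        echo "nsswitch.conf: winbind present on passwd and group"
    else
        echo "nsswitch.conf: add winbind to the passwd and group lines"
    fi
    if ! entry=$(getent passwd "$USER_NAME"); then
        echo "getent: $USER_NAME unknown to NSS (no uidNumber in AD, or libnss-winbind not installed?)"
        return 0
    fi
    uid=$(passwd_uid "$entry")
    if uid_in_range "$uid" "$IDMAP_RANGE"; then
        echo "uid $uid is inside $IDMAP_RANGE"
    else
        echo "uid $uid is outside $IDMAP_RANGE: idmap_ad will not map this user"
    fi
    id "$USER_NAME"
}

# Constructed sample files: one correct nsswitch.conf, one missing winbind.
TMP=$(mktemp -d)
printf 'passwd: files winbind\ngroup:  files winbind\n' > "$TMP/good.conf"
printf 'passwd: files\ngroup:  files\n'                 > "$TMP/bad.conf"
nsswitch_has_winbind "$TMP/good.conf" && echo "good.conf: winbind present"
nsswitch_has_winbind "$TMP/bad.conf"  || echo "bad.conf: winbind missing"
rm -rf "$TMP"

run_live_checks
```

Run it on the member server (fs1 in the post) after installing libnss-winbind and libpam-winbind; if `getent passwd stephenellwood` returns nothing while `wbinfo -u` lists the user, the user is known to winbind but not to NSS, which is exactly the gap the questions above point at.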
