[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Stephen
stephen at ogdenradar.com
Fri Mar 29 17:21:54 UTC 2019
Hi Rowland!
On 29/03/2019 16:33, Rowland Penny via samba wrote:
> Roll on 'Buster' ;-) 4.5.x is well EOL.
It's not ideal, I know! ;) Unfortunately I (and every other Raspberry Pi
user) am stuck with this for now since this is the default Samba package
that Raspbian currently uses unfortunately. I did check to see if it
could be upgraded using apt to something a little more recent but
apparently not :(
> dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
>
> You might as well 'obliterate' totally, it is only used on a DC.
Duly noted, thanks for the tip.
> So, stephenellwood is an AD user, but is it also a Unix user?
Aha! That's probably why my setup is not working! My passwd file on fs1
below suggests there is no stephenellwood unix user account:
pi@fs1:~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
pi:x:1000:1000:,,,:/home/pi:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
avahi:x:108:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
There is obviously a major gap in my understanding here. Have I
understood you correctly, Rowland? You appear to be suggesting that there
must be a separate individual Linux user account on EVERY Samba file
server, one new Unix user account corresponding to every Active
Directory account? So what's the point in using a centralised
authentication service like Active Directory then - I don't understand -
what does AD actually achieve in Windows networking?
I used the following Samba tutorials to set up my fileserver fs1 but
unfortunately these do not mention the need to create user accounts to
complement those that Active Directory creates.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
How do I rectify this? Can you point me at a suitable tutorial?
> Have you added RFC2307 attributes to AD ?
I don't know what this means, can you please clarify? All I could find
on google was this link
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and I believe
I have already followed the instructions there.
> Have you installed these packages: libpam-winbind libnss-winbind
> libpam-krb5
Yes I definitely installed those packages.
> Have you added 'winbind' to the 'passwd' & 'group' lines
> in /etc/nsswitch.conf ?
Yes, please see my nsswitch.conf below:
pi@fs1:~ $ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Ser
# If you have the `glibc-doc-reference'
# `info libc "Name Service Switch"' for
passwd: files winbind
group: files winbind
shadow: compat
gshadow: files
hosts: files mdns4_minimal [NO
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: files winbind
Thanks
Stephen
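
Added example, not part of the original message: with `winbind` on the `passwd` line of nsswitch.conf, a domain account is looked up through NSS and has no entry in /etc/passwd, so the check has to combine both files. The function names and the sample files are constructed for illustration; "winbind" in the result means only that the lookup is handed to winbind, not that the account resolves.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# Succeeds if SOURCE ($2) is listed for database DB ($1) in nsswitch file ($3).
nss_has_source() {
    awk -v db="$1:" -v src="$2" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit !found }' "$3"
}

# Succeeds if USER ($1) has an entry in the passwd-format file ($2).
in_local_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# Prints where a lookup for USER ($1) can be answered from:
#   local   - entry exists in the passwd file ($2)
#   winbind - not local, but nsswitch file ($3) passes passwd lookups to winbind
#   none    - not local, and winbind is not consulted for passwd
classify_user() {
    if in_local_passwd "$1" "$2"; then
        echo local
    elif nss_has_source passwd winbind "$3"; then
        echo winbind
    else
        echo none
    fi
}

# Constructed files in the same shape as the output quoted in the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'pi:x:1000:1000:,,,:/home/pi:/bin/bash' > "$tmp/passwd"
printf '%s\n' '# /etc/nsswitch.conf' 'passwd: files winbind' \
    'group: files winbind' 'shadow: compat' > "$tmp/nsswitch.conf"
printf '%s\n' 'passwd: compat' 'group: compat' > "$tmp/nsswitch.nowinbind"

for u in pi stephenellwood; do
    echo "$u: $(classify_user "$u" "$tmp/passwd" "$tmp/nsswitch.conf")"
done

# On a live domain member, the winbind case is confirmed through NSS itself:
#   getent passwd 'SAMDOM\stephenellwood'
#   wbinfo -i 'SAMDOM\stephenellwood'
```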