[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.

Stephen stephen at ogdenradar.com
Fri Mar 29 17:21:54 UTC 2019


Hi Rowland!

On 29/03/2019 16:33, Rowland Penny via samba wrote:
> Roll on 'Buster' ;-) 4.5.x is well EOL.

It's not ideal, I know! ;) Unfortunately I (and every other Raspberry Pi 
user) am stuck with this for now, since this is the default Samba package 
that Raspbian currently uses, unfortunately. I did check to see if it 
could be upgraded using apt to something a little more recent but 
apparently not :(

> dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
>
> You might as well 'obliterate' totally, it is only used on a DC.

Duly noted, thanks for the tip.

> So, stephenellwood is an AD user, but is it also a Unix user?

Aha! That's probably why my setup is not working! My passwd file on fs1 
below suggests there is no stephenellwood Unix user account.

pi@fs1:~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
pi:x:1000:1000:,,,:/home/pi:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
avahi:x:108:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false

There is obviously a major gap in my understanding here. Have I 
understood you correctly, Rowland? You appear to be suggesting that there 
must be a separate individual Linux user account on EVERY Samba file 
server, one new Unix user account corresponding to every Active 
Directory account? So what's the point in using a centralised 
authentication service like Active Directory then - I don't understand - 
what does AD actually achieve in Windows networking?

I used the following Samba tutorials to set up my fileserver fs1 but 
unfortunately these do not mention the need to create user accounts to 
complement those that Active Directory creates.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

How do I rectify this? Can you point me at a suitable tutorial?

> Have you added RFC2307 attributes to AD ?

I don't know what this means, can you please clarify? All I could find 
on Google was this link 
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and I believe 
I have already followed the instructions there.

> Have you installed these packages: libpam-winbind libnss-winbind
> libpam-krb5
Yes I definitely installed those packages.
> Have you added 'winbind' to the 'passwd' & 'group' lines
> in /etc/nsswitch.conf ?
Yes, please see my nsswitch.conf below:

pi@fs1:~ $ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Ser
# If you have the `glibc-doc-reference'
# `info libc "Name Service Switch"' for

passwd:         files winbind
group:          files winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NO
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:          files winbind


Thanks
Stephen
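
Added example (not part of the message above, nor code from the Samba project): a shell check for the question raised in this thread, whether a domain account is also a Unix user on a domain member. The function names are hypothetical; it reads nsswitch.conf and the flat passwd file, then asks NSS through getent, which also returns winbind users that never appear in /etc/passwd.

```shell
#!/bin/sh
# Added example: diagnose whether a domain account resolves as a Unix user
# on a Samba domain member. File paths default to the system files but can
# be overridden, so the parsing can be exercised on constructed input.

# nss_sources FILE DB -> prints the sources configured for DB, e.g. "files winbind"
nss_sources() {
    awk -v db="$2:" '$1 == db { sub(/#.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# nss_uses_winbind FILE DB -> exit 0 if "winbind" is one of the sources for DB
nss_uses_winbind() {
    case " $(nss_sources "$1" "$2") " in
        *" winbind "*) return 0 ;;
    esac
    return 1
}

# in_local_passwd FILE USER -> exit 0 if USER has an entry in the flat passwd file
in_local_passwd() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# check_user USER [NSSWITCH] [PASSWD] -> prints a short report
check_user() {
    user=$1; nss=${2:-/etc/nsswitch.conf}; pw=${3:-/etc/passwd}
    for db in passwd group; do
        if nss_uses_winbind "$nss" "$db"; then
            echo "$db: winbind listed ($(nss_sources "$nss" "$db"))"
        else
            echo "$db: winbind NOT listed"
        fi
    done
    in_local_passwd "$pw" "$user" && echo "$user: local account in $pw" \
        || echo "$user: not in $pw (normal for a domain account)"
    # getent queries NSS, so it sees winbind users that cat /etc/passwd never shows
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "$user: resolves through NSS: $(getent passwd "$user")"
    else
        echo "$user: does NOT resolve through NSS; check winbindd and the idmap config"
    fi
}

# Run the report when a user name is given on the command line.
if [ "$#" -gt 0 ]; then check_user "$@"; fi
```

Saved as a script (any file name), it is run with the account name as its argument, for example stephenellwood.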



