[Samba] cant login to fileserver
Rowland penny
rpenny at samba.org
Wed Oct 16 15:09:21 UTC 2019
On 16/10/2019 15:44, basti via samba wrote:
> [global]
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will part of
>
> security = ADS
> workgroup = NET
> realm = relam.fqdn
> log file = /var/log/samba/%m.log
> log level = 3
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000-1000
Interesting range, you are allowing exactly one user & group ID for all
the Well known SIDs.
Change 1000-1000 to 1000000-1001000
>
> # idmap config for the NET domain
> idmap config NET:backend = ad
> idmap config NET:schema_mode = rfc2307
> idmap config NET:range = 1001-999999
> idmap uid = 1001-999999
> idmap gid = 1001-999999
Remove the 'idmap uid' & 'idmap gid' lines
You might want to read these:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_ad
>
>
> winbind enum users = yes
> winbind enum groups = yes
Remove the 'winbind enum' lines, they are not required.
>
> winbind use default domain = yes
>
> # fix dfs error's in log ?
> host msdfs = no
>
> # fix connection lost ?
> client min protocol = SMB2
> client max protocol = SMB2
>
> # master for doamin
> local master = yes
> os level = 255
> preferred master = yes
>
> # This will prevent nmbd to search for NetBIOS names through DNS.
> dns proxy = no
You can remove all lines from '# master for doamin' to here, they are
useless, you are not using netbios.
>
> map to guest = bad user
>
> admin users = root, Administrator, @Domain Admins
Remove the line above, you are in AD now.
>
> ... shares
> [tmp]
> path = /tmp
> guest ok = yes
> browsable = yes
> read only = no
>
> tmp is working connect via ip to server. (guest mapping)
Not sure why you are allowing guest access, this is a Domain member.
> and yes the userid's start at 1001
Yes they probably are, this is one of the major problems of upgrading an
NT4-style domain.
Rowland
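
An added example, not part of the original message and not Samba code: a small Python check for the idmap points raised in the reply above (size of the default `*` range, overlap between ranges, leftover `idmap uid`/`idmap gid` lines). The function names are hypothetical; POSTED copies the idmap lines from the quoted config and SUGGESTED applies the changes from the reply.

```python
import re

# "idmap config <DOMAIN> : range = <low>-<high>", with or without spaces
# around the colon (both spellings appear in the quoted smb.conf).
RANGE_RE = re.compile(
    r"^idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
LEGACY_RE = re.compile(r"^idmap\s+(uid|gid)\s*=", re.I)

def audit_idmap(conf_text):
    """Return (ranges, overlaps, legacy_lines) for the idmap settings."""
    ranges, legacy = {}, []
    for raw in conf_text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate mail-quoted input
        if not line or line[0] in "#;":      # smb.conf comment markers
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif LEGACY_RE.match(line):
            legacy.append(line)
    names = sorted(ranges)
    # Two inclusive ranges overlap when each starts before the other ends.
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
    return ranges, overlaps, legacy

def range_size(r):
    """Number of IDs in an inclusive (low, high) range."""
    return r[1] - r[0] + 1

# idmap lines as posted in the quoted config
POSTED = """\
> idmap config * : backend = tdb
> idmap config * : range = 1000-1000
> idmap config NET:backend = ad
> idmap config NET:schema_mode = rfc2307
> idmap config NET:range = 1001-999999
> idmap uid = 1001-999999
> idmap gid = 1001-999999
"""
# the same lines with the changes from the reply applied
SUGGESTED = """\
idmap config * : backend = tdb
idmap config * : range = 1000000-1001000
idmap config NET:backend = ad
idmap config NET:schema_mode = rfc2307
idmap config NET:range = 1001-999999
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        ranges, overlaps, legacy = audit_idmap(text)
        sizes = {dom: range_size(r) for dom, r in ranges.items()}
        print(label, "sizes:", sizes, "overlaps:", overlaps, "legacy:", legacy)
```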