[Samba] cant login to fileserver

Rowland penny rpenny at samba.org
Wed Oct 16 15:09:21 UTC 2019


On 16/10/2019 15:44, basti via samba wrote:
> [global]
>
> ## Browsing/Identification ###
>
> # Change this to the workgroup/NT-domain name your Samba server will be part of
>
>      security = ADS
>      workgroup = NET
>      realm = relam.fqdn
>      log file = /var/log/samba/%m.log
>      log level = 3
>
>      # Default ID mapping configuration for local BUILTIN accounts
>      # and groups on a domain member. The default (*) domain:
>      # - must not overlap with any domain ID mapping configuration!
>      # - must use an read-write-enabled back end, such as tdb.
>      idmap config * : backend = tdb
>      idmap config * : range = 1000-1000

Interesting range, you are allowing exactly one user & group ID for all 
the well-known SIDs.

Change 1000-1000 to 1000000-1001000

>
>      # idmap config for the NET domain
>      idmap config NET:backend = ad
>      idmap config NET:schema_mode = rfc2307
>      idmap config NET:range = 1001-999999
>      idmap uid = 1001-999999
>      idmap gid = 1001-999999

Remove the 'idmap uid' & 'idmap gid' lines

You might want to read these:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

https://wiki.samba.org/index.php/Idmap_config_ad

>
>
>      winbind enum users = yes
>      winbind enum groups = yes
Remove the 'winbind enum' lines, they are not required.
>
>     winbind use default domain = yes
>
>      # fix dfs error's in log ?
>      host msdfs = no
>
>      # fix connection lost ?
>      client min protocol = SMB2
>      client max protocol = SMB2
>
>      # master for doamin
>      local master = yes
>      os level = 255
>      preferred master = yes
>
> # This will prevent nmbd to search for NetBIOS names through DNS.
>     dns proxy = no
You can remove all lines from '# master for doamin' to here, they are 
useless; you are not using NetBIOS.
>
>     map to guest = bad user
>
> admin users = root, Administrator, @Domain Admins
Remove the line above, you are in AD now.
>
> ... shares
> [tmp]
>      path = /tmp
>      guest ok = yes
>      browsable = yes
>      read only = no
>
> tmp is working, connecting via IP to the server (guest mapping).
Not sure why you are allowing guest access, this is a Domain member.
> and yes, the user IDs start at 1001

Yes, they probably are; this is one of the major problems of upgrading an 
NT4-style domain.

Rowland
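The idmap points in the reply above (the default '*' range is too small to hold the well-known SIDs, the per-domain ranges must not overlap, and 'idmap uid'/'idmap gid' have been replaced by per-domain 'idmap config' ranges) can be checked mechanically. The script below is an added example and not part of the thread or of Samba itself: it parses only the idmap-related lines of an smb.conf and reports those problems. The two embedded configs are constructed to mirror the posted one and the suggested corrected values; the threshold MIN_DEFAULT_IDS is an assumption of this example, not a Samba rule.

```python
"""Added example: lint the idmap lines of an smb.conf for an AD domain member.

Not code from the mailing-list thread or from the Samba project.  It checks:
  * 'idmap uid' / 'idmap gid' (old global parameters) are not used
  * the default ('*') domain exists, uses a writable backend, and has a range
    large enough for the BUILTIN groups and other well-known SIDs
  * no two idmap ranges overlap
"""
from __future__ import annotations

import re
import sys

# Matches  "idmap config * : range = 1000-1000"  and  "idmap config NET:backend = ad"
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:=]+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.*?)\s*$", re.I)
# Global parameters that per-domain 'idmap config ... : range' lines replace.
DEPRECATED_RE = re.compile(r"^\s*(?P<param>idmap\s+(?:uid|gid))\s*=", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
# Assumption of this example: fewer IDs than this in the default range cannot
# hold the BUILTIN groups and well-known SIDs winbind allocates on a member.
MIN_DEFAULT_IDS = 100


def parse_idmap(conf: str) -> tuple[dict[str, dict[str, str]], list[str]]:
    """Return ({domain: {option: value}}, [deprecated parameters seen])."""
    domains: dict[str, dict[str, str]] = {}
    deprecated: list[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop comments
        if m := IDMAP_RE.match(line):
            domains.setdefault(m["dom"].strip(), {})[m["opt"].lower()] = m["val"]
        elif m := DEPRECATED_RE.match(line):
            deprecated.append(re.sub(r"\s+", " ", m["param"].lower()))
    return domains, deprecated


def check_idmap(conf: str) -> list[str]:
    """Return a list of findings; an empty list means the idmap section looks sane."""
    domains, deprecated = parse_idmap(conf)
    findings = [f"remove deprecated parameter '{p}'; use per-domain 'idmap config' ranges"
                for p in deprecated]
    ranges: dict[str, tuple[int, int]] = {}
    for dom, opts in domains.items():
        m = RANGE_RE.match(opts.get("range", ""))
        if not m or int(m[1]) > int(m[2]):
            findings.append(f"domain '{dom}': missing or unparsable range '{opts.get('range', '')}'")
            continue
        ranges[dom] = (int(m[1]), int(m[2]))
    if "*" not in domains:
        findings.append("no default (*) idmap domain configured")
    elif domains["*"].get("backend", "").lower() == "ad":
        findings.append("default (*) domain must use a writable backend such as tdb, not ad")
    if "*" in ranges:
        low, high = ranges["*"]
        size = high - low + 1
        if size < MIN_DEFAULT_IDS:
            findings.append(f"default (*) range {low}-{high} holds only {size} ID(s); "
                            "too small for the well-known SIDs")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges of '{a}' and '{b}' overlap")
    return findings


# Constructed sample mirroring the posted [global] section.
POSTED_GLOBAL = """\
[global]
     security = ADS
     workgroup = NET
     realm = relam.fqdn
     idmap config * : backend = tdb
     idmap config * : range = 1000-1000
     # idmap config for the NET domain
     idmap config NET:backend = ad
     idmap config NET:schema_mode = rfc2307
     idmap config NET:range = 1001-999999
     idmap uid = 1001-999999
     idmap gid = 1001-999999
"""

# Constructed sample with the values suggested in the reply.
FIXED_GLOBAL = """\
[global]
     security = ADS
     workgroup = NET
     realm = relam.fqdn
     idmap config * : backend = tdb
     idmap config * : range = 1000000-1001000
     idmap config NET:backend = ad
     idmap config NET:schema_mode = rfc2307
     idmap config NET:range = 1001-999999
"""

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_GLOBAL
    for finding in check_idmap(conf) or ["idmap section looks sane"]:
        print(finding)
```

Run it with a path argument to lint a real file (`python3 idmap_check.py /etc/samba/smb.conf`); it only reads idmap lines, so run `testparm -s` separately for everything else. A clean result here does not mean the ranges are correct for your domain: the 'ad' backend needs uidNumber/gidNumber attributes inside the NET range, which no offline check can verify.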
