[Samba] Users can't mount shares on a domain member file server
MAS Jean-Louis
jean-louis.mas at imag.fr
Tue Dec 15 16:32:53 UTC 2020
Hi,
We have replaced our old CentOS 6 samba4 file server with a brand new
CentOS 7 file server.
The new CentOS 7 server is a domain member, joined with:
net ads join -U administrator
The CentOS 6 samba file server was working fine, but on the new server
nobody can mount Windows shares, either home or team shares.
We used the old CentOS 6 smb.conf with some modifications suggested by
'testparm'.
On the CentOS 6 server we didn't use winbind, and now we must use it,
and winbind causes strange mappings on our file server.
On our CentOS 7 file server we've got, for example:
$ getent passwd jlmas
jlmas:x:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash
$ wbinfo -i jlmas
jlmas:*:400002:400005:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false
None of the configuration above comes from our AD; it's totally foreign.
The same command run on our samba4 AD DC:
$ wbinfo -i jlmas
EXAMPLE\jlmas:*:20025:513::/home/%ACCOUNTNAME%:/bin/bash
Of course, I can't mount my share; I get "access denied".
We only have one domain, and we want to use Unix uids and gids for our
users as before.
Some config files from our new CentOS 7 file server follow.
It's also a Linux NFS server, and it's also accessed over ssh/sftp by
Linux users. The Linux-side credentials come from our samba4 AD DC.
$ rpm -q samba
samba-4.10.16-7.el7_9.x86_64
# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files winbind
netgroup: files winbind ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
# smb.conf (with only one teams share for example)
# Global parameters
[global]
allow trusted domains = No
disable spoolss = Yes
domain master = No
kerberos method = system keytab
load printers = No
local master = No
log file = /var/log/samba/samba.log
ntlm auth = ntlmv1-permitted
preferred master = No
printcap cache time = 0
printcap name = /dev/null
realm = EXAMPLE.COM
restrict anonymous = 2
security = ADS
server role = member server
server string = Samba Server Version %v
socket options = TCP_NODELAY IPTOS_LOWDELAY
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = EXAMPLE
rpc_daemon:spoolssd = off
smbd:backgroundqueue = no
idmap config example : backend = ads
idmap config example : schema_mode = rfc2307
idmap config example : range = 500-400000
idmap config * : schema_mode = rfc2307
idmap config * : range = 400001-410000
idmap_ldb : use rfc2307 = Yes
idmap config * : backend = tdb
printing = bsd
use sendfile = Yes
[netlogon]
browseable = No
path = /var/lib/samba/sysvol/example.fr/scripts
read only = No
[sysvol]
browseable = No
path = /var/lib/samba/sysvol
read only = No
[profiles]
browseable = No
path = /var/lib/samba/profiles
read only = No
[homes]
browseable = No
comment = Home Directory
read only = No
[team1]
comment = Equipe TEAM1
force group = +team1
path = /home/team1
read only = No
valid users = +team1
Nothing is written in the logs, as nobody can access the share.
iptables is OK; we can telnet to our file server on TCP port 445 from
any workstation:
jlmas at my-workstation:~$ telnet fileserver.example.com 445
Trying 2001:660:5301:xx::x...
Connected to fileserver.example.com.
Escape character is '^]'.
SELinux is disabled.
Any help would be appreciated
Thanks
--
Jean Louis Mas
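Added example (not part of the message above, and not code from Samba): the idmap lines of the posted smb.conf are the part worth checking. Samba's Active Directory idmap module is called `ad` (man idmap_ad); `ads` is a value of `security`, not an idmap backend name, and `schema_mode` is an idmap_ad option that the tdb backend configured for `*` ignores. The uid 400002 and gid 400005 that `wbinfo -i jlmas` returns on the file server both fall inside `idmap config * : range = 400001-410000`, which is what winbind produces when it allocates IDs from the default `*` domain instead of reading them from AD. The script below parses the `idmap config` lines of an smb.conf, flags backend names it does not know, options the configured backend ignores, missing or overlapping ranges, and runs over two constructed fragments: one mirroring the posted lines and one corrected so that the EXAMPLE domain uses `backend = ad` (with `unix_nss_info = yes`, an assumption about the intended setup; confirm with `testparm -v` and `wbinfo -i` after a winbind restart). The list of known backends is maintained by hand in the script.

```python
"""Sanity-check the 'idmap config' lines of an smb.conf on a domain member."""
import difflib
import re

# idmap backends Samba 4.10 ships; kept by hand here (assumption of this example).
KNOWN_BACKENDS = ("ad", "autorid", "ldap", "nss", "rfc2307", "rid", "script", "tdb")
# Options only idmap_ad reads; every other backend silently ignores them.
AD_ONLY_OPTIONS = ("schema_mode", "unix_nss_info", "unix_primary_group")
# "idmap config <domain> : <option> = <value>"; domain names are case-insensitive.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Collect every 'idmap config' line into {DOMAIN: {option: value}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(value):
    """'500-400000' -> (500, 400000); ValueError if malformed or empty."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo >= hi:
        raise ValueError(value)
    return lo, hi


def check_idmap(conf_text, workgroup):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    domains = parse_idmap(conf_text)
    wg = workgroup.upper()
    if "*" not in domains:
        findings.append("no 'idmap config *' block: winbind needs a default domain")
    if wg not in domains:
        findings.append(f"no 'idmap config {wg}' block: every {wg} SID lands in the '*' range")

    ranges = {}
    for dom, opts in domains.items():
        backend = opts.get("backend", "").lower()
        if not backend:
            findings.append(f"{dom}: no backend configured")
        elif backend not in KNOWN_BACKENDS:
            hint = difflib.get_close_matches(backend, KNOWN_BACKENDS, n=1)
            suggestion = f" (closest known backend: '{hint[0]}')" if hint else ""
            findings.append(f"{dom}: unknown backend '{backend}'{suggestion}")
        elif backend != "ad":
            for opt in AD_ONLY_OPTIONS:
                if opt in opts:
                    findings.append(f"{dom}: '{opt}' is ignored by backend '{backend}'")
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
        else:
            try:
                ranges[dom] = parse_range(opts["range"])
            except ValueError:
                findings.append(f"{dom}: malformed range '{opts['range']}'")

    # Two domains sharing IDs would map different SIDs to the same uid/gid.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return findings


# Constructed fragment mirroring the idmap lines of the posted smb.conf.
POSTED_CONF = """\
workgroup = EXAMPLE
idmap config example : backend = ads
idmap config example : schema_mode = rfc2307
idmap config example : range = 500-400000
idmap config * : schema_mode = rfc2307
idmap config * : range = 400001-410000
idmap config * : backend = tdb
"""

# Constructed corrected fragment (assumed fix: backend 'ad', AD-only options on EXAMPLE).
FIXED_CONF = """\
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 400001-410000
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : unix_nss_info = yes
idmap config EXAMPLE : range = 500-400000
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"[{label}]")
        for finding in check_idmap(conf, "EXAMPLE") or ["no findings"]:
            print("  " + finding)
```

Run it as `python3 idmap_check.py`, or point `check_idmap` at the output of `testparm -s` on the member server; the range-overlap check also catches the case where the `*` range and a domain range touch, which is a separate way to get wrong uids on a file server.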