[Samba] Users can't mount shares on a domain member file server

MAS Jean-Louis jean-louis.mas at imag.fr
Tue Dec 15 16:32:53 UTC 2020


We have replaced our old CentOS 6 Samba 4 file server with a brand new
CentOS 7 file server.

The new CentOS 7 server is a domain member, joined with:

net ads join -U administrator

The CentOS 6 Samba file server was working fine, but on the new server
nobody can mount Windows shares, either home or team shares.
We used the old CentOS 6 smb.conf with some modifications suggested by

On the CentOS 6 server we didn't use winbind, and now we must use it,
and winbind causes strange mappings on our file server.

On our CentOS 7 file server we get, for example:

$ getent passwd jlmas
jlmas:x:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash

$ wbinfo -i jlmas
jlmas:*:400002:400005:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

None of the configuration above comes from our AD; it's totally foreign.
The same command run on our Samba 4 AD DC:

$ wbinfo -i jlmas

Of course, I can't mount my share; I get an "access denied".

We only have one domain, and we want to use the Unix uid and gid for our
users as before.

Some conf files from our new CentOS 7 file server.
It's also a Linux NFS server, and it's also accessed with ssh/sftp by
Linux users. The Linux-side credentials come from our Samba 4 AD DC.

$ rpm -q samba

# /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files winbind
netgroup:   files winbind ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

# smb.conf (with only one team share, as an example)

# Global parameters
[global]
	allow trusted domains = No
	disable spoolss = Yes
	domain master = No
	kerberos method = system keytab
	load printers = No
	local master = No
	log file = /var/log/samba/samba.log
	ntlm auth = ntlmv1-permitted
	preferred master = No
	printcap cache time = 0
	printcap name = /dev/null
	realm = EXAMPLE.COM
	restrict anonymous = 2
	security = ADS
	server role = member server
	server string = Samba Server Version %v
	winbind nss info = rfc2307
	winbind use default domain = Yes
	workgroup = EXAMPLE
	rpc_daemon:spoolssd = off
	smbd:backgroundqueue = no
	idmap config example : backend = ads
	idmap config example : schema_mode = rfc2307
	idmap config example : range = 500-400000
	idmap config * : schema_mode = rfc2307
	idmap config * : range = 400001-410000
	idmap_ldb : use rfc2307 = Yes
	idmap config * : backend = tdb
	printing = bsd
	use sendfile = Yes

[netlogon]
	browseable = No
	path = /var/lib/samba/sysvol/example.fr/scripts
	read only = No

[sysvol]
	browseable = No
	path = /var/lib/samba/sysvol
	read only = No

[profiles]
	browseable = No
	path = /var/lib/samba/profiles
	read only = No

[homes]
	browseable = No
	comment = Home Directory
	read only = No

[team1]
	comment = Equipe TEAM1
	force group = +team1
	path = /home/team1
	read only = No
	valid users = +team1

Nothing is written in the logs, as nobody can access the share.

iptables is OK; we can telnet to our file server on TCP port 445 from
any workstation:

jlmas@my-workstation:~$ telnet fileserver.example.com 445
Trying 2001:660:5301:xx::x...
Connected to fileserver.example.com.
Escape character is '^]'.

SELinux is disabled.

Any help would be appreciated.


Jean Louis Mas
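Added example, not part of the post and not Samba's own tooling: a POSIX shell script that checks the posted idmap block offline for the two things the post's own output already shows. "ads" is not an idmap backend (Samba's AD backend is idmap_ad, selected with "backend = ad"; "ads" is a value of "security"), and the uid 400002 that "wbinfo -i" returns lies in the "idmap config *" range 400001-410000, i.e. winbind allocated it from the local tdb instead of reading the rfc2307 uidNumber 20025 that "getent passwd" gets through LDAP. smbd runs the SMB session under winbind's uid and gid, so ownership and group checks that were set up for the LDAP ids (20025/20000) are evaluated for 400002/400005, which is consistent with the "access denied". The script embeds the post's idmap lines and both passwd lines as constructed input, beside an assumed corrected fragment; the corrected ranges (3000-7999 for "*", 10000-999999 for the domain), the "unix_nss_info" option and the list of known backends are assumptions made here, not values from the post.

```shell
#!/bin/sh
# Added example (not code from the post or from Samba): offline checks for the
# idmap problems visible in the post, using the post's own idmap lines and the
# two passwd-format lines as constructed input.
#
# Facts relied on: Samba's AD idmap module is idmap_ad, selected with
# "backend = ad"; "ads" is a value of "security", not an idmap backend. The
# "*" default domain is a tdb allocator, so a uid in its range was allocated
# locally, not read from the user's uidNumber attribute.

# idmap backends shipped with Samba 4 (assumption: module list as of 4.x).
KNOWN_BACKENDS="tdb tdb2 ad rid autorid ldap nss hash script"

# check_backends FILE
#   Prints one line per "idmap config DOMAIN : backend = X" whose X is not a
#   known backend; prints nothing when all backends are valid.
check_backends() {
    awk -v known="$KNOWN_BACKENDS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        tolower($0) ~ /^[ \t]*idmap config[ \t]*[^:]*:[ \t]*backend[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]/, "", val)
            dom = $0; sub(/:.*$/, "", dom)
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", dom); gsub(/[ \t]/, "", dom)
            if (!(tolower(val) in ok)) print "unknown idmap backend for " dom ": " val
        }' "$1"
}

# range_owner FILE UID
#   Prints the idmap domain whose "range = LOW-HIGH" contains UID, or "none".
#   A winbind uid that lands in the "*" range never came from AD attributes.
range_owner() {
    awk -v uid="$2" '
        tolower($0) ~ /^[ \t]*idmap config[ \t]*[^:]*:[ \t]*range[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[ \t]/, "", val)
            dom = $0; sub(/:.*$/, "", dom)
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", dom); gsub(/[ \t]/, "", dom)
            split(val, r, "-")
            if (uid + 0 >= r[1] + 0 && uid + 0 <= r[2] + 0) { print dom; found = 1; exit }
        }
        END { if (!found) print "none" }' "$1"
}

# nss_vs_winbind NSS_PASSWD_LINE WINBIND_PASSWD_LINE
#   Compares the uid field of "getent passwd" (here served by files/ldap) with
#   the one "wbinfo -i" returns. smbd runs the session under the winbind uid,
#   so a mismatch means the share is accessed as a different Unix identity
#   than the one that owns the files.
nss_vs_winbind() {
    nss_uid=$(printf '%s\n' "$1" | cut -d: -f3)
    wb_uid=$(printf '%s\n' "$2" | cut -d: -f3)
    if [ "$nss_uid" = "$wb_uid" ]; then
        echo "match $nss_uid"
    else
        echo "mismatch $nss_uid $wb_uid"
    fi
}

# Constructed input 1: the idmap lines exactly as posted.
BROKEN_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
    idmap config example : backend = ads
    idmap config example : schema_mode = rfc2307
    idmap config example : range = 500-400000
    idmap config * : schema_mode = rfc2307
    idmap config * : range = 400001-410000
    idmap config * : backend = tdb
EOF

# Constructed input 2: an assumed correction (the ranges and the
# unix_nss_info option are choices made here, not values from the post).
# The "*" range stays small and below every AD id; the domain range must
# cover every uidNumber/gidNumber set in AD (20025/20000 in the post) and
# must not overlap the "*" range.
cat > "$FIXED_CONF" <<'EOF'
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : unix_nss_info = yes
EOF

# Constructed input 3: the two passwd-format lines from the post.
NSS_LINE='jlmas:x:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash'
WB_LINE='jlmas:*:400002:400005:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false'

echo "posted config:"
check_backends "$BROKEN_CONF"
echo "  winbind uid 400002 was allocated from the range of domain: $(range_owner "$BROKEN_CONF" 400002)"
echo "  $(nss_vs_winbind "$NSS_LINE" "$WB_LINE")"
echo "corrected config:"
echo "  unknown backends: [$(check_backends "$FIXED_CONF")]"
echo "  uid 20025 falls in the range of domain: $(range_owner "$FIXED_CONF" 20025)"
```

On the corrected fragment: "unix_nss_info = yes" is the per-domain form (Samba 4.6 and later) of the global "winbind nss info = rfc2307" that the post already sets; one of the two is enough. After changing idmap ranges, the stale allocations in winbind's tdb need to be cleared and winbind restarted before "wbinfo -i" is checked again. Unrelated to the mapping failure: "ntlm auth = ntlmv1-permitted" re-enables NTLMv1 for every client of this server and is worth removing once the mapping works.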
