[Samba] Users can't mount shares on a domain member file server

Rowland penny rpenny at samba.org
Tue Dec 15 17:29:16 UTC 2020


On 15/12/2020 16:32, MAS Jean-Louis via samba wrote:
> hi,
>
> We have replaced our old Centos 6 samba4 file server by a brand new
> Centos 7 file server
>
> The new Centos 7 server is a domain member joined by :
>
> net ads join -U administrator
>
> The Centos 6 samba file server was working fine, but on the new server
> nobody can mount windows shares either home or teams shares.
> We used the old Centos 6 smb.conf with some modifications suggested by
> 'testparm'
'testparm' doesn't suggest anything, it just checks your smb.conf
>
> On the Centos 6 server, we didn't use winbind, and now we must use it.
> and winbind causes strange mappings on our fileserver
Well it will possibly give you different IDs but they should be 
consistent.
> # /etc/nsswitch.conf
>
> passwd:     files ldap
Replace 'ldap' with 'winbind'
> shadow:     files ldap
Remove 'ldap'
> group:      files ldap
Replace 'ldap' with 'winbind'
> hosts:      files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files winbind
Remove 'winbind'
> netgroup:   files winbind ldap
Remove 'winbind' and 'ldap'
> publickey:  nisplus
> automount:  files ldap
> aliases:    files nisplus
>
> # smb.conf (with only one teams share for example)
>
> # Global parameters
> [global]
> 	allow trusted domains = No
> 	disable spoolss = Yes
> 	domain master = No
> 	kerberos method = system keytab
> 	load printers = No
> 	local master = No
> 	log file = /var/log/samba/samba.log
> 	ntlm auth = ntlmv1-permitted
> 	preferred master = No
> 	printcap cache time = 0
> 	printcap name = /dev/null
> 	realm = EXAMPLE.COM
> 	restrict anonymous = 2
> 	security = ADS
> 	server role = member server
> 	server string = Samba Server Version %v
> 	socket options = TCP_NODELAY IPTOS_LOWDELAY
I would remove the 'socket options' line and rely on the kernel knowing 
what it is doing.
> 	winbind nss info = rfc2307
Remove the line above, it has been replaced.
> 	winbind use default domain = Yes
> 	workgroup = EXAMPLE
> 	rpc_daemon:spoolssd = off
> 	smbd:backgroundqueue = no
Where did you get the line above from?
> 	idmap config example : backend = ads
The 'ads' in the line above should be 'ad'
> 	idmap config example : schema_mode = rfc2307
> 	idmap config example : range = 500-400000
Why start at 500? Do you have normal users & groups in AD with 
uidNumbers & gidNumbers that start so low? Not counting the ones that 
start with 'Domain' e.g. 'Domain Users'
> 	idmap config * : schema_mode = rfc2307
That line is not used with the '*' domain
> 	idmap config * : range = 400001-410000
We recommend the range '3000-7999' for the '*' domain
> 	idmap_ldb : use rfc2307 = Yes
The line above is only used on an AD DC
> 	idmap config * : backend = tdb
> 	printing = bsd
> 	use sendfile = Yes
>
>
> [netlogon]
> 	browseable = No
> 	path = /var/lib/samba/sysvol/example.fr/scripts
> 	read only = No
>
>
> [sysvol]
> 	browseable = No
> 	path = /var/lib/samba/sysvol
> 	read only = No
Why are 'sysvol' & 'netlogon' on a Unix domain member, they should be on 
your AD DC.
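The points raised above about nsswitch.conf and the idmap settings can be turned into a repeatable check. The script below is an added example, not code from this thread or from the Samba project: it parses constructed copies of the two files (the sample contents mirror the configuration posted above; the corrected smb.conf and its 10000-400000 domain range are assumptions chosen for illustration) and reports the same problems a member-server review would flag: an unknown idmap backend, schema_mode on the '*' domain, a '*' range other than 3000-7999, overlapping ranges, a domain range starting below 1000, the replaced 'winbind nss info' line, the DC-only 'idmap_ldb' setting, and sysvol/netlogon shares on a domain member.

```python
import re

# Constructed sample: a member-server smb.conf mirroring the one posted in
# the thread, mistakes included. Not a real configuration.
SAMPLE_SMB_CONF = """
[global]
	realm = EXAMPLE.COM
	security = ADS
	server role = member server
	winbind nss info = rfc2307
	winbind use default domain = Yes
	workgroup = EXAMPLE
	idmap config example : backend = ads
	idmap config example : schema_mode = rfc2307
	idmap config example : range = 500-400000
	idmap config * : schema_mode = rfc2307
	idmap config * : range = 400001-410000
	idmap_ldb : use rfc2307 = Yes
	idmap config * : backend = tdb

[netlogon]
	path = /var/lib/samba/sysvol/example.fr/scripts

[sysvol]
	path = /var/lib/samba/sysvol
"""

# Constructed corrected version; the 10000 lower bound is an assumption.
FIXED_SMB_CONF = """
[global]
	realm = EXAMPLE.COM
	security = ADS
	server role = member server
	winbind use default domain = Yes
	workgroup = EXAMPLE
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	idmap config example : backend = ad
	idmap config example : schema_mode = rfc2307
	idmap config example : range = 10000-400000
"""

# Constructed nsswitch.conf lines with the same ldap/winbind mix as the post.
SAMPLE_NSSWITCH = """
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns myhostname
services:   files winbind
netgroup:   files winbind ldap
"""

# Backends that exist as idmap_<name> modules in Samba; 'ads' is not one of them.
VALID_IDMAP_BACKENDS = {"tdb", "tdb2", "ad", "rid", "autorid", "ldap", "nss", "hash", "script"}
RECOMMENDED_STAR_RANGE = (3000, 7999)  # '*' range recommended in the Samba wiki
IDMAP_KEY = re.compile(r"^idmap config (\S+) : (\S+)$")


def parse_smb_conf(text):
    """Return {section: {normalised key: value}}, skipping comments and blanks."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_range(value):
    low, high = value.split("-", 1)
    return int(low), int(high)


def check_smb_conf(text):
    """Return the problems a review of a domain member's smb.conf would raise."""
    conf = parse_smb_conf(text)
    glob, findings, idmap = conf.get("global", {}), [], {}
    for key, value in glob.items():          # group 'idmap config X : opt' by domain
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = value
    for domain, opts in idmap.items():
        backend = opts.get("backend", "").lower()
        if backend and backend not in VALID_IDMAP_BACKENDS:
            hint = " (did you mean 'ad'?)" if backend == "ads" else ""
            findings.append(f"idmap config {domain}: backend '{backend}' is not an idmap backend{hint}")
        if "schema_mode" in opts and backend in VALID_IDMAP_BACKENDS and backend != "ad":
            findings.append(f"idmap config {domain}: schema_mode is only used by the 'ad' backend")
        if "range" not in opts:
            findings.append(f"idmap config {domain}: no range set")
        elif domain != "*" and parse_range(opts["range"])[0] < 1000:
            findings.append(f"idmap config {domain}: range starts at {parse_range(opts['range'])[0]}; "
                            "check that AD uidNumbers/gidNumbers really go that low")
    star = idmap.get("*", {})
    if "range" in star and parse_range(star["range"]) != RECOMMENDED_STAR_RANGE:
        findings.append(f"idmap config *: range {star['range']} differs from the recommended 3000-7999")
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    for a in ranges:                          # every unordered pair once (a < b)
        for b in ranges:
            if a < b and ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    if "winbind nss info" in glob:
        findings.append("'winbind nss info' has been replaced; remove it")
    if any(k.startswith("idmap_ldb :") for k in glob):
        findings.append("'idmap_ldb : use rfc2307' is only used on an AD DC")
    for share in ("sysvol", "netlogon"):
        if share in conf:
            findings.append(f"[{share}] share belongs on the AD DC, not a domain member")
    return findings


def check_nsswitch(text):
    """Flag the ldap/winbind entries that the thread says to replace or remove."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        db, sources = db.strip(), sources.split()
        if db in ("passwd", "group") and "ldap" in sources:
            findings.append(f"{db}: replace 'ldap' with 'winbind'")
        if db == "shadow" and "ldap" in sources:
            findings.append("shadow: remove 'ldap'")
        if db == "services" and "winbind" in sources:
            findings.append("services: remove 'winbind'")
        if db == "netgroup":
            findings.extend(f"netgroup: remove '{s}'" for s in ("winbind", "ldap") if s in sources)
    return findings


if __name__ == "__main__":
    for f in check_smb_conf(SAMPLE_SMB_CONF) + check_nsswitch(SAMPLE_NSSWITCH):
        print("-", f)
    print("corrected smb.conf findings:", check_smb_conf(FIXED_SMB_CONF))
```

To run it against a live host, read `/etc/samba/smb.conf` and `/etc/nsswitch.conf` into the two check functions instead of the constructed strings; the overlap test matters most when several domains or a `rid` or `ad` backend are configured alongside the `*` tdb range.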