[Samba] Users can't mount shares on a domain member file server
Rowland penny
rpenny at samba.org
Tue Dec 15 17:29:16 UTC 2020
On 15/12/2020 16:32, MAS Jean-Louis via samba wrote:
> hi,
>
> We have replaced our old Centos 6 samba4 file server by a brand new
> Centos 7 file server
>
> The new Centos 7 server is a domain member joined by :
>
> net ads join -U administrator
>
> The Centos 6 samba file server was working fine, but on the new server
> nobody can mount windows shares either home or teams shares.
> We used the old Centos 6 smb.conf with some modifications suggested by
> 'testparm'
'testparm' doesn't suggest anything; it just checks your smb.conf.
>
> On the Centos 6 server, we didn't use winbind, and now we must use it.
> and winbind cause strange mappings on our fileserver
Well, it will possibly give you different IDs, but they should be
consistent.
> # /etc/nsswitch.conf
>
> passwd: files ldap
Replace 'ldap' with 'winbind'
> shadow: files ldap
Remove 'ldap'
> group: files ldap
Replace 'ldap' with 'winbind'
> hosts: files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files winbind
Remove 'winbind'
> netgroup: files winbind ldap
Remove 'winbind' and 'ldap'
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> # smb.conf (with only one teams share for example)
>
> # Global parameters
> [global]
> allow trusted domains = No
> disable spoolss = Yes
> domain master = No
> kerberos method = system keytab
> load printers = No
> local master = No
> log file = /var/log/samba/samba.log
> ntlm auth = ntlmv1-permitted
> preferred master = No
> printcap cache time = 0
> printcap name = /dev/null
> realm = EXAMPLE.COM
> restrict anonymous = 2
> security = ADS
> server role = member server
> server string = Samba Server Version %v
> socket options = TCP_NODELAY IPTOS_LOWDELAY
I would remove the 'socket options' line and rely on the kernel knowing
what it is doing.
> winbind nss info = rfc2307
Remove the line above, it has been replaced.
> winbind use default domain = Yes
> workgroup = EXAMPLE
> rpc_daemon:spoolssd = off
> smbd:backgroundqueue = no
Where did you get the line above from?
> idmap config example : backend = ads
The 'ads' in the line above should be 'ad'
> idmap config example : schema_mode = rfc2307
> idmap config example : range = 500-400000
Why start at 500? Do you have normal users & groups in AD with
uidNumbers & gidNumbers that start so low? Not counting the ones that
start with 'Domain', e.g. 'Domain Users'.
> idmap config * : schema_mode = rfc2307
That line is not used with the '*' domain
> idmap config * : range = 400001-410000
We recommend the range '3000-7999' for the '*' domain
> idmap_ldb : use rfc2307 = Yes
The line above is only used on an AD DC
> idmap config * : backend = tdb
> printing = bsd
> use sendfile = Yes
>
>
> [netlogon]
> browseable = No
> path = /var/lib/samba/sysvol/example.fr/scripts
> read only = No
>
>
> [sysvol]
> browseable = No
> path = /var/lib/samba/sysvol
> read only = No
Why are 'sysvol' & 'netlogon' on a Unix domain member? They should be on
your AD DC.
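As an added example that is not part of the thread and not a Samba tool: a small POSIX shell lint that flags the idmap settings criticised in the reply above. SMBCONF_SAMPLE is a constructed copy of the quoted idmap lines; the checks (and their wording) are assumptions derived from the reply, and the range checks generalise to any number of idmap domains, not just the two in the quoted smb.conf.

```shell
#!/bin/sh
# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMBCONF_SAMPLE='idmap config example : backend = ads
idmap config example : schema_mode = rfc2307
idmap config example : range = 500-400000
idmap config * : schema_mode = rfc2307
idmap config * : range = 400001-410000
idmap_ldb : use rfc2307 = Yes
idmap config * : backend = tdb
winbind nss info = rfc2307'

# lint_idmap CONFIG_TEXT: print one line per problem found (nothing if clean).
lint_idmap() {
    # Normalise whitespace so every line reads "key : sub = value".
    norm=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*:[[:space:]]*/ : /g' -e 's/[[:space:]]*=[[:space:]]*/ = /g')
    # Pass 1: per-line checks taken from the points raised in the reply.
    printf '%s\n' "$norm" | while IFS= read -r line; do
        case "$line" in
            'idmap config '*' : backend = ads')
                echo "backend 'ads' does not exist, use 'ad': $line" ;;
            'idmap config * : schema_mode'*)
                echo "schema_mode is ignored for the '*' domain: $line" ;;
            'winbind nss info'*)
                echo "'winbind nss info' is obsolete, remove it" ;;
            'idmap_ldb : use rfc2307'*)
                echo "'idmap_ldb : use rfc2307' only applies to an AD DC" ;;
        esac
    done
    # Pass 2: collect every range, then check low bounds and pairwise overlap.
    printf '%s\n' "$norm" | awk -F'[:=]' '
        $1 ~ /^idmap config / && $2 ~ /range/ {
            dom = $1; sub(/^idmap config /, "", dom); sub(/ $/, "", dom)
            split($3, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        }
        END {
            for (d in lo) {
                if (d != "*" && lo[d] < 1000)
                    printf "range for %s starts at %d: confirm AD uidNumber/gidNumber really start that low\n", d, lo[d]
                for (e in lo)
                    if (d < e && lo[d] <= hi[e] && lo[e] <= hi[d])
                        printf "ranges for %s and %s overlap\n", d, e
            }
        }'
}

lint_idmap "$SMBCONF_SAMPLE"
```

Feed it the idmap section of any smb.conf as a single string; an empty result means none of the listed problems was found.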