[Samba] Users can't mount shares on a domain member file server

Rowland penny rpenny at samba.org
Fri Dec 18 14:49:59 UTC 2020


On 18/12/2020 14:15, MAS Jean-Louis via samba wrote:
> On 16/12/2020 at 18:25, Rowland penny via samba wrote:
>
>> I think I might know what the problem is, but first, you do not need 
>> these:
>>
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>
> Those objectclasses provide a lot of attributes we currently use, 
> mostly for our Linux users.
> If I delete them, I guess our users will not be able to connect to 
> Linux servers, which are not part of our Samba domain but use our AD 
> for authentication (with nslcd mappings).

Well, you would guess wrong 😁

posixAccount and shadowAccount are auxiliaryClasses of the 'user' 
objectclass and inetOrgPerson is a subclass of 'user', so you don't 
need them to get the attributes.

>
>> You have changed the primaryGroupID, why ?
>
> Old accounts, such as mine, have been created like that; most of them have 
> been changed to 'Domain Users' some time ago. Now my primaryGroupID is 
> correct
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com 
> sAMAccountName=jlmas | grep primaryGroupID
>
> primaryGroupID: 513
>
> I checked our AD, and all our users have the right primaryGroupID
>
>> Windows expects that every user's primary group is Domain Users and 
>> now it is whatever '2906' is, this is what I think your problem is. 
>> Samba also requires Domain Users, though to be honest I am unsure 
>> whether it requires the name or the numeric ID, but it looks like, 
>> whichever it is, winbind does not like this.
>
> I have flushed the winbind cache
>
> Now uid and gid are OK, but unixHomeDirectory and loginShell are not
>
> $ getent passwd jlmas
>  jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

You have a line missing from your smb.conf:

idmap config EXAMPLE : unix_nss_info = yes

> The only wrong point came from 'net ads testjoin'
>
> # net ads testjoin
>
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for 
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: 
> An invalid parameter was passed to a service or function.
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for 
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: 
> An invalid parameter was passed to a service or function.
> Join to domain is not valid: An invalid parameter was passed to a 
> service or function.
Did you run the command as root? If not, try again as root or using sudo.

Rowland
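As an added illustration of the fix Rowland points to (this is not configuration from the thread, and not Samba project code), the idmap section of a domain member's smb.conf with the missing unix_nss_info line in context. The domain name EXAMPLE, realm EXAMPLE.COM and the ID ranges are assumptions; the EXAMPLE range must at least cover the uid 20025 / gid 20000 shown in the getent output above and must not overlap the '*' range.

```ini
# Added example, not from the thread: idmap settings for a Samba AD domain
# member that reads RFC2307 attributes from AD. Domain, realm and ranges
# are assumed values; adjust them to your own directory.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS

    # Default backend for BUILTIN and any other domain: local tdb allocation.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The EXAMPLE domain: take uidNumber/gidNumber from AD (RFC2307 schema).
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    # Must contain every uidNumber/gidNumber stored in AD (20025/20000 above)
    # and must not overlap the '*' range.
    idmap config EXAMPLE : range = 10000-999999

    # The line that was missing: without it winbind ignores the AD
    # unixHomeDirectory and loginShell attributes and returns the template
    # values below instead (which is exactly the /home/EXAMPLE/jlmas and
    # /bin/false seen in the getent output).
    idmap config EXAMPLE : unix_nss_info = yes

    # Only used for users that have no unixHomeDirectory/loginShell in AD.
    template homedir = /home/%D/%U
    template shell = /bin/false
```

After changing smb.conf, check it with testparm, restart winbind, flush the cache with 'net cache flush' and run 'getent passwd jlmas' again; the home directory and shell should now be the values stored in AD. Note that uid/gid being correct while home directory and shell are wrong is the characteristic symptom of this one missing line, so it is worth checking before touching the account objects themselves.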
