[Samba] Winbind problems
Marcio Demetrio Bacci
marciobacci at gmail.com
Tue Feb 4 17:36:23 UTC 2020
Hi,
>> To "Domain User" group no, I haven't.
>I would give 'Domain Users' a gidNumber.
Now I assign a gidNumber.
I'm following this article:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
But in "Setting Share Permissions and ACLs", the access is denied, as the
log messages show:
[2020/02/04 15:13:38.266457, 3] ../../lib/util/access.c:371(allow_access)
Allowed connection from 192.168.0.11 (192.168.0.11)
[2020/02/04 15:13:38.266685, 3]
../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
[2020/02/04 15:13:38.268610, 1]
../../source3/smbd/service.c:359(create_connection_session_info)
create_connection_session_info: user 'marcio' (from session setup) not
permitted to access this share (Arquivos)
[2020/02/04 15:13:38.268822, 1]
../../source3/smbd/service.c:531(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2020/02/04 15:13:38.269014, 3]
../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
[2020/02/04 15:13:49.379329, 3]
../../source3/smbd/service.c:1131(close_cnum)
192.168.0.11 (ipv4:192.168.0.11:61504) closed connection to service IPC$
[2020/02/04 15:13:49.380788, 3]
../../source3/smbd/server_exit.c:244(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
There is some problem with the domain user account format.
Here is my smb.conf:
cat /usr/local/samba/etc/smb.conf
[global]
netbios name = FILESERVER
workgroup = EMPRESA
security = ADS
realm = EMPRESA.COM.BR
encrypt passwords = yes
username map = /usr/local/samba/etc/user.map
log file = /var/log/samba/%m.log
#log level = 1
log level = 3 passdb:5 auth:5
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-999999
idmap config EMPRESA:unix_nss_info = yes
idmap config EMPRESA:unix_primary_group = yes
#winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
template shell = /bin/bash
template homedir = /home/%U
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[Arquivos]
comment = Compartilhamentos do Dominio
path = /home/Arquivos
valid users = +EMPRESA\"Domain Users"
admin users = +EMPRESA\"Domain Admins"
#valid users = @"EMPRESA\Domain Users"
#admin users = @"EMPRESA\Domain Admins"
guest ok = no
writable = yes
read only = no
browsable = yes
create mask = 0777
directory mask = 0777
I have already tried to change "valid users" parameter in several ways.
Would anyone have any ideas to solve this problem?
Regards,
Márcio Bacci
On Mon, 3 Feb 2020 at 18:18, Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 03/02/2020 19:06, Marcio Demetrio Bacci wrote:
> > Hi Rowland
> >
> > >And does 'getent group Domain\ Admins' produce output ?
> > No output.
>
> Then your fileserver does not know who 'Domain Admins' is, which
> actually is a good thing, see here:
>
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> >
> > >Have you given 'Domain Users' a gidNumber attribute containing a
> > number inside '10000-999999'
> > To "Domain User" group no, I haven't.
> I would give 'Domain Users' a gidNumber.
>
> Rowland