[Samba] Winbind problems

Marcio Demetrio Bacci marciobacci at gmail.com
Tue Feb 4 17:36:23 UTC 2020


Hi,

>> To "Domain User" group no, I haven't.
>I would give 'Domain Users' a gidNumber.
Now I assign a gidNumber.

I'm following this article:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

But in "Setting Share Permissions and ACLs", the access is denied, as the
log messages show:

[2020/02/04 15:13:38.266457,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.0.11 (192.168.0.11)
[2020/02/04 15:13:38.266685,  3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
  string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
[2020/02/04 15:13:38.268610,  1] ../../source3/smbd/service.c:359(create_connection_session_info)
  create_connection_session_info: user 'marcio' (from session setup) not permitted to access this share (Arquivos)
[2020/02/04 15:13:38.268822,  1] ../../source3/smbd/service.c:531(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2020/02/04 15:13:38.269014,  3] ../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
[2020/02/04 15:13:49.379329,  3] ../../source3/smbd/service.c:1131(close_cnum)
  192.168.0.11 (ipv4:192.168.0.11:61504) closed connection to service IPC$
[2020/02/04 15:13:49.380788,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

There is some problem with the domain user account format.

Here is my smb.conf:

cat /usr/local/samba/etc/smb.conf
[global]
    netbios name = FILESERVER
    workgroup = EMPRESA
    security = ADS
    realm = EMPRESA.COM.BR
    encrypt passwords = yes
    username map = /usr/local/samba/etc/user.map
    log file = /var/log/samba/%m.log
    #log level = 1
    log level = 3 passdb:5 auth:5
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:schema_mode = rfc2307
    idmap config EMPRESA:range = 10000-999999
    idmap config EMPRESA:unix_nss_info = yes
    idmap config EMPRESA:unix_primary_group = yes
    #winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    template shell = /bin/bash
    template homedir = /home/%U
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    [Arquivos]
    comment = Compartilhamentos do Dominio
    path =  /home/Arquivos
    valid users = +EMPRESA\"Domain Users"
    admin users = +EMPRESA\"Domain Admins"
    #valid users = @"EMPRESA\Domain Users"
    #admin users = @"EMPRESA\Domain Admins"
    guest ok = no
    writable = yes
    read only = no
    browsable = yes
    create mask = 0777
    directory mask = 0777

I have already tried to change "valid users" parameter in several ways.
Would anyone have any ideas to solve this problem?

Regards,

Márcio Bacci

On Mon, Feb 3, 2020 at 18:18, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 03/02/2020 19:06, Marcio Demetrio Bacci wrote:
> > Hi Rowland
> >
> > >And does 'getent group Domain\ Admins' produce output ?
> > No output.
>
> Then your fileserver does not know who 'Domain Admins' is, which
> actually is a good thing, see here:
>
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>
> >
> > >Have you given 'Domain Users' a gidNumber attribute containing a
> > number inside '10000-999999'
> > To "Domain User" group no, I haven't.
> I would give 'Domain Users' a gidNumber.
>
> Rowland
>
>
