[Samba] Winbind problems

Rowland penny rpenny at samba.org
Tue Feb 4 19:29:27 UTC 2020


On 04/02/2020 17:36, Marcio Demetrio Bacci wrote:
> Hi,
>
> >> To "Domain User" group no, I haven't.
> >I would give 'Domain Users' a gidNumber.
> Now I assign a gidNumber.
>
> I'm following this article: 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> But in "Setting Share Permissions and ACLs", the access is denied, as 
> the log messages show:
>
> [2020/02/04 15:13:38.266457,  3] ../../lib/util/access.c:371(allow_access)
>   Allowed connection from 192.168.0.11 (192.168.0.11)
> [2020/02/04 15:13:38.266685,  3] 
> ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
>   string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
> [2020/02/04 15:13:38.268610,  1] 
> ../../source3/smbd/service.c:359(create_connection_session_info)
>   create_connection_session_info: user 'marcio' (from session setup) 
> not permitted to access this share (Arquivos)
> [2020/02/04 15:13:38.268822,  1] 
> ../../source3/smbd/service.c:531(make_connection_snum)
>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2020/02/04 15:13:38.269014,  3] 
> ../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
> [2020/02/04 15:13:49.379329,  3] 
> ../../source3/smbd/service.c:1131(close_cnum)
>   192.168.0.11 (ipv4:192.168.0.11:61504) 
> closed connection to service IPC$
> [2020/02/04 15:13:49.380788,  3] 
> ../../source3/smbd/server_exit.c:244(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
>
> There is some problem with the domain user account format.
>
> Here is my smb.conf:
>
> cat /usr/local/samba/etc/smb.conf
> [global]
>     netbios name = FILESERVER
>     workgroup = EMPRESA
>     security = ADS
>     realm = EMPRESA.COM.BR
>     encrypt passwords = yes
>     username map = /usr/local/samba/etc/user.map
>     log file = /var/log/samba/%m.log
>     #log level = 1
>     log level = 3 passdb:5 auth:5
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config EMPRESA:backend = ad
>     idmap config EMPRESA:schema_mode = rfc2307
>     idmap config EMPRESA:range = 10000-999999
>     idmap config EMPRESA:unix_nss_info = yes
>     idmap config EMPRESA:unix_primary_group = yes
>     #winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind separator = +
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>     template shell = /bin/bash
>     template homedir = /home/%U
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     [Arquivos]
>     comment = Compartilhamentos do Dominio
>     path =  /home/Arquivos
>     valid users = +EMPRESA\"Domain Users"
>     admin users = +EMPRESA\"Domain Admins"
>     #valid users = @"EMPRESA\Domain Users"
>     #admin users = @"EMPRESA\Domain Admins"
>     guest ok = no
>     writable = yes
>     read only = no
>     browsable = yes
>     create mask = 0777
>     directory mask = 0777
>
> I have already tried to change "valid users" parameter in several ways.
> Would anyone have any ideas to solve this problem?

How about totally removing 'valid users' ?

I have altered that wiki page, hopefully now it says this in an orange 
warning box:

Do not set ANY additional share parameters, such as force user or 
valid users. Adding them to the share definition can prevent you from 
configuring or using the share.

It might be more understandable.

Just make the share look like this:

[Arquivos]
     comment = Compartilhamentos do Dominio
     path =  /home/Arquivos
     read only = no

Ensure that you have created a group (Unix Admins for example), given it 
a gidNumber and added the group to Domain Admins.

Then follow the wiki page again ;-)

Rowland
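The warning above boils down to a check you can run before following the wiki: does any share in smb.conf set one of the parameters the page tells you to leave out? The following script is an added example, not from the thread, the Samba wiki or the Samba project. It assumes the standard `[section]` / `key = value` layout of smb.conf, and the list of flagged parameters is my own reading of "such as force user or valid users" extended with the other access-restricting share options (admin users, invalid users, force group, read list, write list); it is not an authoritative list from Samba. The embedded smb.conf is constructed to mirror the [Arquivos] share from the original post, including the `+EMPRESA\"Domain Users"` value that smbd tried to parse as a SID in the log.

```shell
#!/bin/sh
# Added example: find smb.conf shares that set parameters the Samba wiki
# warns against when a share is meant to be managed with Windows ACLs.
# Not part of the thread, the wiki or Samba itself.

# Constructed sample smb.conf (mirrors the [Arquivos] share in the thread;
# [Publico] is a clean share for comparison).
SAMPLE_SMB_CONF='[global]
    workgroup = EMPRESA
    vfs objects = acl_xattr
    winbind separator = +

[Arquivos]
    comment = Compartilhamentos do Dominio
    path = /home/Arquivos
    valid users = +EMPRESA\"Domain Users"
    admin users = +EMPRESA\"Domain Admins"
    read only = no

[Publico]
    path = /srv/publico
    read only = no
'

# Reads smb.conf text on stdin and prints "share:parameter" for every
# non-[global] share that sets one of the flagged parameters.
# The flagged list is an assumption based on the wiki warning, not Samba's
# own authoritative list.
find_acl_conflicts() {
    awk '
        # New section header: remember the share name.
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/][ \t]*$/, "", sec)
            next
        }
        # Skip comments (# or ;) and blank lines.
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        # Inside a share section: normalise the key and test it.
        sec != "" && tolower(sec) != "global" {
            key = $0
            sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            key = tolower(key)
            if (key == "valid users" || key == "invalid users" ||
                key == "admin users" || key == "force user" ||
                key == "force group" || key == "read list" ||
                key == "write list")
                print sec ":" key
        }'
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_SMB_CONF" | find_acl_conflicts
```

Against the sample this reports `Arquivos:valid users` and `Arquivos:admin users` and nothing for `[Publico]`. On a real file server you would feed it the effective configuration rather than the raw file, e.g. `testparm -s | find_acl_conflicts`, so that includes and defaults are resolved the same way smbd sees them; remove whatever it reports, then set the permissions from Windows as the wiki describes.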