[Samba] Winbind problems

Marcio Demetrio Bacci marciobacci at gmail.com
Sat Feb 8 12:57:36 UTC 2020


Hi,

>Do not set ANY additional share parameters, such as force user or
>valid users. Adding them to the share definition can prevent you from
>configuring or using the share.

OK, sorry.

Now it is working properly.

I'm copying the Windows files to Samba4 and I'm not able to copy the NTFS
security information. In the logs it states that the destination is not an
NTFS system.

How could I solve this problem?

Regards,

Márcio Bacci

On Tue, 4 Feb 2020 at 16:30, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 04/02/2020 17:36, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > >> To "Domain User" group no, I haven't.
> > >I would give 'Domain Users' a gidNumber.
> > Now I assign a gidNumber.
> >
> > I'm following this article:
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> > But in "Setting Share Permissions and ACLs", the access is denied, as
> > the log messages show:
> >
> > [2020/02/04 15:13:38.266457,  3] ../../lib/util/access.c:371(allow_access)
> >   Allowed connection from 192.168.0.11 (192.168.0.11)
> > [2020/02/04 15:13:38.266685,  3] ../../libcli/security/dom_sid.c:215(dom_sid_parse_endp)
> >   string_to_sid: SID +EMPRESA\Domain Users is not in a valid format
> > [2020/02/04 15:13:38.268610,  1] ../../source3/smbd/service.c:359(create_connection_session_info)
> >   create_connection_session_info: user 'marcio' (from session setup) not permitted to access this share (Arquivos)
> > [2020/02/04 15:13:38.268822,  1] ../../source3/smbd/service.c:531(make_connection_snum)
> >   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> > [2020/02/04 15:13:38.269014,  3] ../../source3/smbd/smb2_server.c:3256(smbd_smb2_request_error_ex)
> >   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:142
> > [2020/02/04 15:13:49.379329,  3] ../../source3/smbd/service.c:1131(close_cnum)
> >   192.168.0.11 (ipv4:192.168.0.11:61504) closed connection to service IPC$
> > [2020/02/04 15:13:49.380788,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
> >   Server exit (NT_STATUS_CONNECTION_RESET)
> >
> > There is some problem with the domain user account format.
> >
> > Here is my smb.conf:
> >
> > cat /usr/local/samba/etc/smb.conf
> > [global]
> >     netbios name = FILESERVER
> >     workgroup = EMPRESA
> >     security = ADS
> >     realm = EMPRESA.COM.BR
> >     encrypt passwords = yes
> >     username map = /usr/local/samba/etc/user.map
> >     log file = /var/log/samba/%m.log
> >     #log level = 1
> >     log level = 3 passdb:5 auth:5
> >     idmap config * : backend = tdb
> >     idmap config * : range = 3000-7999
> >     idmap config EMPRESA:backend = ad
> >     idmap config EMPRESA:schema_mode = rfc2307
> >     idmap config EMPRESA:range = 10000-999999
> >     idmap config EMPRESA:unix_nss_info = yes
> >     idmap config EMPRESA:unix_primary_group = yes
> >     #winbind nss info = rfc2307
> >     winbind refresh tickets = Yes
> >     winbind separator = +
> >     winbind use default domain = yes
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >     vfs objects = acl_xattr
> >     map acl inherit = Yes
> >     store dos attributes = Yes
> >     template shell = /bin/bash
> >     template homedir = /home/%U
> >     dedicated keytab file = /etc/krb5.keytab
> >     kerberos method = secrets and keytab
> >     load printers = no
> >     printing = bsd
> >     printcap name = /dev/null
> >     disable spoolss = yes
> >
> >     [Arquivos]
> >     comment = Compartilhamentos do Dominio
> >     path =  /home/Arquivos
> >     valid users = +EMPRESA\"Domain Users"
> >     admin users = +EMPRESA\"Domain Admins"
> >     #valid users = @"EMPRESA\Domain Users"
> >     #admin users = @"EMPRESA\Domain Admins"
> >     guest ok = no
> >     writable = yes
> >     read only = no
> >     browsable = yes
> >     create mask = 0777
> >     directory mask = 0777
> >
> > I have already tried to change "valid users" parameter in several ways.
> > Would anyone have any ideas to solve this problem?
>
> How about totally removing 'valid users' ?
>
> I have altered that wiki page, hopefully now it says this in an orange
> warning box:
>
> Do not set ANY additional share parameters, such as force user or
> valid users. Adding them to the share definition can prevent you from
> configuring or using the share.
>
> It might be more understandable.
>
> Just make the share look like this:
>
> [Arquivos]
>      comment = Compartilhamentos do Dominio
>      path =  /home/Arquivos
>      read only = no
>
> Ensure that you have created a group (Unix Admins for example), given it
> a gidNumber and added the group to Domain Admins.
>
> Then follow the wiki page again ;-)
>
> Rowland
>
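
A check for the advice in the quoted reply, as an added example that is not part of the original thread or of Samba: it flags every share that sets parameters beyond the three in the suggested [Arquivos] definition. The function names and the allow-list are assumptions, and the sample is abbreviated from the smb.conf posted above.

```python
import re

# Allow-list (assumption): the three parameters in the share suggested in the
# reply, stored without whitespace for comparison.
ALLOWED = {"comment", "path", "readonly"}
SPECIAL = {"global", "homes", "printers"}  # not ordinary file shares

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; line continuations are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            # Keep the name readable: lower case, single spaces.
            sections[current][" ".join(name.lower().split())] = value.strip()
    return sections

def extra_share_params(text):
    """Map each share to the sorted parameters it sets beyond ALLOWED."""
    findings = {}
    for share, params in parse_smb_conf(text).items():
        # Samba ignores case and whitespace in parameter names.
        extra = sorted(p for p in params if p.replace(" ", "") not in ALLOWED)
        if share.lower() not in SPECIAL and extra:
            findings[share] = extra
    return findings

# Constructed sample, abbreviated from the smb.conf posted in this thread.
POSTED = r"""
[global]
    workgroup = EMPRESA
    winbind separator = +
    [Arquivos]
    comment = Compartilhamentos do Dominio
    path =  /home/Arquivos
    valid users = +EMPRESA\"Domain Users"
    admin users = +EMPRESA\"Domain Admins"
    #valid users = @"EMPRESA\Domain Users"
    read only = no
    create mask = 0777
"""

if __name__ == "__main__":
    print(extra_share_params(POSTED))
```

An empty result means every share matches the minimal definition, which is the state the wiki page expects before permissions are set from Windows.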

