[Samba] Error : You dont have permission to save at this location.

Krish Kay tomnaugh at gmail.com
Fri Jun 4 16:59:30 UTC 2021


Thanks for the information, specifically regarding versions > 4.8.0.
We are not using sssd, and are not running winbind with Samba 4.7.8 on
RHEL6.


(1) Since we are using AD, we are not making changes to our existing
/etc/krb5.conf.
Is that okay?

The current /etc/krb5.conf is:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

(2) We tested winbind for Samba 4.10.16-5 on RHEL7.
Basic checks look good.
# wbinfo --ping-dc
checking the NETLOGON for domain[ENT] dc connection to "<hostname>.com" succeeded

However, when smb is restarted after winbind, we are unable to map the
Samba drive in Windows.
This error message pops up in Windows: You do not have permission to access
\\<samba-server>\<share>. Contact your network admin.

Since we use NIS, what should the updated content of /etc/nsswitch.conf be?
Does winbind come before or after nis?

passwd:     files nis
group:      files nis


(3) We do use shares. Example:
[<share-name>]
         comment = <comment>
         create mask = 0775
         force directory mode = 0775
         force group = <unix group name>
         path = <unix path to share>
         public = no
         valid users = <username1> <username2>
         writeable = yes

(4) Below is the updated smb.conf
[global]
        workgroup = <WORKGROUP NAME>
        netbios name = <NETBIOS NAME>
        server string = Samba %v on (%L)
        security = ADS
        encrypt passwords = Yes

        passdb backend = tdbsam:<path to db>/passdb.tdb

        use sendfile = yes
        invalid users = @samba_restricted_users
        local master = no
        preferred master = no
        domain master = no
        realm = <DOMAIN>.COM
        template shell = /bin/bash
        msdfs root = yes
        log level = 3
        log file = <unix path to logfile>/samba.log.%m
        max log size = 4096
        name resolve order = wins host
        deadtime = 5
        keepalive = 900
        wins support = no
        wins server = <IP 1>, <IP 2>
        dns proxy = yes
        preserve case = yes
        short preserve case = yes
        allow trusted domains = yes
        client min protocol = SMB2
        winbind use default domain = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind separator = +
        winbind cache time = 6000
        idmap config * : range = 100-60000

        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        client ldap sasl wrapping = sign
        client NTLMv2 auth = yes
        username map = <unix path>/map.txt
        allow insecure wide links = yes
        follow symlinks = yes
        wide links = no

        dont descend = .snapshot
        hide files = /.snapshot/._*/
        veto files = /*.one/*Notebook.onetoc2/.parentlock/
        browseable = No
        guest ok = No
        blocking locks = no
        kernel share modes = no
        client signing = disabled
        vfs objects = full_audit

        full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
        full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:facility = local6
        full_audit:priority = NOTICE
        include = <unix path>/config/general_smb.conf



On Thu, Jun 3, 2021 at 1:49 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 03/06/2021 19:23, Krish Kay wrote:
> >
> > Rowland,
> >
> > Thanks for responding.
> > We DO NOT run winbind daemon on RHEL7 at this time, since it is not
> > running on RHEL6
> >
> > Below is the smb.conf that we are testing on ver 4.10.16-5 on RHEL7.4,
> > the contents in < > are redacted.
> >
> > [global]
> >         workgroup = <WORKGROUP NAME>
> >         netbios name = <NETBIOS NAME>
> >         server string = Samba %v on (%L)
> >         security = ADS
> >         encrypt passwords = Yes
> >
> >         passdb backend = tdbsam:<path to db>
> >
> >         use sendfile = yes
> >         invalid users = @samba_restricted_users
> >         local master = no
> >         preferred master = no
> >         domain master = no
> >         realm = <DOMAIN>.COM
> >         template shell = /bin/bash
> >         msdfs root = yes
> >         log level = 3
> >         log file = <path to logfile>/samba.log.%m
> >         max log size = 4096
> >         name resolve order = wins host
> >         deadtime = 5
> >         keepalive = 900
> >         wins support = no
> >         wins server = <IP 1>, <IP 2>
> >         dns proxy = yes
> >         preserve case = yes
> >         short preserve case = yes
> >         allow trusted domains = yes
> >         client min protocol = SMB2
> >         winbind use default domain = yes
> >         winbind enum users = no
> >         winbind enum groups = no
> >         winbind nested groups = yes
> >         winbind separator = +
> >         winbind cache time = 6000
> >         idmap config * : range = 100-60000
> >         load printers = no
> >         printing = bsd
> >         printcap name = /dev/null
> >         disable spoolss = yes
> >         client ldap sasl wrapping = sign
> >         client NTLMv2 auth = yes
> >         username map = <path to>/map.txt
> >         allow insecure wide links = yes
> >         follow symlinks = yes
> >         wide links = no
> >
> >         dont descend = .snapshot
> >         hide files = /.snapshot/._*/
> >         veto files = /*.one/*Notebook.onetoc2/.parentlock/
> >         browseable = No
> >         guest ok = No
> >         blocking locks = no
> >         kernel share modes = no
> >         client signing = disabled
> >         vfs objects = full_audit
> >
> >         full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
> >         full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
> >         full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
> >         full_audit:facility = local6
> >         full_audit:priority = NOTICE
> >
> >
>
> OK, do you plan to use shares ? You haven't shown any.
>
> If you are planning to use shares with Samba, then remove sssd, install
> winbind and setup your smb.conf, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> If you just want authentication, then remove Samba and use sssd.
>
> If you continue to use Samba >= 4.8.0 with 'security = ADS' , you must
> run winbind, this will require the removal of sssd.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
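An added example, not code from this thread or from the Samba project: a shell audit of the kind of [global] section and nsswitch.conf posted above, checking the domain-member pitfalls a reviewer would look at before chasing the Windows "permission" error (a repeated `vfs objects` line, of which Samba keeps only the last; an idmap range with no backend; `client signing = disabled`; NSS databases that do not list winbind). The smb.conf and nsswitch.conf contents are constructed stand-ins for the redacted ones (EXAMPLE, EXAMPLE.COM, /srv/data, user1 and user2 are placeholders). The corrected version assumes the tdb backend for the default idmap domain plus a rid backend for the AD domain, with arbitrarily chosen ranges, and appends winbind after files and nis so that local and NIS accounts are resolved first; those are this example's choices, not something the thread establishes.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the Samba project: static checks for
# winbind domain-member pitfalls. All inputs below are constructed samples;
# realm, workgroup, paths and user names are placeholders.
set -eu

# Constructed "as posted" style [global]: note the two vfs objects lines,
# the idmap range without a backend, and client signing disabled.
SAMPLE_SMB_CONF='[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        security = ADS
        winbind use default domain = yes
        idmap config * : range = 100-60000
        vfs objects = acl_xattr
        client signing = disabled
        vfs objects = full_audit

[data]
        path = /srv/data
        valid users = user1 user2
'
SAMPLE_NSSWITCH='passwd:     files nis
group:      files nis
'

# Constructed corrected version (assumptions: tdb default backend, rid backend
# for the domain, arbitrary ranges, winbind appended after files and nis).
FIXED_SMB_CONF='[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        security = ADS
        winbind use default domain = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 10000-999999
        vfs objects = acl_xattr full_audit
        client signing = mandatory
'
FIXED_NSSWITCH='passwd:     files nis winbind
group:      files nis winbind
'

# Print every value of parameter $1 found in [global] (stdin), one per line.
# Keys are lower-cased with whitespace collapsed, so "vfs objects" and
# "idmap config * : backend" match the way Samba itself normalises them.
global_values() {
    awk -v key="$1" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            k = tolower(k); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }'
}

# Number of times parameter $1 appears in [global] (stdin).
global_count() {
    global_values "$1" | awk 'END { print NR }'
}

# Exit 0 if NSS database $1 (passwd, group, ...) lists winbind as a source.
nss_has_winbind() {
    awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Print one finding per line for smb.conf text $1 and nsswitch.conf text $2.
audit_findings() {
    smb=$1; nss=$2
    if [ "$(printf '%s' "$smb" | global_count 'vfs objects')" -gt 1 ]; then
        echo "vfs objects is set more than once in [global]; Samba keeps only the last line, so the earlier modules are dropped. Use one line: vfs objects = acl_xattr full_audit"
    fi
    if [ "$(printf '%s' "$smb" | global_count 'idmap config * : backend')" -eq 0 ]; then
        echo "no 'idmap config * : backend' in [global]; a range alone does not allocate IDs. Add: idmap config * : backend = tdb"
    fi
    if [ "$(printf '%s' "$smb" | global_values 'client signing' | tr '[:upper:]' '[:lower:]')" = disabled ]; then
        echo "client signing = disabled weakens Samba's own outbound SMB connections (for example to the DCs); remove it or set it to mandatory"
    fi
    for db in passwd group; do
        if ! printf '%s' "$nss" | nss_has_winbind "$db"; then
            echo "nsswitch.conf: '$db' does not list winbind, so AD users/groups cannot be resolved for valid users or force group. Use: $db: files nis winbind"
        fi
    done
}

# Number of findings, for scripting.
audit_count() {
    audit_findings "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run: the constructed "as posted" config, then the corrected one.
printf '== as posted ==\n'; audit_findings "$SAMPLE_SMB_CONF" "$SAMPLE_NSSWITCH"
printf '== corrected (%s findings) ==\n' "$(audit_count "$FIXED_SMB_CONF" "$FIXED_NSSWITCH")"
```

These checks are static. Confirm on the box with `testparm -s` (which shows the single surviving `vfs objects` line), `net ads testjoin`, `wbinfo -u`, and `getent passwd <user>` (no domain prefix is needed with `winbind use default domain = yes`); if getent returns nothing for an AD user, smbd cannot match that user against `valid users` or `force group`, whatever the Windows client sends.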
