[Samba] Error : You dont have permission to save at this location.

Rowland Penny rpenny at samba.org
Fri Jun 4 18:19:16 UTC 2021


On 04/06/2021 17:59, Krish Kay wrote:
>
>
> Thanks for the information, specifically reg. ver > 4.8.0.
> We are not using sssd, and are not running winbind with samba 4.7.8 on 
> RHEL6.
>
>
> (1)Since we are using AD, we are not making changes to our existing 
> /etc/krb5.conf
> Is that okay?


Your /etc/krb5.conf only needs this:

[libdefaults]
     default_realm = SAMDOM.EXAMPLE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true

Replace 'SAMDOM.EXAMPLE.COM' with your realm.

>
>
>
> (2)We tested winbind for samba 4.10.16-5 on RHEL7.
> Basic checks look good.
> #wbinfo --ping-dc
> checking the NETLOGON for domain[ENT] dc connection to 
> "<hostname>.com" succeeded
>
> However, when smb is restarted after winbind, we are unable to map the 
> samba drive in Windows.
> This error msg pops up in Windows: You do not have permission to 
> access \\<samba-server>\<share> Contact your network admin.
>
> Since we use NIS, what should be updated content in /etc/nsswitch.conf.


What do you mean by 'we use NIS'?

> Does winbind come before or after nis.


Instead of

>
> (3)We do use shares. Example:
> [<share-name>]
>          comment = <comment>
>          create mask = 0775
>          force directory mode = 0775
>          force group = <unix group name>
>          path = <unix path to share>
>          public = no
>          valid users = <username1> <username2>
>          writeable = yes


Instead of using all those lines, I would read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Then set up the share permissions from Windows, or at the very least by 
using setfacl.

>
> (4)Below is the updated smb.conf
>

This is my take on your smb.conf, without default lines etc:

[global]
         workgroup = <WORKGROUP NAME>
         realm = <DOMAIN>.COM
         server string = Samba %v on (%L)
         security = ADS

         use sendfile = yes
         local master = no
         preferred master = no
         domain master = no
         msdfs root = yes
         log level = 3
         log file = <unix path to logfile>/samba.log.%m
         max log size = 4096
         deadtime = 5
         keepalive = 900

         client min protocol = SMB2
         server min protocol = SMB2
         winbind use default domain = yes
         winbind separator = +
         winbind cache time = 6000
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config <WORKGROUP NAME> : backend = rid
         idmap config <WORKGROUP NAME> : range = 10000-9999999
         # If you have rfc2307 attributes in AD, read this
         # https://wiki.samba.org/index.php/Idmap_config_ad

         template shell = /bin/bash
         vfs objects = acl_xattr full_audit
         map acl inherit = Yes

         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         username map = <unix path>/map.txt

         dont descend = .snapshot
         hide files = /.snapshot/._*/
         veto files = /*.one/*Notebook.onetoc2/.parentlock/
         blocking locks = no
         kernel share modes = no
         client signing = disabled

         full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
         full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
         full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
         full_audit:facility = local6
         full_audit:priority = NOTICE
         include = <unix path>/config/general_smb.conf

Just two questions, what is in your 'username map' and what is in the 
'include' file ?

Rowland
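
Added example, not part of the message above and not Samba project code: a small parser for the syslog records that the full_audit settings in this smb.conf would produce, tallying failed operations per user and share to help trace a "You do not have permission" error. It assumes the vfs_full_audit record layout of prefix|operation|result|arguments; the field names, host name, users, addresses and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Names for the page's prefix %D|%u|%g|%m|%I|%R|%p|%S (smb.conf variables);
# the names themselves are chosen for this example.
PREFIX_FIELDS = ["domain", "user", "group", "machine", "client_ip",
                 "protocol", "nis_home", "share"]
N = len(PREFIX_FIELDS)
RECORD = re.compile(r"smbd_audit(?:\[\d+\])?:\s*(.*)$")
RESULT = re.compile(r"^(ok|fail)(?:\s*\((.*)\))?$")

# Constructed sample syslog lines (facility local6), not taken from the thread.
SAMPLE = """\
Jun  4 18:01:02 fs1 smbd_audit[2211]: ENT|alice|domain users|WS01|192.0.2.10|SMB3_11||projects|connect|ok|projects
Jun  4 18:01:03 fs1 smbd_audit[2211]: ENT|alice|domain users|WS01|192.0.2.10|SMB3_11||projects|open|fail (Permission denied)|r|plan|v2.txt
Jun  4 18:01:09 fs1 smbd_audit[2240]: ENT|bob|domain users|WS02|192.0.2.11|SMB3_11||projects|connect|fail (Permission denied)|projects
Jun  4 18:01:10 fs1 smbd[2240]: unrelated daemon message
"""

def parse_line(line):
    """Return a dict for one full_audit record, or None for any other line."""
    m = RECORD.search(line)
    if not m:
        return None
    # Split off only prefix, operation and result: file names may contain '|'.
    parts = m.group(1).split("|", N + 2)
    if len(parts) < N + 2:
        return None
    res = RESULT.match(parts[N + 1])
    if not res:
        return None
    rec = dict(zip(PREFIX_FIELDS, parts))
    rec.update(op=parts[N], ok=res.group(1) == "ok", error=res.group(2),
               args=parts[N + 2] if len(parts) > N + 2 else "")
    return rec

def failures(lines):
    """Count failed operations per (user, share, operation, error)."""
    tally = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if not rec["ok"]:
            tally[(rec["user"], rec["share"], rec["op"], rec["error"])] += 1
    return tally

if __name__ == "__main__":
    for key, count in failures(SAMPLE.splitlines()).most_common():
        print(count, *key)
```

A failed connect points at share-level access (for example 'valid users'), while a successful connect followed by failed open or mkdir points at the filesystem permissions or ACLs under the share path.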




