[Samba] Error : You dont have permission to save at this location.
Rowland penny
rpenny at samba.org
Fri Jun 4 18:19:16 UTC 2021
On 04/06/2021 17:59, Krish Kay wrote:
>
>
> Thanks for the information, specifically reg. ver > 4.8.0.
> We are not using sssd, and are not running winbind with samba 4.7.8 on
> RHEL6.
>
>
> (1)Since we are using AD, we are not making changes to our existing
> /etc/krb5.conf
> Is that okay?
Your /etc/krb5.conf only needs this:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>
>
>
> (2)We tested winbind for samba 4.10.16-5 on RHEL7.
> Basic checks look good.
> #wbinfo --ping-dc
> checking the NETLOGON for domain[ENT] dc connection to
> "<hostname>.com" succeeded
>
> However, when smb is restarted after winbind, we are unable to map the
> samba drive in Windows.
> This error msg pops up in windows : You do not have permission to
> access \\<samba-server>\<share> Contact your network admin.
>
> Since we use NIS, what should be updated content in /etc/nsswitch.conf.
What do you mean by 'we use NIS'?
> Does winbind come before or after nis.
Instead of
>
> (3)We do use shares. Example:
> [<share-name>]
> comment = <comment>
> create mask = 0775
> force directory mode = 0775
> force group = <unix group name>
> path = <unix path to share>
> public = no
> valid users = <username1> <username2>
> writeable = yes
Instead of using all those lines, I would read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Then set up the share permissions from Windows, or at the very least by
using setfacl.
>
> (4)Below is the updated smb.conf
>
This is my take on your smb.conf, without default lines etc:
[global]
workgroup = <WORKGROUP NAME>
realm = <DOMAIN>.COM
server string = Samba %v on (%L)
security = ADS
use sendfile = yes
local master = no
preferred master = no
domain master = no
msdfs root = yes
log level = 3
log file = <unix path to logfile>/samba.log.%m
max log size = 4096
deadtime = 5
keepalive = 900
client min protocol = SMB2
server min protocol = SMB2
winbind use default domain = yes
winbind separator = +
winbind cache time = 6000
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config <WORKGROUP NAME> : backend = rid
idmap config <WORKGROUP NAME> : range = 10000-9999999
# If you have rfc2307 attributes in AD, read this
# https://wiki.samba.org/index.php/Idmap_config_ad
template shell = /bin/bash
vfs objects = acl_xattr full_audit
map acl inherit = Yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
username map = <unix path>/map.txt
dont descend = .snapshot
hide files = /.snapshot/._*/
veto files = /*.one/*Notebook.onetoc2/.parentlock/
blocking locks = no
kernel share modes = no
client signing = disabled
full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
full_audit:facility = local6
full_audit:priority = NOTICE
include = <unix path>/config/general_smb.conf
Just two questions, what is in your 'username map' and what is in the
'include' file ?
Rowland
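
A small pre-flight check for a [global] section like the one in this message, added here as an example (it is not from the original post or from the Samba project). It verifies that the idmap ranges do not overlap and flags lines that were wrapped by a mail client without the trailing backslash smb.conf needs for continuation. The domain name SAMDOM and the function names are assumptions, and the sample text is constructed.

```python
import re

# Constructed sample: shaped like the [global] section in the message, with a
# placeholder domain (SAMDOM) and one list wrapped the way a mail client would.
SAMPLE = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-9999999
    full_audit:success = connect chdir opendir mkdir rmdir open
    read write unlink
    full_audit:failure = connect chdir \\
        open read write unlink
"""

IDMAP_RANGE = re.compile(r"idmap config\s+(\S+)\s*:\s*range$", re.I)

def logical_lines(text):
    """Yield (first_lineno, line) with trailing-backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def check(text):
    """Return (ranges, problems) for an smb.conf fragment."""
    ranges, problems = {}, []
    for n, line in logical_lines(text):
        if not line or line[0] in "#;" or line.startswith("["):
            continue  # blank line, comment or section header
        key, sep, value = line.partition("=")
        m = IDMAP_RANGE.match(key.strip())
        if not sep:
            problems.append(f"line {n}: no '=', wrapped without a backslash? {line!r}")
        elif m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    doms = sorted(ranges, key=lambda d: ranges[d])
    for a, b in zip(doms, doms[1:]):  # neighbours after sorting by low bound
        if ranges[b][0] <= ranges[a][1]:
            problems.append(f"idmap ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    return ranges, problems
```

Run `check()` on the text of a real smb.conf before restarting smbd and winbind; `testparm` remains the authoritative parser.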