[Samba] Error : You dont have permission to save at this location.

Krish Kay tomnaugh at gmail.com
Fri Jun 4 19:53:06 UTC 2021


>>Just two questions, what is in your 'username map' and what is in the
'include' file ?
map.txt has:
stpadmin = STP-ADMIN

include has blocks like below:
[<share-name>]
          comment = <comment>
          create mask = 0775
          force directory mode = 0775
          force group = <unix group name>
          path = <unix path to share>
          public = no
          valid users = <username1> <username2>
          writeable = yes

>>What do you mean by 'we use NIS' ?
NIS is a naming service, Network Information Service.
https://en.wikipedia.org/wiki/Network_Information_Service

So, in our /etc/resolv.conf we currently have the below. Do we add winbind
before or after nis?
passwd:     files nis
group:      files nis


Thanks


On Fri, Jun 4, 2021 at 1:20 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 04/06/2021 17:59, Krish Kay wrote:
> >
> >
> > Thanks for the information, specifically reg. ver > 4.8.0.
> > We are not using sssd, and are not running winbind with samba 4.7.8 on
> > RHEL6.
> >
> >
> > (1)Since we are using AD, we are not making changes to our existing
> > /etc/krb5.conf
> > Is that okay?
>
>
> Your /etc/krb5.conf only needs this:
>
> [libdefaults]
>      default_realm = SAMDOM.EXAMPLE.COM
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
>
> Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>
> >
> >
> >
> > (2)We tested winbind for samba 4.10.16-5 on RHEL7.
> > Basic checks look good.
> > #wbinfo --ping-dc
> > checking the NETLOGON for domain[ENT] dc connection to
> > "<hostname>.com" succeeded
> >
> > However, when smb is restarted after winbind, we are unable to map the
> > samba drive in Windows.
> > This error msg pops up in Windows : You do not have permission to
> > access \\<samba-server>\<share> Contact your network admin.
> >
> > Since we use NIS, what should be the updated content in /etc/nsswitch.conf?
>
>
> What do you mean by 'we use NIS' ?
>
> > Does winbind come before or after nis?
>
>
> Instead of
>
> >
> > (3)We do use shares. Example:
> > [<share-name>]
> >          comment = <comment>
> >          create mask = 0775
> >          force directory mode = 0775
> >          force group = <unix group name>
> >          path = <unix path to share>
> >          public = no
> >          valid users = <username1> <username2>
> >          writeable = yes
>
>
> Instead of using all those lines, I would read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Then set up the share permissions from Windows, or at the very least by
> using setfacl.
>
> >
> > (4)Below is the updated smb.conf
> >
>
> This is my take on your smb.conf, without default lines etc:
>
> [global]
>          workgroup = <WORKGROUP NAME>
>          realm = <DOMAIN>.COM
>          server string = Samba %v on (%L)
>          security = ADS
>
>          use sendfile = yes
>          local master = no
>          preferred master = no
>          domain master = no
>          msdfs root = yes
>          log level = 3
>          log file = <unix path to logfile>/samba.log.%m
>          max log size = 4096
>          deadtime = 5
>          keepalive = 900
>
>          client min protocol = SMB2
>          server min protocol = SMB2
>          winbind use default domain = yes
>          winbind separator = +
>          winbind cache time = 6000
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
>          idmap config <WORKGROUP NAME> : backend = rid
>          idmap config <WORKGROUP NAME> : range = 10000-9999999
>          # If you have rfc2307 attributes in AD, read this
>          # https://wiki.samba.org/index.php/Idmap_config_ad
>
>          template shell = /bin/bash
>          vfs objects = acl_xattr full_audit
>          map acl inherit = Yes
>
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
>
>          username map = <unix path>/map.txt
>
>          dont descend = .snapshot
>          hide files = /.snapshot/._*/
>          veto files = /*.one/*Notebook.onetoc2/.parentlock/
>          blocking locks = no
>          kernel share modes = no
>          client signing = disabled
>
>          full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
>          full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
>          full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
>          full_audit:facility = local6
>          full_audit:priority = NOTICE
>          include = <unix path>/config/general_smb.conf
>
> Just two questions, what is in your 'username map' and what is in the
> 'include' file ?
>
> Rowland
>
>
>
>
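
An added example, not part of the original thread or of Samba itself: a small Python pre-flight check for two things this exchange turns on. It confirms that the 'idmap config' ranges in smb.conf do not overlap, and lists which of the passwd/group Name Service Switch lines do not yet name winbind as a source. The inputs are constructed samples modelled on the values quoted above; the domain name SAMDOM and all function names are assumptions.

```python
import re

# Constructed sample input, modelled on the settings quoted in this thread.
SMB_CONF = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-9999999
"""
NSSWITCH = "passwd:     files nis\ngroup:      files nis\n"

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    out = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)  # commented-out lines (# or ;) do not match
        if m:
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out

def overlapping(ranges):
    """Return pairs of domains whose ID ranges intersect (must be empty)."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(items)
            for b, (blo, bhi) in items[i + 1:]
            if alo <= bhi and blo <= ahi]

def nss_sources(nsswitch, database):
    """Return the sources for one database, left to right (lookup order)."""
    for line in nsswitch.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return]
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def missing_winbind(nsswitch):
    """Databases among passwd/group that do not list winbind as a source."""
    return [db for db in ("passwd", "group")
            if "winbind" not in nss_sources(nsswitch, db)]

if __name__ == "__main__":
    print("idmap ranges:   ", idmap_ranges(SMB_CONF))
    print("overlaps:       ", overlapping(idmap_ranges(SMB_CONF)))
    print("missing winbind:", missing_winbind(NSSWITCH))
```
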
