[Samba] Error : You dont have permission to save at this location.
Krish Kay
tomnaugh at gmail.com
Fri Jun 4 19:53:06 UTC 2021
>>Just two questions, what is in your 'username map' and what is in the
'include' file ?
map.txt has:
stpadmin = STP-ADMIN
include has blocks like below:
[<share-name>]
comment = <comment>
create mask = 0775
force directory mode = 0775
force group = <unix group name>
path = <unix path to share>
public = no
valid users = <username1> <username2>
writeable = yes
>>What do mean by 'we use NIS' ?
NIS is naming service, Network Information Service.
https://en.wikipedia.org/wiki/Network_Information_Service
So, in our /etc/resolv.conf we currently have below. Do we add winbind,
before or after nis.
passwd: files nis
group: files nis
Thanks
On Fri, Jun 4, 2021 at 1:20 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 04/06/2021 17:59, Krish Kay wrote:
> >
> >
> > Thanks for the information, specifically reg. ver > 4.8.0.
> > We are not using sssd, and are not running winbind with samba 4.7.8 on
> > RHEL6.
> >
> >
> > (1)Since we are using AD, we are not making changes to our existing
> > /etc/krb5.conf
> > Is that okay?
>
>
> Your /etc/krb5.conf only needs this:
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>
> >
> >
> >
> > (2)We tested winbind for samba 4.10.16-5 on RHEL7.
> > Basic checks look good.
> > #wbinfo --ping-dc
> > checking the NETLOGON for domain[ENT] dc connection to
> > "<hostname>.com" succeeded
> >
> > However, when smb is restarted after winbind, we are unable to map the
> > samba drive in Windows.
> > This error msg pop's up in windows : You do not have permission to
> > access \\<samba-server>\<share> Contact your network admin.
> >
> > Since we use NIS, what should be updated content in /etc/nsswitch.conf.
>
>
> What do mean by 'we use NIS' ?
>
> > Does winbind come before or after nis.
>
>
> Instead of
>
> >
> > (3)We do use shares. Example:
> > [<share-name>]
> > comment = <comment>
> > create mask = 0775
> > force directory mode = 0775
> > force group = <unix group name>
> > path = <unix path to share>
> > public = no
> > valid users = <username1> <username2>
> > writeable = yes
>
>
> Instead of using all those lines, I would read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Then set up the share permissions from Windows, or at the very least by
> using setfacl.
>
> >
> > (4)Below is the updated smb.conf
> >
>
> This is my take on your smb.conf, without default lines etc:
>
> [global]
> workgroup = <WORKGROUP NAME>
> realm = <DOMAIN>.COM
> server string = Samba %v on (%L)
> security = ADS
>
> use sendfile = yes
> local master = no
> preferred master = no
> domain master = no
> msdfs root = yes
> log level = 3
> log file = <unix path to logfile>/samba.log.%m
> max log size = 4096
> deadtime = 5
> keepalive = 900
>
> client min protocol = SMB2
> server min protocol = SMB2
> winbind use default domain = yes
> winbind separator = +
> winbind cache time = 6000
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config <WORKGROUP NAME> : backend = rid
> idmap config <WORKGROUP NAME> : range = 10000-9999999
> # If you have rfc2307 attributes in ADD, read this
> # https://wiki.samba.org/index.php/Idmap_config_ad
>
> template shell = /bin/bash
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> username map = <unix path>/map.txt
>
> dont descend = .snapshot
> hide files = /.snapshot/._*/
> veto files = /*.one/*Notebook.onetoc2/.parentlock/
> blocking locks = no
> kernel share modes = no
> client signing = disabled
>
> full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
> full_audit:success = connect chdir opendir mkdir rmdir open
> read write unlink
> full_audit:failure = connect chdir opendir mkdir rmdir open
> read write unlink
> full_audit:facility = local6
> full_audit:priority = NOTICE
> include = <unix path>/config/general_smb.conf
>
> Just two questions, what is in your 'username map' and what is in the
> 'include' file ?
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list