[Samba] Access denied to shares moved from AD DC to member server
Antonio Trogu
a.trogu at gruppoconcorde.it
Wed Mar 2 17:04:56 UTC 2022
Hello everybody.
I have joined a new Ubuntu 20.04 server with Samba 4.13.17 (packaged) to
an AD on CentOS 7.9 and Samba 4.14.4 (compiled), following the Samba Team's
Howto, and everything appears to have succeeded.
After moving our iSCSI target hosting the shares from the PDC to the member
server and configuring them on Samba, only the domain's Administrator can
access them; no other authenticated user can. No credentials are asked for on
the client, but a Windows "Network error" appears, while the member
server's Samba log shows several NT_STATUS_ACCESS_DENIED errors.
Windows ACLs on the shares appear correct, but do not seem to be applied to
the moved shares.
This is the AD DC's smb.conf (only global and example share):
[global]
    workgroup = MYAD
    realm = MYAD.MYDOMAIN.IT
    netbios name = MYADDC
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/%m.log
    log level = 2

[Share1]
    path = /path/to/share1
    read only = no

This instead is the member server's smb.conf:
[global]
    security = ADS
    workgroup = MYAD
    realm = MYAD.MYDOMAIN.IT
    username map = /etc/samba/user.map
    vfs objects = acl_xattr
    map acl inherit = yes
    winbind nss info = rfc2307
    log file = /var/log/samba/%m.log
    log level = 5 winbind:10
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYAD:backend = rid
    idmap config MYAD:range = 10000-9999999
    min domain uid = 0
    acl_xattr:ignore system acls = yes

[Share1]
    path = /path/to/Share1
    read only = no

I've increased the logging, especially winbind's, but I'm not able to see
anything helpful. Where should I look now?
Thanks,
Antonio