[Samba] clients not connecting to samba shares

[Kees van Vloten]

On 01-04-2023 20:38, Rowland Penny via samba wrote:
>
>
> On 01/04/2023 19:10, Gary Dale via samba wrote:
>
>> https://wiki.samba.org/index.php/Idmap_config_ad in the Configuring 
>> the ad Back End section.
>
> Yes, but right at the top there is a warning box that says:
>
> ID mapping back ends are not supported in the smb.conf file on a Samba 
> Active Directory (AD) domain controller (DC).
> For details, see Failure To Access Shares on Domain Controllers If 
> idmap config Parameters Set in the smb.conf File.
>
> I will update that say, do not add anything on this page to a Samba AD 
> DC smb.conf.
>
>>
>> Which shows that the documentation is fragmented and contradictory 
>> (not to mention obfuscated). If something is OK to set in one 
>> instance but not another, shouldn't that be highlighted? We have 
>> hyperlinks these days.
>>
>
> It isn't as easy as that on the Samba wiki, I wish it was. I know that 
> the Samba wiki isn't the best in the world, but I cannot change the 
> wiki software.
>
>> Not according to a lot of the recent documentation. It's telling me 
>> to use the Windows tools, which are a nightmare, to do things that 
>> I'd prefer to do through the Linux tools.
>>
>
> The Samba wiki mentions ADUC a lot, but this isn't as easy to use as 
> it once was and samba-tool has got a lot better.
>
>>
>> How would that stop my Windows 10 VM from accessing shares? I recall 
>> some registry settings being needed to get Windows 7 to work with 
>> Samba but that's ancient history...
>
> The lack of SMBv1 shouldn't stop Win10 access a share, it would stop 
> Network Browsing though. If Win10 cannot access a Samba share, then 
> there should be something in the Windows event log and or the logs of 
> the Samba server. There are two things to note, Win10 may require the 
> latest Heimdal and if you are trying to connect to a guest Samba 
> share, you should check if Windows doesn't have guest access turned off.
>
>> Haven't tried it since pre-pandemic - certainly not with a Bullseye 
>> server - so it is not going to be interesting to look at. It 
>> definitely predates the backports version of Samba.
>>
>> That's why I'm looking for something more recent so I can retry.
>
> The actual way you setup a smb.conf hasn't changed much for quite a 
> few years, so it should be valid.
>
>> I tried using Samba once rather than NFS but that broke things. I 
>> keep my mail on the server and Thunderbird didn't work properly. 
>> Reverting to NFS fixed that. Also, Samba shares seemed slower and 
>> less reliable. NFS just works.
>
> I use Thunderbird on a Unix domain member and apart from an annoying 
> Thunderbird bug, everything works okay.
>
> As for speed, there isn't much difference between the two now, but you 
> can use NFS with Samba authentication, I just wouldn't share an NFS 
> export.
Indeed share the same directory over SMB and over NFS is a bad idea. 
Hosting a Samba share on an NFS share is a similar bad idea.
>
> There are probably users out there using NFS with AD authentication, I 
> hope one of them will help here.

For NFS the most important thing is to have a single source for UIDs and 
GIDs, winbind + Samba-ADDC does a great job get this done.

Next you decide if you are good with unencrypted shares authorized by 
client-machine-IP, if so the simplest form of NFS4 (very similar to the 
setup of NFS3) will do. If not you have to setup Kerberized NFS which 
has user-authentication (due to kerberos) and allows shares encrypted on 
the wire just as SMB has in recent versions.

At the moment I am still using NFS4 for my Linux clients because Samba 
does not offer the Unix-extensions with SMB3 yet. Unfortunately I 
noticed that did not make it into 4.18.

- Kees.

>
> Rowland
>
>
>