Ian Collier
2016-Apr-15 15:21 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
On Fri, Apr 15, 2016 at 04:06:53PM +0100, you wrote:
> Having got that out of the way, can you post your smb.conf ?

This is slightly redacted so apologise if some essential info was missing. Also there are lots of shares but the 0700 access problem happens on the [homes] share so here's that one:

[global]
        workgroup = ...
        realm = ...
        server string = Samba Server
        interfaces = 127.0.0.1, eth0
        bind interfaces only = Yes
        security = ADS
        password server = dc1... dc2...
        log level = 1
        log file = /var/log/samba/log.%m
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        read only = No
        create mask = 0664
        hosts allow = .../22
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        posix locking = no
        kernel oplocks = no
        username map script = /bin/echo

[homes]
        comment = UNIX Home Directories
        path = /auto/users/%U
        create mask = 0750
        directory mask = 0750
        browseable = No

Ian Collier.
Rowland Penny
2016-Apr-15 16:36 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
On 15/04/16 16:21, Ian Collier wrote:
> On Fri, Apr 15, 2016 at 04:06:53PM +0100, you wrote:
>> Having got that out of the way, can you post your smb.conf ?
> This is slightly redacted so apologise if some essential info
> was missing. Also there are lots of shares but the 0700 access
> problem happens on the [homes] share so here's that one:
>
> [global]
>         workgroup = ...
>         realm = ...
>         server string = Samba Server
>         interfaces = 127.0.0.1, eth0
>         bind interfaces only = Yes
>         security = ADS
>         password server = dc1... dc2...
>         log level = 1
>         log file = /var/log/samba/log.%m
>         load printers = No
>         printcap name = /dev/null
>         disable spoolss = Yes
>         read only = No
>         create mask = 0664
>         hosts allow = .../22
>         printing = bsd
>         print command = lpr -r -P'%p' %s
>         lpq command = lpq -P'%p'
>         lprm command = lprm -P'%p' %j
>         posix locking = no
>         kernel oplocks = no
>         username map script = /bin/echo
>
> [homes]
>         comment = UNIX Home Directories
>         path = /auto/users/%U
>         create mask = 0750
>         directory mask = 0750
>         browseable = No
>
> Ian Collier.
>

OK, you have a Samba domain member that is joined to an AD domain and you also say you are running winbindd, but there doesn't seem to be any winbind or 'idmap config' lines in your smb.conf, are you also running sssd ?

If you are not running sssd, can I suggest having a look here:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

You will probably want to use the 'rid' backend

Rowland
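A small check for the condition pointed out in the message above (security = ADS with no 'idmap config' lines), as an added example that is not part of the thread or of Samba's own tooling. The function names are hypothetical, and the sample is a trimmed, constructed copy of the posted config with a placeholder realm.

```python
import re

# Constructed sample: a trimmed copy of the posted settings; the realm is a
# placeholder because the original value is redacted.
SAMPLE = """\
[global]
    realm = EXAMPLE.INVALID
    security = ADS
    username map script = /bin/echo
[homes]
    path = /auto/users/%U
    directory mask = 0750
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with normalised names."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def idmap_domains(conf):
    # Collect 'idmap config DOMAIN : option = value' lines per domain
    # (domain names come out lower-cased by norm()).
    domains = {}
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmapconfig(.+):(.+)", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains

def check_member(conf):
    is_ads = conf.get("global", {}).get("security", "").lower() == "ads"
    if is_ads and not idmap_domains(conf):
        return ["security = ADS but no 'idmap config' lines"]
    return []
```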
Ian Collier
2016-Apr-15 17:18 UTC
[Samba] Cannot browse mode 0700 directories from Windows with security=ads
rpenny at samba.org writes:
> OK, you have a Samba domain member that is joined to an AD domain and you
> also say you are running winbindd, but there doesn't seem to be any winbind
> or 'idmap config' lines in your smb.conf, are you also running sssd ?

The server has "passwd: files ldap" in nsswitch.conf and sssd is not running, but "getent passwd randomuser" does the right thing. I'm not 100% sure how this works if I'm honest, because it was set up by someone else and we do run sssd on our *ix machines as a general rule.

> If you are not running sssd, can I suggest having a look here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> You will probably want to use the 'rid' backend

OK I will look at that in detail later, but it mentions putting winbind in nsswitch.conf which I don't think we want to do. I'm not entirely sure what the idmap backend thing does although my impression is that it's for when you are using winbind to provide services to NSS, which we're not doing here. I have previously tried adding "backend = nss" but it didn't seem to have any effect.

Ian Collier.