Hello,

We're running CentOS 7 with Samba 4.7.1 and we have an AD on WS2012 R2, so all users and groups are already created on the AD. The idea is to log on with the credentials from the AD to the Samba file server.

We configured the smb.conf according to the Samba wiki, so this is the result:

[global]
    security = ADS
    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    log file = /var/log/samba/%m.log
    log level = 3
    max log size = 50

    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000 - 7999

    # idmap config for MYDOMAIN domain
    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 10000-999999

    template shell = /bin/bash
    template homedir = /home/%U
    username map = /usr/local/samba/etc/user.map
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

[compa]
    path = /home/sistemas/compartido
    read only = no

The server was correctly joined to the domain and we can query the AD for users and groups with getent passwd and getent group.

According to the wiki, the directory must be owned by root and the owner group is system admins from the AD, like this:

drwxrwx---+ 2 root system_admins 51 jun 12 17:22 compartido

All good so far, and we can modify the ACL from Windows and query this configuration with getfacl. But when we try to access the shared directory, we get the access denied error, and we get this from the log:

../source3/smbd/smb2_server.c:3120(smbd_smb2_request_error_ex) smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:293

We've been trying to solve this error for a few days, but we haven't had any luck.

Best regards
Luis Espitia
On Tue, 12 Jun 2018 18:10:16 -0500
Luis Emilio Espitia Sanchez via samba <samba at lists.samba.org> wrote:

> Hello,
>
> We're running Centos 7 with samba 4.7.1 and we have an AD on WS2012
> R2, so all users and groups are already created on the AD. The idea
> is to logon with the credential from de AD to the samba file server.
>

You say the users are created in AD, but do they have a uidNumber attribute?
Does Domain Users have a gidNumber attribute?
If these numbers exist, are they inside the range you have set in smb.conf?

The uidNumber & gidNumber attributes are not automatically created.

Rowland
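The check Rowland asks for (does every mapped account carry a uidNumber and a primary gidNumber that fall inside the domain's idmap range?) can be scripted against the output of getent passwd. The script below is an added example, not code from the thread or from the Samba project: it takes the range from the poster's smb.conf (idmap config MYDOMAIN:range = 10000-999999) and runs over constructed passwd-format lines so it works offline; SAMPLE_PASSWD, the function names and the sample users are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag accounts whose uid or primary gid
# lies outside the idmap range configured for the AD domain in smb.conf.
# On a real member server replace the constructed sample with the output of
# `getent passwd` (or `getent passwd some_user`).

# Range taken from the poster's smb.conf: idmap config MYDOMAIN:range = 10000-999999
DOMAIN_RANGE_LOW=10000
DOMAIN_RANGE_HIGH=999999

# Constructed sample lines in `getent passwd` format (name:x:uid:gid:gecos:home:shell).
# alice and bob are fine; carol's uid is below the domain range; dave's primary
# gid (3001) sits in the BUILTIN tdb range 3000-7999 rather than the AD range,
# which is what you would see if the primary group had no usable gidNumber.
SAMPLE_PASSWD='alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:10002:10000:Bob:/home/bob:/bin/bash
carol:*:5000:10000:Carol:/home/carol:/bin/bash
dave:*:10003:3001:Dave:/home/dave:/bin/bash'

# in_range NUMBER LOW HIGH -> exit status 0 when LOW <= NUMBER <= HIGH
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_passwd_line LINE -> prints a diagnosis for each problem found;
# exit status 0 only when both the uid and the primary gid are in range
check_passwd_line() {
    name=$(printf '%s' "$1" | cut -d: -f1)
    uid=$(printf '%s' "$1" | cut -d: -f3)
    gid=$(printf '%s' "$1" | cut -d: -f4)
    status=0
    if ! in_range "$uid" "$DOMAIN_RANGE_LOW" "$DOMAIN_RANGE_HIGH"; then
        echo "$name: uid $uid outside idmap range $DOMAIN_RANGE_LOW-$DOMAIN_RANGE_HIGH (check uidNumber)"
        status=1
    fi
    if ! in_range "$gid" "$DOMAIN_RANGE_LOW" "$DOMAIN_RANGE_HIGH"; then
        echo "$name: primary gid $gid outside idmap range (check gidNumber on the primary group)"
        status=1
    fi
    return $status
}

# count_bad_entries PASSWD_TEXT -> prints how many entries fail the check
count_bad_entries() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_passwd_line "$line" >/dev/null || bad=$((bad + 1))
    done <<EOF
$1
EOF
    echo "$bad"
}

# Report on the constructed sample; on a real server use:
#   count_bad_entries "$(getent passwd)"
count_bad_entries "$SAMPLE_PASSWD"
```

Two caveats when running this for real: with the ad backend, an AD user that has no uidNumber at all is simply absent from getent passwd rather than reported out of range, so compare the list against what AD holds; and a gid in the 3000-7999 block means the group was mapped by the tdb default backend, which is the symptom of a missing gidNumber on that group.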
Hello,

That's right, so I am working with a group of users that I modified so they have uidNumber and gidNumber inside the range of the domain. Also I inserted the gidNumber into the groups of those users and in the "Domain Users" group.

When I run "id some_user" or "getent passwd some_user" I get back the info of the user that corresponds with the info registered in the AD.

On Wed, 13 Jun 2018 1:37 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 12 Jun 2018 18:10:16 -0500
> Luis Emilio Espitia Sanchez via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > We're running Centos 7 with samba 4.7.1 and we have an AD on WS2012
> > R2, so all users and groups are already created on the AD. The idea
> > is to logon with the credential from de AD to the samba file server.
> >
>
> You say the users are created in AD, but do they have a uidNumber
> attribute ?
> Does Domain Users have a gidNumber attribute ?
> If these numbers exist, are they inside the range you have set in
> smb.conf
>
> The uidNumber & gidNumber attributes are not automatically created.
>
> Rowland