MAS Jean-Louis
2020-Dec-15 16:32 UTC
[Samba] Users can't mount shares on a domain member file server
hi,

We have replaced our old Centos 6 samba4 file server by a brand new Centos 7 file server.

The new Centos 7 server is a domain member joined by:

net ads join -U administrator

The Centos 6 samba file server was working fine, but on the new server nobody can mount windows shares, either home or teams shares.
We used the old Centos 6 smb.conf with some modifications suggested by 'testparm'.

On the Centos 6 server, we didn't use winbind, and now we must use it, and winbind causes strange mappings on our fileserver.

On our Centos 7 file server we've got, for example:

$ getent passwd jlmas
jlmas:x:20025:20000:MAS Jean-Louis:/home/misi/jlmas/:/bin/bash

$ wbinfo -i jlmas
jlmas:*:400002:400005:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

None of the configuration above comes from our AD, it's totally foreign.

The same command run on our samba4 AD-DC:

$ wbinfo -i jlmas
EXAMPLE\jlmas:*:20025:513::/home/%ACCOUNTNAME%:/bin/bash

Of course, I can't mount my share, I get an "access denied".

We only have one domain, and we want to use unix uid and gid for our users as previously.

Some conf files on our new Centos 7 file server. It's also a linux nfs server and it's also accessed with ssh/sftp by Linux users.
The Linux side credentials come from our Samba4 AD-DC.

$ rpm -q samba
samba-4.10.16-7.el7_9.x86_64

# /etc/nsswitch.conf

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files winbind
netgroup: files winbind ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

# smb.conf (with only one teams share for example)

# Global parameters
[global]
allow trusted domains = No
disable spoolss = Yes
domain master = No
kerberos method = system keytab
load printers = No
local master = No
log file = /var/log/samba/samba.log
ntlm auth = ntlmv1-permitted
preferred master = No
printcap cache time = 0
printcap name = /dev/null
realm = EXAMPLE.COM
restrict anonymous = 2
security = ADS
server role = member server
server string = Samba Server Version %v
socket options = TCP_NODELAY IPTOS_LOWDELAY
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = EXAMPLE
rpc_daemon:spoolssd = off
smbd:backgroundqueue = no
idmap config example : backend = ads
idmap config example : schema_mode = rfc2307
idmap config example : range = 500-400000
idmap config * : schema_mode = rfc2307
idmap config * : range = 400001-410000
idmap_ldb : use rfc2307 = Yes
idmap config * : backend = tdb
printing = bsd
use sendfile = Yes

[netlogon]
browseable = No
path = /var/lib/samba/sysvol/example.fr/scripts
read only = No

[sysvol]
browseable = No
path = /var/lib/samba/sysvol
read only = No

[profiles]
browseable = No
path = /var/lib/samba/profiles
read only = No

[homes]
browseable = No
comment = Home Directory
read only = No

[team1]
comment = Equipe TEAM1
force group = +team1
path = /home/team1
read only = No
valid users = +team1

Nothing is written in the logs as nobody can access the share.

iptables are OK, we can telnet to our fileserver on port tcp 445 from any workstation:

jlmas at my-workstation:~$ telnet fileserver.example.com 445
Trying 2001:660:5301:xx::x...
Connected to fileserver.example.com.
Escape character is '^]'.

selinux is disabled.

Any help would be appreciated.

Thanks
-- 
Jean Louis Mas
Rowland penny
2020-Dec-15 17:29 UTC
[Samba] Users can't mount shares on a domain member file server
On 15/12/2020 16:32, MAS Jean-Louis via samba wrote:
> hi,
>
> We have replaced our old Centos 6 samba4 file server by a brand new
> Centos 7 file server
>
> The new Centos 7 server is a domain member joined by :
>
> net ads join -U administrator
>
> The Centos 6 samba file server was working fine, but on the new server
> nobody can mount windows shares either home or teams shares.
> We used the old Centos 6 smb.conf with some modifications suggested by
> 'testparm'

'testparm' doesn't suggest anything, it just checks your smb.conf

> On the Centos 6 server, we didn't use winbind, and now we must use it.
> and winbind cause strange mappings on our fileserver

Well it will possibly give you different ID's but they should be consistent.

> # /etc/nsswitch.conf
>
> passwd: files ldap

Replace 'ldap' with 'winbind'

> shadow: files ldap

Remove 'ldap'

> group: files ldap

Replace 'ldap' with 'winbind'

> hosts: files dns myhostname
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files winbind

Remove 'winbind'

> netgroup: files winbind ldap

Remove 'winbind' and 'ldap'

> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
> # smb.conf (with only one teams share for example)
>
> # Global parameters
> [global]
> allow trusted domains = No
> disable spoolss = Yes
> domain master = No
> kerberos method = system keytab
> load printers = No
> local master = No
> log file = /var/log/samba/samba.log
> ntlm auth = ntlmv1-permitted
> preferred master = No
> printcap cache time = 0
> printcap name = /dev/null
> realm = EXAMPLE.COM
> restrict anonymous = 2
> security = ADS
> server role = member server
> server string = Samba Server Version %v
> socket options = TCP_NODELAY IPTOS_LOWDELAY

I would remove the 'socket options' line and rely on the kernel knowing what it is doing.

> winbind nss info = rfc2307

Remove the line above, it has been replaced.

> winbind use default domain = Yes
> workgroup = EXAMPLE
> rpc_daemon:spoolssd = off
> smbd:backgroundqueue = no

Where did you get the line above from ?

> idmap config example : backend = ads

The 'ads' in the line above should be 'ad'

> idmap config example : schema_mode = rfc2307
> idmap config example : range = 500-400000

Why start at 500 ? Do you have normal users & groups in AD with uidNumbers & gidNumbers that start so low ? Not counting the ones that start with 'Domain' e.g. 'Domain Users'

> idmap config * : schema_mode = rfc2307

That line is not used with the '*' domain

> idmap config * : range = 400001-410000

We recommend the range '3000-7999' for the '*' domain

> idmap_ldb : use rfc2307 = Yes

The line above is only used on an AD DC

> idmap config * : backend = tdb
> printing = bsd
> use sendfile = Yes
>
>
> [netlogon]
> browseable = No
> path = /var/lib/samba/sysvol/example.fr/scripts
> read only = No
>
>
> [sysvol]
> browseable = No
> path = /var/lib/samba/sysvol
> read only = No

Why are 'sysvol' & 'netlogon' on a Unix domain member, they should be on your AD DC.
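The identity-mapping points raised in the reply above, turned into a small check script. This is an added example, not code from the thread or from the Samba project: it parses the 'idmap config' lines of a domain member's smb.conf and the database lines of nsswitch.conf and reports an unknown idmap backend name ('ads' instead of 'ad'), 'schema_mode' set on the '*' domain, overlapping idmap ranges, a '*' range other than the 3000-7999 the reply recommends, an 'idmap_ldb' option on a member server, and 'winbind' missing from passwd/group or listed on databases it does not serve. The sample configs embedded below are constructed from the lines posted in the thread; the function names and the set of known backends are the example's own assumptions.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf posted in the thread.
SMB_CONF = """\
[global]
   security = ADS
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   idmap config example : backend = ads
   idmap config example : schema_mode = rfc2307
   idmap config example : range = 500-400000
   idmap config * : schema_mode = rfc2307
   idmap config * : range = 400001-410000
   idmap_ldb : use rfc2307 = Yes
   idmap config * : backend = tdb
"""

# Constructed sample: the relevant lines of the nsswitch.conf posted in the thread.
NSSWITCH_CONF = """\
passwd:   files ldap
shadow:   files ldap
group:    files ldap
hosts:    files dns myhostname
services: files winbind
netgroup: files winbind ldap
"""

# "idmap config <domain> : <key> = <value>" (spacing around ':' and '=' is free-form)
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)
# idmap backends shipped with Samba (assumed list); the Active Directory one is 'ad'.
KNOWN_BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rfc2307", "rid",
                  "script", "tdb", "tdb2"}
# Range the reply recommends for the '*' (default/BUILTIN) domain.
RECOMMENDED_STAR_RANGE = (3000, 7999)


def parse_idmap(text):
    """Return {domain: {key: value}} for every 'idmap config' line (case-folded)."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].lower(), {})[m["key"].lower()] = m["val"]
    return cfg


def parse_range(val):
    """'500-400000' -> (500, 400000)."""
    lo, hi = (int(x) for x in val.split("-"))
    return lo, hi


def lint_smb_conf(text):
    """Return a list of human-readable findings for the idmap settings in smb.conf."""
    findings = []
    cfg = parse_idmap(text)
    for dom, keys in cfg.items():
        backend = keys.get("backend", "").lower()
        if backend and backend not in KNOWN_BACKENDS:
            findings.append(f"idmap config {dom}: backend '{backend}' is not a known "
                            f"idmap backend (the AD backend is 'ad')")
        if "range" not in keys:
            findings.append(f"idmap config {dom}: no range set")
        if dom == "*" and "schema_mode" in keys:
            findings.append("idmap config *: schema_mode is an 'ad' backend option "
                            "and is not used for the '*' domain")
    # Every domain's range must be disjoint from every other domain's range.
    ranges = {d: parse_range(k["range"]) for d, k in cfg.items() if "range" in k}
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges of '{a}' and '{b}' overlap")
    if "*" in ranges and ranges["*"] != RECOMMENDED_STAR_RANGE:
        findings.append("idmap config *: range is not the recommended 3000-7999")
    if re.search(r"^\s*idmap_ldb\s*:", text, re.I | re.M):
        findings.append("idmap_ldb option present: it only applies to an AD DC, "
                        "not to a domain member")
    return findings


def lint_nsswitch(text):
    """Return findings for the passwd/group/other database lines of nsswitch.conf."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ":" not in stripped:
            continue
        db, _, rest = stripped.partition(":")
        db, sources = db.strip(), rest.split()
        if db in ("passwd", "group") and "winbind" not in sources:
            findings.append(f"{db}: 'winbind' missing, domain users/groups will not "
                            f"resolve (the reply replaces 'ldap' with it)")
        if db not in ("passwd", "group") and "winbind" in sources:
            findings.append(f"{db}: 'winbind' only serves passwd and group; remove it here")
    return findings


if __name__ == "__main__":
    for finding in lint_smb_conf(SMB_CONF) + lint_nsswitch(NSSWITCH_CONF):
        print("-", finding)
```

Run it as-is to see the findings for the posted configuration; to check a real member server, read /etc/samba/smb.conf and /etc/nsswitch.conf into the two functions instead of the embedded samples. The overlap check is general: it compares every pair of configured domains, not only 'example' against '*'.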