On 09/02/15 19:18, sk at green.no wrote:
> -----samba-bounces at lists.samba.org wrote: -----
>
>> To: samba at lists.samba.org
>> From: Rowland Penny
>> Sent by: samba-bounces at lists.samba.org
>> Date: 02/09/2015 05:12PM
>> Subject: Re: [Samba] Domain users can't browse or access shares
>>
>> OK, as I thought, your smb.conf is setup to use the winbind 'ad' backend
>> and I am willing to lay another bet with you, you based some of the
>> changes on the samba wiki, if so, did you read what is written under the
>> sample smb.conf ?
>>
>> Thought not, you need to have the users unix attributes in AD before the
>> 'ad' backend will work and as you are using a windows server, it will
>> also need to have 'IDMU' installed.
>>
>> If you will only have windows users connecting to your member server,
>> then change
>>
>> idmap config GREENREEFERS:backend = ad
>> idmap config GREENREEFERS:schema_mode = rfc2307
>> idmap config GREENREEFERS:range=10000-99999
>>
>> To
>>
>> idmap config GREENREEFERS:backend = rid
>> idmap config GREENREEFERS:range=10000-99999
> I did the change, restarted samba and it didn't do any changes.

OK, make the [global] part of your smb.conf look like this:

[global]
    netbios name = bgo-nfs01
    workgroup = GREENREEFERS
    security = ADS
    realm = GREENREEFERS.NO
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = %h server
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind trusted domains only = no
    winbind nested groups = yes
    winbind refresh tickets = Yes
    winbind nss info = rfc2307
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config GREENREEFERS:backend = rid
    idmap config GREENREEFERS:range=10000-99999
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    preferred master = no
    local master = no
    template homedir = /dev/null
    template shell = /bin/true
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    dns proxy = No
    interfaces = eth1 lo
    bind interfaces only = yes
    log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
    panic action = /usr/share/samba/panic-action %d
    valid users = @"GREENREEFERS\grr"
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Check that /etc/krb5.conf exists and looks like this:

[libdefaults]
    default_realm = GREENREEFERS.NO
    dns_lookup_realm = false
    dns_lookup_kdc = true

Check that /etc/resolv.conf points to your AD DC (first on list)

Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'

Rowland

samba-bounces at lists.samba.org wrote on 09.02.2015 20:52:43:
> OK, make the [global] part of your smb.conf look like this:
>
> [global]
>     netbios name = bgo-nfs01
>     workgroup = GREENREEFERS
>     security = ADS
>     realm = GREENREEFERS.NO
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = %h server
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind trusted domains only = no
>     winbind nested groups = yes
>     winbind refresh tickets = Yes
>     winbind nss info = rfc2307
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config GREENREEFERS:backend = rid
>     idmap config GREENREEFERS:range=10000-99999
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>     preferred master = no
>     local master = no
>     template homedir = /dev/null
>     template shell = /bin/true
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     dns proxy = No
>     interfaces = eth1 lo
>     bind interfaces only = yes
>     log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
>     panic action = /usr/share/samba/panic-action %d
>     valid users = @"GREENREEFERS\grr"
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> Check that /etc/krb5.conf exists and looks like this:
>
> [libdefaults]
>     default_realm = GREENREEFERS.NO
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> Check that /etc/resolv.conf points to your AD DC (first on list)
>
> Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'

Hi, sorry for the late answer.

I did change the [global], and pasted smb.conf here: http://pastebin.com/WRNCKu42
I changed the krb5.conf file and pasted it here: http://pastebin.com/JqSavqD1
nsswitch.conf is unchanged, pasted here: http://pastebin.com/bW3HcKKN
resolv.conf has been correct all the time, I have verified now as well.

On 12/02/15 09:51, sk at green.no wrote:
> samba-bounces at lists.samba.org wrote on 09.02.2015 20:52:43:
>
>> OK, make the [global] part of your smb.conf look like this:
>>
>> [global]
>>     netbios name = bgo-nfs01
>>     workgroup = GREENREEFERS
>>     security = ADS
>>     realm = GREENREEFERS.NO
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     server string = %h server
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind use default domain = yes
>>     winbind trusted domains only = no
>>     winbind nested groups = yes
>>     winbind refresh tickets = Yes
>>     winbind nss info = rfc2307
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000-9999
>>     idmap config GREENREEFERS:backend = rid
>>     idmap config GREENREEFERS:range=10000-99999
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>     preferred master = no
>>     local master = no
>>     template homedir = /dev/null
>>     template shell = /bin/true
>>     syslog = 0
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     dns proxy = No
>>     interfaces = eth1 lo
>>     bind interfaces only = yes
>>     log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
>>     panic action = /usr/share/samba/panic-action %d
>>     valid users = @"GREENREEFERS\grr"
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>> Check that /etc/krb5.conf exists and looks like this:
>>
>> [libdefaults]
>>     default_realm = GREENREEFERS.NO
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> Check that /etc/resolv.conf points to your AD DC (first on list)
>>
>> Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'
>
> Hi, sorry for the late answer.
>
> I did change the [global], and pasted smb.conf here: http://pastebin.com/WRNCKu42
> I changed the krb5.conf file and pasted it here: http://pastebin.com/JqSavqD1
> nsswitch.conf is unchanged, pasted here: http://pastebin.com/bW3HcKKN
> resolv.conf has been correct all the time, I have verified now as well.
>

Does 'getent passwd <a domain user>' now show anything ?

Rowland

You are using idmap module rid for your domain.
I think getent passwd could not resolve anything because of your id range.
I would try a range of 1000 (one thousand)-99999 and see what happens.
New users in AD start with a rid of 1000. Well known users like administrator got their rid starting in the 500 range.
You should think of using rfc2307.

Regards
Tim

On 12 February 2015 10:51:47 CET, sk at green.no wrote:
>samba-bounces at lists.samba.org wrote on 09.02.2015 20:52:43:
>
>> OK, make the [global] part of your smb.conf look like this:
>>
>> [global]
>>     netbios name = bgo-nfs01
>>     workgroup = GREENREEFERS
>>     security = ADS
>>     realm = GREENREEFERS.NO
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     server string = %h server
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind use default domain = yes
>>     winbind trusted domains only = no
>>     winbind nested groups = yes
>>     winbind refresh tickets = Yes
>>     winbind nss info = rfc2307
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000-9999
>>     idmap config GREENREEFERS:backend = rid
>>     idmap config GREENREEFERS:range=10000-99999
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>     preferred master = no
>>     local master = no
>>     template homedir = /dev/null
>>     template shell = /bin/true
>>     syslog = 0
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     dns proxy = No
>>     interfaces = eth1 lo
>>     bind interfaces only = yes
>>     log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3
>>     panic action = /usr/share/samba/panic-action %d
>>     valid users = @"GREENREEFERS\grr"
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>> Check that /etc/krb5.conf exists and looks like this:
>>
>> [libdefaults]
>>     default_realm = GREENREEFERS.NO
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> Check that /etc/resolv.conf points to your AD DC (first on list)
>>
>> Check that the passwd & group lines in /etc/nsswitch.conf contain 'winbind'
>
>Hi, sorry for the late answer.
>
>I did change the [global], and pasted smb.conf here: http://pastebin.com/WRNCKu42
>I changed the krb5.conf file and pasted it here: http://pastebin.com/JqSavqD1
>nsswitch.conf is unchanged, pasted here: http://pastebin.com/bW3HcKKN
>resolv.conf has been correct all the time, I have verified now as well.