Hello,

I've tried to set up a member server for my AD domain, but all users get "Permission Denied" when accessing the server, even without a share specified (by entering \\ika in Windows Explorer).
Samba version is 4.2.10-debian on Debian Jessie.

I've mapped DOMAIN\Administrator to root, which allows the Administrator to connect to the server and set permissions.
wbinfo -g and wbinfo -u lists all the users and groups.

The smb.conf on the member looks like this:

[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN.COMPANY.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 20001-99999
winbind nss info = rfc2307
dns proxy = no
log file = /var/log/samba/log.%m
syslog = 0
server role = member server
username map = /etc/samba/usermap
load printers = yes
spoolss: architecture = Windows x64
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[printers]
path = /var/spool/samba
read only = no
printable = yes
printing = CUPS
guest ok = yes
writable = yes
available = yes
[print$]
path = /var/fileserver/Printer_drivers
comment = Printer Drivers
writeable = yes

What am I doing wrong?
Rowland Penny
2016-Jun-24 10:53 UTC
[Samba] Permission denied on server root for all users
On 24/06/16 11:23, mots wrote:
> Hello,
>
> I've tried to set up a member server for my AD domain, but all users get "Permission Denied" when accessing the server, even without a share specified (by entering \\ika in Windows Explorer).
> Samba version is 4.2.10-debian on Debian Jessie.
>
> I've mapped DOMAIN\Administrator to root, which allows the Administrator to connect to the server and set permissions.
> wbinfo -g and wbinfo -u lists all the users and groups.
>
> The smb.conf on the member looks like this:
>
> [global]
> workgroup = DOMAIN
> security = ads
> realm = DOMAIN.COMPANY.COM
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 20001-99999
> winbind nss info = rfc2307
> dns proxy = no
> log file = /var/log/samba/log.%m
> syslog = 0
> server role = member server
> username map = /etc/samba/usermap
> load printers = yes
> spoolss: architecture = Windows x64
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> [printers]
> path = /var/spool/samba
> read only = no
> printable = yes
> printing = CUPS
> guest ok = yes
> writable = yes
> available = yes
> [print$]
> path = /var/fileserver/Printer_drivers
> comment = Printer Drivers
> writeable = yes
>
> What am I doing wrong?
>
>

You are using the winbind 'ad' backend, have you given each user a 'uidNumber' attribute containing a unique number in the range you set in smb.conf (20001-99999), have you also given 'Domain users' a 'gidNumber' inside the same range?

Does 'getent passwd <ausername>', run on the domain member, return anything?

Rowland
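
The range check asked about in the reply above, as an added example that is not part of the thread: it reads the 'idmap config DOMAIN:range' line from smb.conf text and classifies directory entries by whether their uidNumber or gidNumber is present and inside that range. The function names, the account names and the LDIF-style sample entries are constructed for illustration.

```python
import re

# Constructed sample data: the idmap lines from the post, plus LDIF-style
# directory entries (names and numbers are made up for illustration).
SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 20001-99999
"""
LDIF = """sAMAccountName: alice
uidNumber: 20010

sAMAccountName: bob

sAMAccountName: carol
uidNumber: 1005

sAMAccountName: Domain Users
gidNumber: 20001
"""

def idmap_range(conf, domain):
    """Return (low, high) from the 'idmap config <domain>:range' line."""
    m = re.search(r"^\s*idmap\s+config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
                  % re.escape(domain), conf, re.I | re.M)
    if not m:
        raise ValueError("no idmap range for %s" % domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """One {attribute: value} dict per blank-line-separated entry."""
    return [dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
            for block in re.split(r"\n\s*\n", text.strip())]

def audit(entries, low, high):
    """Classify each entry's uidNumber (gidNumber if it has no uidNumber)."""
    report = {}
    for e in entries:
        value = e.get("uidNumber", e.get("gidNumber"))
        if value is None:
            report[e["sAMAccountName"]] = "missing"
        elif low <= int(value) <= high:
            report[e["sAMAccountName"]] = "ok"
        else:
            report[e["sAMAccountName"]] = "out-of-range"
    return report

if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "DOMAIN")
    for name, status in audit(parse_ldif(LDIF), low, high).items():
        print("%-14s %s" % (name, status))
```

Accounts reported as "missing" or "out-of-range" are the ones to compare against the output of 'getent passwd' on the member.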