Kyle Manel
2016-Aug-26 15:11 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
I've completed the configuration specified, and the command 'wbinfo -g' provides a list of the groups available and 'wbinfo -u' provides a list of all the users on the system, but I cannot access the shares. When I navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen, which I cannot log into with my ID: 'The user name or password is incorrect'.

I suspect an issue with my idmap configuration:

[global]
netbios name = FILESERVER-001
security = ADS
workgroup = SUBDOMAIN
realm = SUBDOMAIN.DOMAIN.COM

log file = /var/log/samba/%m.log
log level = 1

idmap config CORP: backend = ad
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999
idmap uid = 50-9999999999
idmap gid = 50-9999999999
winbind nss info = rfc2307

allow dns updates = nonsecure

[public]
path = /srv/samba/share
available = yes
read only = no
browsable = yes
public = yes
guest ok = yes
writable = yes

Regards,
Kyle

-----Original Message-----
From: Michael A Weber [mailto:mweber.subscriptions01 at gmail.com]
Sent: Wednesday, August 24, 2016 5:21 PM
To: Kyle Manel <Kyle.Manel at inbaytech.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory authentication

Kyle—

Keep it simple and follow the guide you linked, and Rowland’s rid recommendation, and you’ll be set.

Mike

> On Aug 24, 2016, at 3:04 PM, Kyle Manel via samba <samba at lists.samba.org> wrote:
>
> I've been working through a guide documenting how to do this at https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member and am presently deciphering what needs I have in my winbind configuration.
> In doing so, I've come across the 'passdb backend = ldapsam' option and am curious if I can use this, and if it is wise, identifying that key exchange is complex and a vulnerability at times, but it does provide no local storage of pw either, which may be a greater vulnerability.
>
> Any insight into this, or if this passdb option even works as I believe it to, would be valuable to me,
> Kyle
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Aug-26 15:51 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
See inline comments.

On Fri, 26 Aug 2016 15:11:25 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:

> I've completed the configuration specified,

No you haven't

> and the command 'wbinfo -g' provides a list of the groups available and 'wbinfo -u' provides a list of all the users on the system, but I cannot access the shares; When I navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen, which I cannot log into with my ID; 'The user name or password is incorrect'
>
> I suspect an issue with my idmap configuration:
>
> [global]
> netbios name = FILESERVER-001
> security = ADS
> workgroup = SUBDOMAIN
> realm = SUBDOMAIN.DOMAIN.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config CORP: backend = ad
> idmap config CORP: schema_mode = rfc2307
> idmap config CORP: range = 1000-9999999999

I thought you were advised to use the 'rid' backend

> idmap uid = 50-9999999999
> idmap gid = 50-9999999999

Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines? They are not on the domain member wiki page.

> winbind nss info = rfc2307

You don't use the above line with the 'rid' backend

>
> allow dns updates = nonsecure
>
> [public]
> path = /srv/samba/share
> available = yes
> read only = no
> browsable = yes
> public = yes
> guest ok = yes
> writable = yes

The 'available' line is the default.
'read only = no' and 'writable = yes' are the same way of saying the same thing, you do not need both.
'browsable = yes' is the default.
'public = yes' and 'guest ok = yes' are the same way of saying the same thing, you do not need both.

Rowland

> Regards,
> Kyle
Michael A Weber
2016-Aug-26 16:34 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
> On Aug 26, 2016, at 10:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> See inline comments.
>
> On Fri, 26 Aug 2016 15:11:25 +0000
> Kyle Manel via samba <samba at lists.samba.org> wrote:
>
>> I've completed the configuration specified,
>
> No you haven't
>
>> and the command 'wbinfo -g' provides a list of the groups available and 'wbinfo -u' provides a list of all the users on the system, but I cannot access the shares; When I navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen, which I cannot log into with my ID; 'The user name or password is incorrect'
>>
>> I suspect an issue with my idmap configuration:
>>
>> [global]
>> netbios name = FILESERVER-001
>> security = ADS
>> workgroup = SUBDOMAIN
>> realm = SUBDOMAIN.DOMAIN.COM
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> idmap config CORP: backend = ad
>> idmap config CORP: schema_mode = rfc2307
>> idmap config CORP: range = 1000-9999999999
>
> I thought you were advised to use the 'rid' backend
>
>> idmap uid = 50-9999999999
>> idmap gid = 50-9999999999
>
> Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines? They are not on the domain member wiki page.
>
>> winbind nss info = rfc2307
>
> You don't use the above line with the 'rid' backend
>
>>
>> allow dns updates = nonsecure
>>
>> [public]
>> path = /srv/samba/share
>> available = yes
>> read only = no
>> browsable = yes
>> public = yes
>> guest ok = yes
>> writable = yes
>
> The 'available' line is the default.
> 'read only = no' and 'writable = yes' are the same way of saying the same thing, you do not need both.
> 'browsable = yes' is the default.
> 'public = yes' and 'guest ok = yes' are the same way of saying the same thing, you do not need both.
>
> Rowland
>
>> Regards,
>> Kyle

Rowland—

I’m curious… if Kyle didn’t set the permissions on the share, and the ID he’s using to attempt to access them did not have permission to access, would the login prompt tell him “access denied,” or would it just present itself saying ‘incorrect id/password’? I seem to recall trying to access a share on a Mac from a Windows machine and it just telling me my username/pw were wrong rather than telling me I don’t have access.

Kyle—

Are you able to use the Computer Management tool to access your new samba file server and its shares, and set permissions on them? Also, if you joined it to the domain, you should be able to see it in your AD DNS as well as access it by host name rather than IP address.

https://wiki.samba.org/index.php/Shares_with_Windows_ACLs#Setup_share_permissions_.28optional.29

Mike
Kyle Manel
2016-Aug-26 19:42 UTC
[Samba] Configuration of smb.conf for Active Directory authentication
Thanks for the feedback. With the modifications you specified I have this smb.conf, however it cannot be accessed?

"
[global]
netbios name = FILESERVER-001
security = ADS
workgroup = CORP
realm = CORP.INBAYTECH.COM

log file = /var/log/samba/%m.log
log level = 1

idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config CORP: backend = rid
idmap config CORP: schema_mode = rfc2307
idmap config CORP: range = 1000-9999999999

template shell = /sbin/bash
template homedir = /home/%U

[public]
path = /srv/samba/share
public = yes
guest ok = yes
writable = yes
"

As for your question: "Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines, they are not on the domain member wiki page."

- NOTE: line 108 of https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member stipulates: '# Just adding the following three lines is not enough!!'
- I apologize; without further instruction I chose to access the wiki and documentation: https://wiki.samba.org/index.php/Idmap_config_rid and https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606596
- The latter specifies IDMAP_RID with WinBind and specifies the idmap uid and gid as global parameters alongside this construct; you have now identified them as deprecated.
- If there was some expectation of using RID exclusively, I did not read it as such, my apologies. {Now: -removed (as above)-}

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Friday, August 26, 2016 11:51 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Configuration of smb.conf for Active Directory authentication

See inline comments.

On Fri, 26 Aug 2016 15:11:25 +0000
Kyle Manel via samba <samba at lists.samba.org> wrote:

> I've completed the configuration specified,

No you haven't

> and the command 'wbinfo -g' provides a list of the groups available and 'wbinfo -u' provides a list of all the users on the system, but I cannot access the shares; When I navigate a file explorer to \\ip.ad.dre.ss I am presented with a login screen, which I cannot log into with my ID; 'The user name or password is incorrect'
>
> I suspect an issue with my idmap configuration:
>
> [global]
> netbios name = FILESERVER-001
> security = ADS
> workgroup = SUBDOMAIN
> realm = SUBDOMAIN.DOMAIN.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> idmap config CORP: backend = ad
> idmap config CORP: schema_mode = rfc2307
> idmap config CORP: range = 1000-9999999999

I thought you were advised to use the 'rid' backend

> idmap uid = 50-9999999999
> idmap gid = 50-9999999999

Why have you also added the deprecated 'idmap uid' & 'idmap gid' lines? They are not on the domain member wiki page.

> winbind nss info = rfc2307

You don't use the above line with the 'rid' backend

>
> allow dns updates = nonsecure
>
> [public]
> path = /srv/samba/share
> available = yes
> read only = no
> browsable = yes
> public = yes
> guest ok = yes
> writable = yes

The 'available' line is the default.
'read only = no' and 'writable = yes' are the same way of saying the same thing, you do not need both.
'browsable = yes' is the default.
'public = yes' and 'guest ok = yes' are the same way of saying the same thing, you do not need both.

Rowland

> Regards,
> Kyle
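A small lint script that mechanically applies the review points raised in this thread to an smb.conf: the deprecated 'idmap uid'/'idmap gid' globals, 'winbind nss info = rfc2307' and 'schema_mode' used with a backend other than 'ad', a missing default '*' idmap domain, overlapping idmap ranges, and the redundant or default share options. This is an added example, not code from the thread or from the Samba project; the sample configuration is constructed from the second smb.conf posted above, and the finding codes are names chosen here. On that sample it reports that 'schema_mode' is an ad-backend option and does nothing with 'rid', that the '*' range 2000-9999 lies inside the CORP range 1000-9999999999 (Samba requires each idmap domain to have its own non-overlapping range), and that 'public' and 'guest ok' duplicate each other.

```python
"""Lint an smb.conf for the idmap and share mistakes discussed in this thread.

Added example, not part of the samba mailing-list thread or of the Samba
project. The sample configuration is constructed from the second smb.conf
posted in the thread; the finding codes are names chosen for this script.
"""
import re

# Constructed sample: the second smb.conf posted in the thread, as text.
SAMPLE_SMB_CONF = """
[global]
   netbios name = FILESERVER-001
   security = ADS
   workgroup = CORP
   realm = CORP.INBAYTECH.COM
   log file = /var/log/samba/%m.log
   log level = 1
   idmap config *: backend = tdb
   idmap config *: range = 2000-9999
   idmap config CORP: backend = rid
   idmap config CORP: schema_mode = rfc2307
   idmap config CORP: range = 1000-9999999999
   template shell = /sbin/bash
   template homedir = /home/%U

[public]
   path = /srv/samba/share
   public = yes
   guest ok = yes
   writable = yes
"""

DEPRECATED_GLOBALS = ("idmap uid", "idmap gid")
# Share option pairs that express the same setting, with the values that make them equivalent.
EQUIVALENT_PAIRS = ((("read only", "no"), ("writable", "yes")),
                    (("public", "yes"), ("guest ok", "yes")))
# Share options whose value here equals Samba's default, so the line is a no-op.
DEFAULT_VALUES = {"available": "yes", "browsable": "yes", "browseable": "yes"}
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", re.IGNORECASE)


def parse_smb_conf(text):
    """Return {section: {option: value}}; option names lowercased with single spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_domains(global_section):
    """Group 'idmap config DOM: option = value' lines by domain name ('*' is the default domain)."""
    domains = {}
    for key, value in global_section.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return domains


def parse_range(value):
    """'1000-9999999999' -> (1000, 9999999999); None when malformed or reversed."""
    m = re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def lint_smb_conf(text):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    for opt in DEPRECATED_GLOBALS:
        if opt in g:
            findings.append(("deprecated-global", f"'{opt}' is deprecated; use 'idmap config DOMAIN: range' instead"))

    domains = idmap_domains(g)
    if "range" not in domains.get("*", {}):
        findings.append(("missing-default-idmap", "no 'idmap config *: backend/range' for the default domain (BUILTIN and unknown SIDs)"))

    backends = {dom: opts.get("backend", "").lower() for dom, opts in domains.items()}
    for dom, opts in domains.items():
        if "schema_mode" in opts and backends[dom] != "ad":
            findings.append(("option-wrong-backend", f"'idmap config {dom}: schema_mode' only applies to the ad backend, not '{backends[dom]}'"))
    nss = g.get("winbind nss info", "template").lower()
    if nss != "template" and "ad" not in backends.values():
        findings.append(("option-wrong-backend", f"'winbind nss info = {nss}' needs the ad backend; rid uses the template settings"))

    ranges = [(dom, parse_range(opts["range"])) for dom, opts in domains.items() if "range" in opts]
    for dom, rng in ranges:
        if rng is None:
            findings.append(("bad-range", f"'idmap config {dom}: range' is not LOW-HIGH"))
    valid = [(d, r) for d, r in ranges if r]
    for i, (d1, (lo1, hi1)) in enumerate(valid):
        for d2, (lo2, hi2) in valid[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                findings.append(("range-overlap", f"idmap ranges for {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap; each domain needs its own range"))

    for name, sec in conf.items():
        if name == "global":
            continue
        for (a, av), (b, bv) in EQUIVALENT_PAIRS:
            if sec.get(a, "").lower() == av and sec.get(b, "").lower() == bv:
                findings.append(("redundant-share-option", f"[{name}]: '{a} = {av}' and '{b} = {bv}' say the same thing; keep one"))
        for opt, default in DEFAULT_VALUES.items():
            if sec.get(opt, "").lower() == default:
                findings.append(("default-share-option", f"[{name}]: '{opt} = {default}' is already the default"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_smb_conf(SAMPLE_SMB_CONF):
        print(f"{code:24} {msg}")
```

Run it against a real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())`; it reads only the textual configuration, so it complements rather than replaces `testparm`, which checks syntax but does not reason about overlapping idmap ranges or options that belong to a different backend.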