Hello,
I have set up an AD DC and a file server.
On the fileserver I can see domain users with wbinfo and getent passwd.
When I try to manage a share on the fileserver
(https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs)
I get an error "Computer cannot be managed. Verify that the network path
is correct ...." and after that "you do not have permission to see the
list of shares for windows clients samba".
Then, when I try to connect to the AD member with smbclient, I get:
root at fileserver:/var/log/samba# smbclient -k -L fileserver.ad.example.com -d 3 -U admin
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
added interface eth0 ip=192.168.122.7 bcast=192.168.122.255 netmask=255.255.255.0
Client started (version 4.2.14-Debian).
Connecting to 192.168.122.7 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/fileserver.ad.example.com@ad.example.com
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
root at fileserver:/var/log/samba#
root at fileserver:/var/log/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@ad.example.com

Valid starting       Expires              Service principal
22.02.2017 14:54:15  23.02.2017 00:54:15  krbtgt/ad.example.com@ad.example.com
	renew until 23.02.2017 14:54:12
22.02.2017 15:05:00  23.02.2017 00:54:15  cifs/kes-fileserver.ad.example.com@ad.example.com
root at fileserver:/var/log/samba# getent passwd someuser
someuser:*:7072:30000:someuser:/home/users/someuser:/bin/bash
[global]
security = ADS
workgroup = AD
realm = AD.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 3
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000-1005
# idmap config for the AD domain
# alf has uid 1006
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 1006-999999
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/users/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[Demo]
path = /home/demo/
read only = no
valid users = +AD\"Domain Users"
guest ok = yes
On Wed, 22 Feb 2017 15:22:44 +0100 basti via samba <samba at lists.samba.org> wrote:

> Hello,
> I have set up an AD DC and a file server.
> On the fileserver I can see domain users with wbinfo and getent passwd.
>
> When I try to manage a share on the fileserver
> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs)
> I get an error "Computer cannot be managed. Verify that the network
> path is correct ...." and after that "you do not have permission to
> see the list of shares for windows clients samba"

Are you trying to manage the share from Windows?

> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000-1005

I would love to know just how you plan to get the well-known SIDs inside 6 IDs (there are approx. 100 of them).

Who owns the share and what permissions are set?

By any chance is AppArmor or a firewall running?

Rowland
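Rowland's objection to the six-ID default range is easy to miss by eye in a long smb.conf, so here is an added example (not from this thread, and not a Samba tool) that checks the "idmap config ... : range" lines of an smb.conf: every range must be low-high, no two ranges may overlap, and the default (*) range must have room for the well-known SIDs. The "bad" sample reproduces the two ranges from the original post; the "good" sample and the 100-ID minimum are assumptions made here for illustration, not values from the thread or from Samba.

```sh
#!/bin/sh
# Added example: sanity-check "idmap config" ranges in an smb.conf.
# Assumption (taken from Rowland's reply, not a Samba constant): the default
# (*) range needs room for roughly 100 well-known SIDs.
MIN_DEFAULT_RANGE=100

# check_idmap_ranges FILE: prints one line per problem, exits 0 when clean.
check_idmap_ranges() {
  awk -F'=' '
    /^[[:space:]]*#/ || /^[[:space:]]*;/ { next }          # smb.conf comments
    tolower($0) ~ /idmap config/ && tolower($1) ~ /range/ {
      key = $1; val = $2
      gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
      sub(/^idmapconfig/, "", key); sub(/:range$/, "", key)   # -> "*" or "AD"
      if (split(val, r, "-") != 2) {
        printf "ERROR %s: cannot parse range \"%s\"\n", key, val; bad = 1; next
      }
      n++; dom[n] = key; lo[n] = r[1] + 0; hi[n] = r[2] + 0
    }
    END {
      for (i = 1; i <= n; i++) {
        if (lo[i] > hi[i]) {
          printf "ERROR %s: low %d > high %d\n", dom[i], lo[i], hi[i]; bad = 1
        }
        if (dom[i] == "*" && hi[i] - lo[i] + 1 < min) {
          printf "ERROR default (*) range %d-%d has only %d IDs, need >= %d for well-known SIDs\n",
                 lo[i], hi[i], hi[i] - lo[i] + 1, min; bad = 1
        }
        for (j = i + 1; j <= n; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "ERROR %s (%d-%d) overlaps %s (%d-%d)\n",
                   dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]; bad = 1
          }
      }
      exit bad + 0
    }' min="$MIN_DEFAULT_RANGE" "$1"
}

# write_sample_conf NAME FILE: constructed smb.conf fragments for the demo.
# "bad" uses the ranges from the original post; "good" is an assumed layout.
write_sample_conf() {
  case "$1" in
    bad) cat > "$2" <<'EOF'
[global]
   security = ADS
   workgroup = AD
   realm = AD.EXAMPLE.COM
   # Default ID mapping configuration for local BUILTIN accounts
   idmap config * : backend = tdb
   idmap config * : range = 1000-1005
   idmap config AD:backend = ad
   idmap config AD:schema_mode = rfc2307
   idmap config AD:range = 1006-999999
EOF
    ;;
    good) cat > "$2" <<'EOF'
[global]
   security = ADS
   workgroup = AD
   realm = AD.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config AD:backend = ad
   idmap config AD:schema_mode = rfc2307
   idmap config AD:range = 10000-999999
EOF
    ;;
  esac
}

# Demo: run the check over both constructed samples.
tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp"' EXIT
for sample in bad good; do
  write_sample_conf "$sample" "$tmp"
  if check_idmap_ranges "$tmp"; then
    echo "$sample: idmap ranges OK"
  else
    echo "$sample: idmap ranges need fixing"
  fi
done
```

On a real member server, run `check_idmap_ranges /etc/samba/smb.conf`; the check only reads the file and does not touch winbind's tdb, so it is safe to run on a live system. If existing users already carry low uidNumbers (the original post mentions 1006), the domain range has to start below them, which is why the "good" sample is only an assumed layout.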
Hello Rowland,
I have "solved" it. I used the user Administrator; it looks like he can't manage the share, and I have an LDAP user called "admin" and that user can manage shares.
I have used idmap 1006- .... because my lowest user id is 1006.
Thanks a lot.
Best regards

On 22.02.2017 15:44, Rowland Penny via samba wrote:
> On Wed, 22 Feb 2017 15:22:44 +0100
> basti via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>> I have set up an AD DC and a file server.
>> On the fileserver I can see domain users with wbinfo and getent passwd.
>>
>> When I try to manage a share on the fileserver
>> (https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs)
>> I get an error "Computer cannot be managed. Verify that the network
>> path is correct ...." and after that "you do not have permission to
>> see the list of shares for windows clients samba"
>
> Are you trying to manage the share from Windows?
>
>> # - must not overlap with any domain ID mapping configuration!
>> # - must use a read-write-enabled back end, such as tdb.
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-1005
>
> I would love to know just how you plan to get the well-known SIDs
> inside 6 IDs (there are approx. 100 of them).
>
> Who owns the share and what permissions are set?
>
> By any chance is AppArmor or a firewall running?
>
> Rowland