Hi all, I have exactly the same problem as the OP and tried the solution below, but I still get the error: 'Username IUCNNL\PC050$ is invalid on this system'. Should I map useraccount, enable Guest account, chang eunix directory permissions or things like that? Problem: My Windows 10 computers' machine accounts cannot acces shares on a domain member (samba 4.6 , id map = ad, centos 7). more detailed: Startup script in windows 10 runs under the system account and accesses shares on the network with the machine account. My samba domain member (fileserver FS1) is not happy with the useraccount of the machine. The log file says: "Username SAMDOM\PC050$ is invalid on this system". However, the machine is joined to the domain. Normal user accounts can access shares without problems, machine accounts cannot. Samba - General mailing list wrote> Ps. > > To overcome this problem is very simple ( AD or RID ) > > 1) setup the SHARE where you need user NT Authority\SYSTEM with > acl_xattr:ignore system acls = yes > > 2) setup you share with Everyone full access.. ( If you dont like > everyone, you need domain users/computers/guest and maybe even more ) > 1! You must do this from within windows. ( message access denies when > connection, you forgot something, see 2!) > 2! Check your SePrivileges setup. (script: > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh > ) > > 3) setup the FOLDER security. > Make sure you add "Creator Owner/Creator Group" one or both, you setup is > your guide. I cant tell that. > Verified Users, Read > System Full Controll > Any other group you want, but at least "Domain Admins" FULL control. > > 4) Try to avoid chmod/chown use getfacl setfacl in scripts. > > > Give it a try, this works fine here. (as of Debian jessie and up, with > samba 4.4+ up to 4.6.7 tested/in production) > > > Greetz, > > LouisBelow is relevant info (I think) for my case What I did/tried: -With ADUC (WS 2012) I added NIS domain 'samdom' to the Unix attributes of users, groups, and also to computers (is the latter nesecary?) -I test the connection to the shares as system user on the win10 machine by using "psexec.exe -s cmd.exe", and then "dir \\fs1\datasys" (see smb.conf below) or any other share name. Access is denied. The startup script has the same problem. -I can get AD groups and users on FS1 with getent group and getent passwd. -The windows 10 machine account can succesfully access the the sysvol share on the domain controller DC ("dir \\dc1\sysvol") -The three shares in the conf file below are inaccessible to the machine account. The third share is the one I am testing with. I tried the suggesion above to add "acl_xattr:ignore system acls = yes" to the share. This did not solve the problem, so I probably missed something. -I do not want to make an other fileserver with backend = rid if I can avoid it. -If i map the PC050$ name to root i can access the shares, but i don not want that permanently (security). I think I could add another user and map computers to that name but that still seems awkward to me. Configuration info: -The DC and the fileserver (FS1, the domain member) run centos 7, samba 4.6.10. smb.conf on FS1: [global] security = ADS workgroup = SAMDOM realm = AD.EXAMPLE.NL ntlm auth = yes # log file = /var/log/samba/%m.log # log level = 2 log level = 3 passdb:5 auth:5 idmap config * : backend = tdb idmap config * : range = 3000-9999 idmap config SAMDOM : backend = ad idmap config SAMDOM : schema_mode = rfc2307 idmap config SAMDOM : range = 10000-999999 idmap config SAMDOM : default = yes winbind nss info = template template shell = /bin/bash template homedir = /data/home/%U winbind use default domain = yes allow dns updates = nonsecure username map = /etc/samba/user.map spoolss: architecture = Windows x64 dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab winbind refresh tickets = Yes # shares [datatest] vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes path = /data/datatest read only = no [datasys] vfs objects = acl_xattr map acl inherit = yes store dos attributes = yes path = /data/datasys read only = no # testfolder [testfolfder] vfs objects = acl_xattr acl_xattr:ignore system acls = yes # I used: mkdir /data/testfolder ; chmod 0770 /data/testfolder ; chown root."domain admins" /data/testfolder path = /data/testfolder read only = no smb.conf on DC1 [global] workgroup = SAMDOM realm = AD.EXAMPLE.NL netbios name = DC1 server role = active directory domain controller dns forwarder = 192.168.3.2 idmap_ldb:use rfc2307 = yes allow dns updates = nonsecure winbind enum users = yes winbind enum groups = yes ldap server require strong auth = no username map = /etc/samba/user.map log level = 3 [netlogon] path = /var/lib/samba/sysvol/ad.example.nl/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No -- Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Rowland Penny
2017-Nov-20 15:43 UTC
[Samba] samba 4 ad member - idmap = ad for machine accounts
On Mon, 20 Nov 2017 07:59:14 -0700 (MST) tomict via samba <samba at lists.samba.org> wrote:> Below is relevant info (I think) for my case > > What I did/tried: > -With ADUC (WS 2012) I added NIS domain 'samdom' to the Unix > attributes of users, groups, and also to computers (is the latter > nesecary?) -I test the connection to the shares as system user on the > win10 machine by using "psexec.exe -s cmd.exe", and then "dir > \\fs1\datasys" (see smb.conf below) or any other share name. Access > is denied. The startup script has the same problem. > -I can get AD groups and users on FS1 with getent group and getent > passwd. -The windows 10 machine account can succesfully access the > the sysvol share on the domain controller DC ("dir \\dc1\sysvol") > -The three shares in the conf file below are inaccessible to the > machine account. The third share is the one I am testing with. I > tried the suggesion above to add "acl_xattr:ignore system acls = yes" > to the share. This did not solve the problem, so I probably missed > something. -I do not want to make an other fileserver with backend > rid if I can avoid it. > -If i map the PC050$ name to root i can access the shares, but i don > not want that permanently (security). I think I could add another > user and map computers to that name but that still seems awkward to > me. > > > Configuration info: > -The DC and the fileserver (FS1, the domain member) run centos 7, > samba 4.6.10. > > smb.conf on FS1: > [global] > security = ADS > workgroup = SAMDOM > realm = AD.EXAMPLE.NL > ntlm auth = yes > log level = 3 passdb:5 auth:5 > > idmap config * : backend = tdb > idmap config * : range = 3000-9999 > idmap config SAMDOM : backend = ad > idmap config SAMDOM : schema_mode = rfc2307 > idmap config SAMDOM : range = 10000-999999 > idmap config SAMDOM : default = yes > winbind nss info = template > template shell = /bin/bash > template homedir = /data/home/%U > winbind use default domain = yes > allow dns updates = nonsecure > username map = /etc/samba/user.map > spoolss: architecture = Windows x64 > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > winbind refresh tickets = Yes > > # shares > [datatest] > vfs objects = acl_xattr > map acl inherit = yes > store dos attributes = yes > path = /data/datatest > read only = no > > [datasys] > vfs objects = acl_xattr > map acl inherit = yes > store dos attributes = yes > path = /data/datasys > read only = no > > # testfolder > [testfolfder] > vfs objects = acl_xattr > acl_xattr:ignore system acls = yes > # I used: mkdir /data/testfolder ; chmod > 0770 /data/testfolder ; chown root."domain admins" /data/testfolder > path = /data/testfolder > read only = no > > > smb.conf on DC1 > [global] > workgroup = SAMDOM > realm = AD.EXAMPLE.NL > netbios name = DC1 > server role = active directory domain controller > dns forwarder = 192.168.3.2 > idmap_ldb:use rfc2307 = yes > allow dns updates = nonsecure > winbind enum users = yes > winbind enum groups = yes > ldap server require strong auth = no > username map = /etc/samba/user.map > log level = 3 > > [netlogon] > path = /var/lib/samba/sysvol/ad.example.nl/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > >Can I suggest you read these wikipages: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs https://wiki.samba.org/index.php/The_SYSTEM_Account Can I also suggest you remove the 'winbind enum' lines, you do not need these. And finally, definitely remove the user.map line from the DC. Rowland
Hi, Thanks for the quick reply. I read the links you suggested when I setup my domain member configuration. Followed the links a s closely as I could. Just read them again. Did you mean to point me at some part I missed in order to get the machine network accounts to be able to access the shares? Which part? I removed the 'winbind' lines and 'username map' lines. They are traces of my efforts to get things working. (still getting 'username xxxx invalid on this system' for the machine network accounts) About the SYSTEM account: My understanding is that it is not causing the 'access denied' on the domain member (FS1). I just put it in the properties->security tab because the answer I quoted suggested it. I saw no follow up on the answer I quoted. Should I expect it to work at all in my setup? regards, Tom -- Sent from: http://samba.2283325.n4.nabble.com/Samba-General-f2403709.html
Maybe Matching Threads
- samba 4 ad member - idmap = ad for machine accounts
- samba 4 ad member - idmap = ad for machine accounts
- samba 4 ad member - idmap = ad for machine accounts [SOLVED]
- samba 4 ad member - idmap = ad for machine accounts
- samba 4 ad member - idmap = ad for machine accounts [SOLVED]