Andrea Rossetti
2018-Jan-08 13:41 UTC
[Samba] cannot list/access samba share from Windows client
Hi,
I have a problem listing/accessing a share hosted on a Samba domain member server from a Windows client. I followed the instructions from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member step by step, but I used sssd instead of winbind for the authentication method. The Linux Samba server is an Ubuntu Server 16.04 and I successfully added this Samba server to a Windows Active Directory domain (Windows Server 2012 R2). I log in to the domain server machine as a domain admins user, but I'm not able to list/access the share: when I type \\servername in Windows Explorer I get "access denied" with a request to enter the credentials of a user enabled for it. Only the user mapped in /etc/samba/user.map can manage the server via the ADUC interface and list, but I've assigned the SeDiskOperatorPrivilege to the whole domain admins group:

root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
        COM_SPOLETO\Domain Admins
        BUILTIN\Administrators

Is there anyone who can help me?

Below are my configuration files.

----------------------------------------------------------------------
My /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = standalone server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        username map = /etc/samba/user.map
        unix password sync = Yes
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config comune.spoleto.local : range = 10000-29999
        idmap config comune.spoleto.local : backend = rig
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes

-----------------------------------------------------------------------------
My /etc/samba/user.map

!root = COM_SPOLETO\Adminserver

----------------------------------------------------------------
My /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss winbind
group:          compat sss winbind
shadow:         compat sss
gshadow:        files

hosts:          files dns winbind
networks:       files

protocols:      db files
services:       db files sss winbind
ethers:         db files
rpc:            db files

netgroup:       nis sss winbind
sudoers:        files sss winbind

---------------------------------------------------------------------------------------------------------------------
My /etc/sssd/sssd.conf

[sssd]
services = nss, pam
config_file_version = 2
domains = COMUNE.SPOLETO.LOCAL

[domain/COMUNE.SPOLETO.LOCAL]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = SRVLNXINTRA01.comune.spoleto.local

# Uncomment if DNS SRV resolution is not working
# ad_server = SRVW3KDC01.comune.spoleto.local

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = COMUNE.SPOLETO.LOCAL

# Enumeration is discouraged for performance reasons.
# enumerate = true

-------------------------------------------------------------------------------------------
My /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        ticket_lifetime = 24h
#       renew_lifetime = 7d

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        COMUNE.SPOLETO.LOCAL = {
                kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
                master_kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
                admin_server = SRVW3KDC01.COMUNE.SPOLETO.LOCAL
                default_domain = COMUNE.SPOLETO.LOCAL
        }

[domain_realm]
        .comune.spoleto.local = COMUNE.SPOLETO.LOCAL
        comune.spoleto.local = COMUNE.SPOLETO.LOCAL

[login]
        krb4_convert = true
        krb4_get_tickets = false

-------------------------------------------------------------------------------------------

Sent from Mail for Windows 10
Rowland Penny
2018-Jan-08 14:15 UTC
[Samba] cannot list/access samba share from Windows client
Please see inline comments:

On Mon, 8 Jan 2018 14:41:01 +0100
Andrea Rossetti via samba <samba at lists.samba.org> wrote:

> Hi,
> I have a problem to list/access share from Windows client to share
> hosted on samba domain member server. I followed the instruction from
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> step by step but I used sssd instead of winbind for the
> authentication method.

Then you didn't follow the wiki page.

> The Linux samba server is an Ubuntu server
> 16.04 and I successfully added this samba server to a Windows active
> directory domain (Windows server 2012 R2). I login to the domain
> server machine as a domain admins user but I'm not able to
> list/access to the share when I digit in Windows Explorer
> \\servername I have the access denied with the request to insert the
> credential of a user enabled to it. Only the user mapped
> in /etc/samba/user.map can manage the server via the ADUC interface
> and list, but I've assigned the SeDiskOperatorPrivilege to all domain
> admin Group

The only mapping in the user.map should be Administrator to root.

>
> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
> COM_SPOLETO\Domain Admins
> BUILTIN\Administrators
>
> Is there anyone can help me?
>
> Below my configuration files.
> ----------------------------------------------------------------------
> My /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = COM_SPOLETO
> realm = COMUNE.SPOLETO.LOCAL
> server string = %h server (Samba, Ubuntu)
> interfaces = lo ens32
> bind interfaces only = Yes
> server role = standalone server
> security = ADS

'server role' is wrong, it is a Unix domain member

> map to guest = Bad User
> obey pam restrictions = Yes
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

I would remove the above 4 lines, you do not need them in a Unix domain member smb.conf

> username map = /etc/samba/user.map
> unix password sync = Yes

You definitely do not want the above line in a Unix domain member smb.conf, all your domain members should be in AD.

> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> max log size = 1000
> client signing = if_required
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> winbind refresh tickets = Yes
> idmap config comune.spoleto.local : range = 10000-29999
> idmap config comune.spoleto.local : backend = rig
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb

As you are using sssd, you don't need the lines above, also it is 'rid' not 'rig'

> -----------------------------------------------------------------------------
> My /etc/samba/user.map
> !root = COM_SPOLETO\Adminserver

It is Administrator not Adminserver

> ----------------------------------------------------------------
> My /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try: # `info libc "Name Service Switch"' for information
> about this file.
>
> passwd: compat sss winbind
> group: compat sss winbind

You either use 'sss' or 'winbind', not both

> shadow: compat sss

You shouldn't add anything to the shadow line.

> gshadow: files
>
> hosts: files dns winbind

You do not use winbind for hosts

> networks: files
>
> protocols: db files
> services: db files sss winbind

Same goes for services

> ethers: db files
> rpc: db files
>
> netgroup: nis sss winbind
> sudoers: files sss winbind

Same goes for netgroup and sudoers

> ---------------------------------------------------------------------------------------------------------------------
> My /etc/sssd/sssd.conf
> [sssd]

Pointless telling us what your sssd.conf is, it isn't anything to do with Samba

> -------------------------------------------------------------------------------------------
> My /etc/krb5.conf
> [libdefaults]
> default_realm = COMUNE.SPOLETO.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>

This is all you need in krb5.conf.

I would make the alterations I have suggested, then choose whether to use 'sssd' or 'winbind', you cannot use both.

If you decide to continue to use 'sssd' and you still have problems, you need to ask on the 'sssd-users' mailing list.

Rowland
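The checks in the reply above (wrong `server role`, `unix password sync` on a domain member, the `rig`/`rid` typo in the idmap backend, and nsswitch databases listing both `sss` and `winbind` or adding backends to `shadow`/`hosts`) are easy to automate. The script below is an added example, not code from this thread or from the Samba project; it embeds constructed copies of the poster's two files plus corrected versions, and its two lint functions can be pointed at a real /etc/samba/smb.conf and /etc/nsswitch.conf instead. The list of accepted idmap backends (tdb, rid, ad, autorid) is an assumption covering only the common ones.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: a lint for the
# smb.conf and nsswitch.conf mistakes pointed out in the reply above.
# The sample files are constructed here to reproduce the poster's mistakes;
# point lint_smb / lint_nsswitch at the real files to check a host.

SMB_BAD=$(mktemp); SMB_OK=$(mktemp); NSS_BAD=$(mktemp); NSS_OK=$(mktemp)
trap 'rm -f "$SMB_BAD" "$SMB_OK" "$NSS_BAD" "$NSS_OK"' EXIT

cat >"$SMB_BAD" <<'EOF'
# constructed: the original smb.conf, abridged
[global]
   workgroup = COM_SPOLETO
   realm = COMUNE.SPOLETO.LOCAL
   server role = standalone server
   security = ADS
   unix password sync = Yes
   idmap config comune.spoleto.local : backend = rig
   idmap config * : backend = tdb
EOF

cat >"$SMB_OK" <<'EOF'
# constructed: the same settings after the corrections
[global]
   workgroup = COM_SPOLETO
   realm = COMUNE.SPOLETO.LOCAL
   server role = member server
   security = ADS
   idmap config comune.spoleto.local : backend = rid
   idmap config * : backend = tdb
EOF

cat >"$NSS_BAD" <<'EOF'
# constructed: the original nsswitch.conf, abridged
passwd:   compat sss winbind
group:    compat sss winbind
shadow:   compat sss
gshadow:  files
hosts:    files dns winbind
services: db files sss winbind
EOF

cat >"$NSS_OK" <<'EOF'
# constructed: one backend (sss) only, shadow and hosts left local
passwd:   compat sss
group:    compat sss
shadow:   compat
gshadow:  files
hosts:    files dns
services: db files sss
EOF

# lint_smb FILE: print one finding per line; exit status 0 only if nothing was found
lint_smb() {
    findings=$(awk '
        function key(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]*=.*/, "", s); return tolower(s) }
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ || !/=/ { next }   # skip comments and [section] headers
        {
            k = key($0); v = val($0)
            if (k == "server role" && v != "member server")
                print "server role = " v ": an AD domain member needs \"member server\""
            if (k == "unix password sync" && v == "yes")
                print "unix password sync = yes: passwords live in AD on a domain member, drop it"
            if (k ~ /^idmap config .*: backend$/ && v !~ /^(tdb|rid|ad|autorid)$/)
                print k " = " v ": unknown idmap backend (typo for rid?)"
        }' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# lint_nsswitch FILE: same contract, for the NSS database lines
lint_nsswitch() {
    findings=$(awk '
        /^[ \t]*#/ || NF < 2 { next }
        {
            db = $1; sub(/:$/, "", db)
            sss = 0; wb = 0
            for (i = 2; i <= NF; i++) { if ($i == "sss") sss = 1; if ($i == "winbind") wb = 1 }
            if (sss && wb) print db ": lists both sss and winbind; use one or the other"
            if (db == "shadow" && (sss || wb)) print db ": should stay local, add nothing here"
            if (db == "hosts" && wb) print db ": winbind is not used for host lookups"
        }' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

for f in "$SMB_BAD" "$SMB_OK"; do
    echo "== smb.conf: $f"
    if lint_smb "$f"; then echo "clean"; fi
done
for f in "$NSS_BAD" "$NSS_OK"; do
    echo "== nsswitch.conf: $f"
    if lint_nsswitch "$f"; then echo "clean"; fi
done
```

Both functions return non-zero when they print a finding, so they drop straight into a post-join sanity check or a configuration test; `testparm` still has the last word on whether smb.conf parses, this only catches the semantic mistakes a parser accepts.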
Andrea Rossetti
2018-Jan-08 17:27 UTC
[Samba] R: cannot list/access samba share from Windows client
Thanks for the rapid reply!
I think the problem was in the server role option: I've modified it to "server member" and now I'm able to list the shares under \\linuxserver from any domain user authenticated on a Windows PC that is an AD member.

But now:

1. I run Computer Management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin, which is a "domain admins" member).
2. I right-click on Computer Management -> Connect to another computer -> srvlnxwintra01 (the Linux member server).
3. I expand "System Tools" -> I expand "Shared Folders" -> I click on "Shares", right-click on "share" -> click Properties -> click on the "Security" tab.

In this tab I get the message "You must have Read permission to view the properties of this object", even though I have granted SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group. But if I run "Computer Management" as the "com_spoleto\adminserver" user (I explain below the reason I used this user) I can view/modify the ACLs.

Please see MY inline comments, and at the end of this message I pasted my modified config files:

Sent from Mail for Windows 10

From: Rowland Penny
Sent: Monday, 8 January 2018 15:15
To: samba at lists.samba.org
Cc: Andrea Rossetti
Subject: Re: [Samba] cannot list/access samba share from Windows client

>> The Linux samba server is an Ubuntu server
>> 16.04 and I successfully added this samba server to a Windows active
>> directory domain (Windows server 2012 R2). I login to the domain
>> server machine as a domain admins user but I'm not able to
>> list/access to the share when I digit in Windows Explorer
>> \\servername I have the access denied with the request to insert the
>> credential of a user enabled to it. Only the user mapped
>> in /etc/samba/user.map can manage the server via the ADUC interface
>> and list, but I've assigned the SeDiskOperatorPrivilege to all domain
>> admin Group

> The only mapping in the user.map should be Administrator to root.

I've mapped the user COM_SPOLETO\adminserver because it is an enterprise admin like COM_SPOLETO\Administrator. For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatorPrivilege to the "com_spoleto\domain admins" group (see lines below)

>> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges
>> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
>> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
>> COM_SPOLETO\Domain Admins
>> BUILTIN\Administrators

>> -----------------------------------------------------------------------------
>> My /etc/samba/user.map
>> !root = COM_SPOLETO\Adminserver

> It is Administrator not Adminserver

As just explained, adminserver is for us the enterprise domain admin.

----------------------------------------------
My modified /etc/samba/smb.conf

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No

-------------------------------------------------------------------------------
My modified /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss

--------------------------------------------------------------------------------
My modified /etc/krb5.conf

[libdefaults]
        default_realm = COMUNE.SPOLETO.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true