Andrea Rossetti
2018-Jan-08 13:41 UTC
[Samba] cannot list/access samba share from Windows client
Hi, I have a problem to list/access share from Windows client to share hosted on samba domain member server. I followed the instruction from https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member step by step but I used sssd instead of winbind for the authentication method. The Linux samba server is an Ubuntu server 16.04 and I successfully added this samba server to a awindows active directory domain (Windows server 2012 R2). I login to the domain server machine as a domain admins user but II’m not able to list/access to the share when I digit in Windows Explorer \\servername I have the access denied with the request to insert the credential of a user enabled to it. Only the user mapped in /etc/samba/user.map can manage the server via the ADUC interface and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain admin Group root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter com_spoleto\adminserver's password: SeDiskOperatorPrivilege: COM_SPOLETO\Domain Admins BUILTIN\Administrators Is there anyone can help me? Below my configuration files. ---------------------------------------------------------------------- My /etc/samba/smb.conf # Global parameters [global] workgroup = COM_SPOLETO realm = COMUNE.SPOLETO.LOCAL server string = %h server (Samba, Ubuntu) interfaces = lo ens32 bind interfaces only = Yes server role = standalone server security = ADS map to guest = Bad User obey pam restrictions = Yes pam password change = Yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . username map = /etc/samba/user.map unix password sync = Yes kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 1000 client signing = if_required dns proxy = No panic action = /usr/share/samba/panic-action %d winbind refresh tickets = Yes idmap config comune.spoleto.local : range = 10000-29999 idmap config comune.spoleto.local : backend = rig idmap config * : range = 3000-7999 idmap config * : backend = tdb map acl inherit = Yes store dos attributes = Yes vfs objects = acl_xattr [printers] comment = All Printers path = /var/spool/samba create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers [share] comment = Progetti QGIS per Lizmap path = /home/data/share read only = No inherit acls = Yes ----------------------------------------------------------------------------- My /etc/samba/user.map !root = COM_SPOLETO\Adminserver ---------------------------------------------------------------- My /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat sss winbind group: compat sss winbind shadow: compat sss gshadow: files hosts: files dns winbind networks: files protocols: db files services: db files sss winbind ethers: db files rpc: db files netgroup: nis sss winbind sudoers: files sss winbind --------------------------------------------------------------------------------------------------------------------- My /etc/sssd/sssd.conf [sssd] services = nss, pam config_file_version = 2 domains = COMUNE.SPOLETO.LOCAL [domain/COMUNE.SPOLETO.LOCAL] id_provider = ad access_provider = ad # Use this if users are being logged in at /. # This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so override_homedir = /home/%d/%u # Uncomment if the client machine hostname doesn't match the computer object on the DC. # ad_hostname = SRVLNXINTRA01.comune.spoleto.local # Uncomment if DNS SRV resolution is not working # ad_server = SRVW3KDC01.comune.spoleto.local # Uncomment if the AD domain is named differently than the Samba domain # ad_domain = COMUNE.SPOLETO.LOCAL # Enumeration is discouraged for performance reasons. # enumerate = true ------------------------------------------------------------------------------------------- My /etc/krb5.conf [libdefaults] default_realm = COMUNE.SPOLETO.LOCAL ticket_lifetime = 24h # renew_lifetime = 7d # The following krb5.conf variables are only for MIT Kerberos. krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true dns_lookup_realm = false dns_lookup_kdc = true [realms] COMUNE.SPOLETO.LOCAL = { kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL master_kdc = SRVW3KDC01.COMUNE.SPOLETO.LOCAL admin_server = SRVW3KDC01.COMUNE.SPOLETO.LOCAL default_domain = COMUNE.SPOLETO.LOCAL } [domain_realm] .comune.spoleto.local = COMUNE.SPOLETO.LOCAL comune.spoleto.local = COMUNE.SPOLETO.LOCAL [login] krb4_convert = true krb4_get_tickets = false ------------------------------------------------------------------------------------------- Inviato da Posta per Windows 10
Rowland Penny
2018-Jan-08 14:15 UTC
[Samba] cannot list/access samba share from Windows client
Please see inline comments: On Mon, 8 Jan 2018 14:41:01 +0100 Andrea Rossetti via samba <samba at lists.samba.org> wrote:> Hi, > I have a problem to list/access share from Windows client to share > hosted on samba domain member server. I followed the instruction from > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member > step by step but I used sssd instead of winbind for the > authentication method.Then you didn't follow the wiki page.>The Linux samba server is an Ubuntu server > 16.04 and I successfully added this samba server to a awindows active > directory domain (Windows server 2012 R2). I login to the domain > server machine as a domain admins user but II’m not able to > list/access to the share when I digit in Windows Explorer > \\servername I have the access denied with the request to insert the > credential of a user enabled to it. Only the user mapped > in /etc/samba/user.map can manage the server via the ADUC interface > and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain > admin GroupThe only mapping in the user.map should be Administrator to root.> > root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges > SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter > com_spoleto\adminserver's password: SeDiskOperatorPrivilege: > COM_SPOLETO\Domain Admins > BUILTIN\Administrators > > Is there anyone can help me? > > Below my configuration files. > ---------------------------------------------------------------------- > My /etc/samba/smb.conf > # Global parameters > [global] > workgroup = COM_SPOLETO > realm = COMUNE.SPOLETO.LOCAL > server string = %h server (Samba, Ubuntu) > interfaces = lo ens32 > bind interfaces only = Yes > server role = standalone server > security = ADS'server role' is wrong, it is a Unix domain member> map to guest = Bad User> obey pam restrictions = Yes > pam password change = Yes > passwd program = /usr/bin/passwd %u > passwd chat = *Enter\snew\s*\spassword:* %n\n > *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .I would remove the above 4 lines, you do not need them in a Unix domain member smb.conf> username map = /etc/samba/user.map>unix password sync = YesYou definitely do not want the above line in a Unix domain member smb.conf, all your domain members should be in AD.> kerberos method = secrets and keytab > log file = /var/log/samba/log.%m > max log size = 1000 > client signing = if_required > dns proxy = No > panic action = /usr/share/samba/panic-action %d > winbind refresh tickets = Yes> idmap config comune.spoleto.local : range = 10000-29999 > idmap config comune.spoleto.local : backend = rig > idmap config * : range = 3000-7999 > idmap config * : backend = tdbAs you are using sssd, you don't need the lines above, also it is 'rid' not 'rig'> ----------------------------------------------------------------------------- > My /etc/samba/user.map > !root = COM_SPOLETO\AdminserverIt is Administrator not Adminserver> ---------------------------------------------------------------- > My /etc/nsswitch.conf > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: # `info libc "Name Service Switch"' for information > about this file. > > passwd: compat sss winbind > group: compat sss winbindYou either use 'sss' or 'winbind', not both> shadow: compat sssYou shouldn't add anything to the shadow line.> gshadow: files > > hosts: files dns winbindYou do not use winbind for hosts> networks: files > > protocols: db files > services: db files sss winbindSame goes for services> ethers: db files > rpc: db files > > netgroup: nis sss winbind > sudoers: files sss winbindSame goes for netgroup and sudoers> --------------------------------------------------------------------------------------------------------------------- > My /etc/sssd/sssd.conf > [sssd]Pointless telling us what your sssd.conf is, it isn't anything to do with Samba> ------------------------------------------------------------------------------------------- > My /etc/krb5.conf > [libdefaults] > default_realm = COMUNE.SPOLETO.LOCAL > dns_lookup_realm = false > dns_lookup_kdc = true >This is all you need in krb5.conf. I would make the alterations I have suggested, then choose whether to use 'sssd' or 'winbind', you cannot use both. If you decide to continue to use 'sssd' and you still have problems, you need to ask on the 'sssd-users' mailing list. Rowland
Andrea Rossetti
2018-Jan-08 17:27 UTC
[Samba] R: cannot list/access samba share from Windows client
Thanks for the rapid reply! I think the problem was in the server role options I’ve modified it in “server member” and now I’m able to list the shares under \\linuxserver from any domain user authenticated in a Windows pc AD member. But now 1. Execute computer management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin that is a “domain admins” member 2. Right click on computer management -> connect to another computer -> srvlnxwintra01 (the Linux server member) 3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares” right click on “share” -> Click Properties -> click on tab “Security”. In this tab I have the message “You musr have Read permission to view the properties of this object” even if I have granted SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If I execute “Computer Management” as “com_spoleto\adminserver” user (I explained below the reason I used this user) I can view/modify the ACLs. Please see MY inline comments, and at the end of this message I pasted my modified config files: Inviato da Posta per Windows 10 Da: Rowland Penny Inviato: lunedì 8 gennaio 2018 15:15 A: samba at lists.samba.org Cc: Andrea Rossetti Oggetto: Re: [Samba] cannot list/access samba share from Windows client>>The Linux samba server is an Ubuntu server >> 16.04 and I successfully added this samba server to a awindows active >> directory domain (Windows server 2012 R2). I login to the domain >> server machine as a domain admins user but II’m not able to >> list/access to the share when I digit in Windows Explorer >> \\servername I have the access denied with the request to insert the >> credential of a user enabled to it. Only the user mapped >> in /etc/samba/user.map can manage the server via the ADUC interface >> and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain >> admin Group>The only mapping in the user.map should be Administrator to root.I’ve mapped the user COM_SPOLETO\adminserver because it is an enterprise admin as the COM_SPOLETO\Administrator For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatoPrivilege do “com_spoleto\domain admins” group (see lines below)>> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges >> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter >> com_spoleto\adminserver's password: SeDiskOperatorPrivilege: >> COM_SPOLETO\Domain Admins >> BUILTIN\Administrators>> ----------------------------------------------------------------------------- >> My /etc/samba/user.map >> !root = COM_SPOLETO\Adminserver>It is Administrator not AdminserverAs just explained the adminserver is for us the enterprise domain admin. ---------------------------------------------- My modified /etc/samba/smb.conf # Global parameters [global] workgroup = COM_SPOLETO realm = COMUNE.SPOLETO.LOCAL server string = %h server (Samba, Ubuntu) interfaces = lo ens32 bind interfaces only = Yes server role = member server security = ADS map to guest = Bad User username map = /etc/samba/user.map kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 1000 client signing = if_required dns proxy = No panic action = /usr/share/samba/panic-action %d idmap config * : backend = tdb map acl inherit = Yes store dos attributes = Yes vfs objects = acl_xattr [printers] comment = All Printers path = /var/spool/samba create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers [share] comment = Progetti QGIS per Lizmap path = /home/data/share read only = No ------------------------------------------------------------------------------- My modified /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat sss group: compat sss shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis sss sudoers: files sss -------------------------------------------------------------------------------- My modified /etc/krb5.conf [libdefaults] default_realm = COMUNE.SPOLETO.LOCAL dns_lookup_realm = false dns_lookup_kdc = true
Seemingly Similar Threads
- cannot list/access samba share from Windows client
- R: cannot list/access samba share from Windows client
- R: cannot list/access samba share from Windows client
- R: R: cannot list/access samba share from Windows client
- R: R: cannot list/access samba share from Windows client