Andrea Rossetti
2018-Jan-08 17:27 UTC
[Samba] R: cannot list/access samba share from Windows client
Thanks for the rapid reply! I think the problem was in the server role options I’ve modified it in “server member” and now I’m able to list the shares under \\linuxserver from any domain user authenticated in a Windows pc AD member. But now 1. Execute computer management from a Windows domain member client as a domain admin user (run as com_spoleto\rossetti.admin that is a “domain admins” member 2. Right click on computer management -> connect to another computer -> srvlnxwintra01 (the Linux server member) 3. I expand “System Tools” -> I expand “Shared Folders” -> click on “Shares” right click on “share” -> Click Properties -> click on tab “Security”. In this tab I have the message “You musr have Read permission to view the properties of this object” even if I have granted SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If I execute “Computer Management” as “com_spoleto\adminserver” user (I explained below the reason I used this user) I can view/modify the ACLs. Please see MY inline comments, and at the end of this message I pasted my modified config files: Inviato da Posta per Windows 10 Da: Rowland Penny Inviato: lunedì 8 gennaio 2018 15:15 A: samba at lists.samba.org Cc: Andrea Rossetti Oggetto: Re: [Samba] cannot list/access samba share from Windows client>>The Linux samba server is an Ubuntu server >> 16.04 and I successfully added this samba server to a awindows active >> directory domain (Windows server 2012 R2). I login to the domain >> server machine as a domain admins user but II’m not able to >> list/access to the share when I digit in Windows Explorer >> \\servername I have the access denied with the request to insert the >> credential of a user enabled to it. Only the user mapped >> in /etc/samba/user.map can manage the server via the ADUC interface >> and list, but I’ve assigned the SeDiskOperatorPrivilege to all domain >> admin Group>The only mapping in the user.map should be Administrator to root.I’ve mapped the user COM_SPOLETO\adminserver because it is an enterprise admin as the COM_SPOLETO\Administrator For security reasons we have disabled the Administrator user account. In fact I used adminserver to grant SeDiskOperatoPrivilege do “com_spoleto\domain admins” group (see lines below)>> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges >> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter >> com_spoleto\adminserver's password: SeDiskOperatorPrivilege: >> COM_SPOLETO\Domain Admins >> BUILTIN\Administrators>> ----------------------------------------------------------------------------- >> My /etc/samba/user.map >> !root = COM_SPOLETO\Adminserver>It is Administrator not AdminserverAs just explained the adminserver is for us the enterprise domain admin. ---------------------------------------------- My modified /etc/samba/smb.conf # Global parameters [global] workgroup = COM_SPOLETO realm = COMUNE.SPOLETO.LOCAL server string = %h server (Samba, Ubuntu) interfaces = lo ens32 bind interfaces only = Yes server role = member server security = ADS map to guest = Bad User username map = /etc/samba/user.map kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 1000 client signing = if_required dns proxy = No panic action = /usr/share/samba/panic-action %d idmap config * : backend = tdb map acl inherit = Yes store dos attributes = Yes vfs objects = acl_xattr [printers] comment = All Printers path = /var/spool/samba create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers [share] comment = Progetti QGIS per Lizmap path = /home/data/share read only = No ------------------------------------------------------------------------------- My modified /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat sss group: compat sss shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis sss sudoers: files sss -------------------------------------------------------------------------------- My modified /etc/krb5.conf [libdefaults] default_realm = COMUNE.SPOLETO.LOCAL dns_lookup_realm = false dns_lookup_kdc = true
Rowland Penny
2018-Jan-08 17:47 UTC
[Samba] R: cannot list/access samba share from Windows client
On Mon, 8 Jan 2018 18:27:44 +0100 Andrea Rossetti <andy.ros at gmail.com> wrote:> Thanks for the rapid reply! > > I think the problem was in the server role options I’ve modified it > in “server member” and now I’m able to list the shares under > \\linuxserver from any domain user authenticated in a Windows pc AD > member. But now 1. Execute computer management from a Windows domain > member client as a domain admin user (run as > com_spoleto\rossetti.admin that is a “domain admins” member 2. Right > click on computer management -> connect to another computer -> > srvlnxwintra01 (the Linux server member) 3. I expand “System Tools” > -> I expand “Shared Folders” -> click on “Shares” right click on > “share” -> Click Properties -> click on tab “Security”. In this tab I > have the message “You musr have Read permission to view the > properties of this object” even if I have granted > SeDiskOperatorPrivilege to “com_spoleto\domain admins” Group. But If > I execute “Computer Management” as “com_spoleto\adminserver” user (I > explained below the reason I used this user) I can view/modify the > ACLs. > > Please see MY inline comments, and at the end of this message I > pasted my modified config files: > > Inviato da Posta per Windows 10 > > Da: Rowland Penny > Inviato: lunedì 8 gennaio 2018 15:15 > A: samba at lists.samba.org > Cc: Andrea Rossetti > Oggetto: Re: [Samba] cannot list/access samba share from Windows > client > > > > >>The Linux samba server is an Ubuntu server > >> 16.04 and I successfully added this samba server to a awindows > >> active directory domain (Windows server 2012 R2). I login to the > >> domain server machine as a domain admins user but II’m not able to > >> list/access to the share when I digit in Windows Explorer > >> \\servername I have the access denied with the request to insert > >> the credential of a user enabled to it. Only the user mapped > >> in /etc/samba/user.map can manage the server via the ADUC > >> interface and list, but I’ve assigned the SeDiskOperatorPrivilege > >> to all domain admin Group > > >The only mapping in the user.map should be Administrator to root. > > I’ve mapped the user COM_SPOLETO\adminserver because it is an > enterprise admin as the COM_SPOLETO\Administrator For security > reasons we have disabled the Administrator user account. In fact I > used adminserver to grant SeDiskOperatoPrivilege do > “com_spoleto\domain admins” group (see lines below) > > >> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges > >> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter > >> com_spoleto\adminserver's password: SeDiskOperatorPrivilege: > >> COM_SPOLETO\Domain Admins > >> BUILTIN\Administrators > > >> ----------------------------------------------------------------------------- > >> My /etc/samba/user.map > >> !root = COM_SPOLETO\Adminserver > > >It is Administrator not Adminserver > > As just explained the adminserver is for us the enterprise domain > admin. > > ---------------------------------------------- > My modified /etc/samba/smb.conf > # Global parameters > [global] > workgroup = COM_SPOLETO > realm = COMUNE.SPOLETO.LOCAL > server string = %h server (Samba, Ubuntu) > interfaces = lo ens32 > bind interfaces only = Yes > server role = member server > security = ADS > map to guest = Bad User > username map = /etc/samba/user.map > kerberos method = secrets and keytab > log file = /var/log/samba/log.%m > max log size = 1000 > client signing = if_required > dns proxy = No > panic action = /usr/share/samba/panic-action %d > idmap config * : backend = tdb > map acl inherit = Yes > store dos attributes = Yes > vfs objects = acl_xattr > > > [printers] > comment = All Printers > path = /var/spool/samba > create mask = 0700 > printable = Yes > browseable = No > > > [print$] > comment = Printer Drivers > path = /var/lib/samba/printers > > > [share] > comment = Progetti QGIS per Lizmap > path = /home/data/share > read only = No > ------------------------------------------------------------------------------- > > My modified /etc/nsswitch.conf > > # /etc/nsswitch.conf > # > # Example configuration of GNU Name Service Switch functionality. > # If you have the `glibc-doc-reference' and `info' packages > installed, try: # `info libc "Name Service Switch"' for information > about this file. > > passwd: compat sss > group: compat sss > shadow: compat > gshadow: files > > hosts: files dns > networks: files > > protocols: db files > services: db files > ethers: db files > rpc: db files > > netgroup: nis sss > sudoers: files sss > -------------------------------------------------------------------------------- > > My modified /etc/krb5.conf > > [libdefaults] > default_realm = COMUNE.SPOLETO.LOCAL > dns_lookup_realm = false > dns_lookup_kdc = trueYou are now solely using sssd for the authentication, you need to ask on the sssd-users mailing list, either that or purge sssd and set up winbind correctly. I repeat, 'sssd' has nothing to do with Samba and as such, I cannot help any further. Rowland
Andrea Rossetti
2018-Jan-08 18:57 UTC
[Samba] R: R: cannot list/access samba share from Windows client
Inviato da Posta per Windows 10>Da: Rowland Penny via samba >Inviato: lunedì 8 gennaio 2018 18:48 >A: samba at lists.samba.org >Oggetto: Re: [Samba] R: cannot list/access samba share from Windows client > >You are now solely using sssd for the authentication, you need to ask >on the sssd-users mailing list, either that or purge sssd and set up >winbind correctly.>I repeat, 'sssd' has nothing to do with Samba and as such, I cannot >help any further. > >RowlandOk I try to purge sssd and configure winbind. apt-get remove --purge sssd && apt-get autoremove --purge I successfull removed and re-joined the Linux domain member root at SRVLNXWINTRA01:/home/data# net ads leave -U "com_spoleto\adminserver" Enter com_spoleto\adminserver's password: Deleted account for 'SRVLNXWINTRA01' in realm 'COMUNE.SPOLETO.LOCAL' root at SRVLNXWINTRA01:/home/data# net ads join -U "com_spoleto\adminserver" Enter com_spoleto\adminserver's password: Using short domain name -- COM_SPOLETO Joined 'SRVLNXWINTRA01' to dns domain 'comune.spoleto.local' I modified the config files (see below) And restarted the services systemctl restart smbd nmbd winbind I verified that the SeDiskOperatorPrivilege was set up correctly to “domain admins” Group root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter com_spoleto\adminserver's password: SeDiskOperatorPrivilege: COM_SPOLETO\Domain Admins BUILTIN\Administrators I verified the connectiviti with the domain root at SRVLNXWINTRA01:/home/data# wbinfo --ping-dc checking the NETLOGON for domain[COM_SPOLETO] dc connection to "SRVW3KDC01.comune.spoleto.local" succeeded but now when I Look up Domain Users and Groups root at SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti root at SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain admins" I have no response and so I’m unable to assign the permission attribute to the share root at SRVLNXWINTRA01:/home/data# LANG=en_EN chown root:"com_spoleto\domain admins" share chown: invalid group: 'root:com_spoleto\\domain admins' I’m very confused now! -------------------------------------------------------------------------------- now my /etc/samba/smb.conf is # Global parameters [global] workgroup = COM_SPOLETO realm = COMUNE.SPOLETO.LOCAL server string = %h server (Samba, Ubuntu) interfaces = lo ens32 bind interfaces only = Yes server role = member server security = ADS map to guest = Bad User username map = /etc/samba/user.map kerberos method = secrets and keytab log file = /var/log/samba/log.%m max log size = 1000 client signing = if_required dns proxy = No panic action = /usr/share/samba/panic-action %d winbind refresh tickets = Yes idmap config com_spoleto : range = 10000-29999 idmap config com_spoleto : backend = rid idmap config * : range = 3000-7999 idmap config * : backend = tdb map acl inherit = Yes store dos attributes = Yes vfs objects = acl_xattr [printers] comment = All Printers path = /var/spool/samba create mask = 0700 printable = Yes browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/printers [share] comment = Progetti QGIS per Lizmap path = /home/data/share read only = No inherit acls = Yes ---------------------------------------------------------------------------- My /etc/nsswitch.conf # /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc-reference' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: compat winbind group: compat winbind shadow: compat gshadow: files hosts: files dns networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis sudoers: files ------------------------------------------------------------------------------------- My /etc/krb5.conf [libdefaults] default_realm = COMUNE.SPOLETO.LOCAL dns_lookup_realm = false dns_lookup_kdc = true
Maybe Matching Threads
- R: cannot list/access samba share from Windows client
- cannot list/access samba share from Windows client
- R: R: cannot list/access samba share from Windows client
- R: R: cannot list/access samba share from Windows client
- cannot list/access samba share from Windows client