samba - Jan 2018 - R: R: cannot list/access samba share from Windows client

Inviato da Posta per Windows 10
>Da: Rowland Penny via samba
>Inviato: lunedì 8 gennaio 2018 18:48
>A: samba at lists.samba.org
>Oggetto: Re: [Samba] R: cannot list/access samba share from Windows client
>
>You are now solely using sssd for the authentication, you need to ask
>on the sssd-users mailing list, either that or purge sssd and set up
>winbind correctly.
>I repeat, 'sssd' has nothing to do with Samba and as such, I cannot
>help any further.
>
>Rowland
Ok I try to purge sssd and configure winbind.

apt-get remove --purge sssd && apt-get autoremove --purge

I successfull removed and re-joined the Linux domain member

root at SRVLNXWINTRA01:/home/data# net ads leave -U
"com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Deleted account for 'SRVLNXWINTRA01' in realm
'COMUNE.SPOLETO.LOCAL'
root at SRVLNXWINTRA01:/home/data# net ads join -U
"com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
Using short domain name -- COM_SPOLETO
Joined 'SRVLNXWINTRA01' to dns domain 'comune.spoleto.local'

I modified the config files (see below)
And restarted the services

systemctl restart smbd nmbd winbind

I verified that the SeDiskOperatorPrivilege was set up correctly to “domain
admins” Group

root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges
SeDiskOperatorPrivilege -U "com_spoleto\adminserver"
Enter com_spoleto\adminserver's password:
SeDiskOperatorPrivilege:
  COM_SPOLETO\Domain Admins
  BUILTIN\Administrators

I verified the connectiviti with the domain

root at SRVLNXWINTRA01:/home/data# wbinfo --ping-dc
checking the NETLOGON for domain[COM_SPOLETO] dc connection to
"SRVW3KDC01.comune.spoleto.local" succeeded

but now when I Look up Domain Users and Groups

root at SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\andrea.rossetti
root at SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain
admins"

I have no response and so I’m unable to assign the permission attribute to the
share

root at SRVLNXWINTRA01:/home/data# LANG=en_EN chown
root:"com_spoleto\domain admins" share
chown: invalid group: 'root:com_spoleto\\domain admins'

I’m very confused now!

--------------------------------------------------------------------------------
now my /etc/samba/smb.conf is

# Global parameters
[global]
        workgroup = COM_SPOLETO
        realm = COMUNE.SPOLETO.LOCAL
        server string = %h server (Samba, Ubuntu)
        interfaces = lo ens32
        bind interfaces only = Yes
        server role = member server
        security = ADS
        map to guest = Bad User
        username map = /etc/samba/user.map
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        max log size = 1000
        client signing = if_required
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        winbind refresh tickets = Yes
        idmap config com_spoleto : range = 10000-29999
        idmap config com_spoleto : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr


[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers


[share]
        comment = Progetti QGIS per Lizmap
        path = /home/data/share
        read only = No
        inherit acls = Yes
----------------------------------------------------------------------------
My /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files
-------------------------------------------------------------------------------------

My /etc/krb5.conf
[libdefaults]
         default_realm = COMUNE.SPOLETO.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

On Mon, 8 Jan 2018 19:57:59 +0100
Andrea Rossetti <andy.ros at gmail.com> wrote:
> Inviato da Posta per Windows 10
> 
> >Da: Rowland Penny via samba
> >Inviato: lunedì 8 gennaio 2018 18:48
> >A: samba at lists.samba.org
> >Oggetto: Re: [Samba] R: cannot list/access samba share from Windows
> >client
> >
> >You are now solely using sssd for the authentication, you need to ask
> >on the sssd-users mailing list, either that or purge sssd and set up
> >winbind correctly.
> 
> >I repeat, 'sssd' has nothing to do with Samba and as such, I
cannot
> >help any further.
> >
> >Rowland
> 
> Ok I try to purge sssd and configure winbind.
> 
> apt-get remove --purge sssd && apt-get autoremove --purge
> 
> I successfull removed and re-joined the Linux domain member
> 
> root at SRVLNXWINTRA01:/home/data# net ads leave -U
> "com_spoleto\adminserver" Enter com_spoleto\adminserver's
password:
> Deleted account for 'SRVLNXWINTRA01' in realm
'COMUNE.SPOLETO.LOCAL'
> root at SRVLNXWINTRA01:/home/data# net ads join -U
> "com_spoleto\adminserver" Enter com_spoleto\adminserver's
password:
> Using short domain name -- COM_SPOLETO
> Joined 'SRVLNXWINTRA01' to dns domain
'comune.spoleto.local'
> 
> I modified the config files (see below)
> And restarted the services
> 
> systemctl restart smbd nmbd winbind
> 
> I verified that the SeDiskOperatorPrivilege was set up correctly to
> “domain admins” Group
> 
> root at SRVLNXWINTRA01:/home/data# net rpc rights list privileges
> SeDiskOperatorPrivilege -U "com_spoleto\adminserver" Enter
> com_spoleto\adminserver's password: SeDiskOperatorPrivilege:
>   COM_SPOLETO\Domain Admins
>   BUILTIN\Administrators
> 
> I verified the connectiviti with the domain
> 
> root at SRVLNXWINTRA01:/home/data# wbinfo --ping-dc
> checking the NETLOGON for domain[COM_SPOLETO] dc connection to
> "SRVW3KDC01.comune.spoleto.local" succeeded
> 
> but now when I Look up Domain Users and Groups
> 
> root at SRVLNXWINTRA01:/home/data# getent passwd
> com_spoleto\andrea.rossetti root at SRVLNXWINTRA01:/home/data# getent
> group "com_spoleto\\domain admins"
> 
> I have no response and so I’m unable to assign the permission
> attribute to the share
> 
> root at SRVLNXWINTRA01:/home/data# LANG=en_EN chown
> root:"com_spoleto\domain admins" share chown: invalid group:
> 'root:com_spoleto\\domain admins'
> 
> I’m very confused now!
> 
>
OK, If I run this on a Unix domain member:

getent passwd samdom\rowland

I get no output, but this:

getent passwd samdom\\rowland

gets me this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I use the winbind 'ad' backend and 'Domain Admins' does not have
a
gidNumber attribute, but 'Domain Users' does.

getent group "samdom\\domain users"

gets me this:

domain users:x:10000:<list of group members>

Try running 'net cache flush' and then try again.

Rowland

Ok.
I’ve done
root at SRVLNXWINTRA01:/home/data# nano /etc/samba/smb.conf

modified 
idmap config COM_SPOLETO : backend = rid
to
idmap config COM_SPOLETO : backend = ad

root at SRVLNXWINTRA01:/home/data# systemctl restart smbd nmbd winbind
root at SRVLNXWINTRA01:/home/data# net cache flush
root at SRVLNXWINTRA01:/home/data# getent passwd com_spoleto\\andrea.rossetti
root at SRVLNXWINTRA01:/home/data# getent group "com_spoleto\\domain
admins"

nothing is changed!

More and more confused now! ☹

Inviato da Posta per Windows 10

Da: Rowland Penny via samba
Inviato: lunedì 8 gennaio 2018 20:31
A: samba at lists.samba.org
Oggetto: Re: [Samba] R: R: cannot list/access samba share from Windows client
>OK, If I run this on a Unix domain member:
>
>getent passwd samdom\rowland
>
>I get no output, but this:
>
>getent passwd samdom\\rowland
>
>gets me this:
>
>rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
>I use the winbind 'ad' backend and 'Domain Admins' does not
have a
>gidNumber attribute, but 'Domain Users' does.
>
>getent group "samdom\\domain users"
>
>gets me this:
>
>domain users:x:10000:<list of group members>
>
>Try running 'net cache flush' and then try again.
>
>Rowland