Bruno Sousa
2018-Mar-27 19:42 UTC
[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder
I joined my Debian 9 server into an Active Directory structure as a domain member, not as a DC. When I try to share a folder on this server, the client PC can't authenticate correctly and use the folder. It keeps saying "Access Denied" on the Windows client PC. There is no error in the log files (/var/log/samba/). If I allow anonymous users, it works fine. I used to use the same configuration on Debian 7 and it worked.

What is wrong?

/etc/samba/smb.conf:

[global]
workgroup = MP
realm = INTRANET.OBFUSCATEDDOMAIN
server string = %h server
wins server = intranet.obfuscateddomain
dns proxy = no
interfaces = ens32 lo

log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
load printers = no

idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
idmap config MP : default = yes
idmap config MP : backend = ad
idmap config * : range = 20000-29999
idmap config *:backend = rid
winbind enum groups = yes
winbind enum users = yes
local master = no
domain master = no
preferred master = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
invalid users = root
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes

[GR-UITEC]
comment = Pasta para GR-UITEC
path = /home/apache/desenvolvimento
readonly = no

valid users = MP\bruno.guimaraes
admin users = MP\bruno.guimaraes
force user = www-data
force group = www-data

/etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

/etc/krb5.conf

[libdefaults]
default_realm = INTRANET.OBFUSCATEDDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
INTRANET.OBFUSCATEDDOMAIN = {
kdc = INTRANET.OBFUSCATEDDOMAIN:88
admin_server = INTRANET.OBFUSCATEDDOMAIN
}

[domain_realm]
.intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN

Regards,
--
Bruno Guimarães Sousa
MPBA's mission: To defend society and the democratic regime in order to guarantee full citizenship.
Rowland Penny
2018-Mar-27 20:25 UTC
[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder
On Tue, 27 Mar 2018 16:42:00 -0300
Bruno Sousa via samba <samba at lists.samba.org> wrote:

> I joined my Debian 9 server into an Active Directory structure as a
> domain member, not as a DC. When I try to share a folder on this
> server, the client PC can't authenticate correctly and use the
> folder. It keeps saying "Access Denied" on the Windows client PC. There
> is no error in the log files (/var/log/samba/). If I allow anonymous
> users, it works fine. I used to use the same configuration on Debian
> 7 and it worked.
>
> What is wrong?
>
> /etc/samba/smb.conf:
>
> [global]
> workgroup = MP
> realm = INTRANET.OBFUSCATEDDOMAIN
> server string = %h server
> wins server = intranet.obfuscateddomain

You should remove the above line; you should be using DNS to find the DC.

> dns proxy = no
> interfaces = ens32 lo
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes

Do you have users in /etc/passwd that are also in AD? If you do, you
should remove them from /etc/passwd. You should remove the unix
password sync line.

> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> load printers = no
>
> idmap config MP : schema_mode = rfc2307
> idmap config MP : range = 10000000-29999999
> idmap config MP : default = yes
> idmap config MP : backend = ad
> idmap config * : range = 20000-29999
> idmap config *:backend = rid

Some of the above lines are wrong: the backend for the BUILTIN domain
(the '*' domain) should be 'tdb'.
You do not need the 'default = yes' line.
Do your users & groups have uidNumber & gidNumber attributes
containing numbers inside the '10000000-29999999' range?

> winbind enum groups = yes
> winbind enum users = yes
> local master = no
> domain master = no
> preferred master = no
> winbind uid = 10000-20000
> winbind gid = 10000-20000

The above two lines are replaced by the 'idmap config' lines and
should be removed.

> winbind use default domain = yes
> invalid users = root
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
>
> [GR-UITEC]
> comment = Pasta para GR-UITEC
> path = /home/apache/desenvolvimento
> readonly = no
>
> valid users = MP\bruno.guimaraes
> admin users = MP\bruno.guimaraes
> force user = www-data
> force group = www-data
>
> /etc/nsswitch.conf:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind

You shouldn't have 'winbind' on the 'shadow' line.

> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = INTRANET.OBFUSCATEDDOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = false

You only need the above lines in /etc/krb5.conf, and 'dns_lookup_kdc'
should be set to true; you can safely remove the rest of the lines.

Rowland
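The points in the reply above are easy to lose between `testparm` runs, since `testparm` only validates syntax and will happily accept a 'rid' backend for the '*' domain or a stale 'winbind uid' line. The following small linter is an added example written for this thread; it is not code from the poster, from Rowland, or from the Samba project. It parses smb.conf-style files (including the two spellings of 'idmap config DOM : option' seen in the poster's file), flags every item the reply raised, and adds one check that goes beyond the reply: the ranges of different idmap domains must not overlap (a general Samba idmap rule). The sample inputs are constructed from the lines of the poster's files that the reply comments on; the finding codes and message texts are this example's own.

```python
import re

# Constructed sample: the [global] lines from the poster's smb.conf that the
# reply comments on (not the complete file).
SAMPLE_SMB_CONF = """
[global]
wins server = intranet.obfuscateddomain
unix password sync = yes
idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
idmap config MP : default = yes
idmap config MP : backend = ad
idmap config * : range = 20000-29999
idmap config *:backend = rid
winbind uid = 10000-20000
winbind gid = 10000-20000
"""
# The same lines with the reply's changes applied (constructed).
FIXED_SMB_CONF = """
[global]
idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
idmap config MP : backend = ad
idmap config * : range = 20000-29999
idmap config * : backend = tdb
"""
SAMPLE_NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat winbind\n"
SAMPLE_KRB5 = "[libdefaults]\ndefault_realm = INTRANET.OBFUSCATEDDOMAIN\ndns_lookup_kdc = false\n"

def normalise_key(key):
    """Canonicalise 'idmap config DOM:opt' / 'idmap config DOM : opt' and lower-case options."""
    key = " ".join(key.split())
    if key.lower().startswith("idmap config"):
        dom, _, opt = key[len("idmap config"):].partition(":")
        return f"idmap config {dom.strip()} : {opt.strip().lower()}"
    return key.lower()

def parse_ini(text):
    """Minimal smb.conf/krb5.conf parser -> {section: {key: value}} (krb5 '{}' blocks not modelled)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][normalise_key(key)] = value.strip()
    return sections

def lint_smb_conf(sections):
    """Return (code, message) findings; each code encodes one point from the reply."""
    g, findings = sections.get("global", {}), []
    if "wins server" in g:
        findings.append(("wins-server", "remove 'wins server'; a domain member locates the DC via DNS"))
    if g.get("unix password sync", "no").lower() == "yes":
        findings.append(("unix-password-sync", "remove 'unix password sync'; AD users do not belong in /etc/passwd"))
    for p in ("winbind uid", "winbind gid"):
        if p in g:
            findings.append(("winbind-uid-gid", f"'{p}' is replaced by the 'idmap config' ranges; remove it"))
    idmap = {}  # domain -> {option: value}
    for key, value in g.items():
        if key.startswith("idmap config "):
            dom, _, opt = key[len("idmap config "):].partition(" : ")
            idmap.setdefault(dom, {})[opt] = value
    star = idmap.get("*", {}).get("backend", "unset")
    if star.lower() != "tdb":
        findings.append(("idmap-star-backend", f"'idmap config * : backend' is {star!r}; the '*' domain should use 'tdb'"))
    ranges = []
    for dom, opts in idmap.items():
        if "default" in opts:
            findings.append(("idmap-default", f"'idmap config {dom} : default' is not needed"))
        if "range" in opts:
            lo, hi = opts["range"].replace(" ", "").split("-")
            ranges.append((dom, int(lo), int(hi)))
    # Check added beyond the reply: the ranges of different idmap domains must not overlap.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(("idmap-range-overlap", f"idmap ranges for '{d1}' and '{d2}' overlap"))
    return findings

def lint_nsswitch(text):
    """Flag 'winbind' on the shadow line, as the reply advises."""
    return [("shadow-winbind", "drop 'winbind' from the shadow line")
            for line in text.splitlines()
            if line.partition(":")[0].strip() == "shadow" and "winbind" in line.partition(":")[2].split()]

def lint_krb5(sections):
    """Flag dns_lookup_kdc unless it is true."""
    if sections.get("libdefaults", {}).get("dns_lookup_kdc", "").lower() != "true":
        return [("dns-lookup-kdc", "set 'dns_lookup_kdc = true' so the KDC is found through DNS")]
    return []
```

Against SAMPLE_SMB_CONF this reports the wins server, unix password sync, winbind uid/gid, '*' backend and 'default = yes' findings and nothing for the ranges, because 20000-29999 and 10000000-29999999 are disjoint; against FIXED_SMB_CONF it reports nothing. On a real host, feed it `open("/etc/samba/smb.conf").read()` and the other two files, then confirm the identity mapping the reply asks about with `wbinfo -u`, `getent passwd` for a domain user and `id` for that user: a user with no uidNumber inside the configured range will not resolve, which is one way to get "Access Denied" with an otherwise clean log.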