Bruno Sousa
2018-Mar-27 19:42 UTC
[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder
I joined my Debian 9 server into an Active Directory structure as a domain
member, not as a DC. Then when I try to share a folder on this server, the
client PC can't correctly authenticate and use the folder. It keeps saying
"Access Denied" on the Windows client PC. There is no error in the log files
(/var/log/samba/). If I allow anonymous users, it works fine. I used to use the
same configuration on Debian 7 and it worked.
What is wrong?
/etc/samba/smb.conf:
[global]
workgroup = MP
realm = INTRANET.OBFUSCATEDDOMAIN
server string = %h server
wins server = intranet.obfuscateddomain
dns proxy = no
interfaces = ens32 lo
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
security = ads
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
load printers = no
idmap config MP : schema_mode = rfc2307
idmap config MP : range = 10000000-29999999
idmap config MP : default = yes
idmap config MP : backend = ad
idmap config * : range = 20000-29999
idmap config *:backend = rid
winbind enum groups = yes
winbind enum users = yes
local master = no
domain master = no
preferred master = no
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
invalid users = root
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
[GR-UITEC]
comment = Pasta para GR-UITEC
path = /home/apache/desenvolvimento
readonly = no
valid users = MP\bruno.guimaraes
admin users = MP\bruno.guimaraes
force user = www-data
force group = www-data
/etc/nsswitch.conf:
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
/etc/krb5.conf
[libdefaults]
default_realm = INTRANET.OBFUSCATEDDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
INTRANET.OBFUSCATEDDOMAIN = {
kdc = INTRANET.OBFUSCATEDDOMAIN:88
admin_server = INTRANET.OBFUSCATEDDOMAIN
}
[domain_realm]
.intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
intranet.obfuscateddomain = INTRANET.OBFUSCATEDDOMAIN
Regards,
--
Bruno Guimarães Sousa
MPBA's mission: To defend society and the democratic regime in order to guarantee
full citizenship.
Rowland Penny
2018-Mar-27 20:25 UTC
[Samba] Debian 9 + Samba 4.5 + Winbind 4.5 = Can't authenticate user for shared folder
On Tue, 27 Mar 2018 16:42:00 -0300 Bruno Sousa via samba <samba at lists.samba.org> wrote:
> I joined my Debian 9 server into an Active Directory structure as a
> domain member, not as a DC. Then when I try to share a folder on this
> server, the client PC can't correctly authenticate and use the
> folder. It keeps saying "Access Denied" on the Windows client PC. There
> is no error in the log files (/var/log/samba/). If I allow anonymous
> users, it works fine. I used to use the same configuration on Debian
> 7 and it worked.
>
> What is wrong?
>
> /etc/samba/smb.conf:
>
> [global]
> workgroup = MP
> realm = INTRANET.OBFUSCATEDDOMAIN
> server string = %h server
> wins server = intranet.obfuscateddomain

You should remove the above line, you should be using DNS to find the DC.

> dns proxy = no
> interfaces = ens32 lo
>
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes

Do you have users in /etc/passwd that are also in AD? If you do, you
should remove them from /etc/passwd. You should remove the unix password
sync line.

> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> load printers = no
>
> idmap config MP : schema_mode = rfc2307
> idmap config MP : range = 10000000-29999999
> idmap config MP : default = yes
> idmap config MP : backend = ad
> idmap config * : range = 20000-29999
> idmap config *:backend = rid

Some of the above lines are wrong, the backend for the BUILTIN domain
(the '*' domain) should be 'tdb'. You do not need the 'default = yes'
line. Do your users & groups have uidNumber & gidNumber attributes
containing numbers inside the '10000000-29999999' range?

> winbind enum groups = yes
> winbind enum users = yes
> local master = no
> domain master = no
> preferred master = no
> winbind uid = 10000-20000
> winbind gid = 10000-20000

The above two lines are replaced by the 'idmap config' lines and should
be removed.

> winbind use default domain = yes
> invalid users = root
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
>
> [GR-UITEC]
> comment = Pasta para GR-UITEC
> path = /home/apache/desenvolvimento
> readonly = no
>
> valid users = MP\bruno.guimaraes
> admin users = MP\bruno.guimaraes
> force user = www-data
> force group = www-data
>
> /etc/nsswitch.conf:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind

You shouldn't have 'winbind' on the 'shadow' line.

> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = INTRANET.OBFUSCATEDDOMAIN
> dns_lookup_realm = false
> dns_lookup_kdc = false

You only need the above lines in /etc/krb5.conf, and 'dns_lookup_kdc'
should be set to true; you can safely remove the rest of the lines.

Rowland
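The points Rowland raises above, turned into a small POSIX shell lint that flags each of them in a domain-member smb.conf, nsswitch.conf and krb5.conf. This is an added example, not code from the thread or from the Samba project; the function names lint_member_config and count_findings are my own, and the sample files it writes are constructed to mirror the posted configuration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a domain-member smb.conf,
# nsswitch.conf and krb5.conf for the mistakes Rowland lists above.
# Prints one finding per line. The sample files below are constructed
# to mirror Bruno's post, with the domain names obfuscated as in the thread.
lint_member_config() {
  smb=$1 nss=$2 krb=$3
  # strip leading blanks and comment lines, squeeze spaces around '=' and ':'
  cfg=$(sed -e 's/^[[:space:]]*//' -e '/^[;#]/d' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*:[[:space:]]*/:/' "$smb")
  # lines a DNS-based, idmap-config member should not carry at all
  for key in 'wins server' 'unix password sync' 'winbind uid' 'winbind gid'; do
    echo "$cfg" | grep -qi "^$key=" && echo "smb.conf: remove the '$key' line"
  done
  echo "$cfg" | grep -qi '^idmap config \*:backend=tdb' \
    || echo "smb.conf: backend for the '*' (BUILTIN) domain should be tdb"
  echo "$cfg" | grep -qi '^idmap config [^:]*:default=yes' \
    && echo "smb.conf: 'idmap config DOM : default = yes' is not needed"
  grep -qiE '^[[:space:]]*shadow:.*winbind' "$nss" \
    && echo "nsswitch.conf: drop 'winbind' from the shadow line"
  grep -qiE '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*false' "$krb" \
    && echo "krb5.conf: dns_lookup_kdc should be true so the KDC is found via DNS"
  return 0
}
# number of findings; awk prints 0 for an empty stream and always exits 0
count_findings() { lint_member_config "$1" "$2" "$3" | awk 'END { print NR }'; }
# constructed sample files echoing the configuration posted in the thread
dir=$(mktemp -d)
cat >"$dir/smb.conf" <<'EOF'
[global]
   workgroup = MP
   realm = INTRANET.OBFUSCATEDDOMAIN
   wins server = intranet.obfuscateddomain
   security = ads
   unix password sync = yes
   idmap config MP : backend = ad
   idmap config MP : range = 10000000-29999999
   idmap config MP : default = yes
   idmap config * : range = 20000-29999
   idmap config * : backend = rid
   winbind uid = 10000-20000
   winbind gid = 10000-20000
EOF
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat winbind\n' >"$dir/nsswitch.conf"
printf '[libdefaults]\n default_realm = INTRANET.OBFUSCATEDDOMAIN\n dns_lookup_kdc = false\n' >"$dir/krb5.conf"
lint_member_config "$dir/smb.conf" "$dir/nsswitch.conf" "$dir/krb5.conf"
```

Run it against the real /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/krb5.conf after editing; an empty output means none of the listed problems remain (it does not replace testparm or a join test).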