Hi,

We're having issues accessing shares from our Samba file server.

If we try to access the share from a domain joined Windows machine, it prompts with enter username and password. If we supply the domain password it fails. The error that we get is the following.

Failed to find a Unix account for peteruser 'lin\aadamson' (from session setup) not permitted to access this share (data)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED

However, if we supply the pdcname\username and password it works, as per below

[2018/03/29 20:04:07.754925, 5] auth/auth_util.c:111(make_user_info_map)
Mapping user [lin-pdc]\[aaamson] from workstation [PC-WIN-001-AR]

The server is joined to the Domain

net rpc join -U tadmin
Enter tadmin's password:
Joined domain LIN.

Here is
/etc/nsswitch.conf

#passwd: compat
#group: compat
#shadow: compat

passwd: files winbind
group: files winbind
shadow: files winbind

smb.conf

workgroup = LIN
netbios name = LINFS01
security = domain
obey pam restrictions = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
wins server = 192.168.100.23

password server = lin-pdc

[homes]
comment = our home
create mask = 0700
directory mask = 0700
browseable = No
read only = No
path = %H/samba

other shares are also defined.

What could be the issue?

Regards,
RT
Is this something that used to work but no longer does?

What are the results of "net rpc testjoin" command on the samba server?

Is the domain controller also samba?

What does "wbinfo -u" command show on the samba server? On my servers it shows "DOMAINNAME\eachuser" but that is with "winbind trusted domains only = No" and "winbind use default domain = No" set in smb.conf.

Does "getent passwd" show domain users?

On 04/02/18 06:21, Rob Thoman via samba wrote:
> Hi,
>
> We're having issues accessing shares from our Samba file server.
>
> If we try to access the share from a domain joined Windows machine, it
> prompts with enter username and password. If we supply the domain password
> it fails. The error that we get is the following.
> Failed to find a Unix account for peteruser 'lin\aadamson' (from session
> setup) not permitted to access this share (data)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>
> However, if we supply the pdcname\username and password it works, as per
> below
> [2018/03/29 20:04:07.754925, 5] auth/auth_util.c:111(make_user_info_map)
> Mapping user [lin-pdc]\[aaamson] from workstation [PC-WIN-001-AR]
>
> The server is joined to the Domain
>
> net rpc join -U tadmin
> Enter tadmin's password:
> Joined domain LIN.
>
> Here is
> /etc/nsswitch.conf
>
> #passwd: compat
> #group: compat
> #shadow: compat
>
> passwd: files winbind
> group: files winbind
> shadow: files winbind
>
> smb.conf
>
> workgroup = LIN
> netbios name = LINFS01
> security = domain
> obey pam restrictions = no
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> wins server = 192.168.100.23
>
> password server = lin-pdc
>
> [homes]
> comment = our home
> create mask = 0700
> directory mask = 0700
> browseable = No
> read only = No
> path = %H/samba
>
> other shares are also defined.
>
> What could be the issue?
>
> Regards,
> RT
Hi,

The setup used to work when both file and AD were in the same box. We're trying to separate them.

The 'net rpc testjoin' gives: Join to "LIN" is ok.

The wbinfo -u does list all users with "LIN\username".

The getent passwd lists the LIN\username with all the attributes. This is after putting in your suggestions about winbind trusted domains only and use default domain option.

Do I need to change anything on the PDC side? nsswitch?

On Mon, Apr 2, 2018 at 9:48 PM, Gaiseric Vandal via samba <samba at lists.samba.org> wrote:
> Is this something that used to work but no longer does?
>
> What are the results of "net rpc testjoin" command on the samba server?
>
> Is the domain controller also samba?
>
> What does "wbinfo -u" command show on the samba server? On my servers
> it shows "DOMAINNAME\eachuser" but that is with "winbind trusted domains only
> = No" and "winbind use default domain = No" set in smb.conf.
>
> Does "getent passwd" show domain users?
>
> On 04/02/18 06:21, Rob Thoman via samba wrote:
>
>> Hi,
>>
>> We're having issues accessing shares from our Samba file server.
>>
>> If we try to access the share from a domain joined Windows machine, it
>> prompts with enter username and password. If we supply the domain password
>> it fails. The error that we get is the following.
>> Failed to find a Unix account for peteruser 'lin\aadamson' (from session
>> setup) not permitted to access this share (data)
>> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>
>> However, if we supply the pdcname\username and password it works, as per
>> below
>> [2018/03/29 20:04:07.754925, 5] auth/auth_util.c:111(make_user_info_map)
>> Mapping user [lin-pdc]\[aaamson] from workstation [PC-WIN-001-AR]
>>
>> The server is joined to the Domain
>>
>> net rpc join -U tadmin
>> Enter tadmin's password:
>> Joined domain LIN.
>>
>> Here is
>> /etc/nsswitch.conf
>>
>> #passwd: compat
>> #group: compat
>> #shadow: compat
>>
>> passwd: files winbind
>> group: files winbind
>> shadow: files winbind
>>
>> smb.conf
>>
>> workgroup = LIN
>> netbios name = LINFS01
>> security = domain
>> obey pam restrictions = no
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> wins server = 192.168.100.23
>>
>> password server = lin-pdc
>>
>> [homes]
>> comment = our home
>> create mask = 0700
>> directory mask = 0700
>> browseable = No
>> read only = No
>> path = %H/samba
>>
>> other shares are also defined.
>>
>> What could be the issue?
>>
>> Regards,
>> RT
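
Added example, not written by any poster in this thread and not code from the Samba project: it compares the name form that "getent passwd" returns with the "winbind use default domain" setting, and checks winbind UIDs against the "idmap config * : range". The smb.conf and getent text are constructed samples, and parse_global and audit are hypothetical helper names.

```python
import re

# Constructed inputs for illustration; not taken from the poster's server.
SMB_CONF = """[global]
workgroup = LIN
idmap config * : range = 3000-7999
winbind use default domain = yes
[homes]
read only = No
"""
GETENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
aadamson:*:3001:3000::/home/LIN/aadamson:/bin/false
LIN\\bjones:*:3002:3000::/home/LIN/bjones:/bin/false
LIN\\cstone:*:9001:3000::/home/LIN/cstone:/bin/false
"""

def parse_global(conf):
    """Read [global] parameters; smb.conf names ignore case and whitespace."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(conf, getent, domain):
    """Return (account, problem) pairs for winbind-provided passwd entries."""
    p = parse_global(conf)
    default_dom = p.get("winbindusedefaultdomain", "no").lower() in ("yes", "true", "1")
    low, high = (int(n) for n in p["idmapconfig*:range"].split("-"))
    findings = []
    for entry in getent.splitlines():
        name, _, uid = entry.split(":")[:3]
        prefixed = name.upper().startswith(domain.upper() + "\\")
        in_range = low <= int(uid) <= high
        if not prefixed and not in_range:
            continue  # local account served by "files", not winbind
        if prefixed and default_dom:
            findings.append((name, "prefixed name but 'winbind use default domain' is on"))
        if prefixed and not in_range:
            findings.append((name, f"uid {uid} outside idmap range {low}-{high}"))
    return findings

if __name__ == "__main__":
    for account, problem in audit(SMB_CONF, GETENT_PASSWD, "LIN"):
        print(f"{account}: {problem}")
```

A prefixed name while the option is on usually means winbindd is still running with an older configuration than the file on disk.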