Hi @ll !

I am trying to set up a Samba fileserver on SuSE 42.3 as a domain member in a Debian-based Samba4 AD. The join seems to be OK, as I can get wbinfo -u and -g, and getent group and passwd. I can also list all browsable shares with smbclient -L \\SambaFS -Uusername, but when I add -k, I get the following errors:

  SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
  SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
  session setup failed: NT_STATUS_INVALID_PARAMETER

----------------------------------------------------------------------------------------

So I bought a book by Stefan Kania on Samba4 in AD that I worked through page by page - but I do not get access to shares for the domain members except the domain admin. Windows prompts for user authentication. The "profiles" share works perfectly and is owned by the same gid as the other "general" share. I would like to use Windows rights management for the shares in future.

Some information:

  Samba1:/ # getent passwd mjackson
  mjackson:*:1001113:10013::/home/SAMDOM/mjackson:/bin/false

  Samba1:/ # ls -ln /home/samba
  total 4
  drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

  Samba1:/ # ls -lh /home/samba
  total 4.0K
  drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 domdata

and another one for the working profiles share:

  Samba1:/home # ls -lh
  total 4.0K
  drwxrwx--T  3 root          domain users   27 Apr 17 10:46 profile
  drwxrwsr-x  3 administrator domain users   25 Apr 18 10:37 samba
  drwxr-xr-x 19 samba1        users        4.0K Apr 19 08:56 samba1

  Samba1:/home # ls -ln
  total 4
  drwxrwx--T  3 0     10013   27 Apr 17 10:46 profile
  drwxrwsr-x  3 10003 10013   25 Apr 18 10:37 samba
  drwxr-xr-x 19 1000  100   4096 Apr 19 08:56 samba1

---------------------------------------------------------------------------

  Samba1:/ # smbclient -L \\Samba1 -Umjackson
  WARNING: The "idmap gid" option is deprecated        <------- what is the actual way? :)
  WARNING: The "idmap uid" option is deprecated
  lp_load_ex: changing to config backend registry
  WARNING: The "idmap gid" option is deprecated
  WARNING: The "idmap uid" option is deprecated
  Enter SAMDOM\mjackson's password:
  OS=[Windows 6.1] Server=[Samba 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64]

          Sharename       Type      Comment
          ---------       ----      -------
          IPC$            IPC       IPC Service (Samba 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64)
          domData         Disk      Famous domdata
          test2           Disk      tester
  OS=[Windows 6.1] Server=[Samba 4.6.13-git.72.2a684235f4112.1-SUSE-SLE_12-x86_64]

          Server               Comment
          ---------            -------

          Workgroup            Master
          ---------            -------
          WORKGROUP            SOMEPC

smb.conf:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\global]
  "idmap gid"="10000-20000"
  "idmap uid"="10000-20000"
  "usershare allow guests"="No"
  "workgroup"="SAMDOM"
  "template homedir"="/home/%D/%U"
  "winbind refresh tickets"="yes"
  "netbios name"="Samba1"
  "wins support"="Yes"
  "winbind enum users"="yes"
  "winbind enum groups"="yes"
  "winbind use default domain"="yes"
  "idmap config * : range"="10000 - 19999"
  "idmap config SAMDOM: backend"="rid"
  "idmap config SAMDOM : range"="1000000 - 1999999"
  "store dos attributes"="yes"
  "vfs objects"="acl_xattr"
  "hide unreadable"="yes"
  "security"="ads"
  "realm"="SAMDOM.TEST"

  [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\Admin-Share]
  "browseable"="no"
  "read only"="no"
  "path"="/home/samba"
  "comment"="AdminShare"
  "guest ok"="no"
  "inherit acls"="yes"

  [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\profile]
  "guest ok"="no"
  "browseable"="no"
  "read only"="no"
  "profile acls"="yes"
  "comment"="User Profile"
  "path"="/home/profile"

  [HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\domData]
  "path"="/home/samba/domdata/"
  "comment"="Famous domdataLW"
  "guest ok"="no"
  "read only"="no"

Any help is much appreciated, thanks in advance!

br
Sascha
On Thu, 19 Apr 2018 10:08:12 +0200
Sascha Wiechmann via samba <samba at lists.samba.org> wrote:

> Hi @ll !
>
> I am trying to set up a Samba fileserver on SuSE 42.3 as a domain
> member in a Debian-based Samba4 AD. The join seems to be OK, as I can
> get wbinfo -u and -g, and getent group and passwd.
> I can also list all browsable shares with smbclient -L \\SambaFS
> -Uusername, but when I add -k, I get the following errors:
>
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed
> (next[(null)]): NT_STATUS_INVALID_PARAMETER
> SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER
>
> ----------------------------------------------------------------------------------------
>
> So I bought a book by Stefan Kania on Samba4 in AD that I worked
> through page by page

Why? What is wrong with the Samba wiki?

https://wiki.samba.org/index.php/Main_Page

> - but I do not get access to shares for the
> domain members except the domain admin. Windows prompts for user
> authentication. The "profiles" share works perfectly and is owned by
> the same gid as the other "general" share. I would like to use
> Windows rights management for the shares in future. Some information:
>
> Samba1:/ # getent passwd mjackson
> mjackson:*:1001113:10013::/home/SAMDOM/mjackson:/bin/false
>
> Samba1:/ # ls -ln /home/samba
> total 4
> drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata
>

You have a problem, there shouldn't be numbers here, there should be
names

> ---------------------------------------------------------------------------
>
> Samba1:/ # smbclient -L \\Samba1 -Umjackson
> WARNING: The "idmap gid" option is deprecated <------- what is the
> actual way? :)

Try using this smb.conf:

[global]
       workgroup = SAMDOM
       security = ads
       realm = SAMDOM.TEST
       netbios name = Samba1
       kerberos method = secrets and keytab
       dedicated keytab file = /etc/krb5.keytab
       winbind refresh tickets = yes
       winbind use default domain = yes
       idmap config * : range = 3000-7999
       idmap config SAMDOM : backend = rid
       idmap config SAMDOM : range = 1000000-1999999
       vfs objects = acl_xattr
       map acl inherit = Yes
       store dos attributes=yes
       hide unreadable=yes

[Admin-Share]
       path=/home/samba
       comment=AdminShare
       browseable=no
       read only=no

[profile]
       path=/home/profile
       comment=User Profile
       browseable=no
       read only=no

[domData]
       path=/home/samba/domdata/
       comment=Famous domdataLW
       read only=no

Rowland
Ok, please post the smb.conf of both servers and tell us the Samba versions.

You have a misconfiguration in these.

> WARNING: The "idmap gid" option is deprecated
> WARNING: The "idmap uid" option is deprecated
^^^^^^^^^^^^^^^^^^^^^^^^^^^
> "idmap gid"="10000-20000"
> "idmap uid"="10000-20000"

You need something like this example.
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
## map ids outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999

## map ids from the domain; the (*) range may not overlap!
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
## these two depend on how you use samba. (4.6+)
#idmap config NTDOM : unix_nss_info = yes
#idmap config NTDOM : unix_primary_group = yes

If that's fixed, my first guess would be..
You use:        smbclient -L \\SambaFS -Uusername
You should use: smbclient -L \\FQDN -Uusername
And depending on the samba/smbclient versions add -mSMB1

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Sascha Wiechmann via samba
> Sent: Thursday, 19 April 2018 10:08
> To: samba at lists.samba.org
> Subject: [Samba] Share authentication problem
>
> Hi @ll !
>
> I am trying to set up a Samba fileserver on SuSE 42.3 as a
> domain member
> in a Debian-based Samba4 AD. The join seems to be OK, as I can get
> wbinfo -u and -g, and getent group and passwd.
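Both replies above land on the same three points: the deprecated idmap uid/gid options have to go, the joined domain needs its own idmap config block, and the default (*) range and the domain range must not overlap. That is easy to check mechanically before restarting winbind. The script below is an added example and not code from this thread or from the Samba project; it parses either a classic smb.conf or the quoted registry dump format shown in the original post, and reports deprecated idmap options, a missing default range, a joined domain without an idmap config block, unparsable ranges and overlapping ranges. The three embedded configs are the idmap lines from the original post, the idmap lines from Rowland's suggestion, and a constructed overlapping variant; nothing is read from the live system.

```python
"""Sanity-check the idmap settings of a Samba AD domain member's smb.conf.

Added example for this thread; not code from the thread or from Samba.
It only reads text (smb.conf or a 'net conf list' dump), never winbind.
"""
import re
from typing import Dict, List, Optional, Tuple

# Options smbd warns about as deprecated; 'idmap config <DOMAIN> : ...' replaces them.
DEPRECATED = ("idmap uid", "idmap gid", "idmap backend")

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_RE = re.compile(r"^idmap config (\S+?)\s*:\s*(\S+)$")


def parse_global(conf: str) -> Dict[str, str]:
    """Return [global] options as lowercase key -> value.

    Accepts classic smb.conf and the quoted registry form printed by
    'net conf list'. Option names are case- and whitespace-insensitive
    in Samba, so keys are lowercased and internal whitespace collapsed.
    """
    opts: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            # '[HKEY_LOCAL_MACHINE\...\smbconf\global]' -> 'global'
            section = line[1:-1].rsplit("\\", 1)[-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.strip().strip('"').lower().split())
        opts[key] = value.strip().strip('"')
    return opts


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'LOW-HIGH' -> (low, high); None when malformed or inverted."""
    m = RANGE_RE.match(value.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low <= high else None


def check_idmap(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    opts = parse_global(conf)
    findings: List[str] = []
    for name in DEPRECATED:
        if name in opts:
            findings.append(f"deprecated option '{name}'; use 'idmap config <DOMAIN> : ...'")

    # domain -> {option: value}, e.g. {'*': {'range': '3000-7999'}, 'samdom': {...}}
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in opts.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value

    if "range" not in domains.get("*", {}):
        findings.append("no 'idmap config * : range' for BUILTIN and other non-domain SIDs")
    workgroup = opts.get("workgroup", "").lower()
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup.upper()} : ...' block for the joined domain")

    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, settings in domains.items():
        if dom != "*" and "backend" not in settings:
            findings.append(f"idmap config {dom}: no backend set")
        if "range" not in settings:
            if dom != "*":
                findings.append(f"idmap config {dom}: no range set")
            continue
        rng = parse_range(settings["range"])
        if rng is None:
            findings.append(f"idmap config {dom}: unparsable range '{settings['range']}'")
            continue
        ranges[dom] = rng

    # Ranges must be disjoint; with an overlap one uid/gid can stand for two SIDs.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of '{a}' ({alo}-{ahi}) and '{b}' ({blo}-{bhi}) overlap")
    return findings


# idmap-related lines of the registry dump from the original post
ORIGINAL_CONF = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Samba\smbconf\global]
"idmap gid"="10000-20000"
"idmap uid"="10000-20000"
"workgroup"="SAMDOM"
"idmap config * : range"="10000 - 19999"
"idmap config SAMDOM: backend"="rid"
"idmap config SAMDOM : range"="1000000 - 1999999"
"""
# idmap-related lines of Rowland's suggested smb.conf
ROWLAND_CONF = """
[global]
       workgroup = SAMDOM
       idmap config * : range = 3000-7999
       idmap config SAMDOM : backend = rid
       idmap config SAMDOM : range = 1000000-1999999
"""
# Constructed counter-example: the '*' range runs into the domain range
OVERLAP_CONF = """
[global]
       workgroup = SAMDOM
       idmap config * : backend = tdb
       idmap config * : range = 10000-19999
       idmap config SAMDOM : backend = ad
       idmap config SAMDOM : range = 10000-3999999
"""
```

Against the original registry dump it flags only the two deprecated options, which matches the warnings smbclient printed; against Rowland's config it finds nothing; against the constructed variant it reports the overlap Louis warns about. To run it on a live member, feed it the output of `net conf list` or the contents of smb.conf.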
Hi Rowland,

Thank you very much for your help!

The main problem was fixed today - and I have to apologize for bothering the Samba list, because it was an error40 (40cm in front of the PC). In my test environment there was still an old, non-existing SID on the domdata share; however, after deleting the access permissions in Windows and adding new ones, everything works fine now.

I answered your additional questions below :)

On 19.04.2018 at 10:50, Rowland Penny wrote:
> On Thu, 19 Apr 2018 10:08:12 +0200
> Sascha Wiechmann via samba <samba at lists.samba.org> wrote:
>
>> Hi @ll !
>>
>> I am trying to set up a Samba fileserver on SuSE 42.3 as a domain
>> member in a Debian-based Samba4 AD. The join seems to be OK, as I can
>> get wbinfo -u and -g, and getent group and passwd.
>> I can also list all browsable shares with smbclient -L \\SambaFS
>> -Uusername, but when I add -k, I get the following errors:
>>
>> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT for cifs/Samba1 failed
>> (next[(null)]): NT_STATUS_INVALID_PARAMETER
>> SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT
>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>
>> ----------------------------------------------------------------------------------------
>>
>> So I bought a book by Stefan Kania on Samba4 in AD that I worked
>> through page by page
> Why? What is wrong with the Samba wiki?
>
> https://wiki.samba.org/index.php/Main_Page

The Samba wiki was my first try, but I got stuck at the same problem - then I thought a book might help me find out what I did wrong :)

>> - but I do not get access to shares for the
>> domain members except the domain admin. Windows prompts for user
>> authentication. The "profiles" share works perfectly and is owned by
>> the same gid as the other "general" share. I would like to use
>> Windows rights management for the shares in future. Some information:
>>
>> Samba1:/ # getent passwd mjackson
>> mjackson:*:1001113:10013::/home/SAMDOM/mjackson:/bin/false
>>
>> Samba1:/ # ls -ln /home/samba
>> total 4
>> drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata
>>
> You have a problem, there shouldn't be numbers here, there should be
> names

Are you sure there is a problem? ls -ln shows UID and GID, ls -lh the names?

  Samba1:/ # ls -ln /home/samba
  drwxrws---+ 2 10003 10013 23 Apr 19 09:45 domdata

  Samba1:/ # ls -lh /home/samba
  drwxrws---+ 2 administrator domain users 23 Apr 19 09:45 domdata

>> ---------------------------------------------------------------------------
>>
>> Samba1:/ # smbclient -L \\Samba1 -Umjackson
>> WARNING: The "idmap gid" option is deprecated <------- what is the
>> actual way? :)
> Try using this smb.conf:
>
> [global]
>        workgroup = SAMDOM
>        security = ads
>        realm = SAMDOM.TEST
>        netbios name = Samba1
>        kerberos method = secrets and keytab
>        dedicated keytab file = /etc/krb5.keytab
>        winbind refresh tickets = yes
>        winbind use default domain = yes
>        idmap config * : range = 3000-7999
>        idmap config SAMDOM : backend = rid
>        idmap config SAMDOM : range = 1000000-1999999
>        vfs objects = acl_xattr
>        map acl inherit = Yes
>        store dos attributes=yes
>        hide unreadable=yes
>
> [Admin-Share]
>        path=/home/samba
>        comment=AdminShare
>        browseable=no
>        read only=no
>
> [profile]
>        path=/home/profile
>        comment=User Profile
>        browseable=no
>        read only=no
>
> [domData]
>        path=/home/samba/domdata/
>        comment=Famous domdataLW
>        read only=no
>
> Rowland
>

I will try it, thanks
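The root cause Sascha reports, a stale SID in the Windows ACL of the domdata share, is invisible to ls -l: owner and group look right, but the NT security descriptor that vfs_acl_xattr stores in the security.NTACL extended attribute still carries ACEs for a SID that no longer exists in the domain, so members of the current domain match no allow ACE and Windows re-prompts for credentials. The following is an added example, not code from the thread or from Samba: it parses a security descriptor in SDDL form, the format `samba-tool ntacl get --as-sddl <path>` prints, and reports every owner, group or ACE trustee that a resolver cannot name. The two domain SIDs, the sample descriptor and the resolver (a stand-in for `wbinfo -s`) are constructed.

```python
"""Find ACL entries on a Samba share whose trustee SID no longer exists.

Added example for this thread, not code from the thread or from Samba.
Input is an NT security descriptor in SDDL form, as printed by
'samba-tool ntacl get --as-sddl <path>'; the resolver would wrap
'wbinfo -s <SID>' in real use. All data below is constructed.
"""
import re
from typing import Callable, List, NamedTuple, Optional

# Two-letter SDDL abbreviations for domain-independent well-known SIDs.
WELL_KNOWN = {
    "WD": "S-1-1-0",       # Everyone
    "AU": "S-1-5-11",      # Authenticated Users
    "SY": "S-1-5-18",      # Local System
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "CO": "S-1-3-0",       # Creator Owner
    "CG": "S-1-3-1",       # Creator Group
}
# SDDL components are 'O:', 'G:', 'D:', 'S:'; their bodies never contain ':'.
COMPONENT_RE = re.compile(r"([OGDS]):([^:]*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


class Ace(NamedTuple):
    ace_type: str  # A = allow, D = deny, ...
    flags: str     # inheritance flags, e.g. OICI
    rights: str    # FA, FR, ... or a hex access mask
    trustee: str   # SID after alias expansion


class SecurityDescriptor(NamedTuple):
    owner: str
    group: str
    dacl_flags: str  # e.g. PAI = protected, auto-inherited
    aces: List[Ace]


class Finding(NamedTuple):
    trustee: str
    reason: str
    ace: Optional[Ace]  # None when the owner or group itself is stale


def expand_alias(token: str) -> str:
    """Map a well-known abbreviation to its SID; anything else passes through."""
    return WELL_KNOWN.get(token, token)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Split an SDDL string into owner, group, DACL flags and DACL ACEs."""
    parts = dict(COMPONENT_RE.findall(sddl))
    dacl = parts.get("D", "")
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee[;...]
        if len(fields) < 6:
            raise ValueError(f"malformed ACE ({body})")
        aces.append(Ace(fields[0], fields[1], fields[2], expand_alias(fields[5])))
    return SecurityDescriptor(expand_alias(parts.get("O", "")),
                              expand_alias(parts.get("G", "")),
                              dacl.split("(", 1)[0], aces)


def stale_trustees(sddl: str, resolve: Callable[[str], Optional[str]]) -> List[Finding]:
    """Every owner, group or ACE trustee that is not a SID or that 'resolve' maps to None."""
    sd = parse_sddl(sddl)
    well_known = set(WELL_KNOWN.values())
    out: List[Finding] = []

    def check(sid: str, ace: Optional[Ace]) -> None:
        if not SID_RE.match(sid):
            out.append(Finding(sid, "not a SID (domain-relative alias or garbage)", ace))
        elif sid not in well_known and resolve(sid) is None:
            out.append(Finding(sid, "SID does not resolve in this domain", ace))

    check(sd.owner, None)
    check(sd.group, None)
    for ace in sd.aces:
        check(ace.trustee, ace)
    return out


# --- constructed sample data (not from the thread) ---------------------------
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"      # current SAMDOM
OLD_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"  # an earlier test domain
ACCOUNTS = {  # what 'wbinfo -s' would answer for the current domain
    DOMAIN_SID + "-500": "SAMDOM\\administrator",
    DOMAIN_SID + "-513": "SAMDOM\\domain users",
    DOMAIN_SID + "-1113": "SAMDOM\\mjackson",
}


def fake_wbinfo(sid: str) -> Optional[str]:
    return ACCOUNTS.get(sid)


# Owner and group are current, but the only read/execute ACE for ordinary users
# names 'domain users' of the OLD domain, so current members match no allow ACE.
STALE_SDDL = (f"O:{DOMAIN_SID}-500G:{DOMAIN_SID}-513D:PAI"
              "(A;OICI;FA;;;BA)"
              f"(A;OICI;FA;;;{DOMAIN_SID}-500)"
              f"(A;OICI;0x1200a9;;;{OLD_DOMAIN_SID}-513)")
FIXED_SDDL = STALE_SDDL.replace(OLD_DOMAIN_SID, DOMAIN_SID)
```

On the sample descriptor the only finding is the ACE for the old domain's 'domain users', which is exactly the situation described above: Windows shows the entry as an unresolved SID, and re-adding the permission from Windows (or rewriting it with `samba-tool ntacl set`) replaces it with a SID from the current domain, after which the check returns nothing.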
Hi Louis,

and thanks for your help. Hope you already read that the problem came from an old SID in Windows.

Samba versions are 4.6.13 on SuSE 42.3 as a member and 4.5.12-debian on Debian.

Smbclient is not found; for the idmap misconfig I will try Rowland's and your suggestion.

best regards
Sascha

On 19.04.2018 at 10:54, L.P.H. van Belle wrote:
> Ok, please post the smb.conf of both servers and tell us the Samba versions.
>
> You have a misconfiguration in these.
>
>> WARNING: The "idmap gid" option is deprecated
>> WARNING: The "idmap uid" option is deprecated
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> "idmap gid"="10000-20000"
>> "idmap uid"="10000-20000"
> You need something like this example.
> # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> ## map ids outside the domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
> ## map ids from the domain; the (*) range may not overlap!
> idmap config NTDOM : backend = ad
> idmap config NTDOM : schema_mode = rfc2307
> idmap config NTDOM : range = 10000-3999999
> ## these two depend on how you use samba. (4.6+)
> #idmap config NTDOM : unix_nss_info = yes
> #idmap config NTDOM : unix_primary_group = yes
>
>
> If that's fixed, my first guess would be..
> You use:        smbclient -L \\SambaFS -Uusername
> You should use: smbclient -L \\FQDN -Uusername
> And depending on the samba/smbclient versions add -mSMB1
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Sascha Wiechmann via samba
>> Sent: Thursday, 19 April 2018 10:08
>> To: samba at lists.samba.org
>> Subject: [Samba] Share authentication problem
>>
>> Hi @ll !
>>
>> I am trying to set up a Samba fileserver on SuSE 42.3 as a
>> domain member
>> in a Debian-based Samba4 AD. The join seems to be OK, as I can get
>> wbinfo -u and -g, and getent group and passwd.