Hello,
We're running Centos 7 with samba 4.7.1 and we have an AD on WS2012 R2, so
all users and groups are already created on the AD. The idea is to logon
with the credentials from the AD to the samba file server.
We configured the smb.conf, according to the samba wiki, so this is the
result:
[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
log file = /var/log/samba/%m.log
log level = 3
max log size = 50
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
# idmap config for MYDOMAIN domain
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U
username map = /usr/local/samba/etc/user.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
[compa]
path = /home/sistemas/compartido
read only = no
The server was correctly joined to the domain and we can query the AD for
users and groups with getent passwd and getent group.
According to the wiki, the directory must be owned by root and owner group
is system admins from the AD, like this:
drwxrwx---+ 2 root system_admins 51 jun 12 17:22 compartido
All good so far, and we can modify ACL from windows, and query this
configuration with getfacl.
But when we try to access the shared directory, we get the access denied
error, and we get this from the log:
../source3/smbd/smb2_server.c:3120(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_create.c:293
We've been trying to solve this error for a few days, but we haven't had
any luck.
Best regards
Luis Espitia
On Tue, 12 Jun 2018 18:10:16 -0500 Luis Emilio Espitia Sanchez via samba <samba at lists.samba.org> wrote:
> Hello,
>
> We're running Centos 7 with samba 4.7.1 and we have an AD on WS2012
> R2, so all users and groups are already created on the AD. The idea
> is to logon with the credentials from the AD to the samba file server.
>
You say the users are created in AD, but do they have a uidNumber attribute?
Does Domain Users have a gidNumber attribute?
If these numbers exist, are they inside the range you have set in smb.conf?
The uidNumber & gidNumber attributes are not automatically created.
Rowland
Hello,
That's right, so I am working with a group of users that I modified so they have uidNumber and gidNumber inside the range of the domain. Also I inserted the gidNumber into the groups of those users and in the "Domain users" group.
When I run "id some_user" or "getent passwd some_user" I get back the info of the user that corresponds with the info registered in the AD.
On Wed, 13 Jun 2018 1:37 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 12 Jun 2018 18:10:16 -0500
> Luis Emilio Espitia Sanchez via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > We're running Centos 7 with samba 4.7.1 and we have an AD on WS2012
> > R2, so all users and groups are already created on the AD. The idea
> > is to logon with the credentials from the AD to the samba file server.
> >
> You say the users are created in AD, but do they have a uidNumber
> attribute?
> Does Domain Users have a gidNumber attribute?
> If these numbers exist, are they inside the range you have set in
> smb.conf?
>
> The uidNumber & gidNumber attributes are not automatically created.
>
> Rowland
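The check Rowland asks for (do the IDs winbind returns fall inside the domain's idmap range?) as an added shell example; it is not code from the thread or from samba. The smb.conf fragment and the getent lines are constructed samples; on a real server feed it "testparm -s" and the real "getent passwd USER" / "getent group 'Domain Users'" output instead.

```shell
#!/bin/sh
# Added example (not from the thread): with "idmap config DOM:backend = ad",
# a uidNumber/gidNumber outside "idmap config DOM:range" is never mapped, so
# the user cannot open the share. Check the IDs getent shows against the range.

# Constructed smb.conf fragment, same idmap settings as in the thread.
SMB_CONF='[global]
   workgroup = MYDOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 3000 - 7999
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:range = 10000-999999'

# idmap_range DOMAIN -> prints "LOW HIGH" for that domain's idmap range.
# Case-insensitive; tolerates the spacing samba allows ("* : range", "3000 - 7999").
idmap_range() {
    printf '%s\n' "$SMB_CONF" |
    awk -v want="idmapconfig$(printf '%s' "$1" | tr 'A-Z' 'a-z'):range" '
        index(tolower($0), "idmap config") {
            n = index($0, "="); if (n == 0) next
            key = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", key)
            if (key != want) next
            val = substr($0, n + 1); gsub(/[ \t]/, "", val)
            split(val, r, "-"); print r[1], r[2]; exit
        }'
}

# in_range ID LOW HIGH -> exit status 0 when LOW <= ID <= HIGH.
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_entry DOMAIN "getent line" -> prints ok, id-out-of-range,
# primary-gid-out-of-range or no-range; exit 0 only for ok. Accepts passwd
# lines (name:x:uid:gid:...) and group lines (name:x:gid:members).
check_entry() {
    range=$(idmap_range "$1"); entry="$2"
    [ -n "$range" ] || { echo no-range; return 1; }
    low=${range% *}; high=${range#* }
    id3=$(printf '%s' "$entry" | cut -d: -f3)
    id4=$(printf '%s' "$entry" | cut -d: -f4)
    in_range "$id3" "$low" "$high" || { echo id-out-of-range; return 1; }
    case $id4 in                       # field 4 is a member list for groups
        ''|*[!0-9]*) ;;
        *) in_range "$id4" "$low" "$high" || { echo primary-gid-out-of-range; return 1; } ;;
    esac
    echo ok
}

# Demo on constructed getent lines: one user inside the range, one whose
# uidNumber (2001) is below it, and the Domain Users group.
for e in 'luis:*:10001:10000:Luis:/home/luis:/bin/bash' \
         'bob:*:2001:10000:Bob:/home/bob:/bin/bash' \
         'domain users:x:10000:luis,bob'; do
    printf '%-45s %s\n' "$e" "$(check_entry MYDOMAIN "$e")"
done
```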