Stephen
2019-Mar-29 16:14 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Hi there, I wonder if anyone can help me?

I recently created an active directory setup with a primary domain controller ad1 and secondary domain controller ad2 for a domain SAMDOM. In line with what I understand to be Samba best practices I then set up a separate file server fs1 on which I created a file share, /fsrv/shares/OgdenFiles/. This has all been done using Samba version 4.5.16-Debian, on Raspbian.

The domain and fileshare do appear to work, and I have confirmed that I can log on as SAMDOM/Administrator and apparently read and write to the share in Windows 10 without issue. Creation of new text files on the share works as normal.

The problem I am having is that although I am able to log onto the domain as SAMDOM/stephene I am not able to use this regular *unprivileged* account to access the OgdenFiles share in Windows. I keep on getting "Access Denied" messages in Windows, and a large grey box appears asking me to re-enter my username and password to access the share FS1.

Below is my smb.conf for my fileserver FS1:

pi at fs1:~ $ cat /etc/samba/smb.conf
[global]
workgroup = samdom
realm = samdom.example.com
netbios name = fs1
security = ADS
dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)

idmap config * : backend = tdb
idmap config *:range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999

template homedir = /home/%D/%U
template shell = /bin/bash

winbind use default domain = true
winbind offline logon = false
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[OgdenFiles]
path = /fsrv/shares/OgdenFiles
read only = no

When I enter wbinfo on the fileserver I can see the user account stephene that I wish to use to access the share, but it doesn't seem to work in Windows.

pi at fs1:~ $ wbinfo -u
stephenellwood
administrator
krbtgt
guest

Can anyone possibly suggest what I am doing wrong here - possibly a permissions issue? This is a little frustrating as I seem very close to getting everything I need working here!

Thanks
Stephen Ellwood
Rowland Penny
2019-Mar-29 16:33 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
On Fri, 29 Mar 2019 16:14:20 +0000
Stephen via samba <samba at lists.samba.org> wrote:

> Hi there, I wonder if anyone can help me?
>
> I recently created an active directory setup with a primary domain
> controller ad1 and secondary domain controller ad2 for a domain
> SAMDOM.

Nope, you have two AD DC's, one called 'ad1' and one called 'ad2'.
Apart from the FSMO roles, all DC's are equal.

> In-line with what I understand to be Samba best practices I
> then setup a separate file-server fs1 on which I created a file
> share, /fsrv/shares/OgdenFiles/. This has all been done using Samba
> version 4.5.16-Debian, on Raspbian.

Roll on 'Buster' ;-) 4.5.x is well EOL.

>
> The domain and fileshare do appear to work, and I have confirmed that
> I can logon as SAMDOM/Administrator and apparently read and write to
> the share without issue in Windows 10 without issue. Creation of new
> text files on the share works as normal.
>
> The problem I am having is that although I am able to log onto the
> domain as SAMDOM/stephene I am not able to use this regular
> *unprivileged* account to access the OgdenFiles share in Windows. I
> keep on getting "Access Denied" messages in Windows, and a large grey
> box appears asking me to re-enter my username and password to access
> the share FS1.
>
> Below is my smb.conf for my fileserver FS1:
>
> pi at fs1:~ $ cat /etc/samba/smb.conf
> [global]
> workgroup = samdom
> realm = samdom.example.com
> netbios name = fs1
> security = ADS
> dns forwarder = XXX XXX XXX (obliterated here for privacy
> reasons!)

You might as well 'obliterate' totally, it is only used on a DC.

> idmap config * : backend = tdb
> idmap config *:range = 3000-7999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-999999
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> [OgdenFiles]
> path = /fsrv/shares/OgdenFiles
> read only = no
>
>
> When I enter wbinfo on the fileserver I can see the user account
> stephene that I wish to use to access the share, but it doesn't seem
> to work in Windows.
>
> pi at fs1:~ $ wbinfo -u
> stephenellwood
> administrator
> krbtgt
> guest

So, stephenellwood is an AD user, but is it also a Unix user?

Have you added RFC2307 attributes to AD ?

Have you installed these packages: libpam-winbind libnss-winbind
libpam-krb5

Have you added 'winbind' to the 'passwd' & 'group' lines
in /etc/nsswitch.conf ?

Rowland
Stephen
2019-Mar-29 17:21 UTC
[Samba] Can only access new SAMBA fileshare from Windows as privileged user SAMDOM/Administrator, not as an ordinary user.
Hi Rowland!

On 29/03/2019 16:33, Rowland Penny via samba wrote

> Roll on 'Buster' ;-) 4.5.x is well EOL.

It's not ideal I know! ;) Unfortunately I (and every other Raspberry Pi user) am stuck with this for now since this is the default Samba package that Raspbian currently uses. I did check to see if it could be upgraded using apt to something a little more recent but apparently not :(

> dns forwarder = XXX XXX XXX (obliterated here for privacy reasons!)
>
> You might as well 'obliterate' totally, it is only used on a DC.

Duly noted, thanks for the tip.

> So, stephenellwood is an AD user, but is it also a Unix user?

Aha! That's probably why my setup is not working! My passwd file on fs1 below suggests there is no stephenellwood unix user account

pi at fs1:~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
pi:x:1000:1000:,,,:/home/pi:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
statd:x:106:65534::/var/lib/nfs:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
avahi:x:108:112:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false

There is obviously a major gap in my understanding here. Have I understood you correctly Rowland? You appear to be suggesting that there must be a separate individual linux user account on EVERY samba file server, one new unix user account corresponding to every active directory account? So what's the point in using a centralised authentication service like active directory then - I don't understand - what does AD actually achieve in Windows networking?

I used the following Samba tutorials to set up my fileserver fs1 but unfortunately these do not mention the need to create user accounts to complement those that active directory creates.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Using_Domain_Accounts_and_Groups_in_Operating_System_Commands
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

How do I rectify this? Can you point me at a suitable tutorial?

> Have you added RFC2307 attributes to AD ?

I don't know what this means, can you please clarify?

All I could find on google was this link https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD and I believe I have already followed the instructions there.

> Have you installed these packages: libpam-winbind libnss-winbind
> libpam-krb5

Yes I definitely installed those packages.

> Have you added 'winbind' to the 'passwd' & 'group' lines
> in /etc/nsswitch.conf ?

Yes, please see my nsswitch.conf below:

pi at fs1:~ $ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Ser
# If you have the `glibc-doc-reference'
# `info libc "Name Service Switch"' for

passwd:         files winbind
group:          files winbind
shadow:         compat
gshadow:        files

hosts:          files mdns4_minimal [NO
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       files winbind

Thanks
Stephen
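The checks Rowland asks for in his reply (is the AD account also a Unix identity on the member, does nsswitch consult winbind, have RFC2307 attributes been added) and the /etc/passwd and /etc/nsswitch.conf listings Stephen posts in response can be turned into a single sanity script run on the file server. A separate local passwd entry is not what is being asked for: with `idmap config SAMDOM:backend = ad`, winbind supplies the Unix identity from the account's uidNumber/gidNumber in AD, and an account with no such attributes gets no Unix ID and is refused, while `wbinfo -u` merely enumerates AD accounts and says nothing about whether they map. The script below is an added example written for this page, not code from the thread or from the Samba project. It assumes the smb.conf shown above (idmap range 10000-999999 for SAMDOM, share at /fsrv/shares/OgdenFiles), a host where the winbind and acl packages are installed, and that the user name passed on the command line is one listed by `wbinfo -u`; the environment variable names and the file names are this example's own choices.

```shell
#!/bin/sh
# Domain-member identity sanity checks for a Samba file server.
# Added example for this page, not code from the thread or from Samba.
# Assumptions (taken from the smb.conf in the thread): the AD domain uses
# 'idmap config SAMDOM:backend = ad' with range 10000-999999, and the share
# lives at /fsrv/shares/OgdenFiles. Override via environment variables.
#
# Usage:  ./member-check.sh stephenellwood [more users...]

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
SHARE_PATH=${SHARE_PATH:-/fsrv/shares/OgdenFiles}
ID_MIN=${ID_MIN:-10000}     # lower bound of 'idmap config SAMDOM:range'
ID_MAX=${ID_MAX:-999999}    # upper bound of 'idmap config SAMDOM:range'

# nss_has_winbind FILE DB: succeed if the "DB:" line in FILE lists winbind
# (DB is passwd or group). Comment lines start with '#' and never match.
nss_has_winbind() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# uid_in_range UID: succeed if UID lies inside the AD idmap range. An ID
# outside it means the account was not mapped by the 'ad' backend.
uid_in_range() {
    [ "$1" -ge "$ID_MIN" ] && [ "$1" -le "$ID_MAX" ]
}

# check_user NAME: distinguish "winbind cannot map the account" (missing
# uidNumber/gidNumber in AD) from "winbind maps it but NSS never asks winbind"
# (nsswitch.conf problem), then confirm the UID is inside the idmap range.
check_user() {
    user=$1
    if command -v wbinfo >/dev/null 2>&1 && ! wbinfo -i "$user" >/dev/null 2>&1; then
        echo "FAIL: winbind cannot map '$user' to a Unix identity;" \
             "with the 'ad' idmap backend the account needs uidNumber in AD" \
             "and its primary group needs gidNumber"
        return 1
    fi
    entry=$(getent passwd "$user") || {
        echo "FAIL: NSS cannot resolve '$user'; check the passwd line in $NSSWITCH"
        return 1
    }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    if uid_in_range "$uid"; then
        echo "OK: $user -> uid $uid (inside idmap range $ID_MIN-$ID_MAX)"
    else
        echo "WARN: $user -> uid $uid lies outside the idmap range $ID_MIN-$ID_MAX"
        return 1
    fi
}

main() {
    for db in passwd group; do
        if nss_has_winbind "$NSSWITCH" "$db"; then
            echo "OK: '$db' line in $NSSWITCH includes winbind"
        else
            echo "FAIL: '$db' line in $NSSWITCH lacks winbind"
        fi
    done
    if command -v wbinfo >/dev/null 2>&1; then
        # -t verifies the machine account secret with a DC; a failure here
        # means every mapping below is suspect until the join is repaired.
        if wbinfo -t >/dev/null 2>&1; then
            echo "OK: machine trust secret verified against a DC"
        else
            echo "FAIL: 'wbinfo -t' failed; check the join and DNS before anything else"
        fi
    fi
    for u in "$@"; do
        check_user "$u"
    done
    if [ -d "$SHARE_PATH" ]; then
        # Even a correctly mapped user is denied if the POSIX/NFSv4 ACL on
        # the share root gives nothing to that user or their groups.
        echo "--- ACL on $SHARE_PATH:"
        getfacl -p "$SHARE_PATH" 2>/dev/null || ls -ld "$SHARE_PATH"
    fi
}

# Run only when user names are supplied, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Read the output top down: a failing `wbinfo -t` or a missing `winbind` on the passwd/group lines invalidates everything after it; a `wbinfo -i` failure for a user whom `wbinfo -u` lists is the signature of an account that exists in AD but has no uidNumber, which is exactly the situation in which the `ad` backend refuses to hand the user a Unix identity and Windows shows Access Denied. Only once `getent passwd` returns a UID inside the configured range does the share's own ACL become the next thing to inspect.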