Rowland penny
2019-Jun-18 18:34 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 19:02, Edouard Guigné via samba wrote:
> Hello,
>
> I mean that I added "winbind refresh tickets = yes" in smb.conf, but it
> does not seem to be linked with my problem (Kerberos and NTLMv2
> authentication).
>
> After several tests, without changing the content of smb.conf (except for
> winbind refresh tickets = yes):
>
> 0. nsswitch.conf
> passwd:     files sss
> shadow:     files sss
> group:      files sss
>
> That's working (share is accessible from Windows 7, permissions and
> acls working)
> But in the log, I see only NTLMv2 Auth
>
> 1. nsswitch.conf
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> That's not working (share is not accessible from Windows 7, access
> denied)
>
> 2. nsswitch.conf
> passwd:     files sss winbind
> shadow:     files sss
> group:      files sss winbind
>
> Not working (share is accessible but it takes time to see permissions and
> acls from the security tab on Windows 7)
>
You are using the winbind 'ad' backend according to the smb.conf you
posted earlier. Have you given your AD users a uidNumber attribute
containing a unique number inside the '10000-14999' range? And have
you also given 'Domain Users' a gidNumber attribute containing a
number inside the same range?

Do you really want to use a different primary group for your Unix
users over Samba (when they connect to a Samba share)?

If not, remove 'idmap config MYDOMAIN : unix_primary_group = yes'

If all the above is correct, it should work.

Rowland
Edouard Guigné
2019-Jun-18 18:45 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
> You are using the winbind 'ad' backend according to the smb.conf you
> posted earlier. Have you given your AD users a uidNumber attribute
> containing a unique number inside the '10000-14999' range? And have
> you also given 'Domain Users' a gidNumber attribute containing a
> number inside the same range?

For uid and gid, yes, they are set for each user and group of the AD.

> Do you really want to use a different primary group for your Unix
> users over Samba (when they connect to a Samba share)?

All users have the primary group "Domain Users", so I must remove
'idmap config MYDOMAIN : unix_primary_group = yes'

I will test it, thanks.

On 18/06/2019 at 15:34, Rowland penny via samba wrote:
> On 18/06/2019 19:02, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I mean that I added "winbind refresh tickets = yes" in smb.conf, but it
>> does not seem to be linked with my problem (Kerberos and NTLMv2
>> authentication).
>>
>> After several tests, without changing the content of smb.conf (except for
>> winbind refresh tickets = yes):
>>
>> 0. nsswitch.conf
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>>
>> That's working (share is accessible from Windows 7, permissions and
>> acls working)
>> But in the log, I see only NTLMv2 Auth
>>
>> 1. nsswitch.conf
>> passwd:     files winbind
>> shadow:     files
>> group:      files winbind
>>
>> That's not working (share is not accessible from Windows 7, access
>> denied)
>>
>> 2. nsswitch.conf
>> passwd:     files sss winbind
>> shadow:     files sss
>> group:      files sss winbind
>>
>> Not working (share is accessible but it takes time to see permissions and
>> acls from the security tab on Windows 7)
>>
> You are using the winbind 'ad' backend according to the smb.conf you
> posted earlier. Have you given your AD users a uidNumber attribute
> containing a unique number inside the '10000-14999' range? And have
> you also given 'Domain Users' a gidNumber attribute containing a
> number inside the same range?
>
> Do you really want to use a different primary group for your Unix
> users over Samba (when they connect to a Samba share)?
>
> If not, remove 'idmap config MYDOMAIN : unix_primary_group = yes'
>
> If all the above is correct, it should work.
>
> Rowland
Edouard Guigné
2019-Jun-18 18:49 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
gidNumber for 'Domain Users' is 513

not in range '10000-14999' of uidNumber

Is it a problem?

On 18/06/2019 at 15:34, Rowland penny via samba wrote:
> On 18/06/2019 19:02, Edouard Guigné via samba wrote:
>> Hello,
>>
>> I mean that I added "winbind refresh tickets = yes" in smb.conf, but it
>> does not seem to be linked with my problem (Kerberos and NTLMv2
>> authentication).
>>
>> After several tests, without changing the content of smb.conf (except for
>> winbind refresh tickets = yes):
>>
>> 0. nsswitch.conf
>> passwd:     files sss
>> shadow:     files sss
>> group:      files sss
>>
>> That's working (share is accessible from Windows 7, permissions and
>> acls working)
>> But in the log, I see only NTLMv2 Auth
>>
>> 1. nsswitch.conf
>> passwd:     files winbind
>> shadow:     files
>> group:      files winbind
>>
>> That's not working (share is not accessible from Windows 7, access
>> denied)
>>
>> 2. nsswitch.conf
>> passwd:     files sss winbind
>> shadow:     files sss
>> group:      files sss winbind
>>
>> Not working (share is accessible but it takes time to see permissions and
>> acls from the security tab on Windows 7)
>>
> You are using the winbind 'ad' backend according to the smb.conf you
> posted earlier. Have you given your AD users a uidNumber attribute
> containing a unique number inside the '10000-14999' range? And have
> you also given 'Domain Users' a gidNumber attribute containing a
> number inside the same range?
>
> Do you really want to use a different primary group for your Unix
> users over Samba (when they connect to a Samba share)?
>
> If not, remove 'idmap config MYDOMAIN : unix_primary_group = yes'
>
> If all the above is correct, it should work.
>
> Rowland
Rowland penny
2019-Jun-18 19:07 UTC
[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
On 18/06/2019 19:49, Edouard Guigné via samba wrote:
> gidNumber for 'Domain Users' is 513
>
> not in range '10000-14999' of uidNumber
>
> Is it a problem?
Oh yes, ALL user uidNumbers and the Domain Users gidNumber MUST be inside the
DOMAIN range you set in smb.conf; if they aren't, all your users WILL be
ignored by Samba.

Find the next available gidNumber in AD and change the 'Domain Users'
gidNumber to this and I am very sure everything will then work.

Rowland
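The rule Rowland states here and in his earlier reply (every uidNumber, plus the Domain Users gidNumber, inside the 'idmap config DOMAIN : range', and each user's own gidNumber as well while 'unix_primary_group = yes' is set) is easy to check offline before restarting winbind. The script below is an added example written for this page; it is not from the thread and not part of Samba. It parses a constructed smb.conf fragment and a constructed LDIF dump: the domain name MYDOMAIN, the 10000-14999 range and the Domain Users gidNumber 513 come from the thread, while the accounts alice and bob, their numbers and the realm are made-up assumptions.

```python
import re

# Constructed smb.conf fragment modelled on the settings discussed in the thread.
# MYDOMAIN, the 10000-14999 range and unix_primary_group come from the thread;
# the realm and the '*' default range are assumptions for this example.
SMB_CONF = """\
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : schema_mode = rfc2307
    idmap config MYDOMAIN : range = 10000-14999
    idmap config MYDOMAIN : unix_primary_group = yes
"""

# Constructed LDIF in the shape ldbsearch/ldapsearch print. alice, bob and their
# uidNumbers are made up; 'Domain Users' keeps the gidNumber 513 from the thread.
LDIF = """\
dn: CN=alice,CN=Users,DC=mydomain,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 513

dn: CN=bob,CN=Users,DC=mydomain,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10002
gidNumber: 513

dn: CN=Domain Users,CN=Users,DC=mydomain,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 513
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.*?)\s*$", re.I)


def idmap_config(smb_conf):
    """Collect 'idmap config DOMAIN : option = value' lines into {(DOMAIN, option): value}."""
    out = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out[(m["dom"].upper(), m["opt"].lower())] = m["val"]
    return out


def idmap_range(smb_conf, domain):
    """Return (low, high) of the domain's idmap range; raise if missing or malformed."""
    raw = idmap_config(smb_conf).get((domain.upper(), "range"))
    if raw is None:
        raise ValueError(f"no 'idmap config {domain} : range' in smb.conf")
    low, high = (int(x) for x in raw.split("-"))
    if low > high:
        raise ValueError(f"inverted range {raw}")
    return low, high


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, blank line between entries) into dicts of lists."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def check_ids(entries, smb_conf, domain):
    """Return (account, attribute, value) for every number the 'ad' backend would not map.

    value is None when the attribute is missing altogether.
    """
    low, high = idmap_range(smb_conf, domain)
    conf = idmap_config(smb_conf)
    # With unix_primary_group = yes the primary group comes from the user's own gidNumber,
    # so that attribute must be inside the range too; otherwise primaryGroupID is used.
    use_unix_pg = conf.get((domain.upper(), "unix_primary_group"), "no").lower() in ("yes", "true", "1")
    findings = []

    def check(name, attr, values):
        if not values:
            findings.append((name, attr, None))
            return
        n = int(values[0])
        if not low <= n <= high:
            findings.append((name, attr, n))

    for e in entries:
        name = e.get("sAMAccountName", ["?"])[0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "user" in classes:
            check(name, "uidNumber", e.get("uidNumber"))
            if use_unix_pg:
                check(name, "gidNumber", e.get("gidNumber"))
        elif "group" in classes and name.lower() == "domain users":
            check(name, "gidNumber", e.get("gidNumber"))
    return findings


def next_free_id(entries, low, high):
    """Lowest number in [low, high] not yet used as a uidNumber or gidNumber (conservative choice)."""
    used = {int(v) for e in entries for a in ("uidNumber", "gidNumber") for v in e.get(a, [])}
    for n in range(low, high + 1):
        if n not in used:
            return n
    raise RuntimeError("idmap range exhausted")


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for finding in check_ids(entries, SMB_CONF, "MYDOMAIN"):
        print("outside idmap range:", finding)
    low, high = idmap_range(SMB_CONF, "MYDOMAIN")
    print("next free number for 'Domain Users' gidNumber:", next_free_id(entries, low, high))
```

On the constructed data the script reports 513 for alice, bob and Domain Users, which is the situation in the thread: removing 'unix_primary_group = yes' clears the two per-user findings, and giving 'Domain Users' the next free number in the range clears the last one. Against a live domain you would feed it the output of an LDAP search for uidNumber and gidNumber instead of the embedded LDIF; the symptom of a number outside the range is that `getent passwd 'MYDOMAIN\user'` and `wbinfo -i 'MYDOMAIN\user'` return nothing for that account, exactly as Rowland describes.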