Hello,
I migrated an NT4 to AD.
Users can log in with their AD username and can connect to a share on the DC.
When I try to connect to the fileserver via Windows I get access denied.

Connecting from dc1 to the fileserver via smbclient does work.

On the fileserver:
- wbinfo -u shows users
- wbinfo -P succeeded
- wbinfo -g shows groups
- wbinfo -a Administrator succeeded
- pam-auth-update -> kbr, unix, winbind

nsswitch is set to compat winbind, as in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

getent passwd does *not* show domain users, but that's not the problem I think.

how can help please?

Hai,

For server and member, post the OS and Samba versions, and both the smb.conf's.

If these are Debian/Ubuntu servers, then get my debug script and post the info.

    # download the script, then run it
    wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
    bash samba-collect-debug-info.sh

PS. But first try:

    smbclient --option='client min protocol=NT1' ..

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Wednesday 16 October 2019 14:44
> To: samba at lists.samba.org
> Subject: [Samba] cant login to fileserver

On 16/10/2019 13:44, basti via samba wrote:
> hello,
> i migrate a NT4 to ad.
> User can login with AD username and can connect to share on DC.
> When i try to connect to the fileserver via windows i get access denied.
>
> connect from dc1 to fileserver via smbclient does work.
>
> on the fileserver:
> - wbinfo -u show user
> - wbinfo -P succeeded
> - wbinfo -g show groups
> - wbinfo -a Administrator succeeded
> - pam-auth-update -> kbr, unix, winbind
>
> nsswitch as compat winbind like
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> getent passwd does *not* show domain users but that's not the problem i
> think.

I think it probably is, can you post your smb.conf from the fileserver.

Rowland

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of

    security = ADS
    workgroup = NET
    realm = relam.fqdn
    log file = /var/log/samba/%m.log
    log level = 3

    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use an read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 1000-1000

    # idmap config for the NET domain
    idmap config NET:backend = ad
    idmap config NET:schema_mode = rfc2307
    idmap config NET:range = 1001-999999
    idmap uid = 1001-999999
    idmap gid = 1001-999999

    winbind enum users = yes
    winbind enum groups = yes

    winbind use default domain = yes

    # fix dfs error's in log ?
    host msdfs = no

    # fix connection lost ?
    client min protocol = SMB2
    client max protocol = SMB2

    # master for domain
    local master = yes
    os level = 255
    preferred master = yes

    # This will prevent nmbd to search for NetBIOS names through DNS.
    dns proxy = no

    map to guest = bad user

    admin users = root, Administrator, @Domain Admins

... shares

[tmp]
    path = /tmp
    guest ok = yes
    browsable = yes
    read only = no

tmp is working when connecting via IP to the server (guest mapping),
and yes, the user IDs start at 1001.

On 16.10.19 16:27, Rowland penny via samba wrote:
> I think it probably is, can you post your smb.conf from the fileserver.

Read this (again).
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and one of these:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid

So:

    realm = relam.fqdn        << in CAPS
    idmap uid = 1001-999999   << remove these
    idmap gid = 1001-999999   << remove these

>     winbind enum users = yes   << remove these
>     winbind enum groups = yes  << remove these

Or set these to no, these are really not needed.

>     idmap config * : range = 1000-1000  << much too small range.

If you inherited these low UID/GID, set this one to: 1000000-1005000
Or any other range that does not overlap any other range.
You should also verify that with (see) cat /etc/adduser.conf

> # This will prevent nmbd to search for NetBIOS names through DNS.
>     dns proxy = no

If your DNS is set up correctly, setting that to yes will work fine.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Wednesday 16 October 2019 16:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] cant login to fileserver
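
Added example (not written by anyone in this thread and not Samba project code): a small Python check that applies the points raised in the reply above to the [global] section of a member-server smb.conf, including the range-overlap test. The finding names and the min_default_ids threshold are assumptions made for this illustration.

```python
import re
from itertools import combinations

# Constructed input: the idmap-related [global] lines as posted in the thread.
POSTED = """[global]
realm = relam.fqdn
idmap config * : backend = tdb
idmap config * : range = 1000-1000
idmap config NET:backend = ad
idmap config NET:range = 1001-999999
idmap uid = 1001-999999
idmap gid = 1001-999999
winbind enum users = yes
winbind enum groups = yes
"""

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text, min_default_ids=1000):  # min_default_ids is an assumed threshold
    """Return sorted finding codes for the points raised in the thread."""
    p, found, ranges = parse_global(text), set(), {}
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?range", key)
        if m:
            lo, hi = (int(n) for n in value.split("-"))
            ranges[m.group(1)] = (lo, hi)
    if p.get("realm", "") != p.get("realm", "").upper():
        found.add("realm-not-uppercase")
    if "idmap uid" in p or "idmap gid" in p:
        found.add("legacy-idmap-uid-gid")
    if "yes" in (p.get("winbind enum users"), p.get("winbind enum groups")):
        found.add("winbind-enum-enabled")
    if "*" in ranges and ranges["*"][1] - ranges["*"][0] + 1 < min_default_ids:
        found.add("default-range-too-small")
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:  # inclusive ranges share at least one ID
            found.add(f"overlap:{a}/{b}")
    return sorted(found)

if __name__ == "__main__":
    print(lint(POSTED))
```

Domain names in the overlap finding are lower-cased by the parser; the posted ranges do not overlap, so that check only fires on other inputs.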