Rowland penny
2021-Jun-03 18:48 UTC
[Samba] Error : You dont have permission to save at this location.
On 03/06/2021 19:23, Krish Kay wrote:
>
> Rowland,
>
> Thanks for responding.
> We DO NOT run winbind daemon on RHEL7 at this time, since it is not
> running on RHEL6
>
> Below is the smb.conf that we are testing on ver 4.10.16-5 on RHEL7.4,
> the contents in < > are redacted.
>
> [global]
>         workgroup = <WORKGROUP NAME>
>         netbios name = <NETBIOS NAME>
>         server string = Samba %v on (%L)
>         security = ADS
>         encrypt passwords = Yes
>
>         passdb backend = tdbsam:<path to db>
>
>         use sendfile = yes
>         invalid users = @samba_restricted_users
>         local master = no
>         preferred master = no
>         domain master = no
>         realm = <DOMAIN>.COM
>         template shell = /bin/bash
>         msdfs root = yes
>         log level = 3
>         log file = <path to logfile>/samba.log.%m
>         max log size = 4096
>         name resolve order = wins host
>         deadtime = 5
>         keepalive = 900
>         wins support = no
>         wins server = <IP 1>, <IP 2>
>         dns proxy = yes
>         preserve case = yes
>         short preserve case = yes
>         allow trusted domains = yes
>         client min protocol = SMB2
>         winbind use default domain = yes
>         winbind enum users = no
>         winbind enum groups = no
>         winbind nested groups = yes
>         winbind separator = +
>         winbind cache time = 6000
>         idmap config * : range = 100-60000
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>         client ldap sasl wrapping = sign
>         client NTLMv2 auth = yes
>         username map = <path to>/map.txt
>         allow insecure wide links = yes
>         follow symlinks = yes
>         wide links = no
>
>         dont descend = .snapshot
>         hide files = /.snapshot/._*/
>         veto files = /*.one/*Notebook.onetoc2/.parentlock/
>         browseable = No
>         guest ok = No
>         blocking locks = no
>         kernel share modes = no
>         client signing = disabled
>         vfs objects = full_audit
>
>         full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
>         full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
>         full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
>         full_audit:facility = local6
>         full_audit:priority = NOTICE
>

OK, do you plan to use shares? You haven't shown any.

If you are planning to use shares with Samba, then remove sssd, install winbind and set up your smb.conf, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

If you just want authentication, then remove Samba and use sssd.

If you continue to use Samba >= 4.8.0 with 'security = ADS', you must run winbind, this will require the removal of sssd.

Rowland
Krish Kay
2021-Jun-04 16:59 UTC
[Samba] Error : You dont have permission to save at this location.
Thanks for the information, specifically regarding ver > 4.8.0.

We are not using sssd, and are not running winbind with samba 4.7.8 on RHEL6.

(1) Since we are using AD, we are not making changes to our existing /etc/krb5.conf. Is that okay?

The current /etc/krb5.conf is:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

(2) We tested winbind for samba 4.10.16-5 on RHEL7. Basic checks look good.

# wbinfo --ping-dc
checking the NETLOGON for domain[ENT] dc connection to "<hostname>.com" succeeded

However, when smb is restarted after winbind, we are unable to map the samba drive in Windows. This error message pops up in Windows:

You do not have permission to access \\<samba-server>\<share>
Contact your network admin.

Since we use NIS, what should be the updated content in /etc/nsswitch.conf? Does winbind come before or after nis?

passwd: files nis
group: files nis

(3) We do use shares.

Example:

[<share-name>]
        comment = <comment>
        create mask = 0775
        force directory mode = 0775
        force group = <unix group name>
        path = <unix path to share>
        public = no
        valid users = <username1> <username2>
        writeable = yes

(4) Below is the updated smb.conf

[global]
        workgroup = <WORKGROUP NAME>
        netbios name = <NETBIOS NAME>
        server string = Samba %v on (%L)
        security = ADS
        encrypt passwords = Yes
        passdb backend = tdbsam:<path to db>/passdb.tdb
        use sendfile = yes
        invalid users = @samba_restricted_users
        local master = no
        preferred master = no
        domain master = no
        realm = <DOMAIN>.COM
        template shell = /bin/bash
        msdfs root = yes
        log level = 3
        log file = <unix path to logfile>/samba.log.%m
        max log size = 4096
        name resolve order = wins host
        deadtime = 5
        keepalive = 900
        wins support = no
        wins server = <IP 1>, <IP 2>
        dns proxy = yes
        preserve case = yes
        short preserve case = yes
        allow trusted domains = yes
        client min protocol = SMB2
        winbind use default domain = yes
        winbind enum users = no
        winbind enum groups = no
        winbind nested groups = yes
        winbind separator = +
        winbind cache time = 6000
        idmap config * : range = 100-60000
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        client ldap sasl wrapping = sign
        client NTLMv2 auth = yes
        username map = <unix path>/map.txt
        allow insecure wide links = yes
        follow symlinks = yes
        wide links = no
        dont descend = .snapshot
        hide files = /.snapshot/._*/
        veto files = /*.one/*Notebook.onetoc2/.parentlock/
        browseable = No
        guest ok = No
        blocking locks = no
        kernel share modes = no
        client signing = disabled
        vfs objects = full_audit
        full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
        full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:facility = local6
        full_audit:priority = NOTICE
        include = <unix path>/config/general_smb.conf
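Added example (not from the thread, and not Samba's own tooling): a shell pre-flight script that applies the two rules raised in the exchange above to an smb.conf and an nsswitch.conf before smbd is restarted. It encodes Rowland's rule that Samba >= 4.8.0 with 'security = ADS' must run winbindd (which means sssd has to be removed), and the requirement from the linked wiki page that passwd and group in nsswitch.conf resolve through winbind. It also lists parameters set twice in one section: Samba keeps only the last value, and the updated [global] posted above sets 'vfs objects' twice, so the first line ('acl_xattr') is discarded and only 'full_audit' is loaded. The sample smb.conf and nsswitch.conf inside the script are constructed for this example (condensed from the redacted config in the thread); the function names are mine, and the winbind-after-nis ordering in the "good" nsswitch sample is an assumption, since the thread does not settle that question and the check only tests for winbind's presence.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a Samba AD domain member (added example for this thread,
# not part of Samba). Needs bash and a POSIX awk; nothing here touches the network.

# Constructed sample: condensed from the redacted [global] posted in the thread,
# keeping the two 'vfs objects' lines exactly as they were posted.
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
        workgroup = <WORKGROUP NAME>
        security = ADS
        realm = <DOMAIN>.COM
        winbind use default domain = yes
        idmap config * : range = 100-60000
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes
        client signing = disabled
        vfs objects = full_audit
        full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S

[<share-name>]
        path = <unix path to share>
        valid users = <username1> <username2>
        writeable = yes
EOF
)

# Constructed nsswitch.conf samples: the NIS-only lines from the thread, and a
# variant that also resolves through winbind. Placing winbind after nis is an
# assumption; the check below only requires that winbind is present at all.
SAMPLE_NSSWITCH_BAD=$'passwd: files nis\ngroup: files nis'
SAMPLE_NSSWITCH_OK=$'passwd: files nis winbind\ngroup: files nis winbind'

# Emit "section<TAB>parameter<TAB>value" for every smb.conf parameter on stdin.
# Parameter names are lower-cased with whitespace collapsed, so lookups are
# case-insensitive like Samba's own.
smbconf_params() {
    awk '
        /^[[:space:]]*([#;]|$)/ { next }
        /^[[:space:]]*\[/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        index($0, "=") {
            p = index($0, "=")
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/[[:space:]]+/, " ", k); gsub(/^ | $/, "", k); k = tolower(k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            printf "%s\t%s\t%s\n", sec, k, v
        }'
}

# Value of one [global] parameter (empty if unset). $1 = config text, $2 = name.
# When a parameter appears twice, the later line wins, as in Samba.
smbconf_global() {
    printf '%s\n' "$1" | smbconf_params |
        awk -F'\t' -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
            '$1 == "global" && $2 == k { v = $3 } END { print v }'
}

# 0 when dotted version $1 >= $2; a packaging suffix such as "-5" is ignored.
version_ge() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
            if (x != y) exit (x < y)
        }
        exit 0 }'
}

# Rowland's rule from the thread: Samba >= 4.8.0 with 'security = ADS' must run
# winbindd (which in turn means sssd has to go). $1 = config text, $2 = version.
needs_winbind() {
    local sec
    sec=$(smbconf_global "$1" security | tr 'A-Z' 'a-z')
    [ "$sec" = "ads" ] && version_ge "$2" 4.8.0
}

# Parameters set more than once in the same section. Samba keeps the last value,
# so a second 'vfs objects' line silently drops the modules named in the first.
smbconf_duplicates() {
    printf '%s\n' "$1" | smbconf_params |
        awk -F'\t' '{ n[$1 "\t" $2]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# 0 when both the passwd and group lines of nsswitch.conf include winbind.
nsswitch_has_winbind() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "passwd:" || $1 == "group:" { for (i = 2; i <= NF; i++) if ($i == "winbind") seen[$1] = 1 }
        END { exit !(("passwd:" in seen) && ("group:" in seen)) }'
}

# Run the checks against the constructed samples.
if needs_winbind "$SAMPLE_SMB_CONF" 4.10.16-5; then
    echo "security = ADS on Samba 4.10.16-5: winbindd must be running and sssd removed"
fi
dups=$(smbconf_duplicates "$SAMPLE_SMB_CONF")
if [ -n "$dups" ]; then
    printf 'set more than once (only the last value survives):\n%s\n' "$dups"
fi
if ! nsswitch_has_winbind "$SAMPLE_NSSWITCH_BAD"; then
    echo "nsswitch.conf: passwd and group do not resolve through winbind"
fi
```

To run it against a live host, replace the constructed samples with `$(cat /etc/samba/smb.conf)` and `$(cat /etc/nsswitch.conf)` and take the version from `smbd -V`; the parser is deliberately simple and does not follow `include =` lines, so any included file (such as the general_smb.conf above) has to be checked separately.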