Krish Kay
2021-Jun-04 16:59 UTC
[Samba] Error : You dont have permission to save at this location.
Thanks for the information, specifically reg. ver > 4.8.0. We are not using sssd, and are not running winbind with samba 4.7.8 on RHEL6. (1)Since we are using AD, we are not making changes to our existing /etc/krb5.conf Is that okay? The current /etc/krb5.conf is: # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false # default_realm = EXAMPLE.COM default_ccache_name = KEYRING:persistent:%{uid} [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM (2)We tested winbind for samba 4.10.16-5 on RHEL7. Basic checks look good. #wbinfo --ping-dc checking the NETLOGON for domain[ENT] dc connection to "<hostname>.com" succeeded However, when smb is restarted after winbind, we are unable to map the samba drive in Windows. This error msg pop's up in windows : You do not have permission to access \\<samba-server>\<share> Contact your network admin. Since we use NIS, what should be updated content in /etc/nsswitch.conf. Does winbind come before or after nis. passwd: files nis group: files nis (3)We do use shares. Example: [<share-name>] comment = <comment> create mask = 0775 force directory mode = 0775 force group = <unix group name> path = <unix path to share> public = no valid users = <username1> <username2> writeable = yes (4)Below is the updated smb.conf [global] workgroup = <WORKGROUP NAME> netbios name = <NETBIOS NAME> server string = Samba %v on (%L) security = ADS encrypt passwords = Yes passdb backend = tdbsam:<path to db>/passdb.tdb use sendfile = yes invalid users = @samba_restricted_users local master = no preferred master = no domain master = no realm = <DOMAIN>.COM template shell = /bin/bash msdfs root = yes log level = 3 log file = <unix path to logfile>/samba.log.%m max log size = 4096 name resolve order = wins host deadtime = 5 keepalive = 900 wins support = no wins server = <IP 1>, <IP 2> dns proxy = yes preserve case = yes short preserve case = yes allow trusted domains = yes client min protocol = SMB2 winbind use default domain = yes winbind enum users = no winbind enum groups = no winbind nested groups = yes winbind separator = + winbind cache time = 6000 idmap config * : range = 100-60000 vfs objects = acl_xattr map acl inherit = Yes store dos attributes = Yes load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes client ldap sasl wrapping = sign client NTLMv2 auth = yes username map = <unix path>/map.txt allow insecure wide links = yes follow symlinks = yes wide links = no dont descend = .snapshot hide files = /.snapshot/._*/ veto files = /*.one/*Notebook.onetoc2/.parentlock/ browseable = No guest ok = No blocking locks = no kernel share modes = no client signing = disabled vfs objects = full_audit full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S full_audit:success = connect chdir opendir mkdir rmdir open read write unlink full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink full_audit:facility = local6 full_audit:priority = NOTICE include = <unix path>/config/general_smb.conf On Thu, Jun 3, 2021 at 1:49 PM Rowland penny via samba < samba at lists.samba.org> wrote:> On 03/06/2021 19:23, Krish Kay wrote: > > > > Rowland, > > > > Thanks for responding. > > We DO NOT run winbind daemon on RHEL7 at this time, since it is not > > running on RHEL6 > > > > Below is the smb.conf that we are testing on ver 4.10.16-5 on RHEL7.4, > > the contents in < > are redacted. > > > > [global] > > workgroup = <WORKGROUP NAME> > > netbios name = <NETBIOS NAME> > > server string = Samba %v on (%L) > > security = ADS > > encrypt passwords = Yes > > > > passdb backend = tdbsam:<path to db> > > > > use sendfile = yes > > invalid users = @samba_restricted_users > > local master = no > > preferred master = no > > domain master = no > > realm = <DOMAIN>.COM > > template shell = /bin/bash > > msdfs root = yes > > log level = 3 > > log file = <path to logfile>/samba.log.%m > > max log size = 4096 > > name resolve order = wins host > > deadtime = 5 > > keepalive = 900 > > wins support = no > > wins server = <IP 1>, <IP 2> > > dns proxy = yes > > preserve case = yes > > short preserve case = yes > > allow trusted domains = yes > > client min protocol = SMB2 > > winbind use default domain = yes > > winbind enum users = no > > winbind enum groups = no > > winbind nested groups = yes > > winbind separator = + > > winbind cache time = 6000 > > idmap config * : range = 100-60000 > > load printers = no > > printing = bsd > > printcap name = /dev/null > > disable spoolss = yes > > client ldap sasl wrapping = sign > > client NTLMv2 auth = yes > > username map = <path to>/map.txt > > allow insecure wide links = yes > > follow symlinks = yes > > wide links = no > > > > dont descend = .snapshot > > hide files = /.snapshot/._*/ > > veto files = /*.one/*Notebook.onetoc2/.parentlock/ > > browseable = No > > guest ok = No > > blocking locks = no > > kernel share modes = no > > client signing = disabled > > vfs objects = full_audit > > > > full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S > > full_audit:success = connect chdir opendir mkdir rmdir open > > read write unlink > > full_audit:failure = connect chdir opendir mkdir rmdir open > > read write unlink > > full_audit:facility = local6 > > full_audit:priority = NOTICE > > > > > > OK, do you plan to use shares ? You haven't shown any. > > If you are planning to use shares with Samba, then remove sssd, install > winbind and setup your smb.conf, see here: > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member > > If you just want authentication, then remove Samba and use sssd. > > If you continue to use Samba >= 4.8.0 with 'security = ADS' , you must > run winbind, this will require the removal of sssd. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland penny
2021-Jun-04 18:19 UTC
[Samba] Error : You dont have permission to save at this location.
On 04/06/2021 17:59, Krish Kay wrote:> > > Thanks for the information, specifically reg. ver > 4.8.0. > We are not using sssd, and are not running winbind with samba 4.7.8 on > RHEL6. > > > (1)Since we are using AD, we are not making changes to our existing > /etc/krb5.conf > Is that okay?Your /etc/krb5.conf only needs this: [libdefaults] ??? default_realm = SAMDOM.EXAMPLE.COM ??? dns_lookup_realm = false ??? dns_lookup_kdc = true Replace 'SAMDOM.EXAMPLE.COM' with your realm.> > > > (2)We tested winbind for samba 4.10.16-5 on RHEL7. > Basic checks look good. > #wbinfo --ping-dc > checking the NETLOGON for domain[ENT] dc connection to > "<hostname>.com" succeeded > > However, when smb is restarted after winbind, we are unable to map the > samba drive in Windows. > This error msg pop's up in windows : You do not have permission to > access \\<samba-server>\<share> Contact your network admin. > > Since we use NIS, what should be updated content in /etc/nsswitch.conf.What do mean by 'we use NIS' ?> Does winbind come before or after nis.Instead of> > (3)We do use shares. Example: > [<share-name>] > ? ? ? ? ?comment = <comment> > ? ? ? ? ?create mask = 0775 > ? ? ? ? ?force directory mode = 0775 > ? ? ? ? ?force group = <unix group name> > ? ? ? ? ?path = <unix path to share> > ? ? ? ? ?public = no > ? ? ? ? ?valid users = <username1> <username2> > ? ? ? ? ?writeable = yesInstead of using all those lines, I would read this: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs Then set up the share permissions from Windows, or at the very least by using setfacl.> > (4)Below is the updated smb.conf >This is my take on your smb.conf, without default lines etc: [global] ??????? workgroup = <WORKGROUP NAME> ??????? realm = <DOMAIN>.COM ??????? server string = Samba %v on (%L) ??????? security = ADS ??????? use sendfile = yes ??????? local master = no ??????? preferred master = no ??????? domain master = no ??????? msdfs root = yes ??????? log level = 3 ??????? log file = <unix path to logfile>/samba.log.%m ??????? max log size = 4096 ??????? deadtime = 5 ??????? keepalive = 900 ??????? client min protocol = SMB2 ??????? server min protocol = SMB2 ??????? winbind use default domain = yes ??????? winbind separator = + ??????? winbind cache time = 6000 ??????? idmap config * : backend = tdb ??????? idmap config * : range = 3000-7999 ??????? idmap config <WORKGROUP NAME> : backend = rid ??????? idmap config <WORKGROUP NAME> : range = 10000-9999999 ??????? # If you have rfc2307 attributes in ADD, read this ??????? # https://wiki.samba.org/index.php/Idmap_config_ad ??????? template shell = /bin/bash ??????? vfs objects = acl_xattr full_audit ??????? map acl inherit = Yes ??????? load printers = no ??????? printing = bsd ??????? printcap name = /dev/null ??????? disable spoolss = yes ??????? username map = <unix path>/map.txt ??????? dont descend = .snapshot ??????? hide files = /.snapshot/._*/ ??????? veto files = /*.one/*Notebook.onetoc2/.parentlock/ ??????? blocking locks = no ??????? kernel share modes = no ??????? client signing = disabled ??????? full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S ??????? full_audit:success = connect chdir opendir mkdir rmdir open read write unlink ??????? full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink ??????? full_audit:facility = local6 ??????? full_audit:priority = NOTICE ??????? include = <unix path>/config/general_smb.conf Just two questions, what is in your 'username map' and what is in the 'include' file ? Rowland