Krish Kay
2021-Jun-04 16:59 UTC
[Samba] Error : You dont have permission to save at this location.
Thanks for the information, specifically reg. ver > 4.8.0.
We are not using sssd, and are not running winbind with samba 4.7.8 on
RHEL6.
(1)Since we are using AD, we are not making changes to our existing
/etc/krb5.conf
Is that okay?
The current /etc/krb5.conf is:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
(2)We tested winbind for samba 4.10.16-5 on RHEL7.
Basic checks look good.
#wbinfo --ping-dc
checking the NETLOGON for domain[ENT] dc connection to
"<hostname>.com"
succeeded
However, when smb is restarted after winbind, we are unable to map the
samba drive in Windows.
This error msg pops up in Windows: You do not have permission to access
\\<samba-server>\<share> Contact your network admin.
Since we use NIS, what should the updated content of /etc/nsswitch.conf be?
Does winbind come before or after nis?
passwd: files nis
group: files nis
(3)We do use shares. Example:
[<share-name>]
comment = <comment>
create mask = 0775
force directory mode = 0775
force group = <unix group name>
path = <unix path to share>
public = no
valid users = <username1> <username2>
writeable = yes
(4)Below is the updated smb.conf
[global]
workgroup = <WORKGROUP NAME>
netbios name = <NETBIOS NAME>
server string = Samba %v on (%L)
security = ADS
encrypt passwords = Yes
passdb backend = tdbsam:<path to db>/passdb.tdb
use sendfile = yes
invalid users = @samba_restricted_users
local master = no
preferred master = no
domain master = no
realm = <DOMAIN>.COM
template shell = /bin/bash
msdfs root = yes
log level = 3
log file = <unix path to logfile>/samba.log.%m
max log size = 4096
name resolve order = wins host
deadtime = 5
keepalive = 900
wins support = no
wins server = <IP 1>, <IP 2>
dns proxy = yes
preserve case = yes
short preserve case = yes
allow trusted domains = yes
client min protocol = SMB2
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
winbind nested groups = yes
winbind separator = +
winbind cache time = 6000
idmap config * : range = 100-60000
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
client ldap sasl wrapping = sign
client NTLMv2 auth = yes
username map = <unix path>/map.txt
allow insecure wide links = yes
follow symlinks = yes
wide links = no
dont descend = .snapshot
hide files = /.snapshot/._*/
veto files = /*.one/*Notebook.onetoc2/.parentlock/
browseable = No
guest ok = No
blocking locks = no
kernel share modes = no
client signing = disabled
vfs objects = full_audit
full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
full_audit:success = connect chdir opendir mkdir rmdir open read
write unlink
full_audit:failure = connect chdir opendir mkdir rmdir open read
write unlink
full_audit:facility = local6
full_audit:priority = NOTICE
include = <unix path>/config/general_smb.conf
On Thu, Jun 3, 2021 at 1:49 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 03/06/2021 19:23, Krish Kay wrote:
> >
> > Rowland,
> >
> > Thanks for responding.
> > We DO NOT run winbind daemon on RHEL7 at this time, since it is not
> > running on RHEL6
> >
> > Below is the smb.conf that we are testing on ver 4.10.16-5 on RHEL7.4,
> > the contents in < > are redacted.
> >
> > [global]
> > workgroup = <WORKGROUP NAME>
> > netbios name = <NETBIOS NAME>
> > server string = Samba %v on (%L)
> > security = ADS
> > encrypt passwords = Yes
> >
> > passdb backend = tdbsam:<path to db>
> >
> > use sendfile = yes
> > invalid users = @samba_restricted_users
> > local master = no
> > preferred master = no
> > domain master = no
> > realm = <DOMAIN>.COM
> > template shell = /bin/bash
> > msdfs root = yes
> > log level = 3
> > log file = <path to logfile>/samba.log.%m
> > max log size = 4096
> > name resolve order = wins host
> > deadtime = 5
> > keepalive = 900
> > wins support = no
> > wins server = <IP 1>, <IP 2>
> > dns proxy = yes
> > preserve case = yes
> > short preserve case = yes
> > allow trusted domains = yes
> > client min protocol = SMB2
> > winbind use default domain = yes
> > winbind enum users = no
> > winbind enum groups = no
> > winbind nested groups = yes
> > winbind separator = +
> > winbind cache time = 6000
> > idmap config * : range = 100-60000
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> > client ldap sasl wrapping = sign
> > client NTLMv2 auth = yes
> > username map = <path to>/map.txt
> > allow insecure wide links = yes
> > follow symlinks = yes
> > wide links = no
> >
> > dont descend = .snapshot
> > hide files = /.snapshot/._*/
> > veto files = /*.one/*Notebook.onetoc2/.parentlock/
> > browseable = No
> > guest ok = No
> > blocking locks = no
> > kernel share modes = no
> > client signing = disabled
> > vfs objects = full_audit
> >
> > full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
> > full_audit:success = connect chdir opendir mkdir rmdir open
> > read write unlink
> > full_audit:failure = connect chdir opendir mkdir rmdir open
> > read write unlink
> > full_audit:facility = local6
> > full_audit:priority = NOTICE
> >
> >
>
> OK, do you plan to use shares ? You haven't shown any.
>
> If you are planning to use shares with Samba, then remove sssd, install
> winbind and setup your smb.conf, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> If you just want authentication, then remove Samba and use sssd.
>
> If you continue to use Samba >= 4.8.0 with 'security = ADS' , you must
> run winbind, this will require the removal of sssd.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
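The [global] section posted above sets `vfs objects` twice (`acl_xattr` first, `full_audit` later); smb.conf keeps the last value in a section, so `acl_xattr` is silently dropped, which is why Rowland's version below merges them into one line. The following is an added example, not code from the thread or from the Samba project: a small reader for the `key = value` syntax shown in the posted config, run over a constructed excerpt of that config, that reports overridden keys and two settings a defender would look at (`client signing = disabled`, and the absence of `server min protocol`, which on Samba releases before 4.11 leaves SMB1 enabled). It does not replace `testparm`.

```python
"""Lint an smb.conf [global] section for overridden keys and weak settings.

Added example, not code from the Samba project or the mailing-list thread.
The parser is a deliberately small reader for the "key = value" syntax in
the posted config; use `testparm -s` for the authoritative view.
"""
import re

# Constructed input: a trimmed copy of the [global] section posted in the
# thread, keeping the lines that matter for the checks below.
SMB_CONF = """
[global]
        security = ADS
        client min protocol = SMB2
        vfs objects = acl_xattr
        map acl inherit = Yes
        client signing = disabled
        vfs objects = full_audit
        full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
[data]
        path = /srv/data
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping every occurrence."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and extra whitespace inside parameter names
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current].append((key, value.strip()))
    return sections


def overridden_keys(entries):
    """Keys set more than once in a section; Samba keeps the last value."""
    seen = {}
    for key, value in entries:
        seen.setdefault(key, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def lint_global(sections):
    """Return a list of human-readable findings for the [global] section."""
    findings = []
    g = sections.get("global", [])
    for key, values in overridden_keys(g).items():
        findings.append(f"'{key}' set {len(values)} times; only '{values[-1]}' "
                        f"takes effect, earlier '{values[0]}' is dropped")
    effective = dict(g)  # dict() keeps the last value per key, as Samba does
    if effective.get("client signing", "").lower() == "disabled":
        findings.append("'client signing = disabled' turns off SMB signing on "
                        "Samba's own outbound connections (e.g. to the DC)")
    if "server min protocol" not in effective:
        findings.append("'server min protocol' unset; Samba before 4.11 then "
                        "still accepts SMB1 (NT1) from clients")
    return findings


if __name__ == "__main__":
    for finding in lint_global(parse_smb_conf(SMB_CONF)):
        print(finding)
```

Run it against a real file by replacing `SMB_CONF` with the contents of `/etc/samba/smb.conf`; the `include` line in the posted config pulls in a second file, so lint that file too or the merged output of `testparm -s`.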
Rowland penny
2021-Jun-04 18:19 UTC
[Samba] Error : You dont have permission to save at this location.
On 04/06/2021 17:59, Krish Kay wrote:
>
> Thanks for the information, specifically reg. ver > 4.8.0.
> We are not using sssd, and are not running winbind with samba 4.7.8 on
> RHEL6.
>
> (1)Since we are using AD, we are not making changes to our existing
> /etc/krb5.conf
> Is that okay?

Your /etc/krb5.conf only needs this:

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

Replace 'SAMDOM.EXAMPLE.COM' with your realm.

> (2)We tested winbind for samba 4.10.16-5 on RHEL7.
> Basic checks look good.
> #wbinfo --ping-dc
> checking the NETLOGON for domain[ENT] dc connection to
> "<hostname>.com" succeeded
>
> However, when smb is restarted after winbind, we are unable to map the
> samba drive in Windows.
> This error msg pops up in Windows: You do not have permission to
> access \\<samba-server>\<share> Contact your network admin.
>
> Since we use NIS, what should the updated content of /etc/nsswitch.conf be?

What do you mean by 'we use NIS' ?

> Does winbind come before or after nis?

Instead of

> (3)We do use shares. Example:
> [<share-name>]
>          comment = <comment>
>          create mask = 0775
>          force directory mode = 0775
>          force group = <unix group name>
>          path = <unix path to share>
>          public = no
>          valid users = <username1> <username2>
>          writeable = yes

Instead of using all those lines, I would read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Then set up the share permissions from Windows, or at the very least by
using setfacl.

> (4)Below is the updated smb.conf
>

This is my take on your smb.conf, without default lines etc:

[global]
        workgroup = <WORKGROUP NAME>
        realm = <DOMAIN>.COM
        server string = Samba %v on (%L)
        security = ADS
        use sendfile = yes
        local master = no
        preferred master = no
        domain master = no
        msdfs root = yes
        log level = 3
        log file = <unix path to logfile>/samba.log.%m
        max log size = 4096
        deadtime = 5
        keepalive = 900
        client min protocol = SMB2
        server min protocol = SMB2
        winbind use default domain = yes
        winbind separator = +
        winbind cache time = 6000
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config <WORKGROUP NAME> : backend = rid
        idmap config <WORKGROUP NAME> : range = 10000-9999999
        # If you have rfc2307 attributes in AD, read this
        # https://wiki.samba.org/index.php/Idmap_config_ad
        template shell = /bin/bash
        vfs objects = acl_xattr full_audit
        map acl inherit = Yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        username map = <unix path>/map.txt
        dont descend = .snapshot
        hide files = /.snapshot/._*/
        veto files = /*.one/*Notebook.onetoc2/.parentlock/
        blocking locks = no
        kernel share modes = no
        client signing = disabled
        full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
        full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:facility = local6
        full_audit:priority = NOTICE
        include = <unix path>/config/general_smb.conf

Just two questions, what is in your 'username map' and what is in the
'include' file ?

Rowland