Rowland penny
2021-Jun-04 18:19 UTC
[Samba] Error : You dont have permission to save at this location.
On 04/06/2021 17:59, Krish Kay wrote:
>
> Thanks for the information, specifically reg. ver > 4.8.0.
> We are not using sssd, and are not running winbind with samba 4.7.8 on
> RHEL6.
>
> (1) Since we are using AD, we are not making changes to our existing
> /etc/krb5.conf
> Is that okay?

Your /etc/krb5.conf only needs this:

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

Replace 'SAMDOM.EXAMPLE.COM' with your realm.

> (2) We tested winbind for samba 4.10.16-5 on RHEL7.
> Basic checks look good.
> #wbinfo --ping-dc
> checking the NETLOGON for domain[ENT] dc connection to
> "<hostname>.com" succeeded
>
> However, when smb is restarted after winbind, we are unable to map the
> samba drive in Windows.
> This error msg pops up in windows : You do not have permission to
> access \\<samba-server>\<share> Contact your network admin.
>
> Since we use NIS, what should be updated content in /etc/nsswitch.conf.

What do you mean by 'we use NIS'?

> Does winbind come before or after nis.

Instead of

> (3) We do use shares. Example:
> [<share-name>]
>         comment = <comment>
>         create mask = 0775
>         force directory mode = 0775
>         force group = <unix group name>
>         path = <unix path to share>
>         public = no
>         valid users = <username1> <username2>
>         writeable = yes

Instead of using all those lines, I would read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Then set up the share permissions from Windows, or at the very least by using setfacl.

> (4) Below is the updated smb.conf

This is my take on your smb.conf, without default lines etc:

[global]
        workgroup = <WORKGROUP NAME>
        realm = <DOMAIN>.COM
        server string = Samba %v on (%L)
        security = ADS

        use sendfile = yes
        local master = no
        preferred master = no
        domain master = no
        msdfs root = yes
        log level = 3
        log file = <unix path to logfile>/samba.log.%m
        max log size = 4096
        deadtime = 5
        keepalive = 900

        client min protocol = SMB2
        server min protocol = SMB2
        winbind use default domain = yes
        winbind separator = +
        winbind cache time = 6000
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config <WORKGROUP NAME> : backend = rid
        idmap config <WORKGROUP NAME> : range = 10000-9999999
        # If you have rfc2307 attributes in AD, read this
        # https://wiki.samba.org/index.php/Idmap_config_ad

        template shell = /bin/bash
        vfs objects = acl_xattr full_audit
        map acl inherit = Yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        username map = <unix path>/map.txt

        dont descend = .snapshot
        hide files = /.snapshot/._*/
        veto files = /*.one/*Notebook.onetoc2/.parentlock/
        blocking locks = no
        kernel share modes = no
        client signing = disabled

        full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
        full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
        full_audit:facility = local6
        full_audit:priority = NOTICE
        include = <unix path>/config/general_smb.conf

Just two questions, what is in your 'username map' and what is in the 'include' file ?

Rowland
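An added example, not part of the message above and not Samba project code: a Python check over the [global] section suggested above that confirms the idmap ranges for the default domain and the AD domain do not overlap, and reports the client signing = disabled setting. The sample text is constructed from lines in the message, with the hypothetical workgroup name SAMDOM standing in for <WORKGROUP NAME>; the function names are this example's own.

```python
import re

# Constructed sample: idmap and signing lines from the smb.conf above, with
# the hypothetical workgroup SAMDOM standing in for <WORKGROUP NAME>.
SAMPLE = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-9999999
    client signing = disabled
"""

def parse_global(text):
    """Return {parameter: value} for [global]; names are lowercased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    """Map each idmap domain ('*' is the default) to its (low, high) range."""
    ranges = {}
    for key, value in params.items():
        dom = re.fullmatch(r"idmap config (.+?) ?: ?range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng:
            ranges[dom.group(1)] = (int(rng.group(1)), int(rng.group(2)))
    return ranges

def findings(text):
    """List problems: overlapping idmap ranges and disabled client signing."""
    params = parse_global(text)
    out = []
    doms = sorted(idmap_ranges(params).items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(doms, doms[1:]):
        if lo2 <= hi1:  # next range starts inside the previous one
            out.append(f"idmap ranges overlap: {d1} {lo1}-{hi1} / {d2} {lo2}-{hi2}")
    if params.get("client signing", "").lower() == "disabled":
        out.append("client signing = disabled: SMB signing is off when Samba acts as a client")
    return out
```

Calling findings(SAMPLE) returns only the client signing entry, since 3000-7999 and 10000-9999999 do not overlap.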
Krish Kay
2021-Jun-04 19:53 UTC
[Samba] Error : You dont have permission to save at this location.
>>Just two questions, what is in your 'username map' and what is in the 'include' file ?

map.txt has:
stpadmin = STP-ADMIN

include has blocks like below:
[<share-name>]
        comment = <comment>
        create mask = 0775
        force directory mode = 0775
        force group = <unix group name>
        path = <unix path to share>
        public = no
        valid users = <username1> <username2>
        writeable = yes

>>What do you mean by 'we use NIS'?

NIS is a naming service, Network Information Service.
https://en.wikipedia.org/wiki/Network_Information_Service

So, in our /etc/resolv.conf we currently have below. Do we add winbind, before or after nis.

passwd: files nis
group: files nis

Thanks

On Fri, Jun 4, 2021 at 1:20 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 04/06/2021 17:59, Krish Kay wrote:
> >
> > Thanks for the information, specifically reg. ver > 4.8.0.
> > We are not using sssd, and are not running winbind with samba 4.7.8 on
> > RHEL6.
> >
> > (1) Since we are using AD, we are not making changes to our existing
> > /etc/krb5.conf
> > Is that okay?
>
> Your /etc/krb5.conf only needs this:
>
> [libdefaults]
>     default_realm = SAMDOM.EXAMPLE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> Replace 'SAMDOM.EXAMPLE.COM' with your realm.
>
> > (2) We tested winbind for samba 4.10.16-5 on RHEL7.
> > Basic checks look good.
> > #wbinfo --ping-dc
> > checking the NETLOGON for domain[ENT] dc connection to
> > "<hostname>.com" succeeded
> >
> > However, when smb is restarted after winbind, we are unable to map the
> > samba drive in Windows.
> > This error msg pops up in windows : You do not have permission to
> > access \\<samba-server>\<share> Contact your network admin.
> >
> > Since we use NIS, what should be updated content in /etc/nsswitch.conf.
>
> What do you mean by 'we use NIS'?
>
> > Does winbind come before or after nis.
>
> Instead of
>
> > (3) We do use shares. Example:
> > [<share-name>]
> >         comment = <comment>
> >         create mask = 0775
> >         force directory mode = 0775
> >         force group = <unix group name>
> >         path = <unix path to share>
> >         public = no
> >         valid users = <username1> <username2>
> >         writeable = yes
>
> Instead of using all those lines, I would read this:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Then set up the share permissions from Windows, or at the very least by
> using setfacl.
>
> > (4) Below is the updated smb.conf
>
> This is my take on your smb.conf, without default lines etc:
>
> [global]
>         workgroup = <WORKGROUP NAME>
>         realm = <DOMAIN>.COM
>         server string = Samba %v on (%L)
>         security = ADS
>
>         use sendfile = yes
>         local master = no
>         preferred master = no
>         domain master = no
>         msdfs root = yes
>         log level = 3
>         log file = <unix path to logfile>/samba.log.%m
>         max log size = 4096
>         deadtime = 5
>         keepalive = 900
>
>         client min protocol = SMB2
>         server min protocol = SMB2
>         winbind use default domain = yes
>         winbind separator = +
>         winbind cache time = 6000
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config <WORKGROUP NAME> : backend = rid
>         idmap config <WORKGROUP NAME> : range = 10000-9999999
>         # If you have rfc2307 attributes in AD, read this
>         # https://wiki.samba.org/index.php/Idmap_config_ad
>
>         template shell = /bin/bash
>         vfs objects = acl_xattr full_audit
>         map acl inherit = Yes
>
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         username map = <unix path>/map.txt
>
>         dont descend = .snapshot
>         hide files = /.snapshot/._*/
>         veto files = /*.one/*Notebook.onetoc2/.parentlock/
>         blocking locks = no
>         kernel share modes = no
>         client signing = disabled
>
>         full_audit:prefix = %D|%u|%g|%m|%I|%R|%p|%S
>         full_audit:success = connect chdir opendir mkdir rmdir open read write unlink
>         full_audit:failure = connect chdir opendir mkdir rmdir open read write unlink
>         full_audit:facility = local6
>         full_audit:priority = NOTICE
>         include = <unix path>/config/general_smb.conf
>
> Just two questions, what is in your 'username map' and what is in the
> 'include' file ?
>
> Rowland