Hi Roland-
On 11/3/21 11:20, Rowland Penny via samba wrote:
> On Wed, 2021-11-03 at 10:58 -0500, Patrick Goetz via samba wrote:
>> Sorry for spamming the list today.
>>
>> I'm slowly testing out my new Samba AD network. At the moment I'm
>> trying to mount a share on a W10 client from a CMD prompt, and the
>> mount is failing:
>>
>> net use G: \\data2\share
>>
>> I tried a suggestion from Louis to use the FQDN:
>>
>> net use G: \\data2.ea.linuxcs.com\share
>>
>> and it still failed, but with a different Windows error message.
>> When I tail -f /var/log/samba/smbd on the fileserver I see
>>
>>
>> ---------------------------
>> [2021/11/03 10:20:25.088689, 0] ../../source3/auth/token_util.c:565(add_local_groups)
>> add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 -> getpwuid(11103) failed, is nsswitch configured?
>> [2021/11/03 10:20:35.371582, 0] ../../source3/auth/token_util.c:565(add_local_groups)
>> add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 -> getpwuid(11103) failed, is nsswitch configured?
>> [2021/11/03 10:20:35.383936, 0] ../../source3/auth/token_util.c:565(add_local_groups)
>> add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 -> getpwuid(11103) failed, is nsswitch configured?
>> ---------------------------
>>
>>
>> 11103 is the uid of the user I'm trying to connect this share for.
>> The suggestion is that nsswitch.conf isn't configured, but in fact
>> it is:
>>
>> root@data2:/etc# cat nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd: files systemd winbind
>> group: files systemd winbind
>> ...
>>
>>
>>
>> I know I'm using the correct password, because I used it to log in
>> on the W10 client as this user. Any thoughts on what I should look
>> at next?
>>
>>
>> Other AD stuff works properly:
>> root@data2:/etc# getent passwd patrickgoetz
>> patrickgoetz:*:11104:10513::/home/EA/patrickgoetz:/bin/false
>> root@data2:/etc# wbinfo -i mduffy
>> mduffy:*:11103:10513::/home/EA/mduffy:/bin/false
>>
>>
>>
>> The share has appropriate ACLs set:
>>
>> root@data2:/data# ls -ld share
>> drwxrwx--- 2 root staff 4096 Nov 2 19:15 share
>
> The only people that can connect to that share are, the Unix user
> 'root' and members of the Unix group 'staff'
> Remember what I said about 'setfacl'
>
Maybe this is the problem? I set up staff as an AD security group, not
realizing it's a built-in group in /etc/group. But this is likely
confusing the system. The group does ID correctly. You can tell from
the group UID that it's an AD group:

root@data2:/data# id staff
uid=11110(staff) gid=11110(staff) groups=11110(staff)
root@data2:/data# grep staff /etc/group
staff:x:50:

OK, let me change the name of the Security Group to see if this resolves
the issue.
>>
>>
>> The user is a member of the staff group.
>
> Where did you make the user a member of 'staff' and how ?
>
>> I can't get `get-adgroup` or
>> `get-adgroupmember` to work in PowerShell to demonstrate this;
>> presumably this has to do with the Windows web interface thing.
>
> More likely Windows not having a clue what the Unix group 'staff' is.
>
>>
>>
>> And here is the resource section from smb.conf:
>>
>> [share]
>> comment = Share Directory
>> path = /data/share
>> guest ok = no
>> browseable = yes
>> writeable = yes
>> create mask = 0770
>> directory mask = 0770
>> follow symlinks = yes
>
> Please do not post parts of a smb.conf, without the 'global' part, it
> hasn't any context (I know you may have posted it previously, but this
> would mean searching for it and you may have changed it anyway) :-)
>
> Rowland
>
>
>
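
Added example, not part of the original messages or of Samba: a Python check for the name collision raised in this thread, where a group name exists both in /etc/group and in the domain while nsswitch.conf lists `files` before `winbind`, so a lookup by name stops at the local entry. The nsswitch lines, `staff:x:50:` and gid 11110 are taken from the thread; `labusers`, its gid and the `root` line are constructed sample data, and the function names are hypothetical. It assumes winbind returns group names without a domain prefix.

```python
import re

def group_sources(nsswitch_text):
    """Ordered sources on the 'group:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            # Drop action items such as [NOTFOUND=return]
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return spec.split()
    return []

def local_groups(etc_group_text):
    """Map name -> gid for each well-formed /etc/group line."""
    groups = {}
    for line in etc_group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups

def shadowed_domain_groups(nsswitch_text, etc_group_text, domain_groups):
    """Return {name: (local_gid, domain_gid)} for domain groups hidden by /etc/group."""
    sources = group_sources(nsswitch_text)
    if "files" not in sources or "winbind" not in sources:
        return {}
    if sources.index("files") > sources.index("winbind"):
        return {}  # winbind answers first, so the local entry does not hide it
    local = local_groups(etc_group_text)
    return {n: (local[n], g) for n, g in domain_groups.items()
            if n in local and local[n] != g}

# Sample input: nsswitch lines and 'staff' values from the thread, rest constructed.
NSSWITCH = "passwd: files systemd winbind\ngroup: files systemd winbind\n"
ETC_GROUP = "root:x:0:\nstaff:x:50:\n"
DOMAIN_GROUPS = {"staff": 11110, "labusers": 11200}

if __name__ == "__main__":
    hits = shadowed_domain_groups(NSSWITCH, ETC_GROUP, DOMAIN_GROUPS)
    for name, (lgid, dgid) in hits.items():
        print(f"{name}: name lookup returns local gid {lgid}; domain gid {dgid} is hidden")
```
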