Stefan G. Weichinger
2021-Dec-29 16:49 UTC
[Samba] Domain admin can't access share on samba dm-server
On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
> First..
>
> Use FQDNs in your shares.

But ... it worked like this for years ;-)

> Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default

I am not guest, I am the domain admin in this context.

> klist -ke shows? Can you show the full output.

here you are:

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-md5)
   5 host/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-crc)
   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-md5)
   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
   3 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)

> For cifs (and nfs) you need the spn format like this.
> cifs/hostname.internal.domain.tld@REALM.TLD
> (net ads adds the REALM part automatically)
>
> If your host is using a CNAME for cifs then you need to add,
> cifs/cname.internal.domain.tld@REALM.TLD also

And WHY do I have to set that up again? I understand that kerberos has to work behind the curtains, but it doesn't sound efficient to me that this isn't negotiated by the machines themselves.

I mean, in the start I didn't do that either, correct?

> And it's really advised to give these servers a PTR record.

There is a PTR

> How i do it.
> And ALWAYS backup your krb5.keytab file first.
> Don't know why sometimes ( in my case ) the KVNO is off
> When that happens i restore the original keytab file.
>
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> net ads keytab add_update_ads cifs/$(hostname -f)
>
> Removing wrong entries i do like this, and maybe
> someone has better ideas on this, please add it..
>
> !! MAKE THAT BACKUP FIRST !!
> ktutil
> rkt /etc/krb5.keytab
> ? For help.
> wkt /etc/krb5.keytab.new
>
> cp /etc/krb5.keytab.new /etc/krb5.keytab
>
> !! If you write the keytab as shown above directly into /etc/krb5.keytab
> You get everything double.
>
> When you use delent nr and you have 1-40 entries. Let's say entry 21 to 40 are wrong.
> delent 21 << only one you need.. Just repeat it until it's all gone.
>
> Hope this helped a bit.

Sure, thanks.

I see the path but have to think twice before I touch this production file server. users use it 24/7 ... my access from that windows server isn't that important right now (transferred my ISO via another server ...).

> Ps. Im picky but..
>> idmap config buero:range = 10000-99999
>> idmap config buero:backend = rid
>
> bero should be BUERO

sigh

I showed the smb.conf-files of that site maybe 10 times here and every time I get another parameter pointed out as wrong. I wonder if it ever gets finished ;-)

Thanks anyway, I appreciate it!
cn at brain-biotech.de
2021-Dec-29 18:37 UTC
[Samba] Domain admin can't access share on samba dm-server
Maybe it is the recent security updates? Have you tried setting min domain uid=0?

Regards

--
Dr. Christian Naumer
Vice President Unit Head Bioprocess Development
BRAIN Biotech AG
L.P.H. van Belle
2021-Dec-30 10:15 UTC
[Samba] Domain admin can't access share on samba dm-server
That's a good point yes.. ( the : min domain uid=0 options in smb.conf )
Thanks Christian for pointing it out.

Stefan i commented a bit below also.

> Maybe it is the recent security updates? Have you tried
> setting min domain uid=0?
>
>> On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
>>> First..
>>>
>>> Use FQDNs in your shares.
>>
>> But ... it worked like this for years ;-)

And.. After some big security updates it stopped working. It happens ;-)

>>> klist -ke shows? Can you show the full output.
>>
>> here you are:
>> [...]

All the entries look fine, i only don't get why i see KVNO 2 and 3
But that's me, i just don't know that..

>>> For cifs (and nfs) you need the spn format like this.
>>> cifs/hostname.internal.domain.tld@REALM.TLD
>>> (net ads adds the REALM part automatically)
>>>
>>> If your host is using a CNAME for cifs then you need to add,
>>> cifs/cname.internal.domain.tld@REALM.TLD also
>>
>> And WHY do I have to set that up again? I understand that
>> kerberos has to work behind the curtains, but it doesn't
>> sound efficient to me that this isn't negotiated by the
>> machines themselves.

Did i say setup again? I'll rephrase it next time.
I only shows the options and what to set.
For example, none of my servers have. cifs/hostname all use FQDN. *( for cifs and nfs that at least)

>> I mean, in the start I didn't do that either, correct?
>>
>>> And it's really advised to give these servers a PTR record.
>>
>> There is a PTR

Great, that always helps.

>> I see the path but have to think twice before I touch this
>> production file server. users use it 24/7 ... my access from
>> that windows server isn't that important right now
>> (transferred my ISO via another server ...).

Hahah, you know, i had this problem also, 2 weeks ago..
I suggest, first try that min domain uid=0 option.

>>> Ps. Im picky but..
>>>> idmap config buero:range = 10000-99999
>>>> idmap config buero:backend = rid
>>>
>>> bero should be BUERO
>>
>> sigh
>>
>> I showed the smb.conf-files of that site maybe 10 times here
>> and every time I get another parameter pointed out as wrong.
>> I wonder if it ever gets finished ;-)

Hihi.. Yeah, or you missed a comment ;-)
At least it wasn't wrong, it was good and now it's perfect. :-))

>> Thanks anyway, I appreciate it!

You're welcome.
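
An added example, not part of the original thread: a small audit of `klist -ke` output for the three things raised in the replies above, namely the same principal appearing at more than one KVNO, entries with deprecated enctypes, and cifs SPNs present only under a short host name with no FQDN form. The sample listing is constructed in the format Stefan posted; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the `klist -ke` format shown in this thread (a subset).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-crc)
"""

# One entry line: KVNO, principal@REALM, (optional DEPRECATED: prefix + enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((DEPRECATED:)?([^)]+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, realm, enctype, deprecated) per entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header and separator lines do not match and are skipped
            kvno, princ, realm, dep, etype = m.groups()
            entries.append((int(kvno), princ, realm, etype, bool(dep)))
    return entries

def audit(entries):
    """Collect the findings discussed in the thread from parsed entries."""
    kvnos = defaultdict(set)
    deprecated = set()
    cifs_hosts = set()
    for kvno, princ, _realm, etype, dep in entries:
        kvnos[princ].add(kvno)
        if dep:
            deprecated.add((princ, etype))
        service, _, host = princ.partition("/")
        if service.lower() == "cifs":
            cifs_hosts.add(host.lower())
    # Short names that do have a cifs/<fqdn> counterpart in the keytab.
    covered = {h.split(".")[0] for h in cifs_hosts if "." in h}
    return {
        "mixed_kvno": {p: sorted(v) for p, v in kvnos.items() if len(v) > 1},
        "deprecated": sorted(deprecated),
        "cifs_without_fqdn": sorted(
            h for h in cifs_hosts if "." not in h and h not in covered),
    }

if __name__ == "__main__":
    for finding, value in audit(parse_keytab_listing(SAMPLE)).items():
        print(finding, value)
```

To run it against a real host, feed it the text of `klist -ke` instead of `SAMPLE`; a principal listed under `mixed_kvno` is a prompt to compare against the KDC, not proof of a fault.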
Stefan G. Weichinger
2022-Jan-12 13:53 UTC
[Samba] Domain admin can't access share on samba dm-server
On 29.12.21 at 19:37, cn--- via samba wrote:
> Maybe it is the recent security updates? Have you tried setting min domain uid=0?

Could someone pls point me at the exact update/changes?

I have issues at a 2nd customer and the windows admin does the usual "linux is sh*t" communication (while he runs outdated DCs etc ...).

trying to fast fix that now