Antonio Trogu
2022-Mar-02 17:04 UTC
[Samba] Access denied to shares moved from AD DC to member server
Hello everybody. I have joined a new Ubuntu 20.04 server with Samba 4.13.17 (packaged) to an AD on CentOS 7.9 and Samba 4.14.4 (compiled), following the Samba Team's Howto, and everything appears to have succeeded.

After moving our iSCSI target hosting the shares from the PDC to the member server and configuring them on Samba, only the domain's Administrator can access them; no other authenticated user can. No credentials are asked for on the client, but a Windows "Network error" appears, while the member server's Samba log shows several NT_STATUS_ACCESS_DENIED errors. Windows ACLs on the shares appear correct, but seem not to be applied to the moved shares.

This is the AD DC's smb.conf (only global and an example share):

    [global]
    workgroup = MYAD
    realm = MYAD.MYDOMAIN.IT
    netbios name = MYADDC
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    log file = /var/log/samba/%m.log
    log level = 2

    [Share1]
    path = /path/to/share1
    read only = no

This instead is the member server's smb.conf:

    [global]
    security = ADS
    workgroup = MYAD
    realm = MYAD.MYDOMAIN.IT
    username map = /etc/samba/user.map
    vfs objects = acl_xattr
    map acl inherit = yes
    winbind nss info = rfc2307
    log file = /var/log/samba/%m.log
    log level = 5 winbind:10
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYAD:backend = rid
    idmap config MYAD:range = 10000-9999999
    min domain uid = 0
    acl_xattr:ignore system acls = yes

    [Share1]
    path = /path/to/Share1
    read only = no

I've increased the logging, especially winbind's, but I'm not able to see anything helpful. Where should I look now?

Thanks,
Antonio
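One thing worth checking mechanically on a member server like the one above is the idmap configuration: Samba requires the `idmap config * : range` and every per-domain range to be disjoint and well-formed, otherwise winbind cannot map SIDs to uid/gid values consistently and access checks fail in confusing ways. The script below is an added example, not code from the post or from the Samba project; it parses the `[global]` section of an smb.conf fragment with a minimal INI-style reader and reports missing backends, missing or inverted ranges, and overlapping ranges. `MEMBER_CONF` is the poster's member-server global section (which passes the check, so this is not the cause of the poster's problem); `OVERLAPPING_CONF` is a constructed variant whose domain range collides with the default range.

```python
import re

# Constructed input: the member server's [global] section as posted, plus one share.
MEMBER_CONF = """
[global]
security = ADS
workgroup = MYAD
realm = MYAD.MYDOMAIN.IT
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYAD:backend = rid
idmap config MYAD:range = 10000-9999999
[Share1]
path = /path/to/Share1
read only = no
"""

# Constructed bad variant: the MYAD range starts inside the '*' range.
OVERLAPPING_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYAD:backend = rid
idmap config MYAD:range = 5000-9999999
"""

# Matches normalised keys such as "idmap config * : range" or "idmap config myad:backend".
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(backend|range)$")


def parse_global(text):
    """Return {key: value} for the [global] section; keys lower-cased, whitespace collapsed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def idmap_domains(params):
    """Collect {DOMAIN: {'backend': str, 'range': (low, high)}} from idmap config keys."""
    domains = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if not m:
            continue
        dom, what = m.group(1).upper(), m.group(2)
        entry = domains.setdefault(dom, {})
        if what == "range":
            low, high = (int(x) for x in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return domains


def check_idmap(text):
    """Return a list of findings about the idmap setup; an empty list means nothing was flagged."""
    domains = idmap_domains(parse_global(text))
    findings = []
    if "backend" not in domains.get("*", {}):
        findings.append("no 'idmap config * : backend' default mapping")
    for dom, entry in domains.items():
        if "backend" not in entry:
            findings.append(f"{dom}: no backend configured")
        if "range" not in entry:
            findings.append(f"{dom}: no range configured")
        elif entry["range"][0] >= entry["range"][1]:
            findings.append(f"{dom}: range low >= high")
    # Pairwise overlap test: two closed intervals intersect iff each starts before the other ends.
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for i, (d1, (l1, h1)) in enumerate(ranged):
        for d2, (l2, h2) in ranged[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                findings.append(f"ranges of {d1} ({l1}-{h1}) and {d2} ({l2}-{h2}) overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("member", MEMBER_CONF), ("overlapping", OVERLAPPING_CONF)):
        print(name, check_idmap(conf) or "ok")
```

The parser deliberately only reads `[global]`, because idmap options are global-only in Samba; a real deployment would feed it the output of `testparm -s` so that includes and defaults are already resolved.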