On Mon, 4 Sep 2023 15:47:59 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 4 Sep 2023 16:39:39 +0200
> basti via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I have set up a Samba AD-DC and a member server, all Debian 12.
> >
> > When I try to connect from a Windows client to dc1, all is fine.
> > The same machine can't connect to the member server.
> >
> > [global]
> > workgroup = NET
> > security = ADS
> > realm = NET.EXAMPLE.DE
> >
> > log file = /var/log/samba/%m.log
> > log level = 1
> >
> > winbind refresh tickets = Yes
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > #dedicated keytab file = /etc/krb5.keytab
> > #kerberos method = secrets and keytab
> >
> > winbind use default domain = yes
> >
> > # Default ID mapping configuration for local BUILTIN accounts
> > # and groups on a domain member. The default (*) domain:
> > # - must not overlap with any domain ID mapping configuration!
> > # - must use an read-write-enabled back end, such as tdb.
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > # idmap config for the NET domain
> > idmap config NET:backend = ad
> > idmap config NET:schema_mode = rfc2307
> > idmap config NET:range = 10000-999999
> > idmap config NET:unix_nss_info = yes
> >
> > # fix dfs error's in log ?
> > host msdfs = no
> >
> > dns proxy = no
> > log file = /var/log/samba/log.%m
> > max log size = 10000
> > panic action = /usr/share/samba/panic-action %d
> >
> > map to guest = bad user
> >
> > #======================= Share Definitions ======================>
> ....
> >
> > root at fs:~# smbclient -N -L \\localhost
> >
> > Sharename Type Comment
> > --------- ---- -------
> > praxis Disk
> > dagmar Disk
> > thomas Disk
> > iustest Disk
> > IPC$ IPC IPC Service (Samba 4.17.10-Debian)
> > SMB1 disabled -- no workgroup available
> > root at fs:~#
> >
> > wbinfo -u works
> > getent passwd username works
> >
> > smbclient from another Linux machine works.
> >
> >
> > root at fs:~# net rpc rights list -U Administrator -S fs
> > Password for [NET\Administrator]:
> > Could not connect to server fs
> > The username or password was not correct.
> > Connection failed: NT_STATUS_LOGON_FAILURE
> > root at fs:~#
> >
> >
> >
> > Sep 04 16:32:22 fs smbd[713]: [2023/09/04 16:32:22.778684, 0]
> > ../../source3/auth/auth_util.c:1927(check_account)
> > Sep 04 16:32:22 fs smbd[713]: check_account: Failed to convert
> > SID S-1-5-21-2233635944-4000802713-2790315286-500 to a UID
> > (dom_user[NET\administrator])
> >
> >
> > Windows says: error 0x8004005
> >
> > smbclient from the test Linux machine to fs also works.
> >
> >
> > I have no idea anymore what is wrong here.
> >
>
> Try adding 'min domain uid = 0' to '[global]' on the member server,
> restart Samba or reload the config. The RID '500' is Administrator's
> RID.
>
> Rowland
>
I also just realised that you need these lines in '[global]':
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
And /etc/samba/user.map should contain just this:
!root = NET\Administrator
Rowland
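As an added illustration, not part of the thread or of Samba, a small Python script that pulls the unmapped SID and RID out of the smbd log lines quoted above and checks a [global] section for the two settings suggested in this reply. SAMPLE_LOG and SAMPLE_CONF are constructed from the thread's own output (the one-line-per-journal-entry layout is an assumption), and the well-known RID table is general Windows knowledge, not something the thread states.

```python
import re
# Constructed sample: the two smbd lines quoted in the thread, laid out as journald shows
# them (assumed: Samba's log header on one line, the message on the next).
SAMPLE_LOG = r"""Sep 04 16:32:22 fs smbd[713]: [2023/09/04 16:32:22.778684, 0] ../../source3/auth/auth_util.c:1927(check_account)
Sep 04 16:32:22 fs smbd[713]: check_account: Failed to convert SID S-1-5-21-2233635944-4000802713-2790315286-500 to a UID (dom_user[NET\administrator])
"""
# Constructed cut-down [global] from the thread, before either suggested line was added.
SAMPLE_CONF = """[global]
workgroup = NET
security = ADS
realm = NET.EXAMPLE.DE
"""
# RIDs with a fixed meaning in every AD domain (general Windows fact, not from the thread).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}
UNMAPPED_RE = re.compile(
    r"Failed to convert SID (?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+)) to a UID"
    r" \(dom_user\[(?P<domain>[^\\\]]+)\\(?P<user>[^\]]+)\]\)"
)

def unmapped_sids(log_text):
    """Every check_account SID-to-UID failure in smbd log text, with the RID split out."""
    return [{"sid": m["sid"], "rid": int(m["rid"]), "domain": m["domain"], "user": m["user"]}
            for m in UNMAPPED_RE.finditer(log_text)]

def parse_global(conf_text):
    """[global] as {name: value}; Samba ignores case and whitespace in parameter names."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params["".join(key.lower().split())] = value.strip()
    return params

def diagnose(log_text, conf_text):
    """Per unmapped account: (domain, user, well-known name, [global] lines still missing)."""
    g = parse_global(conf_text)
    findings = []
    for ev in unmapped_sids(log_text):
        missing = []
        if ev["rid"] == 500:  # built-in Administrator; user.map sends it to root (uid 0)
            if g.get("mindomainuid") != "0":
                missing.append("min domain uid = 0")
            if "usernamemap" not in g:
                missing.append("username map = /etc/samba/user.map")
        findings.append((ev["domain"], ev["user"], WELL_KNOWN_RIDS.get(ev["rid"], "unknown RID"), missing))
    return findings
```

Run `diagnose(open("/var/log/samba/log.fs").read(), open("/etc/samba/smb.conf").read())` on the member server to get the same report against the real files.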