Samba Share not accessible with AD user
I am trying to set up a Samba server for Active Directory authentication and shares.
I managed to configure Kerberos (kinit and klist work).
I configured smb.conf.
wbinfo -u
wbinfo -g
getent group (showing all domain groups)
getent users (showing all domain users)
net join was successful. Modifying nsswitch and common-session worked as well.
I can log into the machine using AD credentials, locally and over ssh.
Even adding domain administrator group to sudoer worked.
So I assume the authentication is configured correctly.
I now wanted to create shares: one with [homes] and one with access for an AD group.
If I now connect to the share from a Win7 computer, I get prompted for user/password. If I enter the credentials of the initial local account that was created during installation, I see both shares: the public one and the home directory of the local user.
If I use the AD credentials, I only get "access denied".
I even tried enabling guest access and deactivating all access control, but nothing changes. The local user can connect, but the AD user doesn't even get to see the shares.
If I enable logging level 10, I see that the computer is trying to authenticate, but fails.
What am I missing?
[Update]
I found the problem. I don't really understand why it caused that effect, but now the share is working nearly as I want it to.
I did use

idmap uid = 10000-20000
idmap gid = 10000-20000

from the tutorial at [link missing]. I didn't think the warning that these lines are deprecated would cause problems, as deprecation normally means still supported. That's true for local login, but shares get broken. I replaced these two lines with

idmap config * : range = 10000-20000

and now the share is working.
The only problem left is that, in order to connect to the [homes] share, I need to use COMPUTERNAME\USERNAME, but I wanted homes to work with DOMAIN\USERNAME.
If anyone knows how to change that, I would appreciate it, but as I can just use a normal home share with a username subdirectory, I don't consider that a real problem.
1 Answer
Answer of user305136 taken from the question:
Sometimes you ask and find the solution the next day. In case someone has the same trouble as I had, here are my config files that now work. I replaced the Windows server with SERVER and the domain with DOMAIN.LOCAL.

krb5.conf:

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
DOMAIN.LOCAL = {
    kdc = SERVER.DOMAIN.LOCAL:88
    admin_server = SERVER.DOMAIN.LOCAL
    default_domain = DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.LOCAL = DOMAIN.LOCAL

smb.conf:

[global]
security = ADS
realm = DOMAIN.LOCAL
workgroup = DOMAIN
idmap config * : range = 10000-20000
server string = Linuxserver
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
ntlm auth = yes
lanman auth = no
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
map to guest = bad user
guest account = nobody
unix extensions = yes
valid users = @domänen-benutzer

[homes]
comment = Userdirectory
browseable = no
valid users = %S, DOMAIN.LOCAL\%S
writeable = yes
create mode = 0600
directory mode = 0700

[home]
comment = Userdata
path = /data/home/%U
browsable = no
valid users = %U
writeable = yes
create mode = 0600
directory mode = 0700

[Data]
comment = Data
path = /data/H
writeable = yes
valid users = @domänen-benutzer
create mode = 0660
directory mode = 770

It's working now.