Samba Share not accessible with AD user
I am trying to set up a Samba server for Active Directory authentication and shares.
I managed to configure Kerberos (kinit and klist work).
I configured smb.conf.
wbinfo -u
wbinfo -g
getent group (showing all domain groups)
getent passwd (showing all domain users)
net join was successful
Modifying nsswitch and common-session worked as well.
I can log into the machine using AD credentials, locally and over ssh.
Even adding the domain administrators group to sudoers worked.
So I assume the authentication is configured correctly.
I now wanted to create shares: one with [homes] and one with access for an AD group.
If I now connect to the share from a Win7 computer I get prompted for user/password.
If I enter the credentials of the initial local account that was created during installation, I see both shares: the public one and the home directory of the local user.
If I use the AD credentials, I only get access denied.
I even tried enabling guest access and deactivating any access control. But nothing changes. The local user can connect, but the AD user doesn't even get to see the shares.
If I enable log level 10 I see that the computer is trying to authenticate, but fails.
What am I missing?
[Update]
I found the problem. I don't really understand why it caused that effect, but now the share is working nearly as I want it to.
I used
idmap uid = 10000-20000
idmap gid = 10000-20000
from the tutorial at http://wiki.ubuntuusers.de/Samba_Winbind
I didn't think the warning that these lines are deprecated would cause problems, as deprecation normally means still supported. That's true for local login, but shares get broken.
I replaced these two lines with
idmap config * : range = 10000-20000
and now the share is working.
The only problem left is that in order to connect to the [homes] share I need to use COMPUTERNAME\USERNAME, but I wanted homes to work with DOMAIN\USERNAME.
If anyone knows how to change that, I would appreciate it, but as I can just use a normal home share with a username subdirectory, I don't consider that a real problem.
windows-7 samba shared-folders kerberos
edited Dec 16 '16 at 8:11
user308164
asked Jul 13 '14 at 14:14
user305136
1 Answer
Answer of user305136 taken from the question:
Sometimes you ask and find the solution the next day. In case someone has the same trouble as I had, here are my config files that now work. I replaced the Windows server with SERVER and the domain with DOMAIN.LOCAL.
krb5.conf:
[logging]
default = FILE:/var/log/krb5.log
[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DOMAIN.LOCAL = {
kdc = SERVER.DOMAIN.LOCAL:88
admin_server = SERVER.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.LOCAL = DOMAIN.LOCAL
smb.conf:
[global]
security = ADS
realm = DOMAIN.LOCAL
workgroup = DOMAIN
idmap config * : range = 10000-20000
server string = Linuxserver
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
ntlm auth = yes
lanman auth = no
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
map to guest = bad user
guest account = nobody
unix extensions = yes
valid users = @domänen-benutzer
[homes]
comment = Userdirectory
browseable = no
valid users = %S, DOMAIN.LOCAL\%S
writeable = yes
create mode = 0600
directory mode = 0700
[home]
comment = Userdata
path = /data/home/%U
browsable = no
valid users = %U
writeable = yes
create mode = 0600
directory mode = 0700
[Data]
comment = Data
path = /data/H
writeable = yes
valid users = @domänen-benutzer
create mode = 0660
directory mode = 0770
It's working now.
answered Dec 16 '16 at 5:17
community wiki
bummi
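Two settings on this page are worth checking mechanically: the removed idmap uid / idmap gid parameters from the question's update, whose replacement is idmap config * : range, and the ntlm auth = yes line in the answer's [global] section, which lets the server accept NTLMv1 (Windows 7 sends NTLMv2 by default, so it is rarely needed). The shell script below is an added example, not code from the question or the answer. It normalises the [global] section the way Samba does (parameter names are case-insensitive and ignore internal whitespace), fails on the removed idmap parameters, on a missing idmap config * : range and on lanman auth = yes, and warns on ntlm auth = yes. The two smb.conf fragments it writes to temporary files are constructed for this example from the question's settings, one before and one after the fix; it assumes only POSIX sh, awk and grep, and it does not replace testparm -s, which also reports deprecated parameters.

```shell
#!/bin/sh
# Lint the [global] section of an smb.conf for the idmap and NTLM settings
# discussed on this page. Added example, not code from the original post.
# Assumes only POSIX sh, awk and grep.

# Print [global] parameters as "key=value", one per line, with the key
# lowercased and its internal whitespace removed: Samba treats
# "idmap uid" and "idmapuid" as the same parameter.
smb_global_params() {
    awk '
        /^[ \t]*[;#]/ { next }                 # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }        # trim both ends
        /^$/ { next }
        /^\[/ { sect = tolower($0); next }     # section header
        sect == "[global]" && index($0, "=") {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) "=" tolower(val)
        }' "$1"
}

# Return 0 when the file is clean, 1 when a fatal problem was found.
# Warnings are printed but do not change the exit status.
check_smb_conf() {
    params=$(smb_global_params "$1")
    rc=0
    for p in idmapuid idmapgid; do
        if printf '%s\n' "$params" | grep -q "^$p="; then
            echo "FAIL: '$p' is deprecated/removed; use 'idmap config * : range' instead"
            rc=1
        fi
    done
    if ! printf '%s\n' "$params" | grep -q '^idmapconfig\*:range='; then
        echo "FAIL: no 'idmap config * : range'; domain SIDs cannot be mapped to UIDs/GIDs"
        rc=1
    fi
    if printf '%s\n' "$params" | grep -Eq '^ntlmauth=(yes|true|1)$'; then
        echo "WARN: 'ntlm auth = yes' accepts NTLMv1; Windows 7 sends NTLMv2 by default, so 'no' is normally safe"
    fi
    if printf '%s\n' "$params" | grep -Eq '^lanmanauth=(yes|true|1)$'; then
        echo "FAIL: 'lanman auth = yes' accepts LM hashes"
        rc=1
    fi
    return $rc
}

# Constructed samples (not the author's files): the question's [global]
# section before the fix, and after it with NTLMv1 switched off as well.
BROKEN_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT

cat >"$BROKEN_CONF" <<'EOF'
[global]
   security = ADS
   realm = DOMAIN.LOCAL
   workgroup = DOMAIN
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   ntlm auth = yes
   lanman auth = no
[homes]
   valid users = %S
EOF

cat >"$FIXED_CONF" <<'EOF'
[global]
   security = ADS
   realm = DOMAIN.LOCAL
   workgroup = DOMAIN
   idmap config * : range = 10000-20000
   ntlm auth = no
   lanman auth = no
[homes]
   valid users = %S
EOF

echo "== broken =="
if check_smb_conf "$BROKEN_CONF"; then echo "clean"; else echo "rejected"; fi
echo "== fixed =="
if check_smb_conf "$FIXED_CONF"; then echo "clean"; else echo "rejected"; fi
```

Run it against a real file with check_smb_conf /etc/samba/smb.conf after sourcing the script; the normalisation step is also a convenient way to diff two smb.conf files that differ only in spacing or case.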