Samba Share not accessible with AD user












I am trying to install a Samba server for Active Directory authentication and shares.

I managed to configure Kerberos (kinit and klist work).
I configured smb.conf.

wbinfo -u
wbinfo -g
getent group (showing all domain groups)
getent users (showing all domain users)
net join was successful

Modifying nsswitch and common-session worked as well.
I can log into the machine using AD credentials, locally and over SSH.
Even adding the domain administrators group to sudoers worked.
So I assume the authentication is configured correctly.

I now wanted to create a share: one with [homes] and one with access for an AD group.

If I now connect to the share from a Windows 7 computer I get prompted for user/password.
If I enter the data of the initial local account that was created during the installation process, I see both shares: the public one and the home directory of the local user.

If I use the AD credentials, I only get "access denied".

I even tried to enable guest access and deactivate any access control. But nothing changes. The local user can connect, but the AD user doesn't even get to see the shares.

If I enable log level 10 I see that the computer is trying to authenticate, but fails.

What am I missing?

[Update]

I found the problem. I don't really understand why that caused that effect, but now the share is working nearly as I want it to.

I did use

idmap uid = 10000-20000
idmap gid = 10000-20000

from the tutorial at http://wiki.ubuntuusers.de/Samba_Winbind
I didn't think the warning that these lines are deprecated would cause problems, as deprecation normally means still supported. That's true for local login, but shares get broken.
I replaced these two lines with

idmap config * : range = 10000-20000

and now the share is working.

The only problem left is that, in order to connect to the [homes] share, I need to use COMPUTERNAME\USERNAME, but I wanted homes to work with DOMAIN\USERNAME.

If anyone knows how to change that I would appreciate it, but as I can just use a normal home share with a username subdirectory, I don't consider that a real problem.










Tags: windows-7 samba shared-folders kerberos






      edited Dec 16 '16 at 8:11







      user308164

















      asked Jul 13 '14 at 14:14









      user305136

          1 Answer
          Answer of user305136 taken from the question:




Sometimes you ask and find the solution the next day. In case someone has the same trouble as I had, here are my config files that now work. I replaced the Windows server with SERVER and the domain with DOMAIN.LOCAL.



krb5.conf:

[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
DOMAIN.LOCAL = {
    kdc = SERVER.DOMAIN.LOCAL:88
    admin_server = SERVER.DOMAIN.LOCAL
    default_domain = DOMAIN.LOCAL
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
.DOMAIN.LOCAL = DOMAIN.LOCAL
DOMAIN.LOCAL = DOMAIN.LOCAL

smb.conf:

[global]
security = ADS
realm = DOMAIN.LOCAL
workgroup = DOMAIN
# replaces the deprecated "idmap uid" / "idmap gid" lines from the question
idmap config * : range = 10000-20000
server string = Linuxserver
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind use default domain = yes
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
ntlm auth = yes
lanman auth = no
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
map to guest = bad user
guest account = nobody
unix extensions = yes
# default restriction for every share: members of the AD group "Domänen-Benutzer"
# (the German default name of "Domain Users")
valid users = @domänen-benutzer

[homes]
comment = Userdirectory
browseable = no
# %S is the share name, i.e. the connecting user's name; the second entry
# admits the DOMAIN\user spelling of the same account
valid users = %S, DOMAIN.LOCAL\%S
writeable = yes
create mode = 0600
directory mode = 0700

[home]
comment = Userdata
path = /data/home/%U
browsable = no
valid users = %U
writeable = yes
create mode = 0600
directory mode = 0700

[Data]
comment = Data
path = /data/H
writeable = yes
valid users = @domänen-benutzer
create mode = 0660
directory mode = 0770

          It's working now.







                answered Dec 16 '16 at 5:17


























                community wiki





                bummi
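The deprecated idmap lines in the question's update and the working [global] and share sections in the answer are exactly what a small configuration lint can catch before a share is put into service. The following is an added example, not code from the question, the answer or the Samba project: it parses smb.conf-style text, flags the deprecated 'idmap uid' / 'idmap gid' parameters, checks that the 'idmap config * : range = LOW-HIGH' replacement is present and sane, and reports shares that carry no 'valid users' restriction. Section and parameter names are taken from the page; the two sample configurations are constructed.

```python
"""Lint an smb.conf for the idmap mistake described on this page.
Added example, not code from the question, the answer or Samba itself. It
flags the deprecated 'idmap uid'/'idmap gid' lines that broke the shares,
checks the 'idmap config * : range = LOW-HIGH' replacement, and reports
shares with no 'valid users' restriction."""
import re

# Parameters the asker copied from the tutorial; Samba had deprecated them and
# local login still worked, but share access broke until they were replaced.
DEPRECATED_IDMAP = ("idmap uid", "idmap gid")
DEFAULT_RANGE_KEY = "idmap config * : range"


def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lower-cased with inner
    whitespace collapsed, the way Samba matches them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or comment line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:    # text before any section
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def parse_range(value):
    """'10000-20000' -> (10000, 20000); None when malformed or reversed."""
    m = re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    return (low, high) if low < high else None


def lint_idmap(text):
    """Return a list of findings; empty means the idmap setup and the share
    restrictions look like the working configuration from the answer."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    for key in DEPRECATED_IDMAP:
        if key in g:
            findings.append(f"deprecated '{key} = {g[key]}': use '{DEFAULT_RANGE_KEY}'")
    rng = g.get(DEFAULT_RANGE_KEY)
    if rng is None:
        findings.append(f"missing '{DEFAULT_RANGE_KEY}' for the default (*) domain")
    elif parse_range(rng) is None:
        findings.append(f"malformed idmap range '{rng}' (expected LOW-HIGH, LOW < HIGH)")
    # A share with no 'valid users' (own or inherited from [global]) admits
    # every authenticated account, not just the intended AD group.
    for name, params in conf.items():
        if name != "global" and "valid users" not in params and "valid users" not in g:
            findings.append(f"share [{name}] has no 'valid users' restriction")
    return findings


# Constructed sample: the asker's first attempt, with the deprecated lines.
BROKEN_CONF = """[global]
security = ADS
realm = DOMAIN.LOCAL
workgroup = DOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
[Data]
path = /data/H
writeable = yes
"""

# Constructed sample modelled on the working [global] and [Data] in the answer.
FIXED_CONF = """[global]
security = ADS
realm = DOMAIN.LOCAL
workgroup = DOMAIN
idmap config * : range = 10000-20000
valid users = @domänen-benutzer
[Data]
path = /data/H
writeable = yes
valid users = @domänen-benutzer
"""
```

Running lint_idmap over BROKEN_CONF yields four findings (both deprecated parameters, the missing default range and the unrestricted [Data] share); over FIXED_CONF it yields none.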