Samba encountering issues mapping to AD database


AhBilly
Member
114
08-09-2016, 03:38 AM
#1
I've been puzzling over this issue for some time and attempted modifying nearly every line in the smb.conf file to test. The challenge is that only the "Domain Users" group is permitted access to the Samba shares. Changing it to "Domain Admins" gives me access, but reverting to "Domain Users" restores it. If you have any advice or noticed something I missed, please let me know. If you forgot anything, that would be helpful too. Server version: Ubuntu Server 16.04 x64. I've reviewed the samba logs and found nothing—just a simple message:

smb.conf

    [global]
    realm = DOMAIN.LOCAL
    server string = %h server (Samba, Ubuntu)
    security = ADS
    workgroup = DOMAIN
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccess$
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb
    idmap config * :range = 102000-109999
    allow trusted domains = Yes
    #idmap config for domain
    idmap config DOMAIN:backend = rid
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 10000-99999
    idmap config DOMAIN:default = yes
    idmap config DOMAIN:readonly = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind refresh tickets = yes
    encrypt passwords = true
    # Use settings from AD for login shell and home directory
    winbind nss info = rfc2307
cowcow4321
Senior Member
623
08-09-2016, 03:49 AM
#2
I believe I may have resolved the issue but I'm still uncertain. After some investigation, I found this command:

    sudo net sam rights grant "DOMAIN\Domain Admins" SeDiskOperatorPrivilege -U Administrator

I made a few adjustments to smb.conf and added the line "winbind separator = +". I also changed the 'valid users' section to:

    valid users = @"DOMAIN+Domain Admins"

Referenced these guides for setting up SAMBA on the server before applying these changes: https://www.server-world.info/en/note?os...=samba&f=4 and https://jimshaver.net/2016/05/30/setting...untu-16-04. I'm not entirely confident about the correctness, but I hope this helps.
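
An added example, not part of either post and not Samba project code: a small Python check for three things the settings quoted in this thread touch on, namely overlapping idmap ranges, schema_mode (an option of the ad idmap backend) set under a different backend, and valid users names written with a separator other than the configured winbind separator. The parse and check functions and the sample config are constructed for illustration.

```python
import re

# Constructed sample built from settings quoted in the thread; not a complete smb.conf.
SAMPLE = r'''
[global]
winbind separator = +
idmap config * :range = 102000-109999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
[share]
valid users = @"DOMAIN+Domain Admins", @"DOMAIN\Domain Users"
'''

def parse(text):
    """Return {section: {param: value}}; names are lower-cased with whitespace removed."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def check(text):
    """Hypothetical linter: returns a list of human-readable findings."""
    conf, findings, idmap, ranges = parse(text), [], {}, []
    glob = conf.get("global", {})
    for key, value in glob.items():  # group "idmap config DOM:option" by domain
        m = re.fullmatch(r"idmapconfig(.+):(\w+)", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    for dom, opts in idmap.items():
        if "schema_mode" in opts and opts.get("backend") != "ad":
            findings.append(f"idmap {dom}: schema_mode belongs to the ad backend, not {opts.get('backend')}")
        if "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            findings += [f"idmap {dom}: range overlaps {d}" for d, l, h in ranges if lo <= h and l <= hi]
            ranges.append((dom, lo, hi))
    sep = glob.get("winbindseparator", "\\")  # Samba's default separator is a backslash
    for share, params in conf.items():
        for quoted, bare in re.findall(r'[@+&]*(?:"([^"]+)"|([^\s,]+))', params.get("validusers", "")):
            name = quoted or bare
            findings += [f"[{share}] valid users '{name}' uses '{c}' but winbind separator is '{sep}'"
                         for c in "\\+/" if c != sep and c in name]
    return findings
```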