Hello,
(Sorry for my English, I’m French and I don’t speak English very well…)
I have tried to set up a Samba share on the Linux server. My mission is to link the Samba server with a Windows AD (Windows Server 2016 AD).
My configuration:
- Network 192.168.0.0/24
- 1 AD+DNS server, Windows Server 2016 (192.168.0.200)
- 1 redundant AD+DNS server (192.168.0.201)
- 1 Linux server with DHCP server, nginx/mariadb server and Samba! CentOS 7 (192.168.202)
- 1 Windows 10 client in the AD domain (192.168.0.2)
- My AD domain is: SENSAS.local (it’s a pun in French, SENSAS, SENSAS’ionel ^^)
All Windows machines have access to the list of folders shared by Samba, but I can’t open them! (access error)
For all the settings of my CentOS 7:
resolv (DNS) :
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 192.168.0.200
nameserver 192.168.0.201
nameserver 192.168.48.2
conf SAMBA :
[root@centos7 ~]# cat /etc/samba/smb.conf
# Global parameters
[global]
load printers = No
printcap name = /dev/null
realm = SENSAS.LOCAL
security = ADS
workgroup = SENSAS
idmap config * : backend = tdb
cups options = raw
[data]
create mask = 0775
directory mask = 0775
path = /srv/samba/anonymous
read only = No
valid users = @"Patate@SENSAS.LOCAL"
[root@centos7 ~]#
testparm:
[root@centos7 ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[data]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
load printers = No
printcap name = /dev/null
realm = SENSAS.LOCAL
security = ADS
workgroup = SENSAS
idmap config * : backend = tdb
cups options = raw
[data]
create mask = 0775
directory mask = 0775
path = /srv/samba/anonymous
read only = No
valid users = @Patate@SENSAS.LOCAL
[root@centos7 ~]#
Joining Linux to the Windows AD:
[root@centos7 ~]# realm join --verbose SENSAS.local --user=administrateur
The server is indeed in the OU of the Windows AD!
Test of the Kerberos connection to the Windows AD (it is OK):
[root@centos7 ~]# kinit administrateur@SENSAS.LOCAL
Password for administrateur@SENSAS.LOCAL:
[root@centos7 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: administrateur@SENSAS.LOCAL
Valid starting Expires Service principal
29/09/2018 10:04:20 29/09/2018 20:04:20 krbtgt/SENSAS.LOCAL@SENSAS.LOCAL
renew until 06/10/2018 10:04:17
[root@centos7 ~]# kdestroy
[root@centos7 ~]#
For the permissions of my folder on the server:
[root@centos7 ~]# mkdir -p /srv/samba/anonymous
[root@centos7 ~]# chmod -R 0775 /srv/samba/anonymous
[root@centos7 ~]# chown -R nobody:nobody /srv/samba/anonymous
[root@centos7 ~]# chcon -t samba_share_t /srv/samba/anonymous
SELinux is off for the test.
I restart the smb/nmb services with this:
[root@centos7 ~]# systemctl restart smb nmb
[root@centos7 ~]# systemctl enable smb nmb
For the firewall:
[root@centos7 ~]# firewall-cmd --add-service=samba --permanent
[root@centos7 ~]# firewall-cmd --reload
In the OU (Patate) I have two users (Patate and banane):
https://prnt.sc/l03d6j
So if you can help me, it would be great!
Thanks in advance,
Best regards
Thomas
Hello All,
I have been learning Linux and working with Fedora Server for a little bit now. I have gotten some great help here and am now where I think 75% of Linux admins are… making that dang share work properly.
I have Fedora Server 26 and I also installed Webmin. Everything looks like it’s working perfectly and I can access the folder and read from it, but I cannot write to it. I’ve been messing with this since last week and am ready to ask for help again.
Samba Config:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run ‘testparm’ to verify the config is correct after
# you modified it.
[global]
realm = css.local
security = domain
guest ok = yes
map to guest = Bad User
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
[veeam]
path = /home/veeam
public = yes
writeable = yes
comment = Veeam Backups
valid users = veeam
testparm (reading online, it appears that error is a bug but I really am not sure):
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[veeam]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
and ls:
drwxrwxrwx. 2 root root 6 Nov 1 10:42 /home/veeam
ANY help or suggestions are greatly appreciated. Thank you in advance for your time and knowledge!!
I have the following setup:
- A Samba server PDC acting as the Primary Domain Controller of a NT domain MYDOMAIN (not Active Directory!)
- A Windows 10 pro PC Win10 which is also a member of that domain
- A (new) second Samba server MS1 which is supposed to be a member of that domain. It was added to that domain using the "/usr/bin/net join -U Administrator%Password" command and there was no error.
- There are no Windows servers involved.
- This is not a test installation but a production environment in a small company, so there are other Windows 10 PCs accessing PDC and simply changing the PDC configuration is not an option. (I’m what amounts to the network administrator for that company.)
- Samba version on both servers is 4.7.6-Ubuntu
With a given domain user account MYUSER I can log on fine to Win10. From there I can also access all the shares of PDC.
But the problem is: I cannot access any shares of MS1.
Windows Explorer shows a logon dialog for the share and when I supply MYUSER and the password (again) it says "Access is denied".
On the command line "net use \\MS1\ShareName" results in the error "The password is invalid for \\MS1\ShareName", followed by a prompt for username and password for MS1. Entering MYUSER and the password then results in "System error 5 has occurred. Access is denied."
In the log on MS1 for the IP of Win10 I find the following entry:
[2021/12/09 13:57:41.755023, 0] ../source3/auth/auth_util.c:1259(check_account)
check_account: Failed to convert SID S-1-5-21-2503006329-1497337827-313999797-1274
to a UID (dom_user[MYDOMAIN\MYUSER])
Google found no match for this error message.
testparm on MS1 gives me the following output:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[homes]"
NOTE: Service homes is flagged unavailable.
Processing section "[ShareName]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
I tried to add an entry for idmap range but it did not make any difference.
I also tried to add MYUSER as a Linux user on MS1 with the same password as in the domain. It did not make any difference.
I’m at a loss on how to investigate this further. Which logs to look into and which configuration options to check.
Google turned up lots of hits but all of them were referring to an Active Directory installation. Unfortunately "simply" updating to ADS is not possible at the moment as that would possibly break other services.
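Added example, not part of any of the posts above: all three testparm outputs on this page report "idmap range not specified for domain '*'", so this Python sketch checks an smb.conf [global] section for that condition and, going one step beyond the posts, for overlapping per-domain ranges. The function names and the embedded sample are constructed for illustration, and the check approximates testparm's behaviour rather than reproducing Samba's own code.

```python
import re

# Constructed sample: [global] as posted in the first message on this page.
SAMPLE = """\
[global]
    realm = SENSAS.LOCAL
    security = ADS
    idmap config * : backend = tdb
[data]
    path = /srv/samba/anonymous
"""

IDMAP_KEY = re.compile(r"idmapconfig(.+):(backend|range)$")

def parse_global(text):
    """Return [global] parameters; names lower-cased, whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def check_idmap(text):
    """List idmap range problems for a domain-member configuration."""
    params = parse_global(text)
    if params.get("security", "").lower() not in ("ads", "domain"):
        return []
    domains = {"*": {}}  # the default domain always needs a range
    for key, value in params.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    problems, seen = [], []
    for name, cfg in sorted(domains.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", cfg.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            problems.append(f"{name}: missing or invalid idmap range")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        problems += [f"{name}: range overlaps {other}"
                     for other, olow, ohigh in seen if low <= ohigh and olow <= high]
        seen.append((name, low, high))
    return problems
```

Calling check_idmap(SAMPLE) reports the default domain; a line such as "idmap config * : range = 3000-7999" (a constructed value, to be sized for the site) in [global] clears that finding.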