Hi All

I have been racking my brains for the past 15 hours or so trying to know why my AD users can't actually login to the share which i have assigned.

This is my smb.conf below:

When i do wbinfo -u or wbinfo -g i can see the usernames and groups in my AD.

Also when i do : id username it actually gives me the information for that user in my domain.

I have done net ads login -U and joined the domain.

I have set the pam auth modifications and the krb5 and nsswitch.conf files.

So i do not get why i can't have the user i have assigned to that share access it?

I can only imagine i have something wrong in my smb.conf?

Please any helps would be appreciated.

Thanks

When you say "log in to the share", are you talking about browsing the share in Windows Explorer?

Are you logged in to the Windows workstation as "user1"?

What are the actual permissions on /var/www/html/cmsmadesimple?

Edit: Have you tried changing "valid users = user1" to "valid users = EXAMPLE\user1" on the Admin share?

Also, unless a line got truncated, your idmap range setting is invalid.

When i say login yeah i mean actually set a UNC path or map that share to the Windows PC. I am logged in as "user1". Permissions of /var/www/html/cmsmadesimple are 777.

I have tried access the Research Folder also and tried changing the grp to "domain users" along with doing chmod 777 but it still comes up asking for login details and when i enter them it says they are wrong - which i know they are not.

Thanks

Yes I have. I tried with EXAMPLE\user1 and just user1 as i thought because i have "winbind use default domain = yes" set it might ignore the EXAMPLE ? as when i say "id user1" on the CLI it comes up with the details instead of having to actually enter EXAMPLE+user1.

I have also tried Removing the idmap option as it is apparently depreciated still with no luck.

You do need an idmap range option. Samba will default to using tdb if you don't specify an idmap backend, but you always have to specify a valid range. "10000 - 9999" is invalid, as the last number must always be greater than the first.

When I asked about permissions I was primarily thinking of ownership, but 777 should make that irrelevant.

When you run id user1, does it map to a valid Unix ID or do you get something like 4,294,967,295?

Thanks for clearing that up

When i do id user1 it lists all of the groups that user is associated with within AD. I'm wondering do i have to map an AD member group to a linux user or something?

modified and shortened example:

[root@ROM samba]# id user1
uid=10000(user1) gid=10000(domain users) groups=10000(domain users)

That's exactly what the idmap function does, and is why you get a Unix User ID when you run the id command on an AD user:

This is proof of a working idmap configuration. It also proves that the "winbind use default domain" option is active, as you didn't have to type id EXAMPLE\\user1 to obtain the Unix ID of a user from the AD domain.

You should try changing the owner of a file to be a domain user, just to verify that both nsswitch and PAM are indeed working properly:If the result is a file owned by the domain user "user1", all is well.

I looked through your smb.conf once more, and noticed the "valid users = any" setting. I can't remember having seen any references to "any" as a valid parameter on the Samba Wiki pages. Have you tried commenting out that setting?

It's often a good idea to start off with a bare minimum of settings, and then add the required settings one by one to see if anything breaks. For instance, the "client", "encrypt passwords" and "restrict anonymous" settings should be superfluous, so you could try commenting out those as well.

Do the settings reported by testparm match your intended settings in smb.conf?

I have tried commenting the "any" part out and also the "client" and "restrict anonymous" but still not letting me in.
All seems ok when trying testparm?


When touching the file and chowning it - it did work and the ownership changed to that user although i didn't have to put EXAMPLE just chown user1

I really do not get why i can't login - i stumped lol.

NOTE: I can actually login via SSH to the linux box with my AD username and password and get a bash prompt, i just can't login to the shares of samba.

I have also tried the following:
CMSUSERS is the local group with access to the cmasmadesimple directory. When adding the Domain Users to link to CMSUSERS i thought this would work? Not sure if this is something else?

Thanks for the help so far!

You don't by any chance have a local Linux user called "user1" as well? (cat /etc/passwd | grep user1) If you do try to specify the domain name (chown EXAMPLE\\user1 somefile), does it still work?

Here's a minimal smb.conf, you could try that and see if it works:Open a terminal and have tail -f /var/log/samba/samba.log running while you try to access a shared folder. Perhaps that will provide some clues.

This does actually work! haha i don't believe it!

I changed it to this:
and i can login with my username now. Thanks!

May i ask is there a way i can associate "domin users" AD group with a local group?

Nevermind! my net groupmap has worked - i tried to create a file and it showed the following:

Thanks very much for your help!!

I do have one other query please:

When allowing people to access the share it allows them and i can write to that share but if i go into a directory further into that share it will not allow me to write. I also keep seeing this too:

DENY_WRITE 0x20196 WRONLY EXCLUSIVE+BATCH

Any helps with this would be great.

Thanks

For anyone having the same issue i set this in the smb.conf:

As for the sub folder issue i just added force group = "users" to the share and bingo i had write access.

The permissions of the linux box for the group was different, as the user i was logging in with was part of "domain users"

Thanks