Cannot browse a samba share using Active Directory user account

Discussion in 'Server Operation' started by Sean Montgomery, Aug 5, 2016.

  1. Sean Montgomery

    Sean Montgomery New Member

    I've been struggling for some time now trying to browse a samba share using my Windows Active Directory Domain user account. The scenario is:

    Windows 2012 Active Directory Domain Controller
    Domain is currently only running at Windows Server 2003 functional level
    Fresh install of Ubuntu 16.04 LTS
    Fresh install of Samba - Version 4.3.9-Ubuntu "apt-get install ntp krb5-user samba cifs-utils smbclient winbind"

    I've successfully joined the Ubuntu server to my AD domain and and can successfully see the Ubuntu server in the computers OU in AD, it also has a DNS record in the domain. wbinfo -u also successfully shows all of my active directory users and wbinfo -g also shows the AD groups. When i try to browse either the samba share from my windows machine it prompts with "access is denied". This is the first time i've tried to setup samba joined to a domain and passthru authentication can anybody help?

    krb5.conf is as follows:
    ticket_lifetime = 24h
    default_realm = TESTDOMAIN.CO.UK
    forwardable = true

    kdc = TESTDC
    admin_server = TESTDC

    [domain_realm] = TESTDOMAIN.CO.UK = TESTDOMAIN.CO.UK

    profile = /etc/krb5kdc/kdc.conf

    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log


    /etc/nsswitch.conf is as follows

    passwd: compat winbind
    group: compat winbind
    shadow: compat winbind
    gshadow: files

    hosts: files dns
    networks: files

    protocols: db files
    services: db files
    ethers: db files
    rpc: db files

    netgroup: nis

    smb.conf is as follows

    # No .tld
    workgroup = TESTDOMAIN.CO.UK
    # Active Directory System
    security = ads
    # With .tld
    realm = TESTDOMAIN.CO.UK
    # Just a member server
    domain master = no
    local master = no
    preferred master = no
    # Disable printing error log messages when CUPS is not installed.
    printcap name = /etc/printcap
    load printers = no
    # Works both in samba 3.2 and 3.6.
    idmap backend = tdb
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    # no .tld
    idmap config TESTDOMAIN:backend = rid
    idmap config TESTDOMAIN:range = 10000-9999
    winbind enum users = yes
    winbind enum groups = yes
    # This way users log in with username instead of [email protected]
    winbind use default domain = yes
    # Inherit groups in groups
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = true
    # Becomes /home/example/username
    template homedir = /home/%D/%U
    # No shell access
    template shell = /bin/false
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/samba.log
    log level = 2

    comment = Windows Share
    path = /usr/windows
    valid users = "@TESTDOMAIN.CO.UK\Domain Users"
    force group = "domain users"
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

    Please help i'm all out of ideas and i really need this to works :(

    Thank you

Share This Page