Hello, I have been attempting to set up a Samba server on RHEL 7 and I haven't had luck so far. I am hoping to get some guidance on what I could be missing. I am using the link below as a guide.
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

My setup is made up of two IPA version 4.4 servers (master-master) with a trust relationship to Windows AD. Samba is running on a separate system (RHEL 7.3) and is fully up to date. The Windows domain would be ad.example.com and the IPA domain is eng.example.com.

Below is my Samba config at present. There is an AD group called eng that is mapped to an external group called eng_external on IPA. eng_external is a member of the ipausers group.

[global]
    workgroup = ENG
    realm = ENG.EXAMPLE.COM
    dedicated keytab file = FILE:/etc/samba/samba.keytab
    kerberos method = dedicated keytab
    server string = Samba Server Version %v
    log file = /var/log/samba/log.%m
    log level = 5
    max log size = 50
    security = ads
    passdb backend = tdbsam
    strict locking = no
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[homes]
    comment = Home Directories
    path = /home
    browseable = yes
    writable = yes
    valid users = @ipausers

[projects]
    comment = Projects
    path = /projects
    browseable = yes
    writable = yes
    valid users = @ipausers

After restarting Samba, an attempt to connect to Samba from Windows results in the following Samba logs. Do you notice any problem from the information that I have shared, please?

Would appreciate any pointer at this point.

[2017/01/17 10:17:55.905941, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2017/01/17 10:17:55.905980, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/17 10:17:55.906751, 5] ../source3/smbd/share_access.c:120(token_contains_name)
  lookup_name ipausers failed
[2017/01/17 10:17:55.906789, 2] ../source3/smbd/service.c:427(create_connection_session_info)
  user 'will...@ad.example.com' (from session setup) not permitted to access this share (will...@ad.example.com)
[2017/01/17 10:17:55.906818, 1] ../source3/smbd/service.c:560(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/01/17 10:17:55.906838, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:17:55.906871, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:17:55.906895, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:135
[2017/01/17 10:18:02.815184, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/17 10:18:02.815224, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/17 10:18:02.815242, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2017/01/17 10:18:02.815270, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/01/17 10:18:02.815304, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:18:02.815347, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:18:02.815375, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.15.41 (192.168.15.41)
[2017/01/17 10:18:02.815402, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @ipausers is not in a valid format
[2017/01/17 10:18:02.815421, 5] ../source3/auth/user_util.c:151(user_in_netgroup)
  looking for user will...@ad.example.com of domain eng.example.com in netgroup ipausers
[2017/01/17 10:18:02.815774, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/01/17 10:18:02.815814, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/01/17 10:18:02.815835, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/01/17 10:18:02.815852, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2017/01/17 10:18:02.815868, 5] ../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2017/01/17 10:18:02.815910, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/01/17 10:18:02.823518, 5] ../source3/smbd/share_access.c:120(token_contains_name)
  lookup_name ipausers failed
[2017/01/17 10:18:02.823553, 2] ../source3/smbd/service.c:427(create_connection_session_info)
  user 'will...@ad.example.com' (from session setup) not permitted to access this share (will...@ad.example.com)
[2017/01/17 10:18:02.823577, 1] ../source3/smbd/service.c:560(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2017/01/17 10:18:02.823597, 5] ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:18:02.823629, 5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/lock/smbXsrv_tcon_global.tdb
[2017/01/17 10:18:02.823654, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_tcon.c:135

Regards,
William
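
One way to pull the cause of each denial out of a level 5 smbd log like the one above, as an added example that is not part of the original post: it parses the entry format shown in the log and pairs every "not permitted to access this share" message with the names for which lookup_name failed just before it. The sample log, the user name in it and the function names are constructed for illustration.

```python
import re

# Constructed sample in the smbd log format shown in the post (not the poster's log).
SAMPLE_LOG = """\
[2017/01/17 10:18:02.815402, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @ipausers is not in a valid format
[2017/01/17 10:18:02.823518, 5] ../source3/smbd/share_access.c:120(token_contains_name)
  lookup_name ipausers failed
[2017/01/17 10:18:02.823553, 2] ../source3/smbd/service.c:427(create_connection_session_info)
  user 'user1@ad.example.com' (from session setup) not permitted to access this share (user1@ad.example.com)
[2017/01/17 10:18:02.823577, 1] ../source3/smbd/service.c:560(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
"""

# Entry header: [timestamp, level] source_file:line(function)
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")

def parse_entries(text):
    """Split an smbd log into entries; works on two-line and flattened logs."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        # The message is everything up to the next header (or end of text).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "func": m.group(5),
                        "msg": " ".join(text[m.end():end].split())})
    return entries

def explain_denials(entries):
    """Attach the names whose lookup failed to the share denial that follows."""
    unresolved, denials = [], []
    for e in entries:
        failed = re.match(r"lookup_name (\S+) failed", e["msg"])
        denied = re.match(r"user '([^']+)' .*not permitted to access this share",
                          e["msg"])
        if failed:
            unresolved.append(failed.group(1))
        elif denied:
            denials.append({"time": e["time"], "user": denied.group(1),
                            "unresolved": unresolved})
            unresolved = []
    return denials

if __name__ == "__main__":
    for d in explain_denials(parse_entries(SAMPLE_LOG)):
        print(f"{d['time']} {d['user']} denied; unresolved names: {d['unresolved']}")
```
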