  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3097

PBIS & Samba Server

Afternoon Experts Exchange,

I have currently deployed a Linux Samba server that is integrated with AD using PBIS. The permissions on the shares are working correctly and I can assign AD users permissions to access the shares.

However, when a user attempts to access //server/ or //server/share, their AD credentials are rejected with the response 'The specified network password is not correct'.

The only account able to access these shares for testing is the account that was originally used to configure the server and also bears the same username\password as the root user on the Linux box. This account adheres to the permissions set on the \\server\share level and can be denied access using the AD username and password.

How do I grant access to the \\server\ location of the server to all users whilst retaining the AD permissions at the \\server\share level?

Asked by: plokij5006
 
Cris Hanna commented:
Are you just entering username\password or have you tried netbiosdomainname\username?
 
plokij5006 (Author) commented:
Windows by default would use DOMAIN\Username when connecting onto the shares and we have also manually used the realm as part of the log in.
 
Daniel Helgenberger commented:
Hello plokij5006,

Please keep in mind that PBIS uses Kerberos tickets by default for authentication, and the interop install needs to be executed once on every Samba server. Also, you can set a default domain:

sambaserver$ /opt/pbis/bin/samba-interop-install --install

/opt/pbis/bin/samba-interop-install
Usage: /opt/pbis/bin/samba-interop-install {options} [smbd path]

Installs interop libraries into directories used by Samba and copies the
machine password from the PowerBroker Identity Services' database to Samba's.

Options are:
    --help               Show this help message
    --install            Configure smbd to use interop libraries
    --uninstall          Deconfigure smbd's use of interop libraries
    --check-version      Ensure the version of smbd is supported
    --loglevel {level}   Set the logging to error (default), warning, info,
                         verbose, or debug

One of the options, --install, --uninstall, or --check-version must be passed.

The last argument is the path to smbd. If not specified, it will be
automatically detected.

Here is a valid line from your share definition in smb.conf:
[global]
        security = ADS
        workgroup = MYDOM
        realm = MYDOM.COM
        machine password timeout = 0
...
[myshare]
...
valid users = @"MYDOM\domain users", @"MYDOM\domain admins"
write list = @"MYDOM\domain users"
read list = @"MYDOM\domain users", @"MYDOM\domain guests"
...

Set the default domain for users without a Kerberos ticket with:
/opt/pbis/bin/config AssumeDefaultDomain true

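An added example, not part of the thread and not PBIS or Samba code: a small Python check that parses an smb.conf and flags deviations from the layout in the answer above (the four [global] settings, and group entries written as @"DOMAIN\group" inside the configured workgroup). The function names, the SAMPLE text and the rule that every share should carry 'valid users' are assumptions of this example.

```python
import re

REQUIRED_GLOBAL = ("security", "workgroup", "realm", "machine password timeout")
ACL_KEYS = ("valid users", "write list", "read list")
GROUP_ENTRY = re.compile(r'^@"([^"\\]+)\\([^"\\]+)"$')  # @"DOMAIN\group name"

# Constructed sample input, not taken from a real server.
SAMPLE = r'''
[global]
    security = ADS
    workgroup = MYDOM
    realm = MYDOM.COM
[myshare]
    valid users = @"MYDOM\domain users", @@"MYDOM\domain admins"
    write list = @"OTHER\domain users"
[open]
'''

def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names are lower-cased."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_smb_conf(text)
    glob = conf.pop("global", {})  # what remains in conf are the shares
    out = [f"[global] missing '{k}'" for k in REQUIRED_GLOBAL if k not in glob]
    if glob.get("security", "ads").lower() != "ads":
        out.append("[global] security is not ADS")
    domain = glob.get("workgroup", "").lower()
    for share, opts in conf.items():
        if "valid users" not in opts:
            out.append(f"[{share}] no 'valid users' restriction")
        for key in ACL_KEYS:
            for entry in filter(None, (e.strip() for e in opts.get(key, "").split(","))):
                m = GROUP_ENTRY.match(entry)
                if entry.startswith("@") and not m:
                    out.append(f"[{share}] {key}: malformed group entry {entry}")
                elif m and m.group(1).lower() != domain:
                    out.append(f"[{share}] {key}: {entry} is not in workgroup")
    return out
```

Call audit() on the text of the server's smb.conf; each returned string names the section and the setting to look at.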
 
plokij5006Author Commented:
Thanks Daniel,

The default domain was not set for users without Kerberos; once this parameter was set, we could access the server with domain accounts.

Once again you have been a great help and I really appreciate it.

Kind regards,

Andrew
Question has a verified solution.
