Cannot Access SMB Shares with Active Directory Users


    • Cannot Access SMB Shares with Active Directory Users

      Hi

      I have a fresh OMV installation and got the Windows 2012 Active Directory successfully integrated as per this thread. I can see all the users and groups from AD and can assign shares with ACL for AD users.

      However, I cannot access the SMB shares from Windows 10 clients (which are also members of the same domain). Tried accessing using \\[omv]\share and it says "We can't sign you in with this credential because your domain isn't available."

      This is my smb.conf file

      #======================= Global Settings =======================
      [global]
      workgroup = IDSRU
      server string = %h server
      dns proxy = no
      log level = 2
      log file = /var/log/samba/log.%m
      max log size = 1000
      logging = syslog
      panic action = /usr/share/samba/panic-action %d
      encrypt passwords = true
      passdb backend = tdbsam
      obey pam restrictions = no
      unix password sync = no
      passwd program = /usr/bin/passwd %u
      passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
      pam password change = yes
      socket options = TCP_NODELAY IPTOS_LOWDELAY
      guest account = nobody
      load printers = no
      disable spoolss = yes
      printing = bsd
      printcap name = /dev/null
      unix extensions = yes
      wide links = no
      create mask = 0777
      directory mask = 0777
      use sendfile = yes
      aio read size = 16384
      aio write size = 16384
      local master = yes
      time server = no
      wins support = no
      security = ads
      realm = IDSRU.NET
      client signing = yes
      client use spnego = yes
      kerberos method = secrets and keytab
      obey pam restrictions = yes
      protocol = SMB3
      netbios name = domsvr2
      password server = *
      encrypt passwords = yes
      winbind enum users = yes
      winbind enum groups = yes
      winbind use default domain = no
      idmap config SATAN : backend = rid
      idmap config SATAN : range = 1000-999999999999
      Idmap config *:backend = tdb
      idmap config *:range = 85000-86000
      template shell = /bin/sh
      lanman auth = no
      ntlm auth = yes
      client lanman auth = no
      client plaintext auth = No
      client NTLMv2 auth = Yes
      winbind refresh tickets = yes
      log level = 3
      syslog = 3
      #======================= Share Definitions =======================
      [BS-Lab]
      path = /srv/dev-disk-by-label-IDSA/BS-Lab
      guest ok = no
      read only = no
      browseable = yes
      inherit acls = yes
      inherit permissions = no
      ea support = no
      store dos attributes = no
      vfs objects =
      printable = no
      create mask = 0664
      force create mode = 0664
      directory mask = 0775
      force directory mode = 0775
      hide special files = yes
      follow symlinks = yes
      hide dot files = yes
      valid users = "lee"
      invalid users =
      read list =
      write list = "lee"

      Can someone kindly help me?

      Thanks so much in advance
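A quick lint of the posted smb.conf catches things a reviewer would flag before touching the domain join: parameters assigned more than once in [global] (Samba keeps the last assignment, so the earlier "log level = 2" and "obey pam restrictions = no" are dead), an idmap block whose domain name (SATAN) does not match the workgroup (IDSRU), and an idmap range whose upper bound lies beyond the 32-bit uid space. This checker is an added example, not code from the thread or from OMV; it runs over a constructed excerpt of the config above.

```python
import re

# Constructed excerpt of the smb.conf posted above, trimmed to the lines the
# checks below look at (this example is added here, not part of the thread).
SAMPLE_SMB_CONF = """
[global]
workgroup = IDSRU
log level = 2
obey pam restrictions = no
obey pam restrictions = yes
idmap config SATAN : backend = rid
idmap config SATAN : range = 1000-999999999999
Idmap config *:backend = tdb
idmap config *:range = 85000-86000
log level = 3
"""
UID_MAX = 2**32 - 1  # uid_t is 32 bits on Linux

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive; normalise them for comparison
            sections[current].append((" ".join(key.lower().split()), value.strip()))
    return sections

def lint_global(sections):
    """Return the findings a reviewer would raise about the [global] section."""
    params = sections.get("global", [])
    workgroup = next((v for k, v in params if k == "workgroup"), "").lower()
    findings, seen, flagged = [], {}, set()
    for key, value in params:
        if key in seen:  # smb.conf silently keeps the last assignment
            findings.append(f"'{key}' set twice: {seen[key]!r} then {value!r} (last wins)")
        seen[key] = value
        m = re.match(r"idmap config\s*(.+?)\s*:\s*(backend|range)$", key)
        if not m: continue
        domain, what = m.groups()
        if domain not in ("*", workgroup) and domain not in flagged:
            flagged.add(domain)
            findings.append(f"idmap config for '{domain.upper()}' but workgroup is '{workgroup.upper()}'")
        if what == "range":
            low, high = (int(x) for x in value.split("-"))
            if low > high or high > UID_MAX:
                findings.append(f"idmap range {value} for '{domain.upper()}' exceeds 32-bit uid space")
    return findings
```

Run it against the full file with `lint_global(parse_smb_conf(open("/etc/samba/smb.conf").read()))` to see the same four findings on the posted config.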
    • Please don't post the same thing in multiple forums. If you got an error posting, read problem #4 - Solutions to common problems
      omv 4.1.23 arrakis | 64 bit | 4.15 proxmox kernel | omvextrasorg 4.1.15
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Hi Lee,

      I am having the same issue with my AD implementation. The line above that you have, where did you inject that?

      I've tried the line at the CLI and while it attempts to join, I get:

      Failed to join domain: failed to lookup DC info for domain 'DOMAIN.LOCAL' over rpc: an internal error has occurred.

      Funny thing is, when I run realm join -U username domain.local --verbose it tells me domain.local was successfully discovered and that I am already joined to the domain.

      I thought it might be a case sensitivity thing with the domain name as the net ads join command returns a domain as all uppercase but the realm command returns the same information in either case.... all upper or all lower.

      Any thoughts?

      The post was edited 1 time, last by hdokes ().

    • Meanwhile..... back at the ranch.....

      So.... we have tasted success.... and it was good! It took a damn long time to find the answer, but relative to post #8 above, the error when using Lee's net command stated it could not do a lookup over rpc. So.... we issued a slightly different command:

      net rpc join -k

      and voila! We can now authenticate maps on a net share through omv to the AD controller. I will add that it wasn't quite that simple, we also had to ensure that the user for that mapping had ownership of the share folder. Something that could not be given in omv since ACL is not supported on nilfs2. We can only hope they get it in there some time in the near future.

      In the meantime, a simple chown to the folder was all that was required to complete the connection. Hopefully we could actually incorporate this into the future nilfs2 plugin as we move in that direction given we get there before nilfs2 supports ACLs.

      Ooooh this could be fun! 8)

      The post was edited 1 time, last by hdokes ().