
adbindproxy not working

Participant III
Posts: 10
Registered: ‎10-28-2016
#1 of 6 1,047

adbindproxy not working

Hello

Today I installed the latest CentOS 7 and the latest Centrify Express. I then installed the latest adbindproxy using the link below

http://community.centrify.com/t5/TechBlog/Server-Suite-2016-Samba-with-adbindproxy/ba-p/24052

I am able to browse to the samba-test share that was created during the above link through Windows Explorer. However, when I try to enter the share I get a message stating I do not have permissions.

My smb.conf is as follows. It's pretty much the default file and any modifications were done during the installation of adbindproxy.

Thanks

#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = BANDS.BROTHERSANDSISTERS.CO.UK
workgroup = BANDS
netbios name = bass11

auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab


#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
# client use spnego principal = true

#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
# send spnego principal = Yes

# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto

client ntlmv2 auth = yes
client use spnego = yes


template shell = /bin/bash

winbind use default domain = Yes

winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes

idmap cache time = 0

# ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0

[samba-test]
path = /samba-test
public = yes

# if set public = No, we should set parameter valid users .
# and when the user or group is in AD , the setting syntaxes is:
# valid users = BANDS\user +BANDS\group

writable = yes

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775

Centrify Guru I
Posts: 1,790
Registered: ‎07-26-2012
#2 of 6 1,044

Re: adbindproxy not working

What are the filesystem permissions on /samba-test?

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III
Posts: 10
Registered: ‎10-28-2016
#3 of 6 1,042

Re: adbindproxy not working

Hi Robertson

The current permissions are as below, thanks


[root@BASS11 ~]# getfacl /samba-test/
getfacl: Removing leading '/' from absolute path names
# file: samba-test/
# owner: root
# group: sec-users
user::rwx
group::rwx
group:sec-users:rwx
mask::rwx
other::---

Centrify Guru I
Posts: 1,790
Registered: ‎07-26-2012
#4 of 6 1,039

Re: adbindproxy not working

Looks like share permissions (public) are inconsistent with filesystem permissions.

Is the AD user in question (accessing from Windows) part of sec-users?

Can you run "adquery group sec-users" and paste the output?

If there's no output or you get (sec-users is not a zone group), then if it's local (/etc/group), then the AD user must be part of that group.

Retest by logging off and back in, then trying to map the drive by short name or FQDN.

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
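
The mismatch pointed out in the reply above, as an added example that is not part of the original thread: a Python check that compares each guest-enabled share in smb.conf with the getfacl output for its path. The sample input is trimmed from the posts; the function names and the assumption that the guest account falls under the ACL's `other` entry are this example's own.

```python
import configparser
import re

# Constructed sample input, trimmed from the smb.conf and getfacl output in the thread.
SMB_CONF = """\
[global]
security = ADS
[samba-test]
path = /samba-test
public = yes
writable = yes
[print$]
path = /var/lib/samba/drivers
write list = root
"""
ACLS = {"/samba-test": "user::rwx\ngroup::rwx\ngroup:sec-users:rwx\nmask::rwx\nother::---\n"}
TRUE = {"yes", "true", "1"}

def parse_acl(text):
    """Map (tag, qualifier) -> perms for each entry line of getfacl output."""
    acl = {}
    for line in text.splitlines():
        m = re.match(r"(user|group|mask|other):([^:]*):([rwx-]{3})$", line.strip())
        if m:
            acl[(m.group(1), m.group(2))] = m.group(3)
    return acl

def audit(conf_text, acls):
    """Flag guest-enabled shares whose directory ACL gives 'other' less than the share offers.

    Assumption: the guest account is neither the owner nor in a group named in the ACL,
    so its access is decided by the 'other' entry. Only 'writable' is checked for writes.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    findings = []
    for share in cp.sections():
        opts = cp[share]
        # "public" is a synonym for "guest ok" in smb.conf
        guest = opts.get("guest ok", opts.get("public", "no")).strip().lower() in TRUE
        path = opts.get("path")
        if not guest or path not in acls:
            continue
        other = parse_acl(acls[path]).get(("other", ""), "---")
        need = "rwx" if opts.get("writable", "no").strip().lower() in TRUE else "r-x"
        missing = "".join(c for c, o in zip(need, other) if c != "-" and o != c)
        if missing:
            findings.append((share, path, other, missing))
    return findings

if __name__ == "__main__":
    for share, path, other, missing in audit(SMB_CONF, ACLS):
        print(f"[{share}] guest enabled, but {path} has other::{other} (missing {missing})")
```

A finding means the share definition and the directory ACL disagree. The generated smb.conf's own comment describes the alternative of `public = No` together with `valid users`.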
Participant III
Posts: 10
Registered: ‎10-28-2016
#5 of 6 1,037

Re: adbindproxy not working

Hi Robertson

Yes, the AD user is part of sec-users. Below is the output. There is no FQDN at the moment; I will update DNS now.

Thanks

[root@BASS11 ~]# getfacl /samba-test/
getfacl: Removing leading '/' from absolute path names
# file: samba-test/
# owner: root
# group: sec-users
user::rwx
group::rwx
group:sec-users:rwx
mask::rwx
other::---

Participant III
Posts: 10
Registered: ‎10-28-2016
#6 of 6 1,036

Re: adbindproxy not working

Sorry, here is the correct output:

[root@BASS11 ~]# adquery group sec-users
sec-users:x:125830770:aaron,abdul,al,alex,ali,alison,amanda,amy,andy,andy.e,anne-sophie,bands,carlos,caroline,chris,chris.g,chris.p,christian,dan,dan.f,didz,ed,editsuite1,fcp,finance_scan,freelance,gonza,hannah.w,harriet,jamie,jemma,jen,jez,jonny.h,jonty,jorge,jules,kate,katie,kevin,kirsty,lance,laura.g.e,lloyd,lois,louise,manu,marcio,mark.m,matilda,matt,max,mirry,nadine,natalie,nicola,olly,paul,phil,phoebe,rebecca,reception,rena,richard.h,robbie,rory,scan,seb,steve,tayjan,tim,toby,tom.c,tracy,wande,wayne,wds,will