
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
1 answers
5585 views
How to change permissions on Samba subfolder?
I have a Samba server with ROLE_DOMAIN_MEMBER in the Active Directory. My main aim is to make different permissions on share sub-folders on every single share. It can be done using Linux acl or the Windows permissions GUI, but I prefer the Windows GUI. In this case users can do this by themselves. I already tried to change permissions using chmod, chown, acl, Windows GUI and Windows console GUI, and I can change permissions on a sub-folder, but it seems that it doesn't work and only groups added to the samba share worked for me, and also for sub-folders:

```
valid users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
admin users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
```

I print here all my smb.cfg and a single test share:

```
[global]
# No .tld
workgroup = DOMAIN
netbios name = samba4
server string = %h server (Samba, Ubuntu)
# Active Directory System
security = ads
# With .tld
realm = DOMAIN.LOCAL
# Just a member server
domain master = no
local master = no
preferred master = no
dns proxy = no
# Disable printing error log messages when CUPS is not installed.
printcap name = /dev/null
load printers = no
printcap cache time = 0
#additional section
obey pam restrictions = yes
map to guest = bad user
dns proxy = no
vfs objects = acl_xattr
map acl inherit = yes
nt acl support = yes
acl map full control = yes
#acl compatibility = auto
store dos attributes = yes
map archive = no
map hidden = no
map read only = no
map system = no
# Works both in samba 3.2 and 3.6.
#idmap backend = tdb
# no .tld
idmap config * : backend = tdb
idmap config * : range = 10000-99999
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username@example.com
winbind use default domain = yes
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
#winbind separator = \
# Becomes /home/example/username
template homedir = /home/%D/%U
#logon drive = H:
#logon home = \\smb\%U
# No shell access
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
#password server = dc01.domain.local, dc02.domain.local
password server = *
encrypt passwords = yes
unix password sync = yes
pam password change = yes
smb passwd file = /etc/samba/smbpasswd
os level = 20
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 3
#logging = syslog@1 /var/log/samba/log.%m
vfs objects = full_audit
full_audit:success = mkdir rmdir unlink pwrite
full_audit:prefix = %u|%I|%m|%S
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = notice
recycle:repository = /home/recycle/
recycle:keeptree = yes
recycle:versions = yes
max log size = 100000
panic action = /usr/share/samba/panic-action %d
guest ok = yes

[test$]
path = /FS/test$
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
admin users = "+DOMAIN.LOCAL\IT" # "+DOMAIN.LOCAL\adm" # "+DOMAIN.LOCAL\DR" # "DOMAIN.LOCAL\PRINTERS"
```

```
┌─[root@samba4]─[/FS]
└──╼ #ls -ld test\$/
drwxrwx---+ 6 root root 4096 Jun 25 15:44 test$/
```

ACL configuration:

```
cat /boot/config-4.4.0-87-generic | grep _ACL
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_F2FS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HFSPLUS_FS_POSIX_ACL=y
CONFIG_JFFS2_FS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CEPH_FS_POSIX_ACL=y
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
```

My fstab:

```
UUID=4ec48dfe-c45d-124b-8145-09fe59cfad9b /FS ext4 relatime,acl,user_xattr,errors=remount-ro 0 1
```

In samba.log I see a problem with acl permissions while I try to change permissions on the test directory:

```
set_nt_acl: failed to set file acl on file test (Operation not permitted).
```

Also, I changed the permissions on the test directory to 777 and deleted the options "create mask", "directory mask" and "admin users". Now I can't even add a new user to the file permissions.
Vladyslav Greyswandir (21 rep)
Jun 26, 2018, 08:23 AM • Last activity: Aug 1, 2025, 11:04 AM
0 votes
1 answers
29 views
samba home folder unable to list, create or edit files and folders
I have shared my home folder over samba as follows: when I try to create folders from Windows I get the error "can't create", but the folder is created. But permissions are all messed up. A file is also created, but permissions are messed up. As a result I am not able to open/edit these files or folders from Windows.

```
$ ls -lZ
total 48
d-------w-. 2 sar sar system_u:object_r:samba_share_t:s0 4096 May 27 02:01 'New folder'
d-------w-. 2 sar sar system_u:object_r:samba_share_t:s0 4096 May 27 02:01 'New folder (2)'
d-------w-. 2 sar sar system_u:object_r:samba_share_t:s0 4096 May 27 02:01 'New folder (3)'
--------w-. 1 sar sar system_u:object_r:samba_share_t:s0    0 May 27 02:01 'New Text Document.txt'
```

Setup process:

```
# setsebool samba_enable_home_dirs=1
# chcon -R -t samba_share_t /home/sar
```

cfg:

```
[global]
workgroup = mywg
security = user
server string = Samba Server %v
netbios name = myserver
map to guest = bad user
passdb backend = tdbsam
# interfaces = 192.168.xx.xx/255.255.255.0
# bind interfaces only = yes
# Debug logging information
#log level 0 none, 3=HUGE
log level = 1
log file = /var/log/samba/%m.samba.log
max log size = 50
debug timestamp = yes
# security setup
server min protocol = SMB3
# server max protocol = SMB3
# SMB3_00: Windows 8, SMB3_02: Windows 8.1, SMB3_10: early Windows 10, SMB3_11: Windows 10 default is SMB3_11
ntlm auth = yes
lanman auth = no
printing = cups
printcap name = cups
load printers = yes
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = yes
path = /home/%S
create mask = 0644 #0002
directory mask = 0755 #002
```

I want users to be able to create, add/edit files and folders in their home folders freely, which should not be accessible to others.
Rajeev (256 rep)
May 27, 2025, 02:14 AM • Last activity: May 27, 2025, 04:57 AM
2 votes
1 answers
6604 views
Non-root user cannot change Samba password
Samba users cannot change their own passwords. The password can only be changed using the root account with the command `smbpasswd -a`. But I want users to be able to change their passwords on their own. When a password change is attempted using a non-root account I get the below error message.

```
$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Could not connect to machine 127.0.0.1: NT_STATUS_LOGON_FAILURE
Failed to change password for user1
```

Any reasons for this? How can I fix this?
Chamara Keragala (226 rep)
Oct 23, 2015, 12:56 AM • Last activity: May 16, 2025, 01:01 PM
13 votes
1 answers
14768 views
show running config of samba
Is there a way to unambiguously get the running config of a samba daemon? I can't find any reference to it in the manual. Of course you can run testparm, but that would only show the validity of the explicit configuration; I would also like to see the implicit config which is loaded.
hbogert (759 rep)
May 31, 2019, 08:00 PM • Last activity: Jan 2, 2025, 03:03 AM
0 votes
0 answers
11 views
Problems with the group and permissions assigned to a file when creating it from a Windows client on a share in SAMBA AD as a file server
I have created a SAMBA AD Server, with a SAMBA member as File Server. I manage it with a Windows client through RSAT. After creating the resources in smb.conf and assigning the setgid to its corresponding folder so that everything created in it is from the same group, the following happens. When a user logs in with a Windows client, accesses the resource that has permissions, and creates a file in it, the group assigned to said file is not the one indicated by setgid... does anyone know why this happens? I have tried with specifications such as 'force group' and several others in smb.conf but it has no influence.
Paco Romero (1 rep)
Dec 1, 2024, 07:35 PM
3 votes
1 answers
6666 views
securing SAMBA smb.conf best parameters
Given today's date, running **Windows 10 or later** and connecting to a **RHEL 8.8 or newer** Linux system which currently has `samba-4.17.5-3.el8_8`, what is a ***best practice*** for parameters one should have in `/etc/samba/smb.conf` to ensure the **most secure and reliable connection** over that protocol? Below is what I am using. Can anyone modify or add to it to make it better? I am doing a simple samba setup with `security = user` and `passdb backend = tdbsam` with simple local passwords created with `smbpasswd -a`. If you have a smb.conf template to share that involves Windows domain joining and Active Directory and other more complicated things, that would be cool too. I am showing the two basic shares (home and data) that I almost always do; are there parameters that should also be there to improve security? Note: not concerned all that much with the logging part, but appreciated if you can improve on it or provide an explanation such that an admin could read it and make a rational decision on how to configure.

```
# /etc/samba/smb.conf template, RHEL 8.8
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
log level = 0 vfs:10
log file = /var/log/samba/sambavfs.log
max log size = 0
smb encrypt = required
client min protocol = SMB3
client max protocol = SMB3
client signing = mandatory
server signing = mandatory

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
vfs objects = extd_audit

[data]
comment = data
inherit acls = Yes
read only = No
path = /data
directory mask = 770
create mask = 660
vfs objects = extd_audit
```

**NOTE:** just also found out that **FIPS=1** in GRUB_CMDLINE_LINUX in /etc/default/grub (or doing `fips-mode-setup --enable`, which is available in RHEL-8) kills a samba connection from Windows. See https://access.redhat.com/discussions/7022626 . This was not the case in RHEL-7.9 when doing FIPS=1.
ron (8647 rep)
Nov 14, 2023, 08:47 PM • Last activity: Sep 17, 2024, 05:08 AM
1 votes
1 answers
495 views
SAMBA password expiration
- RHEL-8.10 to be specific
- samba-4.19
- `security = user` in /etc/samba/smb.conf [global]
- `passdb backend = tdbsam` in /etc/samba/smb.conf [global]

`smbpasswd -a` is done so there is an independent password for samba connections. When a Linux user's password in `/etc/passwd` is **expired**, is there a way to also make the samba password expired for the given user? At the very least, disallow the samba connection for the given user when their Linux account password is expired?

Scenario: the /etc/passwd password is set to expire in 90 days, per PASS_MAX_DAYS in /etc/login.defs and as shown by `passwd -S`. When a user has gone more than 90 days and the time to change their Linux password has come and gone and they are effectively locked out of Linux, I am observing (with a test account) that samba access to shared folders is still available because their windowsNT password is on a different expiration cycle, and they can still access samba shares of the Linux server. I want /etc/passwd expiration to also expire the samba password on the Linux server if possible. Ideally make PASS_MAX_DAYS also apply to the samba password and force the user to update; is this possible? This is basic stuff today for the /etc/passwd password, but it seems like samba fell through the cracks on this.
ron (8647 rep)
Aug 6, 2024, 05:24 PM • Last activity: Aug 7, 2024, 09:29 AM
1 votes
4 answers
1591 views
Samba only works when firewall is disabled
I have a Samba share on my Fedora Linux box. I was able to connect to it just fine when I was on Fedora 30, but after the upgrade to Fedora 31 it stopped working.

> Fedora 31
>
> Samba version: 4.11.2
>
> Firewalld version: 0.7.2-1.fc31

I've tried each of the following methods to open up the firewall for Samba. I know you should only have to do one or the other, but neither method is working.

```
firewall-cmd --add-service=samba --permanent
firewall-cmd --reload
```

and:

```
firewall-cmd --permanent --add-port=139/tcp
firewall-cmd --permanent --add-port=445/tcp
firewall-cmd --permanent --add-port=137/udp
firewall-cmd --permanent --add-port=138/udp
firewall-cmd --reload
```

These rules are applied to the default "public" zone, but somehow this isn't working. I know it's the firewall because if I stop the firewall I am able to browse and use my Samba share without any issues. Any ideas as to what is going on with my firewall?
etho201 (317 rep)
Nov 17, 2019, 09:29 AM • Last activity: Apr 21, 2024, 07:50 PM
1 votes
0 answers
61 views
configuring SAMBA for reasonable auditing
Can someone post an `/etc/samba/smb.conf` file that has configuration that will provide **reasonable** logging and audit information into a log file? My efforts thus far, in RHEL 8.9, have amounted to 98% stuff I do not wish to see, and the 2% I do see falls short of being interpretable. Is it possible to have **just** the following information in a samba log file?

- date & time of any initial connection over the network, from a win10 client connecting to the Linux samba server, and whether it was successful or not
- ip address of the client connection and the windowsNT user name, for both a successful and an unsuccessful connection
- then for successful connections into the samba server, log the folder tree traversal of the user, for both successful and unsuccessful attempts at what they try to access
- same for file accesses: log creations, deletions, save or modify attempts and permission changes on files & folders
ron (8647 rep)
Feb 6, 2024, 04:00 PM
0 votes
1 answers
113 views
configure samba homes to different location
The default `/etc/samba/smb.conf` has

```
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
```

My account as specified in `/etc/passwd` is `/home/ron` with account name `ron`, and as such when I connect to Linux from Windows I see a `ron` folder that only I can access, and that goes to **/home/ron**. Instead, I want that samba ron folder that shows up in Microsoft Windows when connecting to my samba server to go to **/data/users/ron** instead. How can I do that [in RHEL 8.9]?
ron (8647 rep)
Jan 24, 2024, 05:55 AM • Last activity: Jan 24, 2024, 06:51 AM
4 votes
2 answers
3754 views
inotifywait doesn't monitor Windows users saving to Samba share on Linux
I have `inotifywait` (version 3.14) on Linux to monitor a folder that is shared with Samba Version 4.3.9-Ubuntu. It works if I copy a file from a Linux machine to the samba share (that is on a different machine, under Linux as well). But if I copy a file from a Windows machine `inotify` won't detect anything. Spaces or no spaces, recursive or not, the result is the same.

```
printDir="/media/smb_share/temp/monitor"
inotifywait -m -r -e modify -e create "$printDir" | while read line
do
    echo "$line"
done
```

Does anyone have any ideas of how to solve it?
bstand (51 rep)
Jun 6, 2016, 07:51 AM • Last activity: Sep 18, 2023, 09:35 AM
1 votes
1 answers
295 views
Cannot kinit nfs/ principal
I'm trying to mount a NFSv4 share but the mount command cannot get permissions to mount the share. When I try to mount a share I receive the message:
mount.nfs4: mount(2): Permission denied
And if I try to kinit the nfs principal with: kinit -k -t /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM it returns:
kinit: Client 'nfs/nfshost.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
Here's all the details on how I'm trying to configure and test the service. All hosts are Debian 12: in the NFS server: /etc/hosts file
127.0.0.1	localhost
172.17.0.10	nfshost.domain.com nfshost
...
/etc/krb5.conf file
[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_realm = DOMAIN.COM
  default_keytab_name = FILE:/etc/krb5.keytab
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  allow_weak_crypto = 0

[realms]
  DOMAIN.COM = {
  kdc = 172.17.0.20
  master_kdc = 172.17.0.20
  default_domain = domain.com
  admin_server = 172.17.0.20
  }

[domain_realm]
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
/etc/exports file
/exports         172.17.0.0/16(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
/exports/users   172.17.0.0/16(rw,sync,no_subtree_check,sec=krb5)
/etc/idmapd.conf file
[General]
Verbosity = 0
Domain = domain.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = nsswitch
/etc/default/nfs-kernel-server file
RPCNFSDCOUNT=8
RPCNFSDPRIORITY=0
RPCMOUNTDOPTS="--manage-gids"
NEED_SVCGSSD="yes"
RPCSVCGSSDOPTS=""
/etc/default/nfs-common file
NEED_STATD=no
STATDOPTS=
NEED_IDMAPD=yes
NEED_GSSD=yes
Commands to add the NFS server entry into the domain (AD Samba)
# kdestroy
# kinit administrator
# msktutil delete --computer-name NFSHOST --server 172.17.0.20
# msktutil -c -b "CN=COMPUTERS" -s HOST/nfshost.domain.com -h nfshost -k /etc/krb5.keytab --computer-name NFSHOST --server 172.17.0.20 --dont-expire-password --verbose --enctypes 28
in AD (Samba at 172.17.0.20): add the following SPN's to the NFS server host added:
# samba-tool spn add nfs/nfshost NFSHOST$
# samba-tool spn add nfs/nfshost.domain.com NFSHOST$
# samba-tool spn add RestrictedKrbHost/nfshost NFSHOST$
# samba-tool spn add RestrictedKrbHost/nfshost.domain.com NFSHOST$
Check the NFS server host entry with samba-tool computer show nfshost:
dn: CN=NFSHOST,CN=Computers,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: NFSHOST
instanceType: 4
whenCreated: 20230901104446.0Z
uSNCreated: 202585
name: NFSHOST
objectGUID: 305c91e0-328d-47f4-ab30-7a4c0ea951dc
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133380386868301530
primaryGroupID: 515
objectSid: S-1-5-21-2898533208-202842514-1397044296-107323
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: NFSHOST$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=com
isCriticalSystemObject: FALSE
dNSHostName: nfshost.domain.com
msDS-SupportedEncryptionTypes: 28
userAccountControl: 69632
servicePrincipalName: HOST/nfshost.domain.com
servicePrincipalName: host/nfshost
servicePrincipalName: nfs/nfshost
servicePrincipalName: nfs/nfshost.domain.com
servicePrincipalName: RestrictedKrbHost/nfshost
servicePrincipalName: RestrictedKrbHost/nfshost.domain.com
whenChanged: 20230901104626.0Z
uSNChanged: 202594
distinguishedName: CN=NFSHOST,CN=Computers,DC=domain,DC=com
Generate the NFS host keytab:
# samba-tool domain exportkeytab --principal=nfs/nfshost.domain.com keytab.NFSHOST-nfs
Back in the NFS server: Retrieve the generated keytab from the AD:
scp root@172.17.0.20:/root/keytab.NFSHOST-nfs .
Merge it into the /etc/krb5.keytab file:
# ktutil
   rkt /etc/krb5.keytab
   rkt /root/keytab.NFSHOST-nfs
   wkt /etc/krb5.keytab
   quit

# chmod 600 /etc/krb5.keytab
# chown root:root /etc/krb5.keytab
Check if the SPN's are there: klist -kte /etc/krb5.keytab | grep nfs/nfshost.domain.com returns several of:
1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96) 
1 01/09/2023 07:59:33 nfs/nfshost.domain.com@DOMAIN.COM (aes128-cts-hmac-sha1-96)
Restart some services
exportfs -rav
/etc/init.d/nfs-kernel-server restart
/etc/init.d/nfs-common restart
mount --bind /home/users /exports/users
Clocks between AD and the NFS server are in sync. Hosts are in the same VLAN, with no firewall between them and no firewall on either host. To the tests: try to mount a share (still in the NFS server) with mount -t nfs4 nfshost.domain.com:/users /mnt -o sec=krb5 -v, which returns:
mount.nfs4: timeout set for Fri Sep  1 08:03:22 2023
mount.nfs4: trying text-based options 'sec=krb5,vers=4,addr=172.17.0.10,clientaddr=172.17.0.10'
mount.nfs4: mount(2): Permission denied
mount.nfs4: access denied by server while mounting nfshost.domain.com:/users
Try to kinit the nfs principal: kinit -k -t /etc/krb5.keytab nfs/nfshost.domain.com@DOMAIN.COM returns:
kinit: Client 'nfs/nfshost.domain.com@DOMAIN.COM' not found in Kerberos database while getting initial credentials
/var/log/syslog file have several of:
Sep  1 08:03:25 nfshost rpc.gssd: ERROR: No credentials found for connection to server nfshost.domain.com
What am I missing to correctly configure this NFS service?
igorkattar (81 rep)
Sep 1, 2023, 08:04 PM • Last activity: Sep 2, 2023, 03:16 PM
1 votes
0 answers
212 views
New LDAP user can't connect to [homes], but older one can?
My system:
# cat /etc/*release*
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

# smbd -V
Version 4.13.13-Debian
My problem: I have a number of users that are defined in openldap (OpenLDAP 2.4.57+dfsg-3+deb11u1) on a server vogon, and a samba server on another system, knox. When I connect to samba with an existing user jan, it works fine:
# smbclient //knox/homes -U jan -W ZOMBIE   
Enter ZOMBIE\jan's password: 
Try "help" to get a list of possible commands.
smb: \> pwd
Current directory is \\knox\homes\
smb: \>
However, when I create a new user, zzuser in LDAP, I get:
# smbclient //knox/homes -U zzuser -W ZOMBIE
Enter ZOMBIE\zzuser's password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
and in /var/log/samba/log.192.168.50.109:
...
[2023/04/11 10:06:56.594913,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2023/04/11 10:06:56.594949,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=comind,dc=io], filter => [(&(uid=zzuser)(objectclass=sambaSamAccount))], scope => 
[2023/04/11 10:06:56.595600,  4, pid=1089697, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1563(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [zzuser] count=0
[2023/04/11 10:06:56.595645,  4, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2023/04/11 10:06:56.595656,  3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:398(check_sam_security)
  check_sam_security: Couldn't find user 'zzuser' in passdb.
[2023/04/11 10:06:56.595665,  5, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:258(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595676,  2, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [zzuser] -> [zzuser] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595704,  2, pid=1089697, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [ZOMBIE]\[zzuser] at [Tue, 11 Apr 2023 10:06:56.595692 UTC] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [JAN] remote host [ipv4:192.168.50.106:60046] mapped to [ZOMBIE]\[zzuser]. local host [ipv4:192.168.50.7:445] 
  {"timestamp": "2023-04-11T10:06:56.595778+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:192.168.50.7:445", "remoteAddress": "ipv4:192.168.50.106:60046", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "ZOMBIE", "clientAccount": "zzuser", "workstation": "JAN", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "zzuser", "mappedDomain": "ZOMBIE", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5241}}
[2023/04/11 10:06:56.595822,  5, pid=1089697, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:210(auth3_check_password_send)
  auth3_check_password_send: Checking NTLMSSP password for ZOMBIE\zzuser failed: NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/04/11 10:06:56.595832,  3, pid=1089697, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:2295(do_map_to_guest_server_info)
  No such user zzuser [ZOMBIE] - using guest account
...
This contrasts with the fact that zzuser is well known by the system:
# id zzuser
uid=1104(zzuser) gid=100(users) groups=100(users)
# echo ~zzuser
/knox/home/zzuser
# su - zzuser
zzuser@knox:~$ passwd
Current Password: 
New password: 
Retype new password: 
passwd: password updated successfully
On the other hand:
zzuser@knox:~$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Bad SMB2 signature for message
 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
 58 95 CD A8 66 08 74 38   19 A3 59 52 1E BE 15 28   X...f.t8 ..YR...(
Could not connect to machine 127.0.0.1: NT_STATUS_ACCESS_DENIED
And as root:
# smbpasswd zzuser
New SMB password:
Retype new SMB password:
Failed to find entry for user zzuser.
So what is going on here? I seem to recall that I added user jan to samba in the past, and that may be the difference, but if samba requires that in order to function, then the whole point of using LDAP vanishes.
j4nd3r53n (779 rep)
Apr 11, 2023, 10:58 AM
0 votes
1 answers
296 views
Samba AD DC - Directory entry for a shared folder
Suppose that you have:

- a Linux machine (A) running a Samba AD DC,
- a Windows machine (B), with a shared folder `\\B\shared_folder`.

I would like to know if there is an entry in the directory for this shared folder. If so, how can I search for it using, for example, the `ldapsearch` command-line tool? I would like to visualize what information about that shared folder is stored in the directory. Can I get a list of the shared directories in the network from the directory?
Léa Massiot (101 rep)
Feb 15, 2023, 11:33 AM • Last activity: Feb 15, 2023, 01:25 PM
0 votes
1 answers
93 views
Samba 4.15 DES-CBC-MD5
Is there a way to enable des-cbc-md5? I have openSUSE Leap 15.3 and samba 4.15 and I need to accept Windows XP and Windows 7 clients. I read https://unix.stackexchange.com/questions/555000/samba-4-11-and-des-cbc-md5
Sergio (1 rep)
May 9, 2022, 05:52 PM • Last activity: Dec 20, 2022, 12:31 AM
0 votes
1 answers
3508 views
Special char in password for smb mount
These are the lines containing smb mounts in my /etc/fstab:

```
//192.168.2.2/Company /home/myname/server/company cifs users,credentials=/home/myname/.smbcredentials,uid=1000,gid=1000,noauto 0 0
//192.168.2.2/Private /home/myname/server/private cifs users,credentials=/home/myname/.smbcredentials,uid=1000,gid=1000,noauto 0 0
```

The .smbcredentials file contains a password with special chars, for example like:

```
username=myname
password=%t!f?ea-TGH
```

The mount doesn't work because of the special chars. Is there a way to escape the chars? I tried to enclose it with " or ', but it doesn't work.
sneaky (261 rep)
Dec 1, 2022, 01:51 PM • Last activity: Dec 2, 2022, 12:13 PM
0 votes
0 answers
646 views
Samba process already running. How to solve?
I'm using Internal DNS (**SAMBA_INTERNAL**). But I have the following errors:

`systemctl status samba-ad-dc`
samba-ad-dc.service - Samba Active Directory Domain Controller
     Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-11-25 17:35:00 -03; 12min ago
    Process: 526 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=0/SUCCESS)
   Main PID: 527 (samba)
      Tasks: 59 (limit: 2340)
     Memory: 216.4M
        CPU: 11.030s
     CGroup: /system.slice/samba-ad-dc.service
             ├─527 samba: root process        .
             ├─528 samba: tfork waiter process(529)
             ├─529 samba: task[s3fs] pre-fork master
             ├─530 samba: tfork waiter process(531)
             ├─531 samba: task[rpc] pre-fork master
             ├─532 samba: tfork waiter process(534)
             ├─533 samba: tfork waiter process(536)
             ├─534 samba: task[nbt] pre-fork master
             ├─535 samba: tfork waiter process(537)
             ├─536 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─537 samba: task[wrepl] pre-fork master
             ├─538 samba: tfork waiter process(539)
             ├─539 samba: task[ldap] pre-fork master
             ├─540 samba: tfork waiter process(542)
             ├─541 samba: tfork waiter process(546)
             ├─542 samba: task[cldap] pre-fork master
             ├─543 samba: tfork waiter process(544)
             ├─544 samba: task[kdc] pre-fork master
             ├─545 samba: tfork waiter process(548)
             ├─546 samba: task[rpc] pre-forked worker(0)
             ├─547 samba: tfork waiter process(551)
             ├─548 samba: task[drepl] pre-fork master
             ├─549 samba: tfork waiter process(554)
             ├─550 samba: tfork waiter process(553)
             ├─551 samba: task[rpc] pre-forked worker(1)
             ├─552 samba: tfork waiter process(560)
             ├─553 samba: task[kdc] pre-forked worker(0)
             ├─554 samba: task[winbindd] pre-fork master
             ├─555 samba: tfork waiter process(557)
             ├─556 samba: tfork waiter process(562)
             ├─557 samba: task[ntp_signd] pre-fork master
             ├─558 samba: tfork waiter process(566)
             ├─559 samba: tfork waiter process(564)
             ├─560 samba: task[rpc] pre-forked worker(2)
             ├─561 samba: tfork waiter process(565)
             ├─562 samba: task[kdc] pre-forked worker(1)
             ├─563 samba: tfork waiter process(568)
             ├─564 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
             ├─565 samba: task[rpc] pre-forked worker(3)
             ├─566 samba: task[kcc] pre-fork master
             ├─567 samba: tfork waiter process(570)
             ├─568 samba: task[kdc] pre-forked worker(2)
             ├─569 samba: tfork waiter process(572)
             ├─570 samba: task[dnsupdate] pre-fork master
             ├─571 samba: tfork waiter process(573)
             ├─572 samba: task[kdc] pre-forked worker(3)
             ├─573 samba: task[dns] pre-fork master
             ├─580 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─581 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
             ├─582 winbindd: domain child [SAMDOM]
             ├─583 winbindd: idmap child         .
             ├─606 samba: tfork waiter process(607)
             ├─607 samba: task[ldap] pre-forked worker(0)
             ├─608 samba: tfork waiter process(609)
             ├─609 samba: task[ldap] pre-forked worker(1)
             ├─610 samba: tfork waiter process(611)
             ├─611 samba: task[ldap] pre-forked worker(2)
             ├─612 samba: tfork waiter process(613)
             └─613 samba: task[ldap] pre-forked worker(3)

nov 25 17:45:02 DC1 samba: [2022/11/25 17:45:02.945099,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
nov 25 17:45:02 DC1 samba:   /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH(BADSIG)
nov 25 17:45:02 DC1 samba: [2022/11/25 17:45:02.999210,  0] ../../source4/auth/gensec/gensec_gssapi.c:1349(gensec_gssapi_check_packet)
nov 25 17:45:02 DC1 samba:   gssapi_check_packet(hdr_signing=0,sig_size=28,data=134,pdu=134) failed: NT_STATUS_ACCESS_DENIED
nov 25 17:45:03 DC1 samba: [2022/11/25 17:45:03.000237,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
nov 25 17:45:03 DC1 samba:   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig indicates error
nov 25 17:45:03 DC1 samba: [2022/11/25 17:45:03.000309,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
nov 25 17:45:03 DC1 samba:   /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH(BADSIG)
nov 25 17:45:03 DC1 samba: [2022/11/25 17:45:03.062827,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
nov 25 17:45:03 DC1 samba:   dnsupdate_nameupdate_done: Failed DNS update with exit code 5
Here it says that there is already a Samba process running:

`samba -i`
```
samba version 4.17.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
ERROR: samba is already running. File /usr/local/samba/var/run/samba.pid exists and process id 527 is running.
```
What should I check in my settings?
campos (101 rep)
Nov 25, 2022, 08:56 PM • Last activity: Nov 25, 2022, 08:57 PM
0 votes
0 answers
437 views
why can I delete a root owned file through samba share that is an NFS mounted folder?
- RHEL 7.9
- a server having the physical mount of /data has SELINUX as enforcing with the selinux bool samba_share_nfs set to on; this /data folder is NFS exported
- a few NFS client servers mount this /data folder with no_root_squash and as NFS vers=4.1
- one NFS client as root writes /data/log.txt and this file has permissions -rw-r--r--. 1 root root
- each NFS client server also samba shares out its NFS mounted /data folder, where the /data/ folder permissions are drwxrwx---. 1 ron users; see below for smb.conf
- through samba from my win10 pc, logged in as ron I can go to \\server\data and delete log.txt even though it has root.root rw-r-r permissions. **Why?**
- *my code that writes log.txt has to be run as root, and I am ok with anyone being able to read my log.txt (I actually want that); I just don't want log.txt to be able to be deleted or edited.*

---
```
# /etc/samba/smb.conf
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes

[data]
comment = data
inherit acls = Yes
read only = No
path = /data
directory mask = 770
create mask = 660
```
ron (8647 rep)
Oct 20, 2022, 04:01 PM
1 votes
2 answers
1302 views
SAMBA(Openwrt) Share not show in File explorer (Windows 7)
I have this configuration with Samba 4.14.12:
[global]
        netbios name = MyRouter
        interfaces = br-lan eth0 
        server string = MyRouter
        unix charset = UTF-8
        workgroup = WORKGROUP

        bind interfaces only = yes

        #server min protocol = SMB2
        passdb backend = smbpasswd
        dns proxy = no
        socket options = IPTOS_LOWDELAY TCP_NODELAY
        use sendfile = yes
        map to guest = Bad User
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes
        printing = bsd
        client signing = mandatory

        ## disable core dumps
        enable core files = no
        #smb encrypt = desired
        security = user
        mdns name = mdns


        #delete veto files = yes

######### Dynamic written config options #########
        disable netbios = yes
        smb ports = 445
        aio read size = 0
        aio write size = 0

[HDDSoft]
        path = /media/HDDSoft/HDD_DATI/+PC
        create mask = 0666
        directory mask = 0777
        read only = yes
        guest ok = no
        guest only = yes

[hdd]
        path = /media/HDDSoft/HDD_DATI
        valid users = root
        create mask = 0666
        directory mask = 0777
        browseable = no
        read only = no
        guest ok = no
Why doesn't it show in network File Explorer?
user377583
Oct 9, 2022, 02:26 PM • Last activity: Oct 17, 2022, 02:40 PM
1 votes
0 answers
282 views
rsync: Unknown --usermap name on receiver for AD user
I'm trying to move files to a new fileserver which is a samba4 domain member using `rsync -a`. Unfortunately the uid and gid are not mapped correctly. The files on the target get the uid from the source. So I tried to force the correct mapping by using `--usermap=3000019:'DOMAIN\myuser'` but then I get
```
Unknown --usermap name on receiver: DOMAIN\myuser
```
uid and gid mapping is working as expected:
```
getent passwd 'DOMAIN\myuser'
DOMAIN\myuser:*:10001105:10000514:My User:/share/homes/DOMAIN/myuser:/bin/false
```
or
```
id 'DOMAIN\myuser'
uid=10001105(DOMAIN\myuser) gid=10000514(DOMAIN\domain users)
```
Does anyone know how to handle domain users with rsync correctly?
Heiko Robert (111 rep)
Oct 10, 2022, 06:44 PM