Nextcloud version: 12.0.4
Operating system and version: Ubuntu 16.04.03 LTS
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 5.6):
Is this the first time you’ve seen this error?:
Can you reliably replicate it?: Yes.
My issue(s):
Using the NextCloud VM (appliance), I am attempting to use Samba to join a domain (currently has a single Windows Server 2003 DC) and I want to use Samba to share a folder (which has been added via the web interface) with domain users over the LAN using CIFS (they are a mix of Windows desktop OS and Windows Server 2016 terminal server sessions). NextCloud VM is “fs1” and domain is “example.local”.
I have read lots of walk-through guides and documented which steps appear to work best for me. I have installed the NIS tools on the domain controller and I’ve assigned UID and GID groups to the users and groups we care about (and made sure the users are part of the groups in NIS, not just members of the domain groups). I am able to join the NextCloud VM to the domain with no issues, so all the nameserver and DNS and Kerberos stuff seems like it should be good. Samba is configured. Winbind is configured. Testparm returns good. “wbinfo -u” lists domain users. “wbinfo -g” lists domain groups. BUT… “getent group” lists only local groups, and “getent passwd” lists only local users. AND… chgrp -R "Domain Users" /var/ncdata/ncadmin/files/kdrive/ returns a message saying Domain Users is invalid. Also, no domain user can access the share (or the server via “\fs1”) because it says invalid login.
Packages installed:
ntp krb5-user samba smbclient winbind (smbfs was removed from the packages that one article recommended because it’s not found in the repo; not sure if this is part of my issue?)
/etc/hosts:
"127.0.1.1 " line removed; (dns returns "fs1" as having the correct LAN IP)
/etc/nsswitch.conf: (tried replacing “compat” with “files”, no luck):
passwd: compat winbind
group: compat winbind
shadow: compat winbind
/etc/resolvconf/resolv.conf.d/base
nameserver 192.168.88.10 (existing Win2003R2 domain controller)
nameserver 192.168.88.11 (not currently in use; I expect to replace the Win DC with 2 appliances from Turnkeylinux)
nameserver 192.168.88.12 (not currently in use)
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 8.8.8.8
nameserver 8.8.4.4
search example.local
/etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
[realms]
EXAMPLE.LOCAL = {
kdc = 192.168.88.10
default_domain = EXAMPLE.LOCAL
}
[domain_realm]
.example.local = EXAMPLE.LOCAL
example.local = EXAMPLE.LOCAL
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
/etc/samba/smb.conf:
[global]
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.LOCAL
domain master = no
local master = no
preferred master = no
# Disable printing error log messages when CUPS is not installed.
printcap name = /etc/printcap
load printers = no
idmap_ldb : use rfc2307 = yes
# idmap backend = tdb
# idmap uid = 10000-99999
# idmap gid = 10000-99999
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 10000-99999
idmap config EXAMPLE : unix_nss_info = yes
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username@example.org
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
#winbind options
#winbind operator = +
winbind uid = 10000-25000
winbind gid = 10000-25000
winbind cache time = 15
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/shell
# Becomes /home/example/username
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 2
map untrusted to domain = yes
[kdrive]
comment = K Drive
path = /var/ncdata/ncadmin/files/kdrive/
valid users = "@EXAMPLE\Domain Admins"
force group = "Domain Users"
group = "Domain Users"
read only = No
create mask = 0777
force create mode = 0660
directory mask = 0777
directory mode = 0777
force directory mode = 0770
hide unreadable = Yes
access based share enum = Yes
Setting permissions on the folder (which was created in NextCloud as “kdrive” under the user “NCAdmin”):
chmod -R 0770 /var/ncdata/ncadmin/files/kdrive/ (no error)
chgrp -R "Domain Users" /var/ncdata/ncadmin/files/kdrive/ ("chgrp: invalid group: ‘Domain Users’")
So, with all of that copy-pasted info (I’m sure I missed some and can add more; just let me know what I’ve missed), does anyone with experience configuring Samba see anything that is preventing me from using the domain users locally in my NextCloud VM? I’ve spent some days trying different combinations of settings, but so far nothing has me able to 1. view domain users in getent, 2. set the permissions for that folder for Domain Users group, 3. access \fs1 via Windows Explorer.
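One thing worth checking before touching winbind itself is whether the posted smb.conf says what you think it says: several parameters appear twice with different values (smbd keeps the last one), and any typographic quotes that survive a copy-paste into the file are not stripped by Samba. The script below is an added example, not part of the original post; it parses a constructed smb.conf excerpt modelled on the one above and reports both problems. It relies only on the documented smb.conf rules that parameter names are case-insensitive and ignore internal whitespace.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the smb.conf in the post (not the file verbatim).
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
security = ads
template homedir = /home/winnt/%D/%U
template shell = /bin/shell
# Becomes /home/example/username
template homedir = /home/%D/%U
template shell = /bin/bash
winbind cache time = 15
winbind cache time = 15
[kdrive]
valid users = \u201c@EXAMPLE\\Domain Admins\u201d
force group = \u201cDomain Users\u201d
"""

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes Samba will not strip


def norm_key(key):
    """smb.conf parameter names are case-insensitive and ignore internal whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} keeping every occurrence in file order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            continue
        if "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def find_problems(text):
    """List repeated parameters (last value wins) and values containing smart quotes."""
    problems = []
    for section, items in parse_smb_conf(text).items():
        seen = {}
        for key, value in items:
            k = norm_key(key)
            if k in seen:
                problems.append(f"[{section}] '{key}' repeated: '{seen[k]}' then '{value}' (smbd keeps the last)")
            seen[k] = value
            if any(ch in value for ch in SMART_QUOTES):
                problems.append(f"[{section}] '{key}' contains typographic quotes; use straight \" quotes")
    return problems


if __name__ == "__main__":
    for p in find_problems(SAMPLE_SMB_CONF):
        print(p)
```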