I have a fresh CentOS 8 server that I'm setting up for a client, and it's giving me the worst troubles with setting up network shares on the AD DC.

I've scoured Google for several hours, and nothing I can dig up helps. A lot of the results are several years old, and I don't think they apply to newer versions. After several of these moments, maybe this thread will help somebody in the future.

One issue I've considered is that during domain provisioning my default NETBIOS name was LOCALHOST and I never changed it, so it may be causing issues resolving on other machines. I've tried changing it, but I may not be changing everything correctly, as doing so causes connecting to the domain to fail entirely.

Currently I'm able to access my network server using 3 different methods, each with their own error:

1. Opening \\OFFICE

Connecting to just the shortname shows all of the files & printers that are being shared, but none of them are able to connect. Attempting to connect to one of the shares gives the error:

    \\OFFICE\public is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
    A volume has been accessed for which a file system driver is required that has not yet been loaded.

2. Opening \\office.mydomain.com

Connecting this way allows me to access all of the network printers; however only sysvol and netlogon are accessible drives. Attempting to connect to any of the other drives gives this error:

    \\office.mydomain.com\public is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
    Element not found.

3. Opening \\192.168.1.2

Attempting to connect using the controller's IP address works for all printers and network shares except for netlogon and sysvol. Attempting to open either of the default drives prompts for a login, which fails even with the OFFICE\administrator account.

My thesis was that the drive shares aren't actually considered part of the domain, but trying to access the locations from a non-domain account prompts for a domain login.

I also spent several hours digging into DNS thinking that could be the issue, but if the NETBIOS being LOCALHOST isn't a problem, I don't have any issues with the shares other than not being able to access the directories. Printers work fine, pinging the server is fine, nslookup returns the correct result, SSH works correctly with the domain. I'm not familiar enough with Samba to know what handles the mapping of the shares, e.g. \public.

The version running:

```
$: smbd -V
Version 4.12.3
```

All of my directories show up properly:
```
$: smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        public          Disk
        share1          Disk
        share2          Disk
        share3          Disk
        share4          Disk
        users           Disk
        IPC$            IPC       IPC Service (Samba 4.12.3)
        Printer1        Printer   EPSON WF-7520 Series
        Printer2        Printer   EPSON ET-3750 Series
        Printer3        Printer   EPSON ET-3750 Series
        Printer4        Printer   Brother QL-710W
        Printer5        Printer   EPSON ET-3750 Series
SMB1 disabled -- no workgroup available
```
Below are my configs.

smb.conf

```
# Global parameters
[global]
# Realm information
netbios name = LOCALHOST
realm = OFFICE.MYDOMAIN.COM
server role = active directory domain controller
disable netbios = no
smb ports = 139 445
# DNS is controlled by BIND
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, s3fs
# Work group
workgroup = OFFICE
idmap_ldb:use rfc2307 = yes
# Log from user IPs
log file = /var/log/samba/%m.log
#log level = 5
# Printing servers with Cups!
printing = cups
printcap name = cups
load printers = yes
cups options = raw
# Mapped drive configs
map archive = no
map readonly = no
# Home Directories
logon drive = H:
logon home = \\office.mydomaincom\users\%U
# Winbindd
winbind cache time = 10
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%D/%U
# WINS
domain logons = yes
preferred master = yes
domain master = yes
#wins support = yes
#host msdfs = yes
time server = yes
# DNS
dns forwarder = 192.168.1.2
# Enable FreeRADIUS authorization
ntlm auth = mschapv2-and-ntlmv2-only
# Generic system volume
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = no
# Net login scripts
[netlogon]
path = /usr/local/samba/var/locks/sysvol/office.mydomain.com/scripts
read only = no
# Shared printers
[printers]
comment = All Printers
path = /var/spool/samba/
printable = yes
create mask = 0600
browseable = no
# Share for all companies
[public]
path = /srv/samba/public
read only = no
[share1]
path = /srv/samba/share1
read only = no
[share2]
path = /srv/samba/share2
read only = no
[share3]
path = /srv/samba/share3
read only = no
[share4]
path = /srv/samba/share4
read only = no
# User home directory
[users]
path = /srv/samba/home
read only = no
```

krb5.conf

```
[libdefaults]
default_realm = OFFICE.MYDOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
OFFICE.MYDOMAIN.COM = {
default_domain = office.mydomain.com
}
[domain_realm]
localhost = OFFICE.MYDOMAIN.COM
```

nsswitch.conf

```
passwd: files winbind
group: files winbind
netgroup: files winbind
automount: files winbind
services: files winbind
# In order of likelihood of use to accelerate lookup.
shadow: files winbind
hosts: dns myhostname
aliases: files
ethers: files
gshadow: files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks: dns
protocols: files winbind
publickey: files
rpc: files
```
Best Answer
After much more digging and playing around, I figured out that I had two issues at hand.

Firstly was how I was connecting to the server. \\OFFICE, \\office.mydomain.com, and \\192.168.1.2 all connect; however none of them are actually recognized as fully part of the DC. I had to incorporate the NETBIOS name into the FQDN and connect to \\localhost.office.mydomain.com. From here all printers and shares (including netlogon and sysvol) were recognized. This might be changeable somewhere else, but this works for my needs.

Secondly was a folder permission issue. I tested moving my shares into the sysvol share, and had no problems connecting to them at that point. So I checked the permissions on the sysvol share and saw that it was owned by the BUILTIN\administrators group, which my shares are owned by; however the parent folder also needs that permission, otherwise Samba won't read the shares properly. Once I figured out my shares were working while housed inside of sysvol, I applied the permissions back to my /srv/samba directory, and moved them back. I'm not 100% on sysvol, but I believe storing additional files in that share probably isn't the best idea.
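As an added example (not part of the question or the answer above), here is a POSIX shell script that pulls every share path out of an smb.conf and prints the owner, group and mode of each share directory and of its parent, which is the check the answer's second finding comes down to. The sample config it writes is constructed from the shares in the question; the location of the real DC's smb.conf is not given on the page and is assumed.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Lists every share
# path in an smb.conf next to its parent directory and reports owner:group and
# mode of both, since the accepted answer found that the parent of the share
# directories (/srv/samba) also needed the ownership the shares had.

# Print "section path parent" for every section that carries a path = line.
share_paths() {
    # $1 = smb.conf to read (paths containing spaces are not handled)
    awk '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/\[|\]/, "", s); gsub(/[[:space:]]/, "", s)
            section = s; next
        }
        /^[[:space:]]*path[[:space:]]*=/ {
            p = $0
            sub(/^[[:space:]]*path[[:space:]]*=[[:space:]]*/, "", p)
            sub(/[[:space:]]+$/, "", p)
            parent = p
            sub(/\/[^\/]+\/?$/, "", parent)   # strip the last component
            if (parent == "") parent = "/"
            print section, p, parent
        }
    ' "$1"
}

# One line per directory: share, directory, owner:group and mode taken from
# ls -ld (works without GNU stat), or MISSING when the directory is absent.
check_share_parents() {
    share_paths "$1" | while read -r share path parent; do
        for d in "$path" "$parent"; do
            if [ -d "$d" ]; then
                info=$(ls -ld "$d" | awk '{print $3 ":" $4, $1}')
                printf '%-10s %-55s %s\n' "$share" "$d" "$info"
            else
                printf '%-10s %-55s MISSING\n' "$share" "$d"
            fi
        done
    done
}

# Constructed sample config mirroring the shares in the question, written to
# the file named in $1, so the script can be tried without a real DC.
write_sample_conf() {
    printf '%s\n' '[global]' '   workgroup = OFFICE' \
        '[sysvol]' '   path = /usr/local/samba/var/locks/sysvol' \
        '[public]' '   path = /srv/samba/public' \
        '[printers]' '   path = /var/spool/samba/' > "$1"
}

# On the DC (assumed location): check_share_parents /etc/samba/smb.conf
```

A share directory owned by the expected group but a parent that shows root:root with no group access is exactly the mismatch the answer describes.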