Hi Everybody,

I would like to refresh my post sent around 3 months ago. The issue still persists...
What I've got is:

* Ubuntu 16.04 with Samba 4 as AD DC
* OmniOSce CIFS server is joined to AD domain
* Windows 10 Pro joined to AD domain
* and some more client computers joined

I do AD administration from Win10 with RSAT. I've created a lot of accounts for employees.

PROBLEM: Some users are denied access to OmniOSce shares while other users can connect without problems.

I would like to stress: the issue is present only with OmniOS shares. Users ARE authorised thru AD DC.

* There is an ACL rule for an "employees" AD group allowing access for the members,
* there are about 20 members and only a few of them have a problem,
* problematic accounts CAN connect to another Windows machine via RDP and are authorized by AD DC (I even changed passwords to check and still can connect with the new passwords),
* problematic accounts cannot access the CIFS share from the OmniOSce server.

When I try to access the server from an Ubuntu machine I get the following with "good_user":

    $ smbclient -U test26 -L //omnios
    Enter test26's password:
    Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-51c7d] Server=[Native SMB service]

        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk
        c$              Disk      Default Share
        test1           Disk
        test2           Disk
        ipc$            IPC       Remote IPC
        test            Disk
    Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-51c7d] Server=[Native SMB service]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

and with "bad_user" I get

    # smbclient -U bad_user -L //omnios
    Enter bad_user's password:
    session setup failed: NT_STATUS_ACCESS_DENIED

The same results are obtained from a Windows machine with the "net view \\omnios" command:

* When I log in to a Windows machine with "bad user" I can log in properly but the "net view" command produces error 53.
* When I log in to the same Windows machine with "good user", I can list shares with the "net view" command.

I cannot see any difference between the users. They are members of the same AD groups. They were created one by one.
As a workaround I can disable problematic accounts, create new accounts and they work like a charm. But that is just a temporary workaround.

Can the issue be related to SID numbers? Maybe OmniOS does not like some of them?

I have the following ID mappings on OmniOS:

    # idmap list
    add winuser:administrator@local.domain_name.net unixuser:root
    add wingroup:administrators@local.domain_name.net unixgroup:root
    add -d winuser:*@local.domain_name.net unixuser:domain_name

The issue drives me crazy. Any help or thoughts appreciated.

Regards,
--
Piotr
_______________________________________________
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss