Hi Everybody,

I would like to refresh my post sent around 3 months ago. The issue still
persists...

What I've got is

  * Ubuntu 16.04 with Samba 4 as AD DC
  * OmniOSce CIFS server is joined to AD domain
  * Windows 10 Pro joined to AD domain
  * and some more client computers joined

I do AD administration from Win10 with RSAT. I've created a lot of
accounts for employees.

PROBLEM: Some users are denied access to OmniOSce shares while other
users can connect without problems. I would like to stress: the issue is
present only with OmniOS shares. Users ARE authorised through AD DC.

  * There is an ACL rule for an "employees" AD group allowing access for the
    members,
  * there are about 20 members and only a few of them have a problem,
  * problematic accounts CAN connect to another Windows machine via RDP
    and are authorized by AD DC (I even changed passwords to check and
    still can connect with the new passwords),
  * problematic accounts cannot access the CIFS share from the OmniOSce server.

When I try to access the server from an Ubuntu machine I get the following
with "good_user":

    $ smbclient -U test26 -L //omnios
    Enter test26's password: 
    Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-51c7d] Server=[Native SMB service]

        Sharename       Type      Comment
        ---------       ----      -------
        public          Disk      
        c$              Disk      Default Share
        test1           Disk      
        test2           Disk      
        ipc$            IPC       Remote IPC
        test            Disk      
    Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-51c7d] Server=[Native SMB service]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

and with "bad_user" I get

    # smbclient -U bad_user -L //omnios
    Enter bad_user's password: 
    session setup failed: NT_STATUS_ACCESS_DENIED

The same results are obtained from a Windows machine with the
"net view \\omnios" command:

  * When I log in to the Windows machine with "bad user" I can log in
    properly but the "net view" command produces error 53.
  * When I log in to the same Windows machine with "good user", I can
    list shares with the "net view" command.

I cannot see any difference between the users. They are members of the
same AD groups. They were created one by one.

As a workaround I can disable problematic accounts, create new accounts
and they work like a charm. But that is just a temporary workaround.

Can the issue be related to SID numbers? Maybe OmniOS does not like some
of them?

I have the following ID mappings on OmniOS:

    # idmap list
    add     winuser:administrator@local.domain_name.net  unixuser:root
    add     wingroup:administrators@local.domain_name.net        unixgroup:root
    add -d  winuser:*@local.domain_name.net      unixuser:domain_name

The issue drives me crazy. Any help or thoughts appreciated.

Regards,

-- 
Piotr
