Can not access Samba shares

samba
sharedfolders
updates
v7

(Gerald) #1

So after only dovecot has made problems, and this problem was dealt with a renewed update.

does not work now with the current version NethServer release 7.6.1810 (final) Kernel 3.10.0-957.1.3.el7.x86_64 also the Samba service.

First, samba was off, restarted. but you can not access the shares.

Gerald


(Davide Principi) #2

There’s another fix to apply (still not fully tested). To ensure it is good to fix your setup run

 net getdomainsid

If the Sid number is the same on both output lines* run this command

yum install http://packages.nethserver.org/nethserver/7.6.1810/autobuild/x86_64/Packages/nethserver-samba-4.2.0-1.3.pr31.g04d6bcf.ns7.noarch.rpm

Otherwise attach the output of

systemctl status smb winbind

See also

*) The duplicate Sid occurs on a ns6 upgraded system, or if the configuration was restored from a ns6 backup


(Gerald) #3
[Good Morning!

So the SID is not identical, what would be the solution?

root@openzwo ~]# net getdomainsid
    SID for local machine OPENZWO is: S-1-5-21-1124315269-312086000-2235371999
    SID for domain NANDLNET is: S-1-5-21-1955059481-3219934149-1051263816
    [root@openzwo ~]#

(Gerald) #4

Here is the output of ‘systemctl status smb winbind’

[root@openzwo ~]# systemctl status smb winbind
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-12-15 19:30:29 CET; 15h ago
     Docs: man:smbd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 5446 (smbd)
   Status: "smbd: ready to serve connections..."
    Tasks: 4
   CGroup: /system.slice/smb.service
           ├─5446 /usr/sbin/smbd --foreground --no-process-group
           ├─5822 /usr/sbin/smbd --foreground --no-process-group
           ├─5823 /usr/sbin/smbd --foreground --no-process-group
           └─7474 /usr/sbin/smbd --foreground --no-process-group

Dec 16 11:19:14 openzwo.nandlnet.de smbd[21303]: [2018/12/16 11:19:14.385138,  0] ../lib/param/loadparm.c:1844(lpcfg_do_service_parameter)
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21303]:   Ignoring unknown parameter "share modes"
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21304]: [2018/12/16 11:19:14.436411,  0] ../lib/param/loadparm.c:784(lpcfg_map_parameter)
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21304]:   Unknown parameter encountered: "share modes"
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21304]: [2018/12/16 11:19:14.436755,  0] ../lib/param/loadparm.c:1844(lpcfg_do_service_parameter)
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21304]:   Ignoring unknown parameter "share modes"
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21305]: [2018/12/16 11:19:14.485041,  0] ../lib/param/loadparm.c:784(lpcfg_map_parameter)
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21305]:   Unknown parameter encountered: "share modes"
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21305]: [2018/12/16 11:19:14.485282,  0] ../lib/param/loadparm.c:1844(lpcfg_do_service_parameter)
Dec 16 11:19:14 openzwo.nandlnet.de smbd[21305]:   Ignoring unknown parameter "share modes"

● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-12-15 19:30:26 CET; 15h ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 5027 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 2
   CGroup: /system.slice/winbind.service
           ├─5027 /usr/sbin/winbindd --foreground --no-process-group
           └─5444 /usr/sbin/winbindd --foreground --no-process-group

Dec 15 19:30:25 openzwo.nandlnet.de systemd[1]: Starting Samba Winbind Daemon...
Dec 15 19:30:26 openzwo.nandlnet.de winbindd[5027]: [2018/12/15 19:30:26.343756,  0] ../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
Dec 15 19:30:26 openzwo.nandlnet.de winbindd[5027]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Dec 15 19:30:26 openzwo.nandlnet.de winbindd[5027]: [2018/12/15 19:30:26.731481,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Dec 15 19:30:26 openzwo.nandlnet.de systemd[1]: Started Samba Winbind Daemon.
Dec 15 19:30:26 openzwo.nandlnet.de winbindd[5027]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[root@openzwo ~]#

At startup, they are not automatically included, but I can select the shares manually.

The (Linux) client is included here in the forum according to the WIki , but the releases are not loaded, as well from the stb - he finds the releases but does not bind them.


(Dr Thomas Quinton) #5

Having same Problem after update…


(Davide Principi) #6

Do you have any template-custom?

Did you check if you have a duplicate Sid as described above?


(Dr Thomas Quinton) #7

they are different


(Giacomo Sanchietti) #8

Please also try to access the share with smbclient, something like:

smbclient -d 3 -U <user>@<domain> //<server>/<folder>

Report back any error.


(Dr Thomas Quinton) #9

Interestingy it all looks fine from the Windows clients except one special app which needs a share for receiving and sending docs thrue a protected channel.
But from the SUSE client with embeded profiles on the server and also embeded shares (all from the function: YAST/ Windows Domain/ Experts settings) there seems to bee no access.


(Giacomo Sanchietti) #10

I don’t know what are embedded profiles/shares from SUSE.
If you’re talking about accessing the shares using Gnome Nautilus, it never worked for me :slight_smile:

Could you please test the smbclient command from SUSE and report back?
Otherwise we have no clue about the error.


(Dr Thomas Quinton) #11

I will try that and give you the output. Embeded means that there is a posibilty routing the Profil on Suse to the User-Share on the NS by default for all Domain users- as long as it works- perfect and better than a roaming profile.


(Gerald) #12

No, I did not edit the templates.


(nikolaus.herrmann) #13

We have Tested as you told us (iglqut)

smbclient -d 3 -U root@smb.mydomain.at //server/share

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
WARNING: The “idmap gid” option is deprecated
WARNING: The “idmap uid” option is deprecated
added interface eth0 ip=192.168.0.104 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.6.16-git.124.aee309c5c1821.1-SUSE-SLE_12-x86_64).
resolve_lmhosts: Attempting lmhosts lookup for name igl-dc<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name server<0x20>
Connecting to 192.168.0.70 at port 445
got OID=1.2.840.48018.1.2.2
Enter root@smb.mydomain.at’s password: GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘naclrpc_as_system’ registered
GENSEC backend ‘sasl-EXTERNAL’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘ntlmssp_resume_ccache’ registered
GENSEC backend ‘http_basic’ registered
GENSEC backend ‘http_ntlm’ registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62008215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62008215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

Dear giacomo,
What is your suggestion?
Thanks


(Giacomo Sanchietti) #14

It’s probably something related to client configuration.
Let’s do another couple of tests:

  1. Execute the same command above from the NethServer itself and see if it works
  2. Execute this command from the SUSE and copy here the output: testparm -s -v

(nikolaus.herrmann) #15

Test fron Nethserver:
smbclient -d 3 -U root@smb.mydomain.at //server/share

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
Processing section “[global]”
Processing section “[global]”
added interface br0 ip=192.168.0.70 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.8.3).
resolve_lmhosts: Attempting lmhosts lookup for name igl-dc<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name server<0x20>
Connecting to 192.168.0.70 at port 445
got OID=1.2.840.48018.1.2.2


(nikolaus.herrmann) #16

Test fromk SUSE-Client

testparm -s -v
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap uid" option is deprecated
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[users]"
Processing section "[groups]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	bind interfaces only = No
	config backend = file
	dos charset = CP850
	enable core files = Yes
	interfaces = 
	multicast dns register = Yes
	netbios aliases = 
	netbios name = IGLL-ANM
	netbios scope = 
	realm = smb.mydomain.at
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
	server string = Samba 4.6.16-git.124.aee309c5c1821.1-SUSE-SLE_12-x86_64
	share backend = classic
	unix charset = UTF-8
	workgroup = smb
	browse list = Yes
	domain master = Auto
	enhanced browsing = Yes
	lm announce = Auto
	lm interval = 60
	local master = Yes
	os level = 20
	preferred master = Auto
	allow dns updates = secure only
	dns forwarder = 
	dns update command = /usr/sbin/samba_dnsupdate
	machine password timeout = 604800
	nsupdate command = /usr/bin/nsupdate -g
	rndc command = /usr/sbin/rndc
	spn update command = /usr/sbin/samba_spnupdate
	mangle prefix = 1
	mangling method = hash2
	max stat cache size = 256
	stat cache = Yes
	client ldap sasl wrapping = sign
	ldap admin dn = 
	ldap connection timeout = 2
	ldap delete dn = No
	ldap deref = auto
	ldap follow referral = Auto
	ldap group suffix = 
	ldap idmap suffix = 
	ldap machine suffix = 
	ldap page size = 1000
	ldap passwd sync = no
	ldap replication sleep = 1000
	ldap server require strong auth = Yes
	ldap ssl = start tls
	ldap ssl ads = No
	ldap suffix = 
	ldap timeout = 15
	ldap user suffix = 
	lock spin time = 200
	oplock break wait time = 0
	smb2 leases = Yes
	debug class = No
	debug hires timestamp = Yes
	debug pid = No
	debug prefix timestamp = No
	debug uid = No
	ldap debug level = 0
	ldap debug threshold = 10
	log file = 
	logging = 
	log level = 2
	max log size = 5000
	syslog = 1
	syslog only = No
	timestamp logs = Yes
	abort shutdown script = 
	add group script = 
	add machine script = 
	add user script = 
	add user to group script = 
	allow nt4 crypto = No
	delete group script = 
	delete user from group script = 
	delete user script = 
	domain logons = No
	enable privileges = Yes
	init logon delay = 100
	init logon delayed hosts = 
	logon drive = P:
	logon home = \\%L\%U\.9xprofile
	logon path = \\%L\profiles\.msprofile
	logon script = 
	reject md5 clients = No
	set primary group script = 
	shutdown script = 
	add share command = 
	afs token lifetime = 604800
	afs username map = 
	allow insecure wide links = No
	async smb echo handler = No
	auto services = 
	cache directory = /var/lib/samba
	change notify = Yes
	change share command = 
	cluster addresses = 
	clustering = No
	config file = 
	ctdbd socket = 
	ctdb locktime warn threshold = 0
	ctdb timeout = 0
	default service = 
	delete share command = 
	homedir map = auto.home
	kernel change notify = Yes
	lock directory = /var/lib/samba/lock
	log writeable files on exit = No
	message command = 
	nbt client socket address = 0.0.0.0
	ncalrpc dir = /var/run/samba/ncalrpc
	NIS homedir = No
	nmbd bind explicit broadcast = Yes
	panic action = 
	perfcount module = 
	pid directory = /run/samba
	registry shares = No
	remote announce = 
	remote browse sync = 
	reset on zero vc = No
	smbd profiling level = off
	state directory = /var/lib/samba
	usershare allow guests = No
	usershare max shares = 0
	usershare owner only = Yes
	usershare path = /var/lib/samba/usershares
	usershare prefix allow list = 
	usershare prefix deny list = 
	usershare template share = 
	utmp = No
	utmp directory = 
	wtmp directory = 
	addport command = 
	addprinter command = 
	cups connection timeout = 30
	cups encrypt = No
	cups server = 
	deleteprinter command = 
	disable spoolss = No
	enumports command = 
	iprint server = 
	load printers = Yes
	lpq cache time = 30
	os2 driver map = 
	printcap cache time = 750
	printcap name = cups
	show add printer wizard = Yes
	cldap port = 389
	client ipc max protocol = default
	client ipc min protocol = default
	client max protocol = default
	client min protocol = CORE
	client use spnego = Yes
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
	defer sharing violations = Yes
	dgram port = 138
	disable netbios = No
	enable asu support = No
	eventlog list = 
	large readwrite = Yes
	lsa over netlogon = No
	max mux = 50
	max ttl = 259200
	max wins ttl = 518400
	max xmit = 16644
	min receivefile size = 0
	min wins ttl = 21600
	name resolve order = lmhosts wins host bcast
	nbt port = 137
	nt pipe support = Yes
	nt status support = Yes
	read raw = Yes
	rpc big endian = No
	rpc server port = 0
	server max protocol = SMB3
	server min protocol = LANMAN1
	server multi channel support = No
	smb2 max credits = 8192
	smb2 max read = 8388608
	smb2 max trans = 8388608
	smb2 max write = 8388608
	smb ports = 445 139
	svcctl list = 
	time server = No
	unicode = Yes
	unix extensions = Yes
	use spnego = Yes
	web port = 901
	write raw = Yes
	algorithmic rid base = 1000
	allow dcerpc auth level connect = No
	allow trusted domains = Yes
	auth methods = 
	check password script = 
	client ipc signing = default
	client lanman auth = No
	client NTLMv2 auth = Yes
	client plaintext auth = No
	client schannel = Auto
	client signing = default
	client use spnego principal = No
	dedicated keytab file = 
	encrypt passwords = Yes
	guest account = nobody
	kerberos encryption types = all
	kerberos method = secrets and keytab
	kpasswd port = 464
	krb5 port = 88
	lanman auth = No
	log nt token command = 
	map to guest = Bad User
	map untrusted to domain = No
	ntlm auth = No
	ntp signd socket directory = /var/lib/samba/ntp_signd
	null passwords = No
	obey pam restrictions = No
	old password allowed period = 60
	pam password change = No
	passdb backend = tdbsam
	passdb expand explicit = No
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	passwd chat timeout = 2
	passwd program = 
	password hash gpg key ids = 
	password server = *
	preload modules = 
	private dir = /var/lib/samba/private
	raw NTLMv2 auth = No
	rename user script = 
	restrict anonymous = 0
	root directory = 
	samba kcc command = /usr/sbin/samba_kcc
	security = ADS
	server role = auto
	server schannel = Auto
	server signing = default
	smb passwd file = /var/lib/samba/private/smbpasswd
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = tls/key.pem
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible
	unix password sync = No
	username level = 0
	username map = 
	username map cache time = 0
	username map script = 
	aio max threads = 100
	deadtime = 0
	getwd cache = Yes
	hostname lookups = No
	keepalive = 300
	max disk size = 0
	max open files = 16384
	max smbd processes = 0
	name cache timeout = 660
	socket options = TCP_NODELAY
	use mmap = Yes
	get quota command = 
	host msdfs = Yes
	set quota command = 
	create krb5 conf = Yes
	idmap backend = tdb
	idmap cache time = 604800
	idmap gid = 10000-20000
	idmap negative cache time = 120
	idmap uid = 10000-20000
	include system krb5 conf = Yes
	neutralize nt4 emulation = No
	reject md5 servers = No
	require strong key = Yes
	template homedir = /home/%D/%U
	template shell = /bin/bash
	winbind cache time = 300
	winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
	winbindd socket directory = /var/run/samba/winbindd
	winbind enum groups = No
	winbind enum users = No
	winbind expand groups = 0
	winbind max clients = 200
	winbind max domain connections = 1
	winbind nested groups = Yes
	winbind normalize names = No
	winbind nss info = template
	winbind offline logon = Yes
	winbind reconnect delay = 30
	winbind refresh tickets = Yes
	winbind request timeout = 60
	winbind rpc only = No
	winbind sealed pipes = Yes
	winbind separator = \
	winbind trusted domains only = No
	winbind use default domain = No
	dns proxy = Yes
	wins hook = 
	wins proxy = No
	wins server = 
	wins support = No
	idmap config * : range = 10000-20000
	idmap config * : backend = tdb
	comment = 
	path = 
	administrative share = No
	browseable = Yes
	case sensitive = Auto
	default case = lower
	delete veto files = No
	hide dot files = Yes
	hide files = 
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	mangled names = Yes
	mangling char = ~
	map archive = Yes
	map hidden = No
	map readonly = yes
	map system = No
	preserve case = Yes
	short preserve case = Yes
	store dos attributes = No
	veto files = 
	veto oplock files = 
	blocking locks = Yes
	csc policy = manual
	fake oplocks = No
	kernel oplocks = No
	kernel share modes = Yes
	level2 oplocks = Yes
	locking = Yes
	oplock contention limit = 2
	oplocks = Yes
	posix locking = Yes
	strict locking = Auto
	afs share = No
	available = Yes
	copy = 
	delete readonly = No
	dfree cache time = 0
	dfree command = 
	directory name cache size = 100
	dmapi support = No
	dont descend = 
	dos filemode = No
	dos filetime resolution = No
	dos filetimes = Yes
	fake directory create times = No
	follow symlinks = Yes
	fstype = NTFS
	include = 
	magic output = 
	magic script = 
	postexec = 
	preexec = 
	preexec close = No
	root postexec = 
	root preexec = 
	root preexec close = No
	spotlight = No
	volume = 
	wide links = No
	cups options = raw
	default devmode = Yes
	force printername = No
	lppause command = 
	lpq command = %p
	lpresume command = 
	lprm command = 
	max print jobs = 1000
	max reported print jobs = 0
	printable = No
	print command = 
	printer name = 
	printing = cups
	printjob username = %U
	print notify backchannel = No
	queuepause command = 
	queueresume command = 
	use client driver = No
	acl allow execute always = No
	acl check permissions = Yes
	acl map full control = Yes
	durable handles = Yes
	ea support = No
	map acl inherit = No
	nt acl support = Yes
	profile acls = No
	access based share enum = No
	acl group control = No
	admin users = 
	create mask = 0744
	directory mask = 0755
	force create mode = 0000
	force directory mode = 0000
	force group = 
	force unknown acl user = No
	force user = 
	guest ok = No
	guest only = No
	hosts allow = 
	hosts deny = 
	inherit acls = No
	inherit owner = no
	inherit permissions = No
	invalid users = 
	read list = 
	read only = Yes
	smb encrypt = default
	valid users = 
	write list = 
	aio read size = 0
	aio write behind = 
	aio write size = 0
	allocation roundup size = 1048576
	block size = 1024
	max connections = 0
	min print space = 0
	strict allocate = No
	strict rename = No
	strict sync = No
	sync always = No
	use sendfile = No
	write cache size = 0
	msdfs proxy = 
	msdfs root = No
	msdfs shuffle referrals = No
	ntvfs handler = unixuid, default
	vfs objects = 


[homes]
	comment = Home Directories
	browseable = No
	inherit acls = Yes
	read only = No
	valid users = %S %D%w%S


[profiles]
	comment = Network Profiles Service
	path = %H
	store dos attributes = Yes
	create mask = 0600
	directory mask = 0700
	read only = No


[users]
	comment = All users
	path = /home
	veto files = /aquota.user/groups/shares/
	inherit acls = Yes
	read only = No


[groups]
	comment = All groups
	path = /home/groups
	inherit acls = Yes
	read only = No


[printers]
	comment = All Printers
	path = /var/tmp
	browseable = No
	printable = Yes
	create mask = 0600


[print$]
	comment = Printer Drivers
	path = /var/lib/samba/drivers
	create mask = 0664
	directory mask = 0775
	force group = ntadmin
	write list = @ntadmin root

(Davide Principi) #17

The output seems truncated: does it succeed?

Furthermore “root@smb.mydomain.at” is not an AD user and is not mapped in nethserver to any Samba user.


(Gerald) #18

my output when I type it in the console:

[root@openzwo ~]# smbclient -d 3 -U gerald.musch@nandlnet.de //openzwo/ablage
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[global]"
Processing section "[global]"
added interface enp0s20u1u4 ip=2003:d8:6bc5:3400:8eae:4cff:fefe:194 bcast= netmask=ffff:ffff:ffff:ffff::
added interface enp0s20u1u4 ip=192.168.20.3 bcast=192.168.20.255 netmask=255.255.255.0
added interface br0 ip=192.168.200.10 bcast=192.168.200.255 netmask=255.255.255.0
added interface br0.11 ip=192.168.222.10 bcast=192.168.222.255 netmask=255.255.255.0
Client started (version 4.8.3).
resolve_lmhosts: Attempting lmhosts lookup for name openzwo<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name openzwo<0x20>
Connecting to 192.168.200.10 at port 445
got OID=1.2.840.48018.1.2.2
Enter gerald.musch@nandlnet.de's password: 
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Try "help" to get a list of possible commands.
smb: \>

(Gerald) #19

and the next output testparm -s -v

	ntlm auth = ntlmv2-only
	nt pipe support = Yes
	ntp signd socket directory = /var/lib/samba/ntp_signd
	nt status support = Yes
	null passwords = No
	obey pam restrictions = Yes
	old password allowed period = 60
	oplock break wait time = 0
	os2 driver map = 
	os level = 20
	pam password change = No
	panic action = 
	passdb backend = tdbsam
	passdb expand explicit = No
	passwd chat = *new*password* %n\n *new*password* %n\n *changed*
	passwd chat debug = No
	passwd chat timeout = 2
	passwd program = 
	password hash gpg key ids = 
	password hash userPassword schemes = 
	password server = *
	perfcount module = 
	pid directory = /run
	preferred master = Auto
	prefork children = 1
	preload modules = 
	printcap cache time = 750
	printcap name = cups
	private dir = /var/lib/samba/private
	raw NTLMv2 auth = No
	read raw = Yes
	realm = NANDLNET.DE
	registry shares = No
	reject md5 clients = No
	reject md5 servers = No
	remote announce = 
	remote browse sync = 
	rename user script = 
	require strong key = Yes
	reset on zero vc = No
	restrict anonymous = 0
	rndc command = /usr/sbin/rndc
	root directory = 
	rpc big endian = No
	rpc server dynamic port range = 49152-65535
	rpc server port = 0
	samba kcc command = /usr/sbin/samba_kcc
	security = ADS
	server max protocol = SMB3
	server min protocol = LANMAN1
	server multi channel support = No
	server role = auto
	server schannel = Yes
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
	server signing = default
	server string = NethServer 7.6.1810 final (Samba %v)
	set primary group script = 
	set quota command = 
	share backend = classic
	show add printer wizard = Yes
	shutdown script = 
	smb2 leases = Yes
	smb2 max credits = 8192
	smb2 max read = 8388608
	smb2 max trans = 8388608
	smb2 max write = 8388608
	smbd profiling level = off
	smb passwd file = /var/lib/samba/private/smbpasswd
	smb ports = 445 139
	socket options = TCP_NODELAY
	spn update command = /usr/sbin/samba_spnupdate
	stat cache = Yes
	state directory = /var/lib/samba
	svcctl list = 
	syslog = 1
	syslog only = No
	template homedir = /home/%D/%U
	template shell = /bin/false
	time server = No
	timestamp logs = Yes
	tls cafile = tls/ca.pem
	tls certfile = tls/cert.pem
	tls crlfile = 
	tls dh params file = 
	tls enabled = Yes
	tls keyfile = tls/key.pem
	tls priority = NORMAL:-VERS-SSL3.0
	tls verify peer = as_strict_as_possible
	unicode = Yes
	unix charset = UTF-8
	unix extensions = Yes
	unix password sync = No
	use mmap = Yes
	username level = 0
	username map = 
	username map cache time = 0
	username map script = 
	usershare allow guests = No
	usershare max shares = 0
	usershare owner only = Yes
	usershare path = /var/lib/samba/usershares
	usershare prefix allow list = 
	usershare prefix deny list = 
	usershare template share = 
	utmp = No
	utmp directory = 
	web port = 901
	winbind cache time = 300
	winbindd socket directory = /run/samba/winbindd
	winbind enum groups = No
	winbind enum users = No
	winbind expand groups = 0
	winbind max clients = 200
	winbind max domain connections = 1
	winbind nested groups = Yes
	winbind normalize names = No
	winbind nss info = template
	winbind offline logon = No
	winbind reconnect delay = 30
	winbind refresh tickets = No
	winbind request timeout = 60
	winbind rpc only = No
	winbind scan trusted domains = Yes
	winbind sealed pipes = Yes
	winbind separator = \
	winbind use default domain = No
	wins hook = 
	wins proxy = No
	wins server = 
	wins support = No
	workgroup = NANDLNET
	write raw = Yes
	wtmp directory = 
	idmap config nandlnet : range = 200000-2147483647
	idmap config nandlnet : backend = nss
	idmap config * : range = 10000-99999
	idmap config * : backend = tdb
	access based share enum = No
	acl allow execute always = No
	acl check permissions = Yes
	acl group control = No
	acl map full control = Yes
	administrative share = No
	admin users = 
	afs share = No
	aio read size = 1
	aio write behind = 
	aio write size = 1
	allocation roundup size = 1048576
	available = Yes
	blocking locks = Yes
	block size = 1024
	browseable = Yes
	case sensitive = Auto
	comment = 
	copy = 
	create mask = 0744
	csc policy = manual
	cups options = 
	default case = lower
	default devmode = Yes
	delete readonly = No
	delete veto files = No
	dfree cache time = 0
	dfree command = 
	directory mask = 0755
	directory name cache size = 100
	dmapi support = No
	dont descend = 
	dos filemode = No
	dos filetime resolution = No
	dos filetimes = Yes
	durable handles = Yes
	ea support = No
	fake directory create times = No
	fake oplocks = No
	follow symlinks = Yes
	force create mode = 0000
	force directory mode = 0000
	force group = 
	force printername = No
	force unknown acl user = No
	force user = 
	fstype = NTFS
	guest ok = No
	guest only = No
	hide dot files = Yes
	hide files = 
	hide special files = No
	hide unreadable = No
	hide unwriteable files = No
	hosts allow = 
	hosts deny = 
	include = 
	inherit acls = No
	inherit owner = windows and unix
	inherit permissions = No
	invalid users = 
	kernel oplocks = No
	kernel share modes = Yes
	level2 oplocks = Yes
	locking = Yes
	lppause command = 
	lpq command = %p
	lpresume command = 
	lprm command = 
	magic output = 
	magic script = 
	mangled names = yes
	mangling char = ~
	map acl inherit = No
	map archive = Yes
	map hidden = No
	map readonly = yes
	map system = No
	max connections = 0
	max print jobs = 1000
	max reported print jobs = 0
	min print space = 0
	msdfs proxy = 
	msdfs root = No
	msdfs shuffle referrals = No
	nt acl support = Yes
	ntvfs handler = unixuid, default
	oplocks = Yes
	path = 
	posix locking = Yes
	postexec = 
	preexec = 
	preexec close = No
	preserve case = Yes
	printable = No
	print command = 
	printer name = 
	printing = cups
	printjob username = %U
	print notify backchannel = No
	queuepause command = 
	queueresume command = 
	read list = 
	read only = Yes
	root postexec = 
	root preexec = 
	root preexec close = No
	short preserve case = Yes
	smb encrypt = default
	spotlight = No
	store dos attributes = No
	strict allocate = No
	strict locking = Auto
	strict rename = No
	strict sync = Yes
	sync always = No
	use client driver = No
	use sendfile = No
	valid users = 
	veto files = 
	veto oplock files = 
	vfs objects = 
	volume = 
	wide links = No
	write cache size = 0
	write list = 


[printers]
	browseable = No
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	use client driver = Yes


[homes]
	comment = Home directories
	create mask = 0660
	directory mask = 0770
	force create mode = 0660
	force directory mode = 0770
	read only = No


[print$]
	comment = Printer drivers
	guest ok = Yes
	path = /var/lib/nethserver/print_driver


[netlogon]
	comment = Network Logon Service
	guest ok = Yes
	path = /var/lib/nethserver/netlogon
	read only = No


[ablage]
	comment = allgemeine Ablage
	create mask = 0664
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/ablage
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache


[bilder]
	comment = in Stein gemeisselt
	create mask = 0664
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/bilder
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache


[filme]
	comment = bewegte Bilder
	create mask = 0664
	guest ok = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/filme
	read only = No
	store dos attributes = Yes


[login]
	comment = Skripte
	create mask = 0664
	guest ok = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/login
	read only = No
	store dos attributes = Yes


[lumix]
	comment = Kamera
	create mask = 0664
	guest ok = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/lumix
	read only = No
	store dos attributes = Yes


[musik]
	comment = was auf die Ohren
	create mask = 0664
	guest ok = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/musik
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache


[nadelundfaden]
	comment = Anika's Paradies
	create mask = 0664
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/nadelundfaden
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache


[pdf]
	comment = PDF Ablage
	create mask = 0664
	guest ok = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/pdf
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache


[privatxxx]
	comment = nur für Mama & Papa
	create mask = 0664
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/privatxxx
	read only = No
	store dos attributes = Yes


[scanner]
	comment = Ablage Scanner
	create mask = 0664
	guest ok = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/scanner
	read only = No
	store dos attributes = Yes


[thw]
	comment = Gerald's Arbeitsverzeichnis
	create mask = 0664
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/thw
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache


[tipp10]
	comment = Dianas Schreibprogramm
	create mask = 0664
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	map archive = No
	map readonly = no
	path = /var/lib/nethserver/ibay/tipp10
	read only = No
	store dos attributes = Yes
	vfs objects = recycle
	recycle: exclude = *.tmp,*.temp,*.o,*.obj,~$*
	recycle: directory_mode = 0770
	recycle: touch = True
	recycle: keeptree = True
	recycle: versions = True
	recycle: repository = Recycle Bin
	recycle: exclude_dir = /tmp,/temp,/cache

(nikolaus.herrmann) #20

Sorry,
I tested with a normal user at Nethserver and it seems to be Ok.
I will try same in a minute at SUSE

smbclient -d 3 -U myuser@smb.mydomain.at //server/share

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
Processing section “[global]”
Processing section “[global]”
added interface br0 ip=192.168.0.70 bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.8.3).
resolve_lmhosts: Attempting lmhosts lookup for name igl-dc<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name igl-dc<0x20>
Connecting to 192.168.0.70 at port 445
got OID=1.2.840.48018.1.2.2
Enter myuser@smb.mydomain.at 's password:
GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘naclrpc_as_system’ registered
GENSEC backend ‘sasl-EXTERNAL’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘ntlmssp_resume_ccache’ registered
GENSEC backend ‘http_basic’ registered
GENSEC backend ‘http_ntlm’ registered
GENSEC backend ‘http_negotiate’ registered
Try “help” to get a list of possible commands.
smb: >
smb: > ls
dos_clean_name [*]
unix_clean_name [*]
. D 0 Mon Dec 17 17:04:57 2018
… D 0 Mon Dec 3 13:11:47 2018
software D 0 Mon Mar 20 17:04:11 2017
Other Dir’s and Files

            893728388 blocks of size 1024. 507048796 blocks available

Total bytes listed: 4779870
smb: > ^C