Hi Alexander,
Finally succeeded in making it work with the following configuration on the FreeIPA server.

[global]
    workgroup = MYDOMAIN.LOCAL
    netbios name = MYSERVER
    realm = MYDOMAIN.LOCAL
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
    create krb5 conf = no
    security = user
    domain master = yes
    domain logons = yes
    max log size = 100000
    log file = /var/log/samba/log.%m
    rpc_server:epmapper = external
    rpc_server:lsarpc = external
    rpc_server:lsass = external
    rpc_server:lsasd = external
    rpc_server:samr = external
    rpc_server:netlogon = external
    rpc_server:tcpip = yes
    rpc_daemon:epmd = fork
    rpc_daemon:lsasd = fork
    smb ports = 139 445
    log level = 10

[scratch]
    path = /data/scratch
    comment = Scratch shared files
    read only = no
    browseable = yes
    guest ok = no
    create mask = 0644

I commented out the following from the global section:

        ;passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
        ;disable spoolss = yes
        ;ldapsam:trusted = yes
        ;ldap ssl = off
        ;ldap suffix = dc=mydomain,dc=local
        ;ldap user suffix = cn=users,cn=accounts
        ;ldap group suffix = cn=groups,cn=accounts
        ;ldap machine suffix = cn=computers,cn=accounts


Any idea why this was causing trouble?

The smbstatus below shows several '.' as well as a file that I'm accessing.

Samba version 4.9.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing             
----------------------------------------------------------------------------------------------------------------------------------------
23252   beauduin     mydomain     10.0.21.247 (ipv4:10.0.21.247:39798)      SMB3_02           -                    partial(AES-128-CMAC)
23253   baina        mydomain     10.0.21.251 (ipv4:10.0.21.251:62736)      SMB3_02           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing    
---------------------------------------------------------------------------------------------
scratch      23252   10.0.21.247   Wed Mar 13 10:16:14 AM 2019 CET  -            -          
scratch      23253   10.0.21.251   Wed Mar 13 10:16:17 AM 2019 CET  -            -          
public       23252   10.0.21.247   Wed Mar 13 10:16:21 AM 2019 CET  -            -          

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
23252        1010       DENY_NONE  0x100081    RDONLY     NONE             /data/public   .   Wed Mar 13 10:16:21 2019
23252        1010       DENY_WRITE 0x120089    RDONLY     LEASE(RWH)       /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23252        1010       DENY_NONE  0x120080    RDONLY     LEASE(RWH)       /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23252        1010       DENY_NONE  0x120089    RDONLY     LEASE(RWH)       /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23253        1011       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:16:16 2019
23252        1010       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:16:20 2019
23253        1011       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:16:16 2019
23252        1010       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:16:22 2019
23252        1010       DENY_NONE  0x1000a0    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:19:24 2019


Also, when I check the "Security" tab in the properties of a file in the FreeIPA server's share /data/scratch on Windows, the user and group SIDs are not resolved.
My desktop is also a Samba server, and there the SIDs are resolved.

What could be the cause of this non-resolution of the SIDs?

Thank you.

Regards,
F
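The smbstatus "Locked files:" table above is easier to reason about once the rows are parsed and the hexadecimal Access column is decoded into NT access rights: smbd lists an open handle on the share root itself as "." (Windows clients hold one for directory enumeration and change notification), and 0x100081 is FILE_READ_DATA (FILE_LIST_DIRECTORY on a directory) | FILE_READ_ATTRIBUTES | SYNCHRONIZE. The following parser is an added example written for this page; it is not code from the thread or from Samba. It assumes the column layout shown above (Samba 4.9), that SharePath contains no spaces, and uses hypothetical helper names; the sample rows are constructed after the output above, with an invented notes.txt row to show an open carrying write rights.

```python
from collections import defaultdict

# NT access-mask bits as printed in smbstatus' "Access" column. The low bits
# have directory-specific aliases (noted in comments) because the same bit
# means both, e.g. FILE_READ_DATA on a file is FILE_LIST_DIRECTORY on a directory.
ACCESS_BITS = [
    (0x00000001, "FILE_READ_DATA"),        # FILE_LIST_DIRECTORY
    (0x00000002, "FILE_WRITE_DATA"),       # FILE_ADD_FILE
    (0x00000004, "FILE_APPEND_DATA"),      # FILE_ADD_SUBDIRECTORY
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),          # FILE_TRAVERSE
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),
    (0x02000000, "MAXIMUM_ALLOWED"),
    (0x10000000, "GENERIC_ALL"),
    (0x20000000, "GENERIC_EXECUTE"),
    (0x40000000, "GENERIC_WRITE"),
    (0x80000000, "GENERIC_READ"),
]

# Any of these bits lets the holder change the object or its security descriptor.
WRITE_MASK = (0x00000002 | 0x00000004 | 0x00000010 | 0x00000040 | 0x00000100
              | 0x00010000 | 0x00040000 | 0x00080000 | 0x10000000 | 0x40000000)


def decode_access(mask: int) -> list:
    """Expand an access mask into the names of the rights it grants."""
    return [name for bit, name in ACCESS_BITS if mask & bit]


def parse_locked_files(text: str) -> list:
    """Parse the 'Locked files:' table of smbstatus (layout as in Samba 4.9).

    Assumption: SharePath contains no spaces. Name may contain spaces; it is
    everything between SharePath and the five-token timestamp at the end.
    """
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Locked files:"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith(("Pid", "---")):
            continue
        tok = line.split()
        if len(tok) < 13:   # 7 fixed columns + at least 1 name token + 5 time tokens
            continue
        pid, uid, deny, access, rw, oplock, share_path = tok[:7]
        rows.append({
            "pid": int(pid), "uid": int(uid), "deny_mode": deny,
            "access": int(access, 16), "rw": rw, "oplock": oplock,
            "share_path": share_path, "name": " ".join(tok[7:-5]),
            "time": " ".join(tok[-5:]),
        })
    return rows


def summarize(rows: list) -> dict:
    """Per smbd PID: how many share-root directory handles ('.') are open,
    which files are open, and which opens carry any write right."""
    per_pid = defaultdict(lambda: {"dir_handles": 0, "files": [], "write_opens": []})
    for r in rows:
        entry = per_pid[r["pid"]]
        full = r["share_path"] + "/" + r["name"]
        if r["name"] == ".":
            entry["dir_handles"] += 1   # the share root itself, held open by the client
        elif full not in entry["files"]:
            entry["files"].append(full)
        if r["access"] & WRITE_MASK:
            entry["write_opens"].append(full)
    return dict(per_pid)


# Constructed sample modeled on the output in the thread; the notes.txt row is
# invented to show an open with write access.
SAMPLE = """\
Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
23252        1010       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:16:20 2019
23252        1010       DENY_WRITE 0x120089    RDONLY     LEASE(RWH)       /data/scratch   Time-Shift Project.docx   Wed Mar 13 10:19:23 2019
23253        1011       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Wed Mar 13 10:16:16 2019
23253        1011       DENY_NONE  0x12019f    RDWR       LEASE(RWH)       /data/scratch   notes.txt   Wed Mar 13 10:20:01 2019
"""

if __name__ == "__main__":
    for pid, info in sorted(summarize(parse_locked_files(SAMPLE)).items()):
        print(pid, info)
    for r in parse_locked_files(SAMPLE):
        print(f"{r['pid']} {r['name']!r:28} {r['access']:#010x} {' | '.join(decode_access(r['access']))}")
```

Feed it `smbstatus` output captured to a file, or pipe `smbstatus -L` into it; the same parser works on the session table only after adjusting the fixed-column count, since that table uses a different timestamp format (the session table above also records Encryption "-" for both connections, i.e. no SMB encryption was negotiated, only partial signing).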

On Tue, Mar 12, 2019 at 7:44 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Tue, 12 Mar 2019, fujisan wrote:
>This is strange as /data and /tmp are 2 partitions on my server and scratch
>is a directory in /data
>
>/dev/mapper/fedora-data 2832342640 946566920 1741877916  36% /data
>/dev/mapper/fedora-tmp   153769424     61780  145826940   1% /tmp
>
># ls -l /data/
>total 52
>drwxrwx---.  5 root     staff  4096 Mar 11 13:02 scratch
>
>There is absolutely no symlink involved here.
That's what the log says, I'm not inventing anything here. :)

>Locked files:
>Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
>--------------------------------------------------------------------------------------------------
>20533        1011       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Tue Mar 12 18:29:06 2019
>20533        1011       DENY_NONE  0x100081    RDONLY     NONE             /data/scratch   .   Tue Mar 12 18:29:06 2019
Note this '.' file? This is what smbd complains about.

As far as the rest of configuration is concerned, it seems that you are
using NTLMSSP to login to smbd and it works. Also, since smbd is able to
pull the data from LDAP, its own cifs/... principal for
/etc/samba/samba.keytab is just fine.



>Regards
>F
>
>On Tue, Mar 12, 2019 at 7:04 PM Alexander Bokovoy <abokovoy@redhat.com>
>wrote:
>
>> On Tue, 12 Mar 2019, fujisan wrote:
>> >I added a share in smb.conf.regedit, then I imported the file with net conf
>> >import smb.conf.regedit.
>> >I send you another tar file at your email.
>> >
>> >Regards
>> >F
>> >
>> ># net conf list
>> >
>> >[global]
>> >    workgroup = MYDOMAIN.LOCAL
>> >    netbios name = MYSERVER
>> >    realm = MYDOMAIN.LOCAL
>> >    kerberos method = dedicated keytab
>> >    dedicated keytab file = /etc/samba/samba.keytab
>> >    create krb5 conf = no
>> >    security = user
>> >    domain master = yes
>> >    domain logons = yes
>> >    max log size = 100000
>> >    log file = /var/log/samba/log.%m
>> >    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN-LOCAL.socket
>> >    disable spoolss = yes
>> >    ldapsam:trusted = yes
>> >    ldap ssl = off
>> >    ldap suffix = dc=mydomain,dc=local
>> >    ldap user suffix = cn=users,cn=accounts
>> >    ldap group suffix = cn=groups,cn=accounts
>> >    ldap machine suffix = cn=computers,cn=accounts
>> >    rpc_server:epmapper = external
>> >    rpc_server:lsarpc = external
>> >    rpc_server:lsass = external
>> >    rpc_server:lsasd = external
>> >    rpc_server:samr = external
>> >    rpc_server:netlogon = external
>> >    rpc_server:tcpip = yes
>> >    rpc_daemon:epmd = fork
>> >    rpc_daemon:lsasd = fork
>> >    log level = 10
>> >
>> >[scratch]
>> >    path = /data/scratch
>> >    comment = Scratch shared files
>> >    create mask = 0644
>> >    invalid users = opera
>>
>> Thanks. However, Samba says /data/scratch is a symlink to /tmp which is
>> outside of the share and therefore fails:
>>
>> [2019/03/12 18:29:40.679585,  2, pid=20580, effective(1024, 1023), real(1024, 0), class=vfs] ../source3/smbd/vfs.c:1305(check_reduced_name)
>>   check_reduced_name: Bad access attempt: . is a symlink outside the share path
>>   conn_rootdir =/data/scratch
>>   resolved_name=/tmp
>> [2019/03/12 18:29:40.679613,  5, pid=20580, effective(1024, 1023), real(1024, 0)] ../source3/smbd/filename.c:1271(check_name)
>>   check_name: name . failed with NT_STATUS_ACCESS_DENIED
>>
>> Maybe you can try with /data/scratch not being a symlink. Samba is
>> pretty serious about not allowing wide symlinks by default.
>>
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>>

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
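The check_reduced_name log lines quoted above show the containment rule smbd applies by default: every path a client opens is resolved through its symlinks and must still lie under conn_rootdir, which is the share root as configured, not resolved; that is why a share root that is itself a symlink (/data/scratch -> /tmp) fails even for ".". The script below reproduces that rule on a constructed directory tree. It is an added example written for this page, not Samba's code; the function and directory names are hypothetical, and `wide_links=True` stands in for what `wide links = yes` does (skip the check), so the reader can see what that setting gives up.

```python
import os
import tempfile

# Re-implementation of the containment rule behind Samba's check_reduced_name()
# (added example, not Samba's code): a name is acceptable only if, after every
# symlink is resolved, it still lies under the share root as configured.
def reduced_name_ok(conn_rootdir: str, name: str, wide_links: bool = False) -> bool:
    """Return True if `name` (relative to the share) resolves inside the share.

    wide_links=True mimics `wide links = yes`, which disables the containment
    check; a client can then reach any path a symlink inside the share points at.
    """
    if wide_links:
        return True
    resolved = os.path.realpath(os.path.join(conn_rootdir, name))
    root = conn_rootdir.rstrip(os.sep) or os.sep        # conn_rootdir is NOT realpath'd
    return resolved == root or resolved.startswith(root + os.sep)


def build_demo(base: str) -> dict:
    """Lay out a constructed tree under `base` (all names are made up):

    base/real_share/            a normal directory used as a share root
    base/real_share/inside.txt  a regular file
    base/real_share/escape  ->  base/outside  (symlink leaving the share)
    base/outside/secret.txt     something the share must not expose
    base/link_share         ->  base/outside  (share root that is itself a symlink,
                                               like /data/scratch -> /tmp in the thread)
    """
    base = os.path.realpath(base)          # avoid /tmp-style aliasing in the comparison
    real_share = os.path.join(base, "real_share")
    outside = os.path.join(base, "outside")
    os.makedirs(real_share)
    os.makedirs(outside)
    with open(os.path.join(real_share, "inside.txt"), "w") as f:
        f.write("ok\n")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("must not leak\n")
    os.symlink(outside, os.path.join(real_share, "escape"))
    link_share = os.path.join(base, "link_share")
    os.symlink(outside, link_share)
    return {"real_share": real_share, "link_share": link_share}


def run_demo() -> dict:
    """Evaluate the names a client might open; returns label -> allowed."""
    with tempfile.TemporaryDirectory() as base:
        p = build_demo(base)
        return {
            "real_share/.": reduced_name_ok(p["real_share"], "."),
            "real_share/inside.txt": reduced_name_ok(p["real_share"], "inside.txt"),
            "real_share/escape/secret.txt": reduced_name_ok(p["real_share"], "escape/secret.txt"),
            "real_share/escape/secret.txt (wide links)":
                reduced_name_ok(p["real_share"], "escape/secret.txt", wide_links=True),
            "link_share/.": reduced_name_ok(p["link_share"], "."),
        }


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        verdict = "ALLOW" if allowed else "DENY  (NT_STATUS_ACCESS_DENIED)"
        print(f"{verdict:34} {label}")
```

The last case is the one in the thread: with the share root pointing outside itself, even the root directory handle "." resolves to /tmp and is refused, which is exactly what the client saw. The fix is the one suggested above (make the share path a real directory); loosening `wide links` would make the escape case pass as well, so it is not the answer.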