[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Sat Jul 26 02:10:23 MDT 2014


On 26/07/14 03:07, Ryan Ashley wrote:
> As per suggestion, I deleted the TDB files after a reboot, then 
> brought up nmbd, smbd, and winbindd. All TDB files were regenerated 
> but the problem persists. I can resolve AD groups with wbinfo, but 
> share access appears to only be granted to the owner. I need this 
> fixed ASAP. I am out of ideas now.
>
>
> On 7/25/2014 5:00 PM, Dale Schroeder wrote:
>> I'll reply to you offline also, as these comments are fairly 
>> insignificant.
>>
>> On 07/25/2014 7:51 AM, Ryan Ashley wrote:
>>> You are correct. I forgot to change it. Chalk it up to being 
>>> exhausted when I did this. I will make the change now. Could this 
>>> cause my issues though?
>> In a word, yes.  It appears to be essential.
>>
>> To answer the question in your list email, if you should have any 
>> further problems, the cache tdb's may have to be regenerated. There 
>> are probably some SAMDOM entries in the default backend, but this may 
>> never be an issue since the domain doesn't exist.  Beyond that, I 
>> can't offer any specific advice because I don't have the ability to 
>> use the ad backend here.  We have no Samba DC's nor Windows DC's with 
>> SFU installed.
>>
>> Good luck,
>> Dale
>>
>>>
>>> On 07/24/2014 03:41 PM, Dale Schroeder wrote:
>>>> Ryan,
>>>>
>>>> Assuming this is a verbatim copy of your config, should not "idmap 
>>>> config SAMDOM" actually be "idmap config TRUEVINE"?
>>>>
>>>> Dale
>>>>
>>>> On 07/24/2014 10:25 AM, Ryan Ashley wrote:
>>>>> I have been using Samba4 for ages and love it as a DC and a 
>>>>> print-server. I just set up my first member-server designed solely 
>>>>> to host file shares, and have hit an issue. Group policy is 
>>>>> mapping it correctly for the users in the group, but those users 
>>>>> are getting an access denied message from their Windows 7 Pro 
>>>>> 64-bit clients when accessing the share. I have configured ACLs and 
>>>>> the box resolves users and groups. Everything works, except for 
>>>>> the shares. Below I attached all of the information I believe to 
>>>>> be useful. Ask if you need more, and thank you for your help!
>>>>>
>>>>> smb.conf:
>>>>> ======
>>>>> [global]
>>>>>   netbios name = FS01
>>>>>   workgroup = TRUEVINE
>>>>>   security = ADS
>>>>>   realm = TRUEVINE.LAN
>>>>>   encrypt passwords = yes
>>>>>
>>>>>   idmap config *:backend = tdb
>>>>>   idmap config *:range = 70001-80000
>>>>>   idmap config SAMDOM:backend = ad
>>>>>   idmap config SAMDOM:schema_mode = rfc2307
>>>>>   idmap config SAMDOM:range = 500-40000
>>>>>
>>>>>   winbind nss info = rfc2307
>>>>>   winbind trusted domains only = no
>>>>>   winbind use default domain = yes
>>>>>   winbind enum users = yes
>>>>>   winbind enum groups = yes
>>>>>
>>>>>   vfs objects = acl_xattr
>>>>>   map acl inherit = yes
>>>>>   store dos attributes = yes
>>>>>   auth methods = winbind
>>>>>
>>>>> [install$]
>>>>>   path = /home/shared/install
>>>>>   comment = "Software installation files"
>>>>>   read only = no
>>>>>
>>>>> [staff$]
>>>>>   path = /home/shared/staff
>>>>>   comment = "Staff file share"
>>>>>   read only = no
>>>>>
>>>>> [fbc$]
>>>>>   path = /home/shared/fbc
>>>>>   comment = "Family Bible College file share"
>>>>>   read only = no
>>>>>
>>>>>
>>>>>
>>>>> ACL List:
>>>>> ======
>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/staff/
>>>>> # owner: reachfp
>>>>> # group: administration
>>>>> # flags: ss-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:administration:rwx
>>>>> group:domain\040admins:rwx
>>>>> group:70028:rwx
>>>>> mask::rwx
>>>>> other::rwx
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:administration:rwx
>>>>> default:group:domain\040admins:rwx
>>>>> default:group:70028:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/fbc/
>>>>> # owner: reachfp
>>>>> # group: fbc
>>>>> # flags: ss-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:fbc:rwx
>>>>> group:domain\040admins:rwx
>>>>> group:70028:rwx
>>>>> mask::rwx
>>>>> other::rwx
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:fbc:rwx
>>>>> default:group:domain\040admins:rwx
>>>>> default:group:70028:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>>
>>>>>
>>>>> NSSwitch:
>>>>> ======
>>>>> # /etc/nsswitch.conf
>>>>> #
>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>
>>>>> passwd:         compat winbind
>>>>> group:          compat winbind
>>>>> shadow:         compat
>>>>>
>>>>> hosts:          files dns
>>>>> networks:       files
>>>>>
>>>>> protocols:      db files
>>>>> services:       db files
>>>>> ethers:         db files
>>>>> rpc:            db files
>>>>>
>>>>> netgroup:       nis
>>>>>
>>>>>
>>>>>
>>>>> FS Permissions:
>>>>> ==========
>>>>> root at fs01:~# l /home/shared
>>>>> total 40
>>>>> drwsrwsrwx+  6 reachfp fbc             4096 Jul 23 11:31 fbc
>>>>> drwsrws---+  8 reachfp domain admins   4096 Jul 23 11:14 install
>>>>> drwx------   2 root    root           16384 Jul 15 10:00 lost+found
>>>>> drwsrwsrwx+ 13 reachfp administration  4096 Jul 23 11:30 staff
>>>>>
>>>>>
>>>>>
>>>>> As you can see, I even tried changing the directory permissions to 
>>>>> 777 and still no go. The users in the "administration" group are 
>>>>> getting the drive mapped but are being denied access to it. Same 
>>>>> for FBC. I have worked on this for days now and cannot get 
>>>>> anywhere. What should I try next? 
>
You seem to have 'flags' set on the directories. As I have never seen 
this before, I read the manpage and found this means that all files in 
the directory will be owned by whoever owns the directory. I do not know 
how you set the 'flags', but I suggest you find out how to remove them; I 
think that this will cure your problem.

Rowland
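The two things the thread points at (Dale's note that the `idmap config SAMDOM` block does not match `workgroup = TRUEVINE`, and Rowland's note about the `# flags: ss-` line in the `getfacl` output) can both be checked mechanically before a member server goes into service. The script below is an added example, not code from Rowland, Dale, Ryan or the Samba project. It reads an smb.conf and a `getfacl` dump from stdin; the `SAMPLE_*` strings are constructed copies of what Ryan posted, trimmed to the lines that matter. The reasoning it encodes is an inference from the posted config, not something the thread states outright: if the `ad` backend is configured under the wrong domain label, winbind allocates ids for TRUEVINE users and groups from the `*` tdb range (70001-80000), which is consistent with the unresolved `group:70028` entries in the ACLs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): sanity checks for a
# Samba member server's idmap configuration and share-directory ACLs.

# Constructed sample smb.conf, reduced to the idmap-relevant lines of the
# config posted in the thread (domain label SAMDOM vs workgroup TRUEVINE).
SAMPLE_SMBCONF='[global]
  netbios name = FS01
  workgroup = TRUEVINE
  security = ADS
  realm = TRUEVINE.LAN
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 500-40000
'

# Constructed sample getfacl output, reduced from the one posted.
SAMPLE_GETFACL='# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: ss-
user::rwx
group::rwx
group:administration:rwx
group:70028:rwx
mask::rwx
'

# Print the workgroup value from an smb.conf read on stdin.
smb_workgroup() {
    sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' \
      | head -n 1 | tr -d '[:space:]'
}

# Print every "idmap config <DOMAIN>" label (other than "*") that is not
# the workgroup, one per line. Such a block is never used for the joined
# domain, so its users fall through to the "*" backend instead.
idmap_mismatches() {
    conf=$(cat)
    wg=$(printf '%s\n' "$conf" | smb_workgroup | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$conf" \
      | sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:*]*\)[[:space:]]*:.*/\1/p' \
      | tr '[:lower:]' '[:upper:]' | sort -u \
      | while read -r dom; do
            [ "$dom" = "$wg" ] || printf '%s\n' "$dom"
        done
}

# From getfacl output on stdin, report setuid/setgid bits shown in the
# "# flags:" header (positions: setuid, setgid, sticky).
getfacl_special_bits() {
    sed -n 's/^# flags:[[:space:]]*//p' | while read -r f; do
        case "$f" in s??) printf 'setuid\n' ;; esac
        case "$f" in ?s?) printf 'setgid\n' ;; esac
    done
}

# From getfacl output on stdin, print ACL entries whose qualifier is a bare
# number, i.e. an id that NSS could not map back to a user or group name.
acl_unresolved_ids() {
    grep -E '^(default:)?(user|group):[0-9]+:'
}

# Run the checks against the constructed samples when executed directly.
printf 'workgroup: %s\n' "$(printf '%s\n' "$SAMPLE_SMBCONF" | smb_workgroup)"
printf 'idmap labels not matching workgroup: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SMBCONF" | idmap_mismatches | tr '\n' ' ')"
printf 'special bits on directory: %s\n' \
    "$(printf '%s\n' "$SAMPLE_GETFACL" | getfacl_special_bits | tr '\n' ' ')"
printf 'unresolved ACL entries: %s\n' \
    "$(printf '%s\n' "$SAMPLE_GETFACL" | acl_unresolved_ids | tr '\n' ' ')"
```

On a real server, feed it the live files (`idmap_mismatches < /etc/samba/smb.conf`, `getfacl /home/shared/staff | acl_unresolved_ids`). A non-empty result from `idmap_mismatches` means the `ad` backend block will be ignored for the joined domain, and numeric entries from `acl_unresolved_ids` are the symptom to look for after correcting the label and regenerating the cache tdb's.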
