[Samba] Samba 4 AD share: Access denied
Rowland Penny
rowlandpenny at googlemail.com
Tue Jul 29 01:50:53 MDT 2014
On 28/07/14 23:33, Ryan Ashley wrote:
> More information in another winbind log. I attempted to login to a
> remote Windows 7 box with a normal user account which is in both
> groups and should get both drives. Windows logs access denied and does
> not map the drives, and I get this in the logs. At this point I am
> fairly sure winbind is having issues speaking to the DC due to a
> missing module which I can find nothing about online. I did use Google
> for a while today and cannot find a match for the phrases below, so I
> am stuck.
>
> log.wb-TRUEVINE:
> [2014/07/28 18:24:52.880743, 3]
> ../source3/winbindd/winbindd_ads.c:597(query_user)
> ads: query_user
> [2014/07/28 18:24:52.883979, 1]
> ../source3/winbindd/winbindd_ads.c:710(query_user)
> nss_get_info_cached failed: NT_STATUS_NOT_FOUND
>
> log.winbind-idmap:
> [2014/07/28 18:24:52.883979, 3]
> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
> expiration Mon, 28 Jul 2014 20:14:44 EDT
> [2014/07/28 18:24:52.883991, 0]
> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
> Got sig[15] terminate (is_parent=0)
> [2014/07/28 18:24:52.884011, 3]
> ../source3/winbindd/idmap.c:230(idmap_init_domain)
> idmap backend ad not found
> [2014/07/28 18:24:52.884072, 3]
> ../source3/winbindd/idmap.c:235(idmap_init_domain)
> Could not probe idmap module ad
>
> On 7/28/2014 11:16 AM, Ryan Ashley wrote:
>> Found the problem, I believe
>>
>> [2014/07/28 10:14:44.828015, 3]
>> ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect]
>> expiration Mon, 28 Jul 2014 20:14:44 EDT
>> [2014/07/28 10:31:37.274435, 0]
>> ../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
>> Got sig[15] terminate (is_parent=0)
>> [2014/07/28 11:02:32.032341, 3]
>> ../source3/winbindd/idmap.c:230(idmap_init_domain)
>> idmap backend ad not found
>> [2014/07/28 11:02:32.051673, 3]
>> ../source3/winbindd/idmap.c:235(idmap_init_domain)
>> Could not probe idmap module ad
>>
>> As you can see, winbind is having issues with AD. What could cause
>> this? Currently I have set share permissions in Linux to 777 and am
>> running S4 4.1.10 from the v4-1-stable branch. Is this something I
>> can fix?
>>
>> On 07/28/2014 10:19 AM, Ryan Ashley wrote:
>>> Great, so by doing "git clone git://git.samba.org/samba.git
>>> samba-master" I am by default cloning the testing branch. I am going
>>> to do a checkout on stable and try again.
>>>
>>> On 07/28/2014 10:11 AM, Rowland Penny wrote:
>>>> On 28/07/14 15:00, Ryan Ashley wrote:
>>>>> Odd, but it says I am using 4.2.0, which is higher than 4.1.8.
>>>>>
>>>>> root@fs01:/usr/src/samba-master# samba-tool -V
>>>>> 4.2.0pre1-GIT-d097898
>>>>> root@fs01:/usr/src/samba-master# winbindd -V
>>>>> Version 4.2.0pre1-GIT-d097898
>>>>> root@fs01:/usr/src/samba-master# nmbd -V
>>>>> Version 4.2.0pre1-GIT-d097898
>>>>> root@fs01:/usr/src/samba-master#
>>>>>
>>>>> I normally clone, configure, and build. Is the stable branch not
>>>>> default? Am I building a testing branch? Should I checkout on the
>>>>> stable branch?
>>>>>
>>>>> On 07/28/2014 09:50 AM, Rowland Penny wrote:
>>>>>> On 28/07/14 14:41, Ryan Ashley wrote:
>>>>>>> Alright, I was poking around this morning trying to make this
>>>>>>> work, and noticed something odd. Loads of zombie nmbd processes.
>>>>>>> Check out the dump below and tell me, what is going on here? Is
>>>>>>> this my problem?
>>>>>>>
>>>>>>> On 07/28/2014 09:18 AM, Ryan Ashley wrote:
>>>>>>>> I have never even played with apparmor. I do my Debian installs
>>>>>>>> using a net CD and doing the expert 64bit install. I disable
>>>>>>>> recommended and suggested packages and install only exactly
>>>>>>>> what I need, so I do not have apparmor or selinux. Good thought
>>>>>>>> though. I also tried disabling the firewall on a test PC and
>>>>>>>> still no go. This has NEVER happened before so I am lost.
>>>>>>>>
>>>>>>>> So where else should I look? The system in question is a domain
>>>>>>>> member server, can resolve users and groups, and can set ACLs
>>>>>>>> with user and groups from AD. It is simply denying access to
>>>>>>>> group members of said shares.
>>>>>>>>
>>>>>>>> On 07/28/2014 05:02 AM, Rowland Penny wrote:
>>>>>>>>> On 27/07/14 16:28, Ryan Ashley wrote:
>>>>>>>>>> I understand and I should have stated more clearly that I
>>>>>>>>>> have been going through those results for over a week now.
>>>>>>>>>> Nothing seems to help. Funny thing is that creating a second
>>>>>>>>>> virtual file-server and using share authentication works
>>>>>>>>>> fine. Yet another reason I am leaning towards group issues.
>>>>>>>>>> If the file-server is share-level the Windows 7 boxes are
>>>>>>>>>> happy. As soon as it goes AD and uses AD groups, they stop
>>>>>>>>>> working. I have not tried user-level security yet. Then again
>>>>>>>>>> I may have user-level and share-level confused. It has been a
>>>>>>>>>> long week. I will keep searching but so far nothing I have
>>>>>>>>>> found and tried works.
>>>>>>>>>>
>>>>>>>>>> Is there a way to get an actual reason for the denial? If it
>>>>>>>>>> flat-out told me a reason I could troubleshoot. Right now I
>>>>>>>>>> am just shooting in random directions hoping to hit something
>>>>>>>>>> since all I get is "Access Denied". Is it possible to see if
>>>>>>>>>> S4 is denying the connection via a log or something, or if
>>>>>>>>>> Windows 7 is being stupid... again?
>>>>>>>>>>
>>>>>>>>>> On 7/27/2014 10:57 AM, Rowland Penny wrote:
>>>>>>>>>>> On 27/07/14 15:15, Ryan Ashley wrote:
>>>>>>>>>>>> That solution is for Windows 8. That also is not our issue.
>>>>>>>>>>>> The Windows 7 Pro 64bit workstations see the server and
>>>>>>>>>>>> shares, and they map the shares according to group policy,
>>>>>>>>>>>> but then everybody gets access denied, despite being in the
>>>>>>>>>>>> domain groups for which the shares were created. Funny
>>>>>>>>>>>> thing is that if I logon as domain admin, I get to access
>>>>>>>>>>>> the shares. Due to this, I fully believe the S4 server is
>>>>>>>>>>>> ignoring or not accounting for group membership. The
>>>>>>>>>>>> "reachfp" account is the domain admin. This is also the
>>>>>>>>>>>> default owner of files on the shares. The group
>>>>>>>>>>>> "administration" contains many members and does not grant
>>>>>>>>>>>> access, despite the group being granted full control. This
>>>>>>>>>>>> led me into believing I am still dealing with a permissions
>>>>>>>>>>>> issue and not another issue. If it was the other issue, I
>>>>>>>>>>>> would assume domain admin could not see the share or access
>>>>>>>>>>>> it. Is that about right?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> You are missing the point, I probably could have chosen a
>>>>>>>>>>> better target but I only spent about 30secs on the search:
>>>>>>>>>>>
>>>>>>>>>>> windows 7 64 bit access denied samba
>>>>>>>>>>>
>>>>>>>>>>> This returns about 116,000 results, here's another one:
>>>>>>>>>>>
>>>>>>>>>>> http://www.sevenforums.com/network-sharing/242602-can-t-connect-samba-share-win-7-ultimate-64-bit.html
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Try looking into this before dismissing it out of hand and
>>>>>>>>>>> insisting that samba is the problem.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> OK, after more thought and re-reading your posts, a thought
>>>>>>>>> has popped into my head, apparmor, do you have this running on
>>>>>>>>> the server ?
>>>>>>>>> I have been caught out by this a few times, not being allowed
>>>>>>>>> to do things that I thought I should be able to do, or
>>>>>>>>> packages not running correctly because they were not allowed
>>>>>>>>> access, in every case it was apparmor. As I could never get
>>>>>>>>> apparmor to play ball with me (I thought that I had found all
>>>>>>>>> rights that needed modding and then another one would pop its
>>>>>>>>> head up and what is in the logs bears no resemblance to what
>>>>>>>>> you need to put in the conf file), I now disable apparmor
>>>>>>>>> straight after installing a new system.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>> Somebody else reported this problem, he went to 4.1.8 and the
>>>>>> zombie nmbd problem went away, if you upgrade to the latest
>>>>>> samba4 you may hit two birds with one stone, the nmbd problem and
>>>>>> your group problem ;-)
>>>>>>
>>>>>> Rowland
>>>>>
>>>> Hi, what you are using is not the stable branch, it is the branch
>>>> that will become the next release i.e. 4.2. This does not mean that
>>>> you shouldn't use it, it just means that it could be upgraded at
>>>> any time until it is 'frozen' just before release. These upgrades
>>>> 'could' break something, not saying they will, just that they
>>>> could, for production use I would use the latest version from here:
>>>>
>>>> https://ftp.samba.org/pub/samba/stable/
>>>>
>>>> Rowland
>>>>
>>>
>>
>
Do you have all of these packages installed:

    samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5 krb5-user

If not, install what is missing and add these lines to smb.conf:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

Restart samba and try again, you may have to join the machine to the
domain again.

Rowland
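
A triage sketch for the winbind log excerpts quoted in this thread, added here as an example; it is not part of anyone's post and not Samba code. It regroups the header, source-location and message lines into entries and flags the idmap and nss_info failures; the function names and finding labels are made up for the example, and the sample lines are the ones quoted above.

```python
import re

# Header "[date time.usec, level]"; "file.c:line(func)" follows on the same or next line.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]"
    r"\s*(?:\S+:\d+\((?P<func>\w+)\))?\s*$")
WHERE = re.compile(r"^\S+:\d+\((?P<func>\w+)\)$")

# Labels are hypothetical names for this example; patterns are messages from the thread.
SIGNATURES = [
    ("idmap_backend_unavailable", re.compile(r"idmap backend (\S+) not found")),
    ("idmap_backend_unavailable", re.compile(r"Could not probe idmap module (\S+)")),
    ("nss_info_lookup_failed", re.compile(r"nss_get_info_cached failed: (\S+)")),
]

# Sample input: log lines quoted in the thread, with the ">" markers removed.
SAMPLE = """\
[2014/07/28 18:24:52.883979, 1]
../source3/winbindd/winbindd_ads.c:710(query_user)
nss_get_info_cached failed: NT_STATUS_NOT_FOUND
[2014/07/28 18:24:52.883991, 0]
../source3/winbindd/winbindd.c:266(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
[2014/07/28 18:24:52.884011, 3]
../source3/winbindd/idmap.c:230(idmap_init_domain)
idmap backend ad not found
[2014/07/28 18:24:52.884072, 3]
../source3/winbindd/idmap.c:235(idmap_init_domain)
Could not probe idmap module ad
"""


def parse_entries(text):
    """Group header, source location and message lines into one dict per entry."""
    entries, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        head = HEADER.match(line)
        if head:
            cur = {"ts": head["ts"], "level": int(head["level"]),
                   "func": head["func"], "message": ""}
            entries.append(cur)
        elif not line or cur is None:
            continue  # blank line, or text before the first header
        elif cur["func"] is None and not cur["message"] and WHERE.match(line):
            cur["func"] = WHERE.match(line)["func"]  # wrapped location line
        else:
            cur["message"] = (cur["message"] + " " + line).strip()
    return entries


def triage(entries):
    """Return (timestamp, label, detail, function) for each matched signature."""
    findings = []
    for entry in entries:
        for label, pattern in SIGNATURES:
            hit = pattern.search(entry["message"])
            if hit:
                findings.append((entry["ts"], label, hit.group(1), entry["func"]))
    return findings


def unavailable_idmap_backends(findings):
    """Backend names that winbindd reported it could not find or probe."""
    return sorted({detail for _, label, detail, _ in findings
                   if label == "idmap_backend_unavailable"})


if __name__ == "__main__":
    print(*triage(parse_entries(SAMPLE)), sep="\n")
```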