[Samba] Samba 4 AD share: Access denied

steve steve at steve-ss.com
Sun Aug 3 00:55:32 MDT 2014


On Sun, 2014-08-03 at 00:19 -0400, Ryan Ashley wrote:
> I am still trying to get this to work. Is S4 incapable of being a 
> file-server as a member server? I run ONLY DNS and DHCP on my AD DC 
> servers. I have a dedicated S4 print server that appears to work 
> perfectly, but sharing files is critical and I have now been down for 
> three weeks. Winbind resolves users and groups, everything looks good, I 
> have tried what has been suggested before, but now I am becoming 
> desperate. The system cannot find this "idmap ad" backend. What in the 
> heck is it and how do I get it or build it? Everything is working except 
> this basic functionality which is REALLY needed!

OK. Time to summarise.
smb.conf on DC
samba version on DC
samba version on working print server
smb.conf on working print server
the DN of the user who trips the 'idmap ad' error (ute)
host <hostname of DC>
host <hostname of print server>
host <ip of DC>
host <ip of print server>
getent passwd ute
groups ute
getfacl <path to share where ute is accessing>
/etc/fstab

With that we stand a chance.
Cheers,
Steve

> 
> On 7/31/2014 12:04 PM, Ryan Ashley wrote:
> > I made a strange discovery this morning. If I attempt to map the drive 
> > using the server's IP address, I get invalid password. If I attempt to 
> > map it using the hostname, it flat out denies access.
> >
> > C:\Users\reach_support>net use s: \\172.16.0.5\staff$ /persistent:no
> > Enter the user name for '172.16.0.5': reach_support
> > Enter the password for 172.16.0.5:
> > System error 86 has occurred.
> >
> > The specified network password is not correct.
> >
> >
> > C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
> > Enter the user name for 'fs01': reach_support
> > Enter the password for fs01:
> > System error 5 has occurred.
> >
> > Access is denied.
> >
> >
> > C:\Users\reach_support>
> >
> > This REALLY looks like an S4 bug to me. Why would it give different 
> > errors if using a hostname versus the static IP? The hostname simply 
> > resolves to the IP anyway. Is there anything we can do now?
> >
> > On 07/30/2014 10:18 AM, Ryan Ashley wrote:
> >> Sorry for the delay. I am in eastern time and have been busy with 
> >> another project. I cannot convert that ID to SID. In Windows however, 
> >> this shows as "SYSTEM". How do I know? Simple, there are only three 
> >> things listed. Those are "Domain Admins", "Administration", and 
> >> "SYSTEM". Also, what do you mean by "ntadmins" being local? I have 
> >> added no groups to the Linux systems, so if you're asking if it is a 
> >> local group on the Linux box, no it is not. I can remove the SYSTEM 
> >> account from the share if needed, but it is on all Windows shares as 
> >> well and causes no issues.
> >>
> >> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> >> Could not convert uid 70028 to sid
> >>
> >> On 7/30/2014 6:01 AM, steve wrote:
> >>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
> >>>> On 29/07/14 18:42, steve wrote:
> >>>> Hi Steve, how about bug 10508 ??
> >>>>
> >>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
> >>>>
> >>>> Rowland
> >>>>
> >>> Hi Rowland,
> >>> Yes, it looks possible.
> >>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
> >>> does:
> >>>   wbinfo --uid-to-sid=70028
> >>> give us?
> >>> Steve
> >>>
> >>>
> >>
> >
> 



