[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Mon Aug 4 12:24:56 MDT 2014
DC Config:
=======
# Global parameters
[global]
workgroup = TRUEVINE
realm = TRUEVINE.LAN
netbios name = DC01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbi$
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/truevine.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Print-Server Config:
============
[global]
netbios name = ps01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
auth methods = winbind
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss: architecture = Windows x64
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba/printer_drivers
comment = Printer drivers
writeable = yes
[Xerox7545]
path = /var/spool/samba
browseable = yes
printable = yes
printer name = Xerox_WC_7545
File-Server Config:
===========
[global]
netbios name = FS01
workgroup = TRUEVINE
security = ADS
realm = TRUEVINE.LAN
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config TRUEVINE:backend = ad
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:range = 500-40000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
auth methods = winbind
log level = 3
[install$]
path = /home/shared/install
comment = "Software installation files"
read only = no
guest ok = no
[staff$]
path = /home/shared/staff
comment = "Staff file share"
read only = no
guest ok = no
[fbc$]
path = /home/shared/fbc
comment = "Family Bible College file share"
read only = no
guest ok = no
IP Information:
=========
Note that I do have a reverse-DNS zone set up in AD but it NEVER works
with S4. Works fine in 2008 R2, 2008, 2003 R2, etc. Being that I read
hundreds of posts of people never getting it working in S4, I assume it
is broken and am not worried about it yet.
root at fs01:~# host dc01
dc01.truevine.lan has address 172.16.0.1
root at fs01:~# host ps01
ps01.truevine.lan has address 172.16.0.7
root at fs01:~# host 172.16.0.1
Host 1.0.16.172.in-addr.arpa. not found: 3(NXDOMAIN)
root at fs01:~# host 172.16.0.7
Host 7.0.16.172.in-addr.arpa. not found: 3(NXDOMAIN)
Other:
====
root at fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: administration
# flags: -s-
user::rwx
user:70014:rwx
group::rwx
group:fbc:rwx
group:70020:rwx
group:70028:rwx
mask::rwx
other::---
default:user::rwx
default:user:70014:rwx
default:group::---
default:group:fbc:rwx
default:group:70020:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---
root at fs01:~# getfacl /home/shared/fbc/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:70014:rwx
group::rwx
group:70013:rwx
group:70020:rwx
group:70028:rwx
mask::rwx
other::---
default:user::rwx
default:user:70014:rwx
default:group::---
default:group:70013:rwx
default:group:70020:rwx
default:group:70028:rwx
default:mask::rwx
default:other::---
root at fs01:~# l /home/shared/
total 40
drwxrws---+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
drwxrws---+ 8 reachfp domain computers 4096 Jul 23 11:14 install
drwx------ 2 root root 16384 Jul 15 10:00 lost+found
drwxrws---+ 13 reachfp administration 4096 Jul 23 11:30 staff
As you can see, getfacl is using ID numbers, but they do resolve to
groups when using ls. This is confusing as heck. This core functionality
should just work. Winbind is running, those IDs resolve to groups, but
getfacl cannot resolve them? What in the heck is missing here? I
followed the guide to the letter!
Finally, I do not know what this DN is. Domain Name? That is TRUEVINE,
FQDN is truevine.lan. As far as causing the error, everybody in the
entire domain causes it EXCEPT the domain admin. Also, what is "ute"?
On 08/03/2014 02:55 AM, steve wrote:
> On Sun, 2014-08-03 at 00:19 -0400, Ryan Ashley wrote:
>> I am still trying to get this to work. Is S4 incapable of being a
>> file-server as a member server? I run ONLY DNS and DHCP on my AD DC
>> servers. I have a dedicated S4 print server that appears to work
>> perfectly, but sharing files is critical and I have now been down for
>> three weeks. Winbind resolves users and groups, everything looks good, I
>> have tried what has been suggested before, but now I am becoming
>> desperate. The system cannot find this "idmap ad" backend. What in the
>> heck is it and how do I get it or build it? Everything is working except
>> this basic functionality which is REALLY needed!
> OK. Time to summarise.
> smb.conf on DC
> samba version on DC
> samba version on working print server
> smb.conf on working print server
> the DN of the user who trips the 'idmap ad' error (ute)
> host <hostname of DC>
> host <hostname of print server>
> host <ip of DC>
> host <ip of print server>
> getent passwd ute
> groups ute
> getfacl <path to share where ute is accessing>
> /etc/fstab
>
> With that we stand a chance.
> Cheers,
> Steve
>
>> On 7/31/2014 12:04 PM, Ryan Ashley wrote:
>>> I made a strange discovery this morning. If I attempt to map the drive
>>> using the server's IP address, I get invalid password. If I attempt to
>>> map it using the hostname, it flat out denies access.
>>>
>>> C:\Users\reach_support>net use s: \\172.16.0.5\staff$ /persistent:no
>>> Enter the user name for '172.16.0.5': reach_support
>>> Enter the password for 172.16.0.5:
>>> System error 86 has occurred.
>>>
>>> The specified network password is not correct.
>>>
>>>
>>> C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
>>> Enter the user name for 'fs01': reach_support
>>> Enter the password for fs01:
>>> System error 5 has occurred.
>>>
>>> Access is denied.
>>>
>>>
>>> C:\Users\reach_support>
>>>
>>> This REALLY looks like an S4 bug to me. Why would it give different
>>> errors if using a hostname versus the static IP? The hostname simply
>>> resolves to the IP anyway. Is there anything we can do now?
>>>
>>> On 07/30/2014 10:18 AM, Ryan Ashley wrote:
>>>> Sorry for the delay. I am in eastern time and have been busy with
>>>> another project. I cannot convert that ID to SID. In Windows however,
>>>> this shows as "SYSTEM". How do I know? Simple, there are only three
>>>> things listed. Those are "Domain Admins", "Administration", and
>>>> "SYSTEM". Also, what do you mean by "ntadmins" being local? I have
>>>> added no groups to the Linux systems, so if you're asking if it is a
>>>> local group on the Linux box, no it is not. I can remove the SYSTEM
>>>> account from the share if needed, but it is on all Windows shares as
>>>> well and causes no issues.
>>>>
>>>> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not convert uid 70028 to sid
>>>>
>>>> On 7/30/2014 6:01 AM, steve wrote:
>>>>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>>>>> On 29/07/14 18:42, steve wrote:
>>>>>> Hi Steve, how about bug 10508 ??
>>>>>>
>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> Hi Rowland,
>>>>> Yes, it looks possible.
>>>>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
>>>>> does:
>>>>> wbinfo --uid-to-sid=70028
>>>>> give us?
>>>>> Steve
>>>>>
>>>>>
>
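Added diagnostic, not part of the thread: it parses the idmap ranges from a member server's smb.conf and checks the numeric entries of a getfacl listing against them, so an ID that falls in the '*' range is flagged as allocated from the local tdb pool rather than read from AD, and an idmap domain label that differs from the workgroup (SAMDOM versus TRUEVINE in the print-server config) is flagged because the ad backend is then never consulted. The config and ACL samples are constructed from the fragments quoted above.

```python
import re
# Constructed from the two member-server configs quoted in the thread
# (print server labels its domain SAMDOM, file server TRUEVINE).
PS01_CONF = """
workgroup = TRUEVINE
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 500-40000
"""
FS01_CONF = PS01_CONF.replace("SAMDOM", "TRUEVINE")
# Constructed from the getfacl /home/shared/staff/ output in the thread.
FS01_ACL = "user:70014:rwx\ngroup:fbc:rwx\ngroup:70020:rwx\ngroup:70028:rwx\n"

def parse_idmap(conf):
    """Return (workgroup, {domain: {'backend': str, 'range': (lo, hi)}})."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        m = re.match(r"\s*workgroup\s*=\s*(\S+)", line)
        if m:
            workgroup = m.group(1).upper()
        m = re.match(r"\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+)", line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2), m.group(3).strip()
            entry = domains.setdefault(dom, {})
            entry[key] = tuple(int(x) for x in val.split("-")) if key == "range" else val
    return workgroup, domains

def id_source(domains, idnum):
    """(domain, backend) whose range contains idnum, or None if unmapped."""
    for dom, cfg in domains.items():
        lo, hi = cfg.get("range", (None, None))
        if lo is not None and lo <= idnum <= hi:
            return dom, cfg.get("backend")
    return None

def audit(conf, acl_text):
    """Explain why ACL entries show raw numbers instead of AD names."""
    workgroup, domains = parse_idmap(conf)
    findings = []
    if workgroup and workgroup not in domains:
        findings.append(f"no idmap config for workgroup {workgroup}: the ad backend is never consulted")
    for m in re.finditer(r"^(?:default:)?(user|group):(\d+):", acl_text, re.M):
        kind, idnum = m.group(1), int(m.group(2))
        src = id_source(domains, idnum)
        if src is None:
            findings.append(f"{kind} {idnum}: outside every idmap range")
        elif src[0] == "*":
            findings.append(f"{kind} {idnum}: allocated from the '*' {src[1]} pool, not read from AD rfc2307 attributes")
    return findings
```

Run audit(FS01_CONF, FS01_ACL) to see that 70014, 70020 and 70028 all come from the '*' tdb pool, which is why they never resolve to AD names through the ad backend.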