[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Mon Aug 4 12:58:11 MDT 2014


On 04/08/14 19:24, Ryan Ashley wrote:
> DC Config:
> =======
> # Global parameters
> [global]
>         workgroup = TRUEVINE
>         realm = TRUEVINE.LAN
>         netbios name = DC01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbi$
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/truevine.lan/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
>
> Print-Server Config:
> ============
> [global]
>   netbios name = ps01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config SAMDOM:backend = ad
>   idmap config SAMDOM:schema_mode = rfc2307
>   idmap config SAMDOM:range = 500-40000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>
>   auth methods = winbind
>   rpc_server:spoolss = external
>   rpc_daemon:spoolssd = fork
>   spoolss: architecture = Windows x64
>
> [printers]
>   path = /var/spool/samba
>   printable = yes
>   printing = CUPS
>
> [print$]
>   path = /srv/samba/printer_drivers
>   comment = Printer drivers
>   writeable = yes
>
> [Xerox7545]
>   path = /var/spool/samba
>   browseable = yes
>   printable = yes
>   printer name = Xerox_WC_7545
>
>
>
> File-Server Config:
> ===========
> [global]
>   netbios name = FS01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config TRUEVINE:backend = ad
>   idmap config TRUEVINE:schema_mode = rfc2307
>   idmap config TRUEVINE:range = 500-40000
>
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   auth methods = winbind
>   log level = 3
>
> [install$]
>   path = /home/shared/install
>   comment = "Software installation files"
>   read only = no
>   guest ok = no
>
> [staff$]
>   path = /home/shared/staff
>   comment = "Staff file share"
>   read only = no
>   guest ok = no
>
> [fbc$]
>   path = /home/shared/fbc
>   comment = "Family Bible College file share"
>   read only = no
>   guest ok = no
>
>
>
> IP Information:
> =========
> Note that I do have a reverse-DNS zone setup in AD but it NEVER works 
> with S4. Works fine in 2008 R2, 2008, 2003 R2, etc. Being that I read 
> hundreds of posts of people never getting it working in S4, I assume 
> it is broken and am not worried about it yet.

Funny that, the reverse-dns zone never working with S4, that is. It 
works for me and has been doing for quite some time, but you never 
answered how you are running the dns & dhcp. Are you using the internal 
dns server or bind9? How are you getting dhcp to update dns?

>
> root at fs01:~# host dc01
> dc01.truevine.lan has address 172.16.0.1
> root at fs01:~# host ps01
> ps01.truevine.lan has address 172.16.0.7
> root at fs01:~# host 172.16.0.1
> Host 1.0.16.172.in-addr.arpa. not found: 3(NXDOMAIN)
> root at fs01:~# host 172.16.0.7
> Host 7.0.16.172.in-addr.arpa. not found: 3(NXDOMAIN)
>
>
>
> Other:
> ====
> root at fs01:~# getfacl /home/shared/staff/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/staff/
> # owner: reachfp
> # group: administration
> # flags: -s-
> user::rwx
> user:70014:rwx
> group::rwx
> group:fbc:rwx
> group:70020:rwx
> group:70028:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:70014:rwx
> default:group::---
> default:group:fbc:rwx
> default:group:70020:rwx
> default:group:70028:rwx
> default:mask::rwx
> default:other::---
>
> root at fs01:~# getfacl /home/shared/fbc/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/fbc/
> # owner: reachfp
> # group: fbc
> # flags: -s-
> user::rwx
> user:70014:rwx
> group::rwx
> group:70013:rwx
> group:70020:rwx
> group:70028:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:70014:rwx
> default:group::---
> default:group:70013:rwx
> default:group:70020:rwx
> default:group:70028:rwx
> default:mask::rwx
> default:other::---
>
> root at fs01:~# l /home/shared/
> total 40
> drwxrws---+  6 reachfp fbc               4096 Jul 23 11:31 fbc
> drwxrws---+  8 reachfp domain computers  4096 Jul 23 11:14 install
> drwx------   2 root    root             16384 Jul 15 10:00 lost+found
> drwxrws---+ 13 reachfp administration    4096 Jul 23 11:30 staff
>
> As you can see, getfacl is using ID numbers, but they do resolve to 
> groups when using ls. This is confusing as heck. This core 
> functionality should just work. Winbind is running, those IDs resolve 
> to groups, but getfacl cannot resolve them? What in the heck is 
> missing here? I followed the guide to the letter!

The ID numbers that you have posted are in the 'builtin' range 
'70001-80000'; probably the best way out of your problem is to trace the 
users & groups that these numbers match and then give them uidNumbers & 
gidNumbers.
>
> Finally, I do not know what this DN is. Domain Name? That is TRUEVINE, 
> FQDN is truevine.lan. As far as causing the error, everybody in the 
> entire domain causes it EXCEPT the domain admin. Also, what is "ute"?
>

DN stands for distinguished name, for instance, the DN of Administrator 
on your AD DC will be CN=Administrator,CN=User,DC=truevine,DC=lan

truevine.lan is NOT the FQDN, that would be DC01.truevine.lan for 
instance, truevine.lan is the domain name or kerberos realm.

Haven't a clue what 'ute' is, perhaps Steve does?

Rowland

> On 08/03/2014 02:55 AM, steve wrote:
>> On Sun, 2014-08-03 at 00:19 -0400, Ryan Ashley wrote:
>>> I am still trying to get this to work. Is S4 incapable of being a
>>> file-server as a member server? I run ONLY DNS and DHCP on my AD DC
>>> servers. I have a dedicated S4 print server that appears to work
>>> perfectly, but sharing files is critical and I have now been down for
>>> three weeks. Winbind resolves users and groups, everything looks 
>>> good, I
>>> have tried what has been suggested before, but now I am becoming
>>> desperate. The system cannot find this "idmap ad" backend. What in the
>>> heck is it and how do I get it or build it? Everything is working 
>>> except
>>> this basic functionality which is REALLY need!
>> OK. Time to summarise.
>> smb.conf on DC
>> samba version on DC
>> samba version on working print server
>> smb.conf on working print server
>> the DN of the user who trips the 'idmap ad' error (ute)
>> host <hostname of DC>
>> host <hostname of print server>
>> host <ip of DC>
>> host <ip of print server>
>> getent passwd ute
>> groups ute
>> getfacl <path to share where ute is accessing>
>> /etc/fstab
>>
>> With that we stand a chance.
>> Cheers,
>> Steve
>>
>>> On 7/31/2014 12:04 PM, Ryan Ashley wrote:
>>>> I made a strange discovery this morning. If I attempt to map the drive
>>>> using the server's IP address, I get invalid password. If I attempt to
>>>> map it using the hostname, it flat out denies access.
>>>>
>>>> C:\Users\reach_support>net use s: \\172.16.0.5\staff$ /persistent:no
>>>> Enter the user name for '172.16.0.5': reach_support
>>>> Enter the password for 172.16.0.5:
>>>> System error 86 has occurred.
>>>>
>>>> The specified network password is not correct.
>>>>
>>>>
>>>> C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
>>>> Enter the user name for 'fs01': reach_support
>>>> Enter the password for fs01:
>>>> System error 5 has occurred.
>>>>
>>>> Access is denied.
>>>>
>>>>
>>>> C:\Users\reach_support>
>>>>
>>>> This REALLY looks like an S4 bug to me. Why would it give different
>>>> errors if using a hostname versus the static IP? The hostname simply
>>>> resolves to the IP anyway. Is there anything we can do now?
>>>>
>>>> On 07/30/2014 10:18 AM, Ryan Ashley wrote:
>>>>> Sorry for the delay. I am in eastern time and have been busy with
>>>>> another project. I cannot convert that ID to SID. In Windows however,
>>>>> this shows as "SYSTEM". How do I know? Simple, there are only three
>>>>> things listed. Those are "Domain Admins", "Administration", and
>>>>> "SYSTEM". Also, what do you mean by "ntadmins" being local? I have
>>>>> added no groups to the Linux systems, so if you're asking if it is a
>>>>> local group on the Linux box, no it is not. I can remove the SYSTEM
>>>>> account from the share if needed, but it is on all Windows shares as
>>>>> well and causes no issues.
>>>>>
>>>>> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>> Could not convert uid 70028 to sid
>>>>>
>>>>> On 7/30/2014 6:01 AM, steve wrote:
>>>>>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>>>>>> On 29/07/14 18:42, steve wrote:
>>>>>>> Hi Steve, how about bug 10508 ??
>>>>>>>
>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> Hi Rowland,
>>>>>> Yes, it looks possible.
>>>>>> Could OP tell us if his ntadmins is local to /etc/group? Also, 
>>>>>> what does:
>>>>>>    wbinfo --uid-to-sid=70028
>>>>>> give us?
>>>>>> Steve
>>>>>>
>>>>>>
>>
>
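Rowland's suggestion above is to work out which users and groups the bare numeric IDs in the getfacl output belong to. The script below is an added example, not code from the thread or from Samba: it parses the `idmap config` ranges out of smb.conf text and the numeric entries out of getfacl output, then reports which idmap domain and backend each ID falls under. Both inputs are constructed samples shaped like the posted ones (the 1500 entry is added for contrast); an ID landing in the `*` tdb range was allocated locally by winbind rather than taken from an AD uidNumber/gidNumber, which is exactly the set worth tracing with `wbinfo --uid-to-sid` / `--gid-to-sid` and fixing in AD.

```python
import re

# Constructed sample in the shape of the file server's smb.conf from the thread.
SMB_CONF = """\
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 500-40000
"""

# Constructed sample in the shape of the getfacl output from the thread, plus
# one extra entry (1500) inside the AD range for contrast.
GETFACL_OUTPUT = """\
# file: home/shared/staff/
user::rwx
user:70014:rwx
group::rwx
group:fbc:rwx
group:70020:rwx
group:1500:r-x
default:group:70028:rwx
mask::rwx
"""

IDMAP_RE = re.compile(r"^\s*idmap config ([^:\s]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$")
ACL_RE = re.compile(r"^(?:default:)?(user|group):(\d+):")

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            entry = domains.setdefault(dom, {})
            entry[key] = tuple(int(x) for x in val.split("-")) if key == "range" else val
    return domains

def unresolved_ids(facl):
    """Return sorted (kind, id) pairs for ACL entries still shown numerically."""
    hits = {(m.group(1), int(m.group(2))) for m in map(ACL_RE.match, facl.splitlines()) if m}
    return sorted(hits)

def classify(facl, conf):
    """Map each numeric ACL id to the (domain, backend) whose idmap range holds it."""
    domains = parse_idmap(conf)
    out = {}
    for kind, num in unresolved_ids(facl):
        out[(kind, num)] = None  # no configured range covers this id
        for dom, entry in domains.items():
            lo, hi = entry.get("range", (1, 0))
            if lo <= num <= hi:
                out[(kind, num)] = (dom, entry.get("backend"))
    return out
```

Run `classify(GETFACL_OUTPUT, SMB_CONF)` against real `getfacl` and smb.conf text; every entry reported as `('*', 'tdb')` is a local allocation that will not match the IDs in AD.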