[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Mon Aug 4 13:12:22 MDT 2014

I forgot to mention, I am running BIND9. I created the reverse zones in 
AD using the snap-in on a Windows 7 Pro 64bit system. DHCP does update 
DNS, but the reverse zones are always ignored, at all locations. I also 
forgot to mention that all three systems are running 4.1.10 stable. They 
were running 4.2.0 pre something.

How do I give these groups uID or gID numbers? Are you suggesting I 
create them on the Linux box?

Finally, the DN should not matter since it affects all users, and that 
is a LOT of typing for every domain user. If it is required I will do it, 
but since only the domain admin can do this, it seems as though a user's 
DN is irrelevant. If it was some users and not others, I'd have already 
checked the groups, DN, etc.

On 08/04/2014 02:58 PM, Rowland Penny wrote:
> On 04/08/14 19:24, Ryan Ashley wrote:
> Funny that, the reverse-dns zone never working with S4, that is. It 
> works for me and has been doing for quite some time, but you never 
> answered how you are running the dns & dhcp, are you using the 
> internal dns server or bind9 ? how are you getting dhcp to update dns ?
> The ID numbers that you have posted are in the 'builtin' range 
> '70001-80000', probably the best way out of your problem is to trace 
> the users & groups that these numbers match and then give them 
> uidNumber's & gidNumber's.
> DN stands for distinguished name, for instance, the DN of 
> Administrator on your AD DC will be 
> CN=Administrator,CN=User,DC=truevine,DC=lan
> truevine.lan is NOT the FQDN, that would be DC01.truevine.lan for 
> instance, truevine.lan is the domain name or kerberos realm.
> Haven't a clue what 'ute' is, perhaps Steve does ??
> Rowland
>> On 08/03/2014 02:55 AM, steve wrote:
>>> On Sun, 2014-08-03 at 00:19 -0400, Ryan Ashley wrote:
>>>> I am still trying to get this to work. Is S4 incapable of being a
>>>> file-server as a member server? I run ONLY DNS and DHCP on my AD DC
>>>> servers. I have a dedicated S4 print server that appears to work
>>>> perfectly, but sharing files is critical and I have now been down for
>>>> three weeks. Winbind resolves users and groups, everything looks good, I
>>>> have tried what has been suggested before, but now I am becoming
>>>> desperate. The system cannot find this "idmap ad" backend. What in the
>>>> heck is it and how do I get it or build it? Everything is working except
>>>> this basic functionality which is REALLY needed!
>>> OK. Time to summarise.
>>> smb.conf on DC
>>> samba version on DC
>>> samba version on working print server
>>> smb.conf on working print server
>>> the DN of the user who trips the 'idmap ad' error (ute)
>>> host <hostname of DC>
>>> host <hostname of print server>
>>> host <ip of DC>
>>> host <ip of print server>
>>> getent passwd ute
>>> groups ute
>>> getfacl <path to share where ute is accessing>
>>> /etc/fstab
>>> With that we stand a chance.
>>> Cheers,
>>> Steve
>>>> On 7/31/2014 12:04 PM, Ryan Ashley wrote:
>>>>> I made a strange discovery this morning. If I attempt to map the drive
>>>>> using the server's IP address, I get invalid password. If I attempt to
>>>>> map it using the hostname, it flat out denies access.
>>>>> C:\Users\reach_support>net use s: \\\staff$ /persistent:no
>>>>> Enter the user name for '': reach_support
>>>>> Enter the password for
>>>>> System error 86 has occurred.
>>>>> The specified network password is not correct.
>>>>> C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
>>>>> Enter the user name for 'fs01': reach_support
>>>>> Enter the password for fs01:
>>>>> System error 5 has occurred.
>>>>> Access is denied.
>>>>> C:\Users\reach_support>
>>>>> This REALLY looks like an S4 bug to me. Why would it give different
>>>>> errors if using a hostname versus the static IP? The hostname simply
>>>>> resolves to the IP anyway. Is there anything we can do now?
>>>>> On 07/30/2014 10:18 AM, Ryan Ashley wrote:
>>>>>> Sorry for the delay. I am in eastern time and have been busy with
>>>>>> another project. I cannot convert that ID to SID. In Windows however,
>>>>>> this shows as "SYSTEM". How do I know? Simple, there are only three
>>>>>> things listed. Those are "Domain Admins", "Administration", and
>>>>>> "SYSTEM". Also, what do you mean by "ntadmins" being local? I have
>>>>>> added no groups to the Linux systems, so if you're asking if it is a
>>>>>> local group on the Linux box, no it is not. I can remove the SYSTEM
>>>>>> account from the share if needed, but it is on all Windows shares as
>>>>>> well and causes no issues.
>>>>>> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not convert uid 70028 to sid
>>>>>> On 7/30/2014 6:01 AM, steve wrote:
>>>>>>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>>>>>>> On 29/07/14 18:42, steve wrote:
>>>>>>>> Hi Steve, how about bug 10508 ??
>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>>>>>> Rowland
>>>>>>> Hi Rowland,
>>>>>>> Yes, it looks possible.
>>>>>>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
>>>>>>> does:
>>>>>>>    wbinfo --uid-to-sid=70028
>>>>>>> give us?
>>>>>>> Steve
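The two checks the thread asks for, tracing a uid in the 70001-80000 range back to an AD name and then giving that object an explicit uidNumber/gidNumber, as an added shell example that is not part of this thread. The DN, the chosen id 10028 and the sam.ldb path are constructed placeholders; the range is the one Rowland quotes above.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Range quoted in the thread as winbind's allocated ('builtin') range.
RANGE_LO=70001
RANGE_HI=80000

# Return 0 when a Unix id was allocated by winbind rather than stored in AD.
# Such ids are not stable across hosts, which is why file ACLs break.
in_alloc_range() {
    id="$1"
    [ "$id" -ge "$RANGE_LO" ] && [ "$id" -le "$RANGE_HI" ]
}

# Resolve uid -> SID -> DOMAIN\name with winbind, the steps Steve asks for.
# Only runs where wbinfo is installed; returns 1 (prints nothing) otherwise.
resolve_uid() {
    command -v wbinfo >/dev/null 2>&1 || return 1
    sid=$(wbinfo --uid-to-sid="$1") || return 1
    wbinfo --sid-to-name="$sid"
}

# Emit the LDIF modify record that adds uidNumber (users) or gidNumber
# (groups) to an AD object. Apply on the DC with, for example:
#   ldbmodify -H /usr/local/samba/private/sam.ldb ids.ldif   (path assumed)
make_idnumber_ldif() {
    dn="$1"; attr="$2"; value="$3"
    printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n' \
        "$dn" "$attr" "$attr" "$value"
}

# Demonstration with constructed values: the uid from the thread and a
# placeholder DN for the user 'ute'.
if in_alloc_range 70028; then
    resolve_uid 70028 || echo "wbinfo not available here; skipping lookup"
    make_idnumber_ldif "CN=ute,CN=Users,DC=example,DC=lan" uidNumber 10028
fi
```

Pick the new uidNumber/gidNumber values from a range outside the one winbind allocates, and keep them identical on every member server so the ACLs on the share resolve to the same accounts everywhere.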
