[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Mon Aug 4 13:31:34 MDT 2014


On 04/08/14 20:23, Davor Vusir wrote:
> 2014-08-04 20:24 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>> DC Config:
>> =======
>> # Global parameters
>> [global]
>>          workgroup = TRUEVINE
>>          realm = TRUEVINE.LAN
>>          netbios name = DC01
>>          server role = active directory domain controller
>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>> winbi$
>>          idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/truevine.lan/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>>
>>
>> Print-Server Config:
>> ============
>> [global]
>>    netbios name = ps01
>>    workgroup = TRUEVINE
>>    security = ADS
>>
>>    realm = TRUEVINE.LAN
>>    encrypt passwords = yes
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 70001-80000
>>    idmap config SAMDOM:backend = ad
>>    idmap config SAMDOM:schema_mode = rfc2307
>>    idmap config SAMDOM:range = 500-40000
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>
>>    auth methods = winbind
>>    rpc_server:spoolss = external
>>    rpc_daemon:spoolssd = fork
>>    spoolss: architecture = Windows x64
>>
>> [printers]
>>    path = /var/spool/samba
>>    printable = yes
>>    printing = CUPS
>>
>> [print$]
>>    path = /srv/samba/printer_drivers
>>    comment = Printer drivers
>>    writeable = yes
>>
>> [Xerox7545]
>>    path = /var/spool/samba
>>    browseable = yes
>>    printable = yes
>>    printer name = Xerox_WC_7545
>>
>>
>>
>> File-Server Config:
>> ===========
>>
>> [global]
>>    netbios name = FS01
>>    workgroup = TRUEVINE
>>    security = ADS
>>    realm = TRUEVINE.LAN
>>    encrypt passwords = yes
>>
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>
> I think you get the 70xxx numbers and access denied because you are
> using "secrets and keytab". Change to "system keytab". See also
> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#KERBEROSMETHOD
>
> Regards
> Davor
>
>

I doubt it, I have exactly the same line in smb.conf and this is from a 
demo share:

getfacl /home/Demo
getfacl: Removing leading '/' from absolute path names
# file: home/Demo
# owner: rowland
# group: Domain\040Users
user::rwx
user:root:rwx
user:rowland:rwx
group::r-x
group:root:r-x
group:Domain\040Users:r-x
mask::rwx
other::r-x
default:user::rwx
default:user:root:rwx
default:user:rowland:rwx
default:group::rwx
default:group:root:rwx
default:group:Domain\040Users:rwx
default:mask::rwx
default:other::r-x

No ID numbers there ;-)

Rowland
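
The getfacl check above can be scripted. This is an added example, not code from the thread: it lists ACL entries that getfacl printed as bare numbers instead of names and reports which `idmap config` range each number falls in. The idmap lines are the ones from the quoted print-server config; the getfacl sample and all function names are constructed for illustration.

```python
import re

# The idmap lines from the print-server config quoted above.
SMB_CONF = """\
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 500-40000
"""

# Constructed getfacl output: some entries resolved to names, some left as bare IDs.
GETFACL = """\
# file: srv/share
# owner: 70001
# group: Domain\\040Users
user::rwx
user:70002:rwx
user:rowland:rwx
group:Domain\\040Users:r-x
default:user:70002:rwx
mask::rwx
other::r-x
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
HEADER_RE = re.compile(r"#\s*(owner|group):\s*(\d+)\s*$")
ENTRY_RE = re.compile(r"(?:default:)?(user|group):(\d+):[rwx-]{3}")

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in RANGE_RE.finditer(conf)}

def unresolved_ids(acl_text):
    """Return sorted (kind, id) pairs where getfacl printed a number, not a name."""
    found = set()
    for line in acl_text.splitlines():
        m = HEADER_RE.match(line) or ENTRY_RE.match(line)
        if m:
            kind = "user" if m.group(1) == "owner" else m.group(1)
            found.add((kind, int(m.group(2))))
    return sorted(found)

def report(conf, acl_text):
    """Attach to each unresolved ID the idmap domain whose range contains it."""
    ranges = idmap_ranges(conf)
    def owner(xid):
        return next((d for d, (lo, hi) in ranges.items() if lo <= xid <= hi), None)
    return [(kind, xid, owner(xid)) for kind, xid in unresolved_ids(acl_text)]

if __name__ == "__main__":
    for kind, xid, dom in report(SMB_CONF, GETFACL):
        print(f"{kind} {xid}: unresolved, falls in idmap range of {dom!r}")
```
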


