[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Mon Aug 4 17:11:20 MDT 2014

DHCP Configuration:
ddns-update-style none;
option domain-name "truevine.lan";
option domain-name-servers,;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet netmask {
   option routers;
   option broadcast-address;

And I just realized I never finished setting up DNS updates. Well that 
explains the reverse-DNS issue. I can handle that as I have it working 
at my office (S4 DC, Win 7 clients) and that will fix the reverse-lookup 
Now how are you proposing I assign ID numbers to groups? I have NEVER 
had to or actually done that in the Windows world, and have not had to 
do it since I started using S4 two years ago. Also, will assigning ID 
numbers break all the other things on my network? I have four storage 
devices joined to the domain using AD authentication for file shares and 
they work fine. I do not want to break everything for this if possible.

On 8/4/2014 3:22 PM, Rowland Penny wrote:
> On 04/08/14 20:12, Ryan Ashley wrote:
>> I forgot to mention, I am running BIND9. I created the reverse zones 
>> in AD using the snap-in on a Windows 7 Pro 64bit system. DHCP does 
>> update DNS, but the reverse zones are always ignored, at all 
>> locations. I also forgot to mention that all three systems are 
>> running 4.1.10 stable. They were running 4.2.0 pre something.
> Please post dhcpd.conf from your samba4 AD DC, the setup works with 
> bind9.9 and dhcp, but it must be correctly set up.
>> How do I give these groups uID or gID numbers? Are you suggesting I 
>> create them on the Linux box?
> Probably easiest if you the windows RSAT tools (ADUC) on a windows 
> machine, but then again you should already be doing this seeing as how 
> you are using the winbind ad idmap backend.
> Rowland
>> Finally, the DN should not matter since it affects all users, and 
>> that is a LOT of typing for ever domain user. If it is required I 
>> will do it, but since only the domain admin can do this, it seems as 
>> though a user's DN is irrelevant. If it was some users and not 
>> others, I'd have already checked the groups, DN, etc.
>> On 08/04/2014 02:58 PM, Rowland Penny wrote:
>>> On 04/08/14 19:24, Ryan Ashley wrote:
>>> Funny that, the reverse-dns zone never working with S4, that is. It 
>>> works for me and has been doing for quite some time, but you never 
>>> answered how you are running the dns & dhcp, are you using the 
>>> internal dns server or bind9 ? how are you getting dhcp to update dns ?
>>> The ID numbers that you have posted are in the 'builtin' range 
>>> '70001-80000', probably the best way out of your problem is to trace 
>>> the users & groups that these numbers match and then give them 
>>> uidNumber's & gidNumber's.
>>> DN stands for distinguished name, for instance, the DN of 
>>> Administrator on your AD DC will be 
>>> CN=Administrator,CN=User,DC=truevine,DC=lan
>>> truevine.lan is NOT the FQDN, that would be DC01.truevine.lan for 
>>> instance, truevine.lan is the domain name or kerberos realm.
>>> Haven't a clue what 'ute' is, perhaps Steve does ??
>>> Rowland
>>>> On 08/03/2014 02:55 AM, steve wrote:
>>>>> On Sun, 2014-08-03 at 00:19 -0400, Ryan Ashley wrote:
>>>>>> I am still trying to get this to work. Is S4 incapable of being a
>>>>>> file-server as a member server? I run ONLY DNS and DHCP on my AD DC
>>>>>> servers. I have a dedicated S4 print server that appears to work
>>>>>> perfectly, but sharing files is critical and I have now been down 
>>>>>> for
>>>>>> three weeks. Winbind resolves users and groups, everything looks 
>>>>>> good, I
>>>>>> have tried what has been suggested before, but now I am becoming
>>>>>> desperate. The system cannot find this "idmap ad" backend. What 
>>>>>> in the
>>>>>> heck is it and how do I get it or build it? Everything is working 
>>>>>> except
>>>>>> this basic functionality which is REALLY need!
>>>>> OK. Time to summarise.
>>>>> smb.conf on DC
>>>>> samba version on DC
>>>>> samba version on working print server
>>>>> smb.conf on working print server
>>>>> the DN of the user who trips the 'idmap ad' error (ute)
>>>>> host <hostname of DC>
>>>>> host <hostname of print server>
>>>>> host <ip of DC>
>>>>> host <ip of print server>
>>>>> getent passwd ute
>>>>> groups ute
>>>>> getfacl <path to share where ute is accessing>
>>>>> /etc/fstab
>>>>> With that we stand a chance.
>>>>> Cheers,
>>>>> Steve
>>>>>> On 7/31/2014 12:04 PM, Ryan Ashley wrote:
>>>>>>> I made a strange discovery this morning. If I attempt to map the 
>>>>>>> drive
>>>>>>> using the server's IP address, I get invalid password. If I 
>>>>>>> attempt to
>>>>>>> map it using the hostname, it flat out denies access.
>>>>>>> C:\Users\reach_support>net use s: \\\staff$ 
>>>>>>> /persistent:no
>>>>>>> Enter the user name for '': reach_support
>>>>>>> Enter the password for
>>>>>>> System error 86 has occurred.
>>>>>>> The specified network password is not correct.
>>>>>>> C:\Users\reach_support>net use s: \\fs01\staff$ /persistent:no
>>>>>>> Enter the user name for 'fs01': reach_support
>>>>>>> Enter the password for fs01:
>>>>>>> System error 5 has occurred.
>>>>>>> Access is denied.
>>>>>>> C:\Users\reach_support>
>>>>>>> This REALLY looks like an S4 bug to me. Why would it give different
>>>>>>> errors if using a hostname versus the static IP? The hostname 
>>>>>>> simply
>>>>>>> resolves to the IP anyway. Is there anything we can do now?
>>>>>>> On 07/30/2014 10:18 AM, Ryan Ashley wrote:
>>>>>>>> Sorry for the delay. I am in eastern time and have been busy with
>>>>>>>> another project. I cannot convert that ID to SID. In Windows 
>>>>>>>> however,
>>>>>>>> this shows as "SYSTEM". How do I know? Simple, there are only 
>>>>>>>> three
>>>>>>>> things listed. Those are "Domain Admins", "Administration", and
>>>>>>>> "SYSTEM". Also, what do you mean by "ntadmins" being local? I have
>>>>>>>> added no groups to the Linux systems, so if you're asking if it 
>>>>>>>> is a
>>>>>>>> local group on the Linux box, no it is not. I can remove the 
>>>>>>>> SYSTEM
>>>>>>>> account from the share if needed, but it is on all Windows 
>>>>>>>> shares as
>>>>>>>> well and causes no issues.
>>>>>>>> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>>>> Could not convert uid 70028 to sid
>>>>>>>> On 7/30/2014 6:01 AM, steve wrote:
>>>>>>>>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>>>>>>>>> On 29/07/14 18:42, steve wrote:
>>>>>>>>>> Hi Steve, how about bug 10508 ??
>>>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>>>>>>>> Rowland
>>>>>>>>> Hi Rowland,
>>>>>>>>> Yes, it looks possible.
>>>>>>>>> Could OP tell us if his ntadmins is local to /etc/group? Also, 
>>>>>>>>> the what
>>>>>>>>> does:
>>>>>>>>>    wbinfo --uid-to-sid=70028
>>>>>>>>> give us?
>>>>>>>>> Steve

More information about the samba mailing list