[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 5 06:44:23 MDT 2014


Thanks, Rowland. The one here at my office is very similar to yours. 
I'll worry about that later today.

As to the two suggesting an older version or different location of TDB 
files, not possible. This is a brand-new server running XenServer with 
all three VMs running on it. DC01, PS01, and FS01 are ALL on the same 
physical hardware. On top of that, when I rebuild, I use the exact same 
parameters every time to avoid issues. My configuration command is 
listed below. This exact parameter is used every single time I update S4.

./configure --enable-fhs --prefix=/usr --localstatedir=/var --sysconfdir=/etc

Now, the "idmap = ad" thing is in the guide. I followed the guide, but 
none of these parameters are documented or commented so I am completely 
lost as to what they do. I just follow the guide and expect it to work, 
which it has until this one case. Comments in the configuration files 
would REALLY help me understand this stuff more. I still have no clue 
what 75% of the configuration does.

Either way, I just want to share files with AD groups. If this is the 
wrong way, what is the right way? Again, my config is STRAIGHT from the 
guide.

On 08/05/2014 04:31 AM, Rowland Penny wrote:
> On 05/08/14 00:11, Ryan Ashley wrote:
>> DHCP Configuration:
>> ==================
>> ddns-update-style none;
>> option domain-name "truevine.lan";
>> option domain-name-servers 172.16.0.1,172.16.0.2;
>> default-lease-time 600;
>> max-lease-time 7200;
>> authoritative;
>> log-facility local7;
>> subnet 172.16.0.0 netmask 255.255.252.0 {
>>   range 172.16.2.1 172.16.2.100;
>>   option routers 172.16.0.254;
>>   option broadcast-address 172.16.3.255;
>> }
>>
>> And I just realized I never finished setting up DNS updates. Well 
>> that explains the reverse-DNS issue. I can handle that as I have it 
>> working at my office (S4 DC, Win 7 clients) and that will fix the 
>> reverse-lookup issue.
>> Now how are you proposing I assign ID numbers to groups? I have NEVER 
>> had to or actually done that in the Windows world, and have not had 
>> to do it since I started using S4 two years ago. Also, will assigning 
>> ID numbers break all the other things on my network? I have four 
>> storage devices joined to the domain using AD authentication for file 
>> shares and they work fine. I do not want to break everything for this 
>> if possible.
>>
> Here is my working dhcpd.conf:
>
> default-lease-time 14400;
> max-lease-time 14400;
> authoritative;
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
>    range 192.168.0.21 192.168.0.229;
>    option subnet-mask 255.255.255.0;
>    option broadcast-address 192.168.0.255;
>    option time-offset 0;
>    option routers 192.168.0.1;
>    option domain-name "example.com";
>    option domain-name-servers 192.168.0.5;
>    option domain-search "example.com";
>    option netbios-name-servers 192.168.0.5;
>    option ntp-servers 192.168.0.5;
> }
>
> on commit {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>   set ClientName = pick-first-value(option host-name, config-option-host-name, client-name);
>   log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
>   execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
> }
>
> on release {
>   set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>   set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>   log(concat("Release: IP: ", ClientIP));
>   execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
> }
>
> Notice any differences ???
>
> Are you by any chance using the un-recommended Bind9 flat file backend ?
>
> Rowland
>
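Added illustration, not part of this thread and not Samba project code: with `idmap config DOMAIN : backend = ad`, winbind only resolves users and groups that carry RFC2307 attributes (`uidNumber` / `gidNumber`) inside the configured idmap range, so a group without a `gidNumber` cannot be mapped on the file server and an ACL granting it access ends in "Access denied". The script below parses LDIF such as `ldbsearch` prints (the `sam.ldb` path, the `ldbsearch` invocation and the `10000-999999` range are assumptions, and the LDIF sample is constructed) and lists groups that are missing `gidNumber` or whose `gidNumber` lies outside the range.

```python
"""Report AD groups that winbind's 'idmap = ad' backend cannot map.

Assumed input (not from the thread): LDIF produced by
  ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' \
      sAMAccountName gidNumber
Assumed smb.conf setting: idmap config DOMAIN : range = 10000-999999
"""
import base64
import sys

# Constructed sample in ldbsearch's LDIF style: one mapped group, one group
# with no gidNumber, and one whose gidNumber (513) lies outside the range.
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Users
gidNumber: 10000

# record 2
dn: CN=File Share Users,CN=Users,
 DC=example,DC=lan
sAMAccountName: File Share Users

# record 3
dn: CN=Legacy Staff,CN=Users,DC=example,DC=lan
sAMAccountName:: TGVnYWN5IFN0YWZm
gidNumber: 513

# returned 3 records
"""


def parse_ldif(text):
    """Parse LDIF into a list of records, each {attr_lowercase: [values]}.

    Handles folded lines (a continuation line starts with one space),
    comment lines ('#') and base64 values ('attr:: <base64>').
    """
    # Unfold continuation lines onto their predecessor first.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    records, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        records.append(current)
    return records


def parse_range(spec):
    """Turn an smb.conf idmap range such as '10000-999999' into (lo, hi)."""
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def check_groups(records, id_range):
    """Classify each group as ok, missing (no gidNumber) or out_of_range."""
    lo, hi = id_range
    result = {"ok": [], "missing": [], "out_of_range": []}
    for rec in records:
        name = rec.get("samaccountname", rec.get("dn", ["?"]))[0]
        gids = rec.get("gidnumber")
        if not gids:
            result["missing"].append(name)
        elif lo <= int(gids[0]) <= hi:
            result["ok"].append(name)
        else:
            result["out_of_range"].append(name)
    return result


if __name__ == "__main__":
    # Read real ldbsearch output from stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    report = check_groups(parse_ldif(text), parse_range("10000-999999"))
    for kind in ("missing", "out_of_range"):
        for name in report[kind]:
            print(f"{kind}: {name}")
```

Groups reported as `missing` or `out_of_range` are the ones to give a `gidNumber` inside the idmap range (or, for the range case, to widen the range for) before winbind on the file server can honour ACL entries that name them.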



More information about the samba mailing list