[Samba] Samba 4 AD share: Access denied

steve steve at steve-ss.com
Tue Aug 5 06:56:52 MDT 2014


On Tue, 2014-08-05 at 08:44 -0400, Ryan Ashley wrote:
> Thanks, Rowland. The one here at my office is very similar to yours. 
> I'll worry about that later today.
> 
> As to the two suggesting an older version or different location of TDB 
> files, not possible. This is a brand-new server running XenServer with 
> all three VMs running on it. DC01, PS01, and FS01 are ALL on the same 
> physical hardware. On top of that, when I rebuild, I use the exact same 
> parameters every time to avoid issues. My configuration command is 
> listed below. This exact parameter is used every single time I update S4.
> 
> ./configure --enable-fhs --prefix=/usr --localstatedir=/var 
> --sysconfdir=/etc

What distribution did you install on the VMs? It is rare that a Linux
distribution will not install Samba.
> 
> Now, the "idmap = ad" thing is in the guide. I followed the guide, but 
> none of these parameters are documented or commented so I am completely 
> lost as to what they do. I just follow the guide and expect it to work, 
> which it has until this one case. Comments in the configuration files 
> would REALLY help me understand this stuff more. I still have no clue 
> what 75% of the configuration does.

It assumes you know about it. Linux documentation nearly always does.
All it means is that you will need to add a minimum of gidNumber to the
groups you wish your users to be members of. Then a minimum of uidNumber
to the users. You can do that when you create the users but you need
ldbmodify on the DC itself for the groups. Apart from that, the guide is
more or less complete. If you want full documentation, you will have to
go with Microsoft.
HTH,
Steve


> 
> Either way, I just want to share files with AD groups. If this is the 
> wrong way, what is the right way? Again, my config is STRAIGHT from the 
> guide.
> 
> On 08/05/2014 04:31 AM, Rowland Penny wrote:
> > On 05/08/14 00:11, Ryan Ashley wrote:
> >> DHCP Configuration:
> >> ==================
> >> ddns-update-style none;
> >> option domain-name "truevine.lan";
> >> option domain-name-servers 172.16.0.1,172.16.0.2;
> >> default-lease-time 600;
> >> max-lease-time 7200;
> >> authoritative;
> >> log-facility local7;
> >> subnet 172.16.0.0 netmask 255.255.252.0 {
> >>   range 172.16.2.1 172.16.2.100;
> >>   option routers 172.16.0.254;
> >>   option broadcast-address 172.16.3.255;
> >> }
> >>
> >> And I just realized I never finished setting up DNS updates. Well 
> >> that explains the reverse-DNS issue. I can handle that as I have it 
> >> working at my office (S4 DC, Win 7 clients) and that will fix the 
> >> reverse-lookup issue.
> >> Now how are you proposing I assign ID numbers to groups? I have NEVER 
> >> had to or actually done that in the Windows world, and have not had 
> >> to do it since I started using S4 two years ago. Also, will assigning 
> >> ID numbers break all the other things on my network? I have four 
> >> storage devices joined to the domain using AD authentication for file 
> >> shares and they work fine. I do not want to break everything for this 
> >> if possible.
> >>
> > Here is my working dhcpd.conf:
> >
> > default-lease-time 14400;
> > max-lease-time 14400;
> > authoritative;
> >
> > subnet 192.168.0.0 netmask 255.255.255.0 {
> >    range 192.168.0.21 192.168.0.229;
> >    option subnet-mask 255.255.255.0;
> >    option broadcast-address 192.168.0.255;
> >    option time-offset 0;
> >    option routers 192.168.0.1;
> >    option domain-name "example.com";
> >    option domain-name-servers 192.168.0.5;
> >    option domain-search "example.com";
> >    option netbios-name-servers 192.168.0.5;
> >    option ntp-servers 192.168.0.5;
> > }
> >
> > on commit {
> > set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
> > set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
> > set ClientName = pick-first-value(option host-name, 
> > config-option-host-name, client-name);
> > log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: 
> > ", ClientName));
> > execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, 
> > ClientDHCID, ClientName);
> > }
> >
> > on release {
> > set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
> > set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
> > log(concat("Release: IP: ", ClientIP));
> > execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, 
> > ClientDHCID);
> > }
> >
> > Notice any differences ???
> >
> > Are you by any chance using the un-recommended Bind9 flat file backend ?
> >
> > Rowland
> >
> 
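As an added illustration of Steve's point above (not code from the thread or from the Samba project): with the `ad` idmap backend, a member server can only map a domain user or group to a Unix ID when the object carries a uidNumber (users) or gidNumber (groups), and a missing attribute shows up on the share as "Access denied". The script below audits an LDIF dump for those attributes and writes the `changetype: modify` LDIF that ldbmodify would apply on the DC. The export command in the comment (ldbsearch against sam.ldb) and the sample records are assumptions and constructed data, not from the page.

```python
import base64

# Constructed sample in the shape of an ldbsearch LDIF dump (not real directory
# data). The assumed export command, run on the DC, is something like:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=group)' sAMAccountName gidNumber
SAMPLE_GROUPS = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

# record 2
dn: CN=FileShareUsers,CN=Users,DC=example,DC=com
sAMAccountName: FileShareUsers

# record 3
dn: CN=Accounting,OU=Groups,DC=example,DC=com
sAMAccountName: Accounting

# returned 3 records
"""

# Same shape for users (constructed); the attribute that matters here is uidNumber.
SAMPLE_USERS = """\
dn: CN=Ryan,CN=Users,DC=example,DC=com
sAMAccountName: ryan
uidNumber: 10000

dn: CN=Steve,CN=Users,DC=example,DC=com
sAMAccountName: steve
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Unfolds continuation lines, skips '#' comments, decodes 'attr:: base64'."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(ldif_text, attr, floor):
    """Return [(dn, new_id)] for every record lacking attr. New IDs start just
    above both floor and the highest value already in use, so nothing collides."""
    entries = parse_ldif(ldif_text)
    in_use = [int(v) for e in entries for v in e.get(attr, [])]
    next_id = max(in_use + [floor - 1]) + 1
    missing = [e["dn"][0] for e in entries if "dn" in e and attr not in e]
    return [(dn, next_id + i) for i, dn in enumerate(missing)]


def to_ldif(assignments, attr):
    """Render the assignments as a 'changetype: modify' LDIF for ldbmodify."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {num}\n"
        for dn, num in assignments
    )


if __name__ == "__main__":
    for label, text, attr in (("groups", SAMPLE_GROUPS, "gidNumber"),
                              ("users", SAMPLE_USERS, "uidNumber")):
        fixes = audit(text, attr, floor=10000)
        print(f"# {label}: {len(fixes)} record(s) missing {attr}")
        print(to_ldif(fixes, attr))
```

The generated LDIF is meant to be reviewed and then applied on the DC (assumed invocation: `ldbmodify -H /var/lib/samba/private/sam.ldb fix.ldif`). One caveat that the thread does not spell out: the numbers you hand out must fall inside the `idmap config DOMAIN : range` set on the member server, otherwise winbind still refuses the mapping and the share still denies access.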