[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Aug 5 07:20:57 MDT 2014


On 05/08/14 13:44, Ryan Ashley wrote:
> Thanks, Rowland. The one here at my office is very similar to yours. 
> I'll worry about that later today.
>
> As to the two suggesting an older version or different location of TDB 
> files, not possible. This is a brand-new server running XenServer with 
> all three VMs running on it. DC01, PS01, and FS01 are ALL on the same 
> physical hardware. On top of that, when I rebuild, I use the exact 
> same parameters every time to avoid issues. My configuration command 
> is listed below. This exact parameter is used every single time I 
> update S4.

Can I suggest that, as you are using Wheezy, you either use samba4 from 
backports (this gets you 4.1.9) or use the sernet packages; this will 
put samba into the standard directories that most people are using now.

>
> ./configure --enable-fhs --prefix=/usr --localstatedir=/var 
> --sysconfdir=/etc
>
> Now, the "idmap = ad" thing is in the guide. I followed the guide, but 
> none of these parameters are documented or commented so I am 
> completely lost as to what they do. I just follow the guide and expect 
> it to work, which it has until this one case. Comments in the 
> configuration files would REALLY help me understand this stuff more. I 
> still have no clue what 75% of the configuration does.
>

Welcome to Linux ;-) The software is great but the documentation could 
be better. The best place to start would be on the samba wiki:

https://wiki.samba.org/index.php/Main_Page

You can also read the manpages, to find out what all those lines in 
smb.conf mean: 'man smb.conf'
Or 'package name --help' will give you usage instructions, i.e. 
'samba-tool --help'

Rowland

> Either way, I just want to share files with AD groups. If this is the 
> wrong way, what is the right way? Again, my config is STRAIGHT from 
> the guide.
>
> On 08/05/2014 04:31 AM, Rowland Penny wrote:
>> On 05/08/14 00:11, Ryan Ashley wrote:
>>> DHCP Configuration:
>>> ==================
>>> ddns-update-style none;
>>> option domain-name "truevine.lan";
>>> option domain-name-servers 172.16.0.1,172.16.0.2;
>>> default-lease-time 600;
>>> max-lease-time 7200;
>>> authoritative;
>>> log-facility local7;
>>> subnet 172.16.0.0 netmask 255.255.252.0 {
>>>   range 172.16.2.1 172.16.2.100;
>>>   option routers 172.16.0.254;
>>>   option broadcast-address 172.16.3.255;
>>> }
>>>
>>> And I just realized I never finished setting up DNS updates. Well 
>>> that explains the reverse-DNS issue. I can handle that as I have it 
>>> working at my office (S4 DC, Win 7 clients) and that will fix the 
>>> reverse-lookup issue.
>>> Now how are you proposing I assign ID numbers to groups? I have 
>>> NEVER had to or actually done that in the Windows world, and have 
>>> not had to do it since I started using S4 two years ago. Also, will 
>>> assigning ID numbers break all the other things on my network? I 
>>> have four storage devices joined to the domain using AD 
>>> authentication for file shares and they work fine. I do not want to 
>>> break everything for this if possible.
>>>
>> Here is my working dhcpd.conf:
>>
>> default-lease-time 14400;
>> max-lease-time 14400;
>> authoritative;
>>
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>    range 192.168.0.21 192.168.0.229;
>>    option subnet-mask 255.255.255.0;
>>    option broadcast-address 192.168.0.255;
>>    option time-offset 0;
>>    option routers 192.168.0.1;
>>    option domain-name "example.com";
>>    option domain-name-servers 192.168.0.5;
>>    option domain-search "example.com";
>>    option netbios-name-servers 192.168.0.5;
>>    option ntp-servers 192.168.0.5;
>> }
>>
>> on commit {
>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>> set ClientName = pick-first-value(option host-name, 
>> config-option-host-name, client-name);
>> log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: 
>> ", ClientName));
>> execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, 
>> ClientDHCID, ClientName);
>> }
>>
>> on release {
>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>> log(concat("Release: IP: ", ClientIP));
>> execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, 
>> ClientDHCID);
>> }
>>
>> Notice any differences ???
>>
>> Are you by any chance using the un-recommended Bind9 flat file backend ?
>>
>> Rowland
>>
>
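The quoted dhcpd.conf hands each lease event to /usr/local/sbin/dhcp-dyndns.sh as "add" or "delete" with the IP, the client's MAC and the client-supplied name, but the script itself is not shown in the thread. As an added example (not Rowland's script), the Python below does the part a defender cares about: it rejects a malformed IP or a hostname that is not a single RFC 1123 label (option host-name comes from the client, so it must not be passed to nsupdate unchecked) and then builds the nsupdate commands for the forward A record and the reverse PTR record. The zone name "example.com" and the TTL are assumptions; the DHCID argument is accepted but not used here.

```python
import ipaddress
import re

# One RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen, max 63 chars.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name: str) -> bool:
    """Accept only a single label; anything with dots, spaces or nsupdate
    keywords (all possible in a client-chosen option host-name) is refused."""
    return bool(name) and _LABEL_RE.match(name) is not None


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address, e.g. 192.168.0.21 -> 21.0.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def build_nsupdate(action: str, ip: str, dhcid: str, name: str,
                   zone: str = "example.com", ttl: int = 3600) -> list:
    """Return the nsupdate command lines for an 'add' or 'delete' lease event,
    the two actions dhcpd passes to the hook in the quoted config.
    zone and ttl are assumed values; dhcid is accepted for parity with the hook
    arguments but not used in the records built here."""
    ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not a dotted quad
    if not valid_hostname(name):
        raise ValueError(f"refusing client-supplied hostname {name!r}")
    fqdn = f"{name.lower()}.{zone}."
    ptr = reverse_name(ip)
    if action == "add":
        # Replace any stale record for this name/address, then add the new ones.
        return [
            f"update delete {fqdn} A",
            f"update add {fqdn} {ttl} A {ip}",
            "send",
            f"update delete {ptr} PTR",
            f"update add {ptr} {ttl} PTR {fqdn}",
            "send",
        ]
    if action == "delete":
        return [f"update delete {fqdn} A", "send",
                f"update delete {ptr} PTR", "send"]
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Constructed sample event matching the quoted "on commit" log line.
    for line in build_nsupdate("add", "192.168.0.21", "00:11:22:33:44:55", "pc01"):
        print(line)
```

The returned lines are what the hook would feed to nsupdate's stdin (with a TSIG or GSS-TSIG key as appropriate for the DNS backend in use).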


