[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 5 11:17:38 MDT 2014

The way that sounds, the "file server" guide is incomplete, because 
nowhere does it mention any of what you're telling me. I also have 
little trouble finding good documentation on every Linux product I use. 
S4 is the one big exception, but with the guides, it eliminates some of 
that need. I do not buy the whole argument of using Windows for 
documentation, because 90% of their documentation is rambling crud. When 
you get an error and have an ID, the docs don't have the ID you want, 
you are hosed.

Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the 
latest updates. The stable repos have an OLD version of S4, and I do not 
mind building it myself anyway.

Finally, you have told me I need this and that, but no direction is 
noted. How do I assign this stuff and why does this ONE system need it 
when all the others don't? I would also believe that if I MUST assign 
IDs to make file-sharing work, that my other setups (dozens of them) 
would be long broken by now since I have never done it in the past. I 
also know that even removing and rejoining the domain results in the 
exact same IDs for those directories in my shared directory. That tells 
me somehow the IDs resolve the same.

My guess here, is that you're telling me I need to assign these IDs so 
winbind does not have to resolve them. In other words, when a user 
accesses the share, the ID is associated with the group and it sends 
that along with the request, which even the Linux stuff can understand 
(ie: ID 4000 can access a directory owned by ID 4000). Am I correct here?

Oh and Rowland, I have been using Linux since before 2000. This is the 
only major issue I have EVER encountered where a standard setup working 
in dozens of locations is failing in this one. We deploy Linux as often 
as Windows here, and we have become GOOD at using and working with it. 
We use Debian, naturally.

On 08/05/2014 08:56 AM, steve wrote:
> On Tue, 2014-08-05 at 08:44 -0400, Ryan Ashley wrote:
>> Thanks, Rowland. The one here at my office is very similar to yours.
>> I'll worry about that later today.
>> As to the two suggesting an older version or different location of TDB
>> files, not possible. This is a brand-new server running XenServer with
>> all three VMs running on it. DC01, PS01, and FS01 are ALL on the same
>> physical hardware. On top of that, when I rebuild, I use the exact same
>> parameters every time to avoid issues. My configuration command is
>> listed below. This exact parameter is used every single time I update S4.
>> ./configure --enable-fhs --prefix=/usr --localstatedir=/var
>> --sysconfdir=/etc
> What distribution did you install on the VMs? It is rare that a Linux
> disribution will not install samba.
>> Now, the "idmap = ad" thing is in the guide. I followed the guide, but
>> none of these parameters are documented or commented so I am completely
>> lost as to what they do. I just follow the guide and expect it to work,
>> which it has until this one case. Comments in the configuration files
>> would REALLY help me understand this stuff more. I still have no clue
>> what 75% of the configuration does.
> It assumes you know about it. Linux documentation nearly always does.
> All it means is that you will need to add a minimum of gidNumber to the
> groups you wish your users to be members of. Then a minimum of uidNumber
> to the users. You can do that when you create the users but you need
> ldbmodify on the DC itself for the groups. Apart from that, the guide is
> more or less complete. If you want full documentation, you will have to
> go with microsoft.
> HTH,
> Steve
>> Either way, I just want to share files with AD groups. If this is the
>> wrong way, what is the right way? Again, my config is STRAIGHT from the
>> guide.
>> On 08/05/2014 04:31 AM, Rowland Penny wrote:
>>> On 05/08/14 00:11, Ryan Ashley wrote:
>>>> DHCP Configuration:
>>>> ==================
>>>> ddns-update-style none;
>>>> option domain-name "truevine.lan";
>>>> option domain-name-servers,;
>>>> default-lease-time 600;
>>>> max-lease-time 7200;
>>>> authoritative;
>>>> log-facility local7;
>>>> subnet netmask {
>>>>    range;
>>>>    option routers;
>>>>    option broadcast-address;
>>>> }
>>>> And I just realized I never finished setting up DNS updates. Well
>>>> that explains the reverse-DNS issue. I can handle that as I have it
>>>> working at my office (S4 DC, Win 7 clients) and that will fix the
>>>> reverse-lookup issue.
>>>> Now how are you proposing I assign ID numbers to groups? I have NEVER
>>>> had to or actually done that in the Windows world, and have not had
>>>> to do it since I started using S4 two years ago. Also, will assigning
>>>> ID numbers break all the other things on my network? I have four
>>>> storage devices joined to the domain using AD authentication for file
>>>> shares and they work fine. I do not want to break everything for this
>>>> if possible.
>>> Here is my working dhcpd.conf:
>>> default-lease-time 14400;
>>> max-lease-time 14400;
>>> authoritative;
>>> subnet netmask {
>>>     range;
>>>     option subnet-mask;
>>>     option broadcast-address;
>>>     option time-offset 0;
>>>     option routers;
>>>     option domain-name "example.com";
>>>     option domain-name-servers;
>>>     option domain-search "example.com";
>>>     option netbios-name-servers;
>>>     option ntp-servers;
>>> }
>>> on commit {
>>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>> set ClientName = pick-first-value(option host-name,
>>> config-option-host-name, client-name);
>>> log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name:
>>> ", ClientName));
>>> execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP,
>>> ClientDHCID, ClientName);
>>> }
>>> on release {
>>> set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>>> set ClientDHCID = binary-to-ascii(16, 8, ":", hardware);
>>> log(concat("Release: IP: ", ClientIP));
>>> execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP,
>>> ClientDHCID);
>>> }
>>> Notice any differences ???
>>> Are you by any chance using the un-recomended Bind9 flat file backend ?
>>> Rowland

More information about the samba mailing list