[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Aug 5 11:50:40 MDT 2014

On 05/08/14 18:17, Ryan Ashley wrote:
> The way that sounds, the "file server" guide is incomplete, because 
> nowhere does it mention any of what you're telling me. I also have 
> little trouble finding good documentation on every Linux product I 
> use. S4 is the one big exception, but with the guides, it eliminates 
> some of that need. I do not buy the whole argument of using Windows 
> for documentation, because 90% of their documentation is rambling 
> crud. When you get an error and have an ID, the docs don't have the ID 
> you want, so you are hosed.
> Again, I am running Debian Wheezy 7.5 64-bit under XenServer 6.2 with 
> the latest updates. The stable repos have an OLD version of S4, and I 
> do not mind building it myself anyway.

OK, this is your decision. I just pointed out that you can get 4.1.9 
from backports; this works, I know this because it is what I use.

> Finally, you have told me I need this and that, but no direction is 
> noted. How do I assign this stuff and why does this ONE system need it 
> when all the others don't? I would also believe that if I MUST assign 
> IDs to make file-sharing work, that my other setups (dozens of them) 
> would be long broken by now since I have never done it in the past. I 
> also know that even removing and rejoining the domain results in the 
> exact same IDs for those directories in my shared directory. That 
> tells me somehow the IDs resolve the same.
> My guess here is that you're telling me I need to assign these IDs so 
> winbind does not have to resolve them. In other words, when a user 
> accesses the share, the ID is associated with the group and it sends 
> that along with the request, which even the Linux stuff can understand 
> (i.e. ID 4000 can access a directory owned by ID 4000). Am I correct here?

Windows uses SIDs and RIDs; Linux has not got a clue what these mean, 
so you need to use an interpreter, and this is where winbind, sssd etc. come 
in. You can do it two ways (at least): you either take the RID and use 
this to create a user's ID number, or you give your users & groups RFC2307 
numbers. There are pros & cons for both, but for me, using RFC2307 
attributes wins out; using these means that users & groups get correctly 
identified everywhere. Using the RFC2307 attributes is actually the way 
that Windows wants you to connect to Linux, this is why they created 
'Service for NIS'.

> Oh and Rowland, I have been using Linux since before 2000. This is the 
> only major issue I have EVER encountered where a standard setup 
> working in dozens of locations is failing in this one. We deploy Linux 
> as often as Windows here, and we have become GOOD at using and working 
> with it. We use Debian, naturally.

Well, I have been using Linux since well before that, but I must be an 
idiot because I can get Samba4 to work with both Windows & Linux 
clients, along with bind9, dhcp etc. just by reading the documentation 
and surfing the net!

It actually doesn't matter what OS you use, as long as it is a 
maintained recent version, some people swear by Red Hat for instance, 
others just swear at it ;-)
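The two ways of turning a SID into a Unix ID that the reply above contrasts (RID arithmetic on each host versus RFC2307 attributes stored once in AD), as an added illustration that is not code from the thread or from Samba; the domain SID, the ID ranges and the directory entries are constructed for the example.

```python
# Added illustration of the two SID-to-Unix-ID mapping strategies from the
# discussion above. Not Samba's code; the domain SID, ID ranges and AD
# entries below are constructed for the example.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

def parse_rid(sid, domain_sid=DOMAIN_SID):
    """Return the RID, the last sub-authority of a SID in our domain."""
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} does not belong to {domain_sid}")
    return int(sid.rsplit("-", 1)[1])

def idmap_rid(sid, low, high, base_rid=0):
    """Algorithmic mapping in the style of Samba's idmap_rid backend:
    ID = RID - BASE_RID + LOW_RANGE. Deterministic, but the result is
    a function of the range configured on *this* host."""
    uid = parse_rid(sid) - base_rid + low
    if not low <= uid <= high:
        raise ValueError(f"RID maps to {uid}, outside range {low}-{high}")
    return uid

# Constructed AD objects; only the first carries RFC2307 attributes.
AD_ENTRIES = {
    DOMAIN_SID + "-1105": {"sAMAccountName": "ryan", "uidNumber": 10001,
                           "gidNumber": 10000},
    DOMAIN_SID + "-1106": {"sAMAccountName": "svc-backup"},
}

def idmap_rfc2307(sid, entries=AD_ENTRIES):
    """RFC2307 mapping: the Unix ID is stored in AD (uidNumber), so every
    host reads the same value. An account without the attribute has no
    Unix ID at all, which a share then reports as access denied."""
    entry = entries.get(sid)
    if entry is None or "uidNumber" not in entry:
        return None
    return entry["uidNumber"]

def compare_hosts(sid):
    """Resolve one SID on two hosts whose idmap ranges were set differently.
    idmap_rid gives each host a different answer; RFC2307 gives one answer."""
    return {
        "rid_host_a": idmap_rid(sid, low=10000, high=19999),
        "rid_host_b": idmap_rid(sid, low=20000, high=29999),
        "rfc2307": idmap_rfc2307(sid),
    }

if __name__ == "__main__":
    print(compare_hosts(DOMAIN_SID + "-1105"))
```

Running it shows the same user owning files as 11105 on one host and 21105 on the other under the RID scheme, while the RFC2307 lookup returns 10001 everywhere and None for the account that was never given a uidNumber.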
