[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 5 12:07:35 MDT 2014

I provisioned with rfc2307 specified and it is in my domain controller's 
smb.conf. I added the line about using rfc2307 to my print-server and 
file-server. No change though. Is that line only for domain controllers?

Also, I have been all over ADUC looking for the "UNIX Attributes" tab 
but cannot find it. Why won't it show up with an S4 DC provisioned with 
rfc2307? This may be the problem, though so far every ID has been 
perfect and the same across both servers.

On 08/05/2014 01:50 PM, Rowland Penny wrote:
> On 05/08/14 18:17, Ryan Ashley wrote:
>> The way that sounds, the "file server" guide is incomplete, because 
>> nowhere does it mention any of what you're telling me. I also have 
>> little trouble finding good documentation on every Linux product I 
>> use. S4 is the one big exception, but with the guides, it eliminates 
>> some of that need. I do not buy the whole argument of using Windows 
>> for documentation, because 90% of their documentation is rambling 
>> crud. When you get an error and have an ID, the docs don't have the 
>> ID you want, you are hosed.
>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with 
>> the latest updates. The stable repos have an OLD version of S4, and I 
>> do not mind building it myself anyway.
> OK, this is your decision, I just pointed out that you can get 4.1.9 
> from backports, this works, I know this because it is what I use.
>> Finally, you have told me I need this and that, but no direction is 
>> noted. How do I assign this stuff and why does this ONE system need 
>> it when all the others don't? I would also believe that if I MUST 
>> assign IDs to make file-sharing work, that my other setups (dozens of 
>> them) would be long broken by now since I have never done it in the 
>> past. I also know that even removing and rejoining the domain results 
>> in the exact same IDs for those directories in my shared directory. 
>> That tells me somehow the IDs resolve the same.
>> My guess here, is that you're telling me I need to assign these IDs 
>> so winbind does not have to resolve them. In other words, when a user 
>> accesses the share, the ID is associated with the group and it sends 
>> that along with the request, which even the Linux stuff can 
>> understand (i.e. ID 4000 can access a directory owned by ID 4000). Am 
>> I correct here?
> Windows uses SIDs and RIDs, Linux has not got a clue what these 
> mean, so you need to use an interpreter, this is where winbind, sssd 
> etc come in. You can do it two ways (at least), you either take the 
> RID and use this to create a user's ID number or you give your users & 
> groups RFC2307 numbers. There are pros & cons for both, but for me, 
> using RFC2307 attributes wins out, using these means that users & 
> groups get correctly identified everywhere. Using the RFC2307 
> attributes is actually the way that Windows wants you to connect to 
> Linux, this is why they created 'Service for NIS'.
>> Oh and Rowland, I have been using Linux since before 2000. This is 
>> the only major issue I have EVER encountered where a standard setup 
>> working in dozens of locations is failing in this one. We deploy 
>> Linux as often as Windows here, and we have become GOOD at using and 
>> working with it. We use Debian, naturally.
> Well I have been using Linux since well before that, but I must be an 
> idiot because I can get Samba4 to work with both Windows & Linux 
> clients, along with bind9, dhcp etc just by reading the documentation 
> and surfing the net!
> It actually doesn't matter what OS you use, as long as it is a 
> maintained recent version, some people swear by Red Hat for instance, 
> others just swear at it ;-)
> Rowland
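The two mapping strategies Rowland contrasts (IDs derived from the RID versus IDs read from RFC2307 uidNumber/gidNumber attributes) modelled in Python, as an added example that is not part of this thread or of Samba itself. The smb.conf fragments, the domain name EXAMPLE, the SIDs and the uidNumber values are constructed for illustration; the `idmap config` keys and the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) are Samba's own. One caveat a practitioner wants here: `idmap_ldb:use rfc2307 = yes` is a domain-controller setting. A member server such as a file or print server reads the RFC2307 attributes through `idmap config DOMAIN : backend = ad` with `schema_mode = rfc2307`, and a user who has no uidNumber set then gets no Unix ID at all, so ownership and permissions on the share cannot be evaluated for that user.

```python
"""Model of the two winbind ID-mapping strategies discussed above.

Added example, not Samba project code. The smb.conf fragments and the
directory entries below are constructed for illustration.
"""
import configparser
import re

# Constructed member-server smb.conf: Unix IDs derived from the RID.
SMB_CONF_RID = """
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LAN
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""

# Same backend but a different range, e.g. a second member server whose
# smb.conf was not kept in sync with the first (constructed).
SMB_CONF_RID_OTHER_RANGE = SMB_CONF_RID.replace("10000-999999", "20000-999999")

# Constructed member-server smb.conf: Unix IDs read from RFC2307 attributes.
SMB_CONF_AD = """
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LAN
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 10000-999999
winbind nss info = rfc2307
"""

# Constructed directory: sAMAccountName -> (objectSid, uidNumber or None).
# "nouid" has no RFC2307 uidNumber, i.e. nothing filled in under UNIX Attributes.
DIRECTORY = {
    "ryan":  ("S-1-5-21-1111111111-2222222222-3333333333-1105", 10001),
    "nouid": ("S-1-5-21-1111111111-2222222222-3333333333-1200", None),
}

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the relative identifier (last component) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def parse_idmap(conf_text, domain):
    """Read the 'idmap config DOMAIN : key' lines from an smb.conf [global]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"]  # configparser lower-cases keys, lookups do too
    lo, hi = (int(x) for x in g[f"idmap config {domain} : range"].split("-"))
    return {
        "backend": g[f"idmap config {domain} : backend"],
        "schema_mode": g.get(f"idmap config {domain} : schema_mode"),
        "range": (lo, hi),
    }


def map_uid(user, conf_text, domain="EXAMPLE", base_rid=0):
    """Resolve a domain user to a Unix uid the way winbind would, or None."""
    cfg = parse_idmap(conf_text, domain)
    sid, uid_number = DIRECTORY[user]
    lo, hi = cfg["range"]
    if cfg["backend"] == "rid":
        # idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID (BASE_RID defaults to 0)
        uid = rid_of(sid) - base_rid + lo
    elif cfg["backend"] == "ad":
        # idmap_ad: uidNumber comes from the directory; without one, no mapping
        if uid_number is None:
            return None
        uid = uid_number
    else:
        raise ValueError(f"unsupported backend {cfg['backend']!r}")
    # Either way, an ID outside the configured range is rejected.
    return uid if lo <= uid <= hi else None


def same_uid_on_both(user, conf_a, conf_b):
    """True when two member servers agree on the user's uid, which is what
    makes file ownership on a shared directory mean the same thing on both."""
    a, b = map_uid(user, conf_a), map_uid(user, conf_b)
    return a is not None and a == b


if __name__ == "__main__":
    for name in DIRECTORY:
        print(name, "rid:", map_uid(name, SMB_CONF_RID), "ad:", map_uid(name, SMB_CONF_AD))
    print("rid, ranges differ:", same_uid_on_both("ryan", SMB_CONF_RID, SMB_CONF_RID_OTHER_RANGE))
    print("rfc2307 on both:", same_uid_on_both("ryan", SMB_CONF_AD, SMB_CONF_AD))
```

Running it shows the point behind "correctly identified everywhere": with the rid backend the uid is only identical across servers while every server's `idmap config` range matches, whereas with RFC2307 attributes the uid is a property of the account and is the same wherever it is looked up, but an account with no uidNumber resolves to nothing.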
