[Samba] Samba 4 AD share: Access denied

Stuart Naylor stuartiannaylor at thursbygarden.org
Tue Aug 5 12:17:42 MDT 2014

I use the sernet binaries as they are very rapid in their releases.


Great to have so many distros supported.

Backports or Archlinux is usually a day after a fresh release.

Documentation-wise, things are not good, guys.

I have been on the samba4 trail for some time now and yeah I know where I am at now.
There is a load of confusing, almost opposing documentation; sometimes it's hard to differentiate between versions.

The result is great when you get things going and the coding effort is just amazing.

Doc-wise, guys, and no offence, things suck.

Also it must be such a chore to keep repeating things on a mail list.
So much great knowledge just slips through time.

A forum would add much but you guys have your hands full, but sometimes the extra workload means future workload is less.

Anyway thanks for a super product even if the documentation at times is a little barren or confusing.


-----Original message-----
> From:Rowland Penny <rowlandpenny at googlemail.com>
> Sent: Tuesday 5th August 2014 18:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4 AD share: Access denied
> On 05/08/14 18:17, Ryan Ashley wrote:
> > The way that sounds, the "file server" guide is incomplete, because 
> > nowhere does it mention any of what you're telling me. I also have 
> > little trouble finding good documentation on every Linux product I 
> > use. S4 is the one big exception, but with the guides, it eliminates 
> > some of that need. I do not buy the whole argument of using Windows 
> > for documentation, because 90% of their documentation is rambling 
> > crud. When you get an error and have an ID, the docs don't have the ID 
> > you want, you are hosed.
> >
> > Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with 
> > the latest updates. The stable repos have an OLD version of S4, and I 
> > do not mind building it myself anyway.
> OK, this is your decision, I just pointed out that you can get 4.1.9 
> from backports, this works, I know this because it is what I use.
> >
> > Finally, you have told me I need this and that, but no direction is 
> > noted. How do I assign this stuff and why does this ONE system need it 
> > when all the others don't? I would also believe that if I MUST assign 
> > IDs to make file-sharing work, that my other setups (dozens of them) 
> > would be long broken by now since I have never done it in the past. I 
> > also know that even removing and rejoining the domain results in the 
> > exact same IDs for those directories in my shared directory. That 
> > tells me somehow the IDs resolve the same.
> >
> > My guess here, is that you're telling me I need to assign these IDs so 
> > winbind does not have to resolve them. In other words, when a user 
> > accesses the share, the ID is associated with the group and it sends 
> > that along with the request, which even the Linux stuff can understand 
> > (ie: ID 4000 can access a directory owned by ID 4000). Am I correct here?
> Windows uses SIDs and RIDs, Linux has not got a clue what these mean, 
> so you need to use an interpreter, this is where winbind, sssd etc come 
> in. You can do it two ways (at least), you either take the RID and use 
> this to create a user's ID number or you give your users & groups RFC2307 
> numbers. There are pros & cons for both, but for me, using RFC2307 
> attributes wins out, using these means that users & groups get correctly 
> identified everywhere. Using the RFC2307 attributes is actually the way 
> that Windows wants you to connect to Linux, this is why they created 
> 'Service for NIS'.
> >
> > Oh and Rowland, I have been using Linux since before 2000. This is the 
> > only major issue I have EVER encountered where a standard setup 
> > working in dozens of locations is failing in this one. We deploy Linux 
> > as often as Windows here, and we have become GOOD at using and working 
> > with it. We use Debian, naturally.
> >
> Well I have been using Linux since well before that, but I must be an 
> idiot because I can get Samba4 to work with both Windows & Linux 
> clients, along with bind9, dhcp etc just by reading the documentation 
> and surfing the net!
> It actually doesn't matter what OS you use, as long as it is a 
> maintained recent version, some people swear by Red Hat for instance, 
> others just swear at it ;-)
> Rowland
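
The two mapping approaches described in the quoted reply (deriving the Unix ID from the RID, or reading an RFC2307 number stored on the account), sketched as an added example that is not part of the original thread and is not Samba's code. The domain SID, the ID ranges and the directory entries are constructed sample values; the RID calculation follows the formula documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID).

```python
# Added illustration (not Samba code): two SID-to-Unix-ID strategies.
# The domain SID, ranges and directory entries are constructed sample values.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RID_RANGE = (10000, 999999)   # assumed range for the RID-based mapping
AD_RANGE = (3000, 9999)       # assumed range for the RFC2307-based mapping
BASE_RID = 0                  # idmap_rid's default base_rid

# Constructed stand-in for AD objects and their RFC2307 attributes.
DIRECTORY = {
    DOMAIN_SID + "-1104": {"name": "alice", "uidNumber": 4000},
    DOMAIN_SID + "-1105": {"name": "bob"},                        # never assigned
    DOMAIN_SID + "-1106": {"name": "carol", "uidNumber": 500},    # below AD_RANGE
}


def split_sid(sid):
    """Split a SID string into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def map_by_rid(sid):
    """Algorithmic mapping: ID = RID - BASE_RID + low end of the range."""
    domain, rid = split_sid(sid)
    if domain != DOMAIN_SID:
        return None                      # SID belongs to another domain
    low, high = RID_RANGE
    unix_id = rid - BASE_RID + low
    return unix_id if low <= unix_id <= high else None


def map_by_rfc2307(sid):
    """Directory mapping: use the uidNumber stored on the object, if any."""
    split_sid(sid)                       # reject malformed input first
    uid = DIRECTORY.get(sid, {}).get("uidNumber")
    low, high = AD_RANGE
    return uid if uid is not None and low <= uid <= high else None


if __name__ == "__main__":
    for sid, entry in DIRECTORY.items():
        print(entry["name"], "rid ->", map_by_rid(sid), "| rfc2307 ->", map_by_rfc2307(sid))
```

The RID-derived ID depends on the range and base configured on each member, while the stored uidNumber travels with the account. Under the directory approach an account with no uidNumber, or one outside the configured range, stays unmapped.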
