[Samba] Samba 4 AD share: Access denied
rowlandpenny at googlemail.com
Tue Aug 5 12:36:32 MDT 2014
On 05/08/14 19:07, Ryan Ashley wrote:
> I provisioned with rfc2307 specified and it is in my domain
> controller's smb.conf. I added the line about using rfc2307 to my
> print-server and file-server. No change though. Is that line only for
> domain controllers?
All provisioning with RFC2307 does is add the ypServ30.ldif, it does not
do anything else, it is up to you to use it.
> Also, I have been all over ADUC looking for the "UNIX Attributes" tab
> but cannot find it. Why won't it show up with an S4 DC provisioned
> with rfc2307? This may be the problem, though so far every ID has been
> perfect and the same across both servers.
This is a known windows problem, search Google (other search providers
are available) for a solution.
> On 08/05/2014 01:50 PM, Rowland Penny wrote:
>> On 05/08/14 18:17, Ryan Ashley wrote:
>>> The way that sounds, the "file server" guide is incomplete, because
>>> nowhere does it mention any of what you're telling me. I also have
>>> little trouble finding good documentation on every Linux product I
>>> use. S4 is the one big exception, but with the guides, it eliminates
>>> some of that need. I do not buy the whole argument of using Windows
>>> for documentation, because 90% of their documentation is rambling
>>> crud. When you get an error and have an ID, the docs don't have the
>>> ID you want, you are hosed.
>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with
>>> the latest updates. The stable repos have an OLD version of S4, and
>>> I do not mind building it myself anyway.
>> OK, this is your decision, I just pointed out that you can get 4.1.9
>> from backports, this works, I know this because it is what I use.
>>> Finally, you have told me I need this and that, but no direction is
>>> noted. How do I assign this stuff and why does this ONE system need
>>> it when all the others don't? I would also believe that if I MUST
>>> assign IDs to make file-sharing work, that my other setups (dozens
>>> of them) would be long broken by now since I have never done it in
>>> the past. I also know that even removing and rejoining the domain
>>> results in the exact same IDs for those directories in my shared
>>> directory. That tells me somehow the IDs resolve the same.
>>> My guess here, is that you're telling me I need to assign these IDs
>>> so winbind does not have to resolve them. In other words, when a
>>> user accesses the share, the ID is associated with the group and it
>>> sends that along with the request, which even the Linux stuff can
>>> understand (ie: ID 4000 can access a directory owned by ID 4000). Am
>>> I correct here?
>> Windows uses SID's and RID's, Linux has not got a clue what these
>> mean, so you need to use an interpretor, this is where winbind, sssd
>> etc come in. You can do it two ways (at least), you either take the
>> RID and use this to create a users ID number or you give your users &
>> groups RFC2307 numbers. There are pro's & con's for both, but for me,
>> using RFC2307 attributes wins out, using these means that users &
>> groups get correctly identified everywhere. Using the RFC2307
>> attributes is actually the way that windows wants you to connect to
>> Linux, this is why they created 'Service for NIS'.
>>> Oh and Rowland, I have been using Linux since before 2000. This is
>>> the only major issue I have EVER encountered where a standard setup
>>> working in dozens of locations is failing in this one. We deploy
>>> Linux as often as Windows here, and we have become GOOD at using and
>>> working with it. We use Debian, naturally.
>> Well I have been using Linux since well before that, but I must be an
>> idiot because I can get Samba4 to work with both windows & Linux
>> clients, along with bind9, dhcp etc just by reading the documentation
>> and surfing the net!
>> It actually doesn't matter what OS you use, as long as it is a
>> maintained recent version, some people swear by Red Hat for instance,
>> others just swear at it ;-)
More information about the samba