[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Tue Aug 5 12:36:32 MDT 2014

On 05/08/14 19:07, Ryan Ashley wrote:
> I provisioned with rfc2307 specified and it is in my domain 
> controller's smb.conf. I added the line about using rfc2307 to my 
> print-server and file-server. No change though. Is that line only for 
> domain controllers?

All provisioning with RFC2307 does is add the ypServ30.ldif; it does not 
do anything else. It is up to you to use it.

> Also, I have been all over ADUC looking for the "UNIX Attributes" tab 
> but cannot find it. Why won't it show up with an S4 DC provisioned 
> with rfc2307? This may be the problem, though so far every ID has been 
> perfect and the same across both servers.

This is a known Windows problem; search Google (other search providers 
are available) for a solution.


> On 08/05/2014 01:50 PM, Rowland Penny wrote:
>> On 05/08/14 18:17, Ryan Ashley wrote:
>>> The way that sounds, the "file server" guide is incomplete, because 
>>> nowhere does it mention any of what you're telling me. I also have 
>>> little trouble finding good documentation on every Linux product I 
>>> use. S4 is the one big exception, but with the guides, it eliminates 
>>> some of that need. I do not buy the whole argument of using Windows 
>>> for documentation, because 90% of their documentation is rambling 
>>> crud. When you get an error and have an ID, the docs don't have the 
>>> ID you want, you are hosed.
>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with 
>>> the latest updates. The stable repos have an OLD version of S4, and 
>>> I do not mind building it myself anyway.
>> OK, this is your decision, I just pointed out that you can get 4.1.9 
>> from backports, this works, I know this because it is what I use.
>>> Finally, you have told me I need this and that, but no direction is 
>>> noted. How do I assign this stuff and why does this ONE system need 
>>> it when all the others don't? I would also believe that if I MUST 
>>> assign IDs to make file-sharing work, that my other setups (dozens 
>>> of them) would be long broken by now since I have never done it in 
>>> the past. I also know that even removing and rejoining the domain 
>>> results in the exact same IDs for those directories in my shared 
>>> directory. That tells me somehow the IDs resolve the same.
>>> My guess here, is that you're telling me I need to assign these IDs 
>>> so winbind does not have to resolve them. In other words, when a 
>>> user accesses the share, the ID is associated with the group and it 
>>> sends that along with the request, which even the Linux stuff can 
>>> understand (ie: ID 4000 can access a directory owned by ID 4000). Am 
>>> I correct here?
>> Windows uses SIDs and RIDs. Linux has not got a clue what these 
>> mean, so you need to use an interpreter; this is where winbind, sssd 
>> etc. come in. You can do it two ways (at least): you either take the 
>> RID and use this to create a user's ID number, or you give your users & 
>> groups RFC2307 numbers. There are pros & cons for both, but for me, 
>> using RFC2307 attributes wins out; using these means that users & 
>> groups get correctly identified everywhere. Using the RFC2307 
>> attributes is actually the way that Windows wants you to connect to 
>> Linux; this is why they created 'Service for NIS'.
>>> Oh and Rowland, I have been using Linux since before 2000. This is 
>>> the only major issue I have EVER encountered where a standard setup 
>>> working in dozens of locations is failing in this one. We deploy 
>>> Linux as often as Windows here, and we have become GOOD at using and 
>>> working with it. We use Debian, naturally.
>> Well I have been using Linux since well before that, but I must be an 
>> idiot because I can get Samba4 to work with both Windows & Linux 
>> clients, along with bind9, dhcp etc just by reading the documentation 
>> and surfing the net!
>> It actually doesn't matter what OS you use, as long as it is a 
>> maintained recent version, some people swear by Red Hat for instance, 
>> others just swear at it ;-)
>> Rowland
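
The two mapping approaches described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a RID-derived ID versus an ID stored in RFC2307 attributes, resolved on two member servers. The domain SID, users, ranges and uidNumber values are constructed; the RID formula is the one documented for Samba's idmap_rid backend, and the range filter models the documented behaviour of idmap_ad.

```python
# Added illustration. All SIDs, users, ranges and attribute values are constructed.

def rid_of(sid):
    """Return the RID: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def map_by_rid(sid, low, high, base_rid=0):
    """RID-derived ID, per idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID."""
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None

def map_by_rfc2307(entry, attr, low, high):
    """ID read from the directory entry; None if the attribute is unset
    or the stored value falls outside the server's configured range."""
    value = entry.get(attr)
    if value is None:
        return None
    unix_id = int(value)
    return unix_id if low <= unix_id <= high else None

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
DIRECTORY = {
    "alice": {"objectSid": DOMAIN_SID + "-1104", "uidNumber": "30001"},
    # Provisioned with the RFC2307 schema, but nobody assigned a uidNumber.
    "bob": {"objectSid": DOMAIN_SID + "-1105"},
}
# Two member servers whose idmap ranges were configured differently.
SERVERS = {"file-server": (10000, 99999), "print-server": (20000, 99999)}

def resolve_everywhere(user):
    """Resolve one user on every server with both mapping methods."""
    entry = DIRECTORY[user]
    return {
        host: {
            "rid": map_by_rid(entry["objectSid"], low, high),
            "rfc2307": map_by_rfc2307(entry, "uidNumber", low, high),
        }
        for host, (low, high) in SERVERS.items()
    }

if __name__ == "__main__":
    for user in DIRECTORY:
        for host, ids in resolve_everywhere(user).items():
            print(f"{user:6} {host:13} rid={ids['rid']} rfc2307={ids['rfc2307']}")
```

The RID-derived ID depends on each server's local range, so file ownership and ACLs only line up across hosts when those ranges match; the RFC2307 ID is the same everywhere but only exists for accounts that have actually been given one.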
