[Samba] Samba 4 AD share: Access denied

Gregory Sloop gregs at sloop.net
Tue Aug 5 12:46:54 MDT 2014

RA> Well, again, no issues until now. I never did the Kerberos keytab thing
RA> before, and everything works. Never did the NIS thing before, and 
RA> everything works. Now I am learning these things should be done and I 
RA> have been told what to do and have done them as well as documented them
RA> in our technical reference. However, I am now at the point where I 
RA> cannot set IDs due to not having the UNIX tab in ADUC. I did provision
RA> with "--use-rfc2307" and it is in all of my S4 configuration files, but
RA> no luck yet. What do I need to check to get that tab to appear? If 
RA> assigning an ID fixes this, I will HAPPILY do it on all of our domains
RA> as we go out for maintenance.

RA> On 08/05/2014 02:16 PM, steve wrote:
>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>> The way that sounds, the "file server" guide is incomplete, because
>>> nowhere does it mention any of what you're telling me. I also have
>>> little trouble finding good documentation on every Linux product I use.
>>> S4 is the one big exception, but with the guides, it eliminates some of
>>> that need. I do not buy the whole argument of using Windows for
>>> documentation, because 90% of their documentation is rambling crud. When
>>> you get an error and have an ID, the docs don't have the ID you want,
>>> you are hosed.
>> Unless you know what you're doing, the time it takes to get up on
>> user-land Linux compared with enterprise or microsoft
>> out-of-the-box-or-just-call-the-engineer is false economy.
>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
>>> latest updates. The stable repos have an OLD version of S4, and I do not
>>> mind building it myself anyway.
>> Debian doesn't install samba unless you tell it?
>>> Finally, you have told me I need this and that, but no direction is
>>> noted.
>> http://bit.ly/1s8LTZc

I've followed this thread since it started - and while I don't have technical help to offer, since I've not followed the technical details carefully - I thought I'd say this, even at the risk of being seen to "meddle" where I shouldn't.

I'll try to be gentle about it, but you've hopped all over the place. ...claimed that reverses in DNS didn't work, but then found you hadn't finished configuring DNS etc.

Just SLOW DOWN! Yeah, the docs can be skimpy, and things can be a bit confusing - but SLOW DOWN - tackle one thing at a time. Don't make a thousand changes and keep moving the goal-posts all over the field.

I know Rowland/Steve/Marc will almost certainly be able to resolve your issue. But it's going to take careful, methodical steps through each part. And, IMO, you haven't done that very well. Sometimes you'll answer a few of the underlying questions, and leave out others. [Not sure why, perhaps you missed them, but often it seems you're doing it because you're frustrated and want a solution right this second.]

If I were helping you, I'd be quite frustrated at the effort. The guys helping you are the best on the list. Short of a Samba dev person hopping in to verify a particular bug, there's no better help to be had. So, no matter if it worked three weeks ago or not, if you want help, and it's not working, and you'd like for it to work - go gentle on the help you ARE getting. Being frustrated with them won't help.

I suppose you could run a SerNet package and pay SerNet to solve your problems/do Samba consulting. But you're not paying anyone and they're spending a lot of time trying to help you...

Please try to be gentle and appreciative...

As an aside:
I'd guess you don't have a UNIX tab because the Samba AD schema doesn't have it. I'm not sure why that would be, since I don't use any of the UNIX AD extensions myself.

