[Samba] Samba 4 AD share: Access denied

Davor Vusir davortvusir at gmail.com
Tue Aug 5 14:18:27 MDT 2014


2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
> Well, again, no issues until now. I never did the Kerberos keytab thing
> before, and everything works. Never did the NIS thing before, and everything
> works. Now I am learning these things should be done and I have been told
> what to do and have done them as well as documented them in our technical
> reference. However, I am now at the point where I cannot set ID's due to not
> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" and it is
> in all of my S4 configuration files, but no luck yet. What do I need to
> check to get that tab to appear? If assigning an ID fixes this, I will
> HAPPILY do it on all of our domains as we go out for maintenance.
>

You have to activate advanced features in ADUC and edit the attributes
from the attribute editor tab.

It's a pity we couldn't help you sort this out. I think it's quite
strange that it doesn't work at this particular server as you say that
this is the standard way of yours to configure Samba. Why it doesn't
work, I really don't know. One thing that springs to mind is, and I
don't have knowledge enough to back it up, when using the TDB backend
you're not guaranteed consistent id mapping through the server park. I
have found nothing that states that winbind populates the
tdb-databases in a certain order (a-z, ascending SID numbering or
other mechanism), which of course might give you different uidnumbers
(from the *:range) for different accounts. Please correct me if I'm
wrong. Is there a way to check this?

But I do think that Rowland and Steve are right to 'push' for
populating and using uid- and gidnumbers. uid- and gidnumbers with an
interpreter like winbind, sssd or other is a/the bridge between
Linux and windows. And it's a low-cost activation and maintenance. I
think you should consider their advice and rethink your setup.

Well, I'm out of ideas except that I have noticed that the activation
of vfs module acl_xattr in the global section of smb.conf does not
always/ever work on a mounted volume created from LVM. You might need
to/have to put it in the share section.

If you find out what caused this, please let us know.

Regards
Davor

>
> On 08/05/2014 02:16 PM, steve wrote:
>>
>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>
>>> The way that sounds, the "file server" guide is incomplete, because
>>> nowhere does it mention any of what you're telling me. I also have
>>> little trouble finding good documentation on every Linux product I use.
>>> S4 is the one big exception, but with the guides, it eliminates some of
>>> that need. I do not buy the whole argument of using Windows for
>>> documentation, because 90% of their documentation is rambling crud. When
>>> you get an error and have an ID, the docs don't have the ID you want,
>>> you are hosed.
>>
>> Unless you know what you're doing, the time it takes to get up on
>> user-land Linux compared with enterprise or microsoft
>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>
>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
>>> latest updates. The stable repos have an OLD version of S4, and I do not
>>> mind building it myself anyway.
>>
>> Debian doesn't install samba unless you tell it?
>>>
>>> Finally, you have told me I need this and that, but no direction is
>>> noted.
>>
>> http://bit.ly/1s8LTZc
>>
>>
>
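One way to answer the "is there a way to check this?" question in the reply above, as an added example that is not from the thread: a POSIX shell script that compares the uid each Samba member server hands out for the same accounts, which is exactly what drifts when idmap_tdb allocates ids per host. It assumes you capture a "user uid" list on each host (for example from `wbinfo -u` and `id -u`); the two lists embedded here are constructed sample output, not real servers.

```shell
#!/bin/sh
# Added example, not from the thread. With idmap_tdb each member server
# allocates uids from "idmap config * : range" in the order it first sees
# the SIDs, so the same account can end up with different uids on different
# hosts. This compares per-host "user uid" lists and reports the differences.
#
# Capture real input on each host with, for example:
#   for u in $(wbinfo -u); do printf '%s %s\n' "$u" "$(id -u "$u")"; done
# The two lists below are constructed sample output for two hosts.

HOST_A_MAP='alice 10000
bob 10001
carol 10002'

HOST_B_MAP='alice 10001
bob 10000
carol 10002'

# Print the uid recorded for user $2 in map $1 (nothing if absent).
lookup_uid() {
    printf '%s\n' "$1" | while read -r u id; do
        if [ "$u" = "$2" ]; then
            printf '%s\n' "$id"
            break
        fi
    done
}

# Print one line per account whose uid differs between map $1 and map $2,
# or which is missing from map $2.
find_uid_mismatches() {
    printf '%s\n' "$1" | while read -r user uid_a; do
        [ -n "$user" ] || continue
        uid_b=$(lookup_uid "$2" "$user")
        if [ -z "$uid_b" ]; then
            printf 'MISSING %s hostA=%s hostB=-\n' "$user" "$uid_a"
        elif [ "$uid_a" != "$uid_b" ]; then
            printf 'MISMATCH %s hostA=%s hostB=%s\n' "$user" "$uid_a" "$uid_b"
        fi
    done
}

# Succeed only when every account in map $1 has the same uid in map $2.
maps_consistent() {
    [ -z "$(find_uid_mismatches "$1" "$2")" ]
}

find_uid_mismatches "$HOST_A_MAP" "$HOST_B_MAP"
```

If the report is empty for every pair of hosts the mapping is consistent; if it is not, storing uidNumber/gidNumber in AD (the rfc2307 approach recommended in this thread) is what makes every host return the same value.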
