[Samba] Samba 4 AD share: Access denied

Ricky Nance ricky.nance at gmail.com
Tue Aug 5 21:57:49 MDT 2014


So IF I read the 70+ previous mails correctly, it looks like you have
tried both packages and Samba source. If this is the case, you could
have some seriously screwed up library files, causing various issues
(such as binaries just crashing at certain points). With that said,
there is a fair chance that your libnss_winbind.so (or so.2) is
mismatched from your current winbind, causing exactly this issue.

Is there any chance you can give us a current recap of your
issue/setup? Include current configs (if you need to mask something,
make that clear). Also please provide the output of getent passwd |
grep ADUSER (replace ADUSER with an actual user) and which setup
(package or source, and which package you are using) you currently
have (as well as what you have tried there too).

Thanks,
Ricky

On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir <davortvusir at gmail.com> wrote:
> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>> Well, again, no issues until now. I never did the Kerberos keytab thing
>> before, and everything works. Never did the NIS thing before, and everything
>> works. Now I am learning these things should be done and I have been told
>> what to do and have done them as well as documented them in our technical
>> reference. However, I am now at the point where I cannot set IDs due to not
>> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" and it is
>> in all of my S4 configuration files, but no luck yet. What do I need to
>> check to get that tab to appear? If assigning an ID fixes this, I will
>> HAPPILY do it on all of our domains as we go out for maintenance.
>>
>
> You have to activate advanced features in ADUC and edit the attributes
> from the attribute editor tab.
>
> It's a pity we couldn't help you sort this out. I think it's quite
> strange that it doesn't work at this particular server as you say that
> this is the standard way of yours to configure Samba. Why it doesn't
> work, I really don't know. One thing that springs to mind is, and I
> don't have knowledge enough to back it up, when using the TDB backend
> you're not guaranteed consistent id mapping through the server park. I
> have found nothing that states that winbind populates the
> tdb-databases in a certain order (a-z, ascending SID numbering or
> other mechanism). Which of course might give you different uidnumbers
> (from the *:range) for different accounts. Please correct me if I'm
> wrong. Is there a way to check this?
>
> But I do think that Rowland and Steve are right to 'push' for
> populating and using uid- and gidnumbers. uid- and gidnumbers with an
> interpreter like winbind, sssd or other is a/the bridge between
> Linux and Windows. And it's a low-cost activation and maintenance. I
> think you should consider their advice and rethink your setup.
>
> Well, I'm out of ideas except that I have noticed that the activation
> of vfs module acl_xattr in the global section of smb.conf does not
> always/ever work on a mounted volume created from LVM. You might need
> to/have to put it in the share section.
>
> If you find out what caused this, please let us know.
>
> Regards
> Davor
>
>>
>> On 08/05/2014 02:16 PM, steve wrote:
>>>
>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>
>>>> The way that sounds, the "file server" guide is incomplete, because
>>>> nowhere does it mention any of what you're telling me. I also have
>>>> little trouble finding good documentation on every Linux product I use.
>>>> S4 is the one big exception, but with the guides, it eliminates some of
>>>> that need. I do not buy the whole argument of using Windows for
>>>> documentation, because 90% of their documentation is rambling crud. When
>>>> you get an error and have an ID, the docs don't have the ID you want,
>>>> you are hosed.
>>>
>>> Unless you know what you're doing, the time it takes to get up on
>>> user-land Linux compared with enterprise or Microsoft
>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>
>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
>>>> latest updates. The stable repos have an OLD version of S4, and I do not
>>>> mind building it myself anyway.
>>>
>>> Debian doesn't install samba unless you tell it?
>>>>
>>>> Finally, you have told me I need this and that, but no direction is
>>>> noted.
>>>
>>> http://bit.ly/1s8LTZc
>>>
>>>
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
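
An added example, not part of the original thread: one way to answer the "is there a way to check this?" question about ID mapping consistency, by comparing saved getent passwd output from two servers. The function names, the EXAMPLE domain and every sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare passwd-format listings (saved `getent passwd` output)
# from two servers and flag accounts whose IDs disagree between them.
# idmap_diff, demo, the EXAMPLE domain and all sample lines are constructed.

idmap_diff() {
    # $1 = listing from server A, $2 = listing from server B
    awk -F: '
        FILENAME == ARGV[1] {            # server A: remember ids per account
            uid[$1] = $3; gid[$1] = $4; byuid[$3] = $1; next
        }
        {                                # server B: compare against A
            if (($3 in byuid) && byuid[$3] != $1)
                printf "UID_REUSED %s a=%s b=%s\n", $3, byuid[$3], $1
            if ($1 in uid) {
                seen[$1] = 1
                if (uid[$1] != $3 || gid[$1] != $4)
                    printf "MISMATCH %s a=%s:%s b=%s:%s\n", $1, uid[$1], gid[$1], $3, $4
            } else
                printf "ONLY_B %s\n", $1
        }
        END { for (n in uid) if (!(n in seen)) printf "ONLY_A %s\n", n }
    ' "$1" "$2" | LC_ALL=C sort
}

demo() {
    # Constructed listings: bob gets a different uid on server B, and the uid
    # bob holds on server A is handed to a different account (dave) on B.
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/a.txt" <<'EOF'
EXAMPLE\alice:*:3000010:3000005::/home/EXAMPLE/alice:/bin/false
EXAMPLE\bob:*:3000011:3000005::/home/EXAMPLE/bob:/bin/false
EXAMPLE\carol:*:3000012:3000005::/home/EXAMPLE/carol:/bin/false
EOF
    cat > "$tmp/b.txt" <<'EOF'
EXAMPLE\alice:*:3000010:3000005::/home/EXAMPLE/alice:/bin/false
EXAMPLE\bob:*:3000014:3000005::/home/EXAMPLE/bob:/bin/false
EXAMPLE\dave:*:3000011:3000005::/home/EXAMPLE/dave:/bin/false
EOF
    idmap_diff "$tmp/a.txt" "$tmp/b.txt"
    rm -rf "$tmp"
}

demo
```

Any passwd-format lines work as input, whether from a full getent passwd listing or from per-user getent passwd NAME lookups collected into a file.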

