[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 5 22:24:23 MDT 2014


Plenty of replies since this afternoon! I will try to answer your 
questions in order, as well as ask questions.

"All provisioning with RFC2307 does is add the ypServ30.ldif, it does 
not do anything else, it is up to you to use it. "

Alright, how? Remember, all my domains are golden except this. I have 
never had to use ldif files or assign ID numbers because they always 
just worked.

"This is a known windows problem, search Google (other search providers 
are available) for a solution."

I have been searching, and I have tried loads of results, to no avail. 
Some said install libnss-ldapd, which I still don't know what it does, 
others said to do various config entries, also to no avail, so I am back 
here. I have reverted my changes since nothing worked.

"I'd guess you don't have a UNIX tab because the Samba AD schema doesn't 
have it. I'm not sure why that would be, since I don't use any of the 
UNIX AD extensions myself."

I never have either, it always JUST WORKED. This is not frustration with 
the help, it is frustration in that it just refuses to work for no good 
reason. That's why I am attempting to ditch Windows, because things just 
don't work and nobody knows why. I actually feel that Rowland and Steve 
have been great, and have made me SERIOUSLY question the highly 
incomplete guides on the wiki. I mean nowhere does it mention the line 
that creates the keytab for Kerberos in any guides. Nowhere does it 
mention the IDs or anything else they have talked with me about. I 
honestly believe the ID numbers will solve the issue, but I cannot do 
that yet.

"You do not need to provision with rfc2307 nor do you need a UNIX tab to 
allocate uidNumbers. You already have what you need. Please try it."

Alright, how? Again, and this is what I keep repeating, I have NEVER had 
to do this before. Up to this very point in time, S4 has been 
rock-solid. None of my other domains use the Kerberos keytab. None of 
them use UIDs or GIDs. They all just work. You're telling me I have 
the tools to do this, but it is like me telling you to adjust your main 
jet to 1.5 turns out. Unless you're into antiques like I am, you haven't 
a clue what I mean or how to do it. I am not trying to be rude, I just 
literally do not have a clue how to do this.

"You have to activate advanced features in ADUC and edit the attributes 
from the attribute editor tab."

Yes, I did that and saw it in there, but chose not to edit that way for 
one reason. According to many posts I read on search results from 
Google, the UNIX tab shows up once the system detects NIS. I believe NIS 
is off for some reason, but I did the check at the link below and it 
returned one result, indicating that NIS is supposedly enabled. It would 
be better to simply show me a yes or no, but I guess that isn't an option.

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
Referenced from: 
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

Ricky:
I have NOT pulled any packages from any repos. I cloned the official 
repo, configured and built. It turns out that by default it builds 
4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to rule out a 4.2 
bug, I uninstalled (make uninstall) 4.2 and configured and built 4.1, 
then installed it. I completely removed any leftover files and 
directories by hand, with the exception of my configuration file. Here's 
the info you requested.

root at fs01:~# getent passwd | grep reachfp
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
root at fs01:~# getent passwd | grep cynthiaj
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
root at fs01:~# getent passwd | grep daquanm
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
root at fs01:~# getent passwd | grep reach_support
reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false

=====================
FS01 Configuration File:
=====================
[global]
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   encrypt passwords = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 500-40000
   idmap_ldb:use rfc2307 = yes

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   auth methods = winbind
   log level = 3

[install$]
   path = /home/shared/install
   comment = "Software installation files"
   read only = no
   guest ok = no

[staff$]
   path = /home/shared/staff
   comment = "Staff file share"
   read only = no
   guest ok = no

[fbc$]
   path = /home/shared/fbc
   comment = "Family Bible College file share"
   read only = no
   guest ok = no


One thing I am unclear on is whether or not I need "idmap_ldb:use 
rfc2307 = yes" in member server configs or ONLY AD DC configs. Also, 
what does "idmap config TRUEVINE:range = 500-40000" specify? I was 
trying to set AD users to 70001-80000 for their IDs, but maybe I 
misunderstand things. Thanks for your help and input. I'm not frustrated 
with you guys, just the fact that ONE server is acting up and I am 
having to do all kinds of things I have never had to do before just to 
share files. It isn't a bad frustration however, I enjoy building 
projects from source and using Linux in general. If this was Windows I'd 
have found an alternative by now.

On 8/5/2014 11:57 PM, Ricky Nance wrote:
> So IF I read the 70+ previous mails correctly, it looks like you have
> tried both packages and samba source, if this is the case you could
> have some seriously screwed up library files, causing various issues
> (such as binaries just crashing at certain points). With that said,
> there is a fair chance that your libnss_winbind.so (or so.2) is
> mismatched from your current winbind causing exactly this issue.
>
> Is there any chance you can give us a current recap of your
> issue/setup? Include current configs (if you need to mask something,
> make that clear). Also please provide the output of getent passwd |
> grep ADUSER (replace ADUSER with an actual user) and which setup
> (package or source, and which package you are using) you currently
> have (as well as what you have tried there too).
>
> Thanks,
> Ricky
>
> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir <davortvusir at gmail.com> wrote:
>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>> Well, again, no issues until now. I never did the Kerberos keytab thing
>>> before, and everything works. Never did the NIS thing before, and everything
>>> works. Now I am learning these things should be done and I have been told
>>> what to do and have done them as well as documented them in our technical
>>> reference. However, I am now at the point where I cannot set ID's due to not
>>> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" and it is
>>> in all of my S4 configuration files, but no luck yet. What do I need to
>>> check to get that tab to appear? If assigning an ID fixes this, I will
>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>>
>> You have to activate advanced features in ADUC and edit the attributes
>> from the attribute editor tab.
>>
>> It's a pity we couldn't help you sort this out. I think it's quite
>> strange that it doesn't work at this particular server as you say that
>> this is the standard way of yours to configure Samba. Why it doesn't
>> work, I really don't know. One thing that springs to mind is, and I
>> don't have knowledge enough to back it up, when using the TDB backend
>> you're not guaranteed consistent id mapping through the server park. I
>> have found nothing that states that winbind populates the
>> tdb-databases in a certain order (a-z, ascending SID numbering or
>> other mechanism). Which of course might give you different uidnumbers
>> (from the *:range) for different accounts. Please correct me if I'm
>> wrong. Is there a way to check this?
>>
>> But I do think that Rowland and Steve are right to 'push' for
>> populating and using uid- and gidnumbers. uid- and gidnumbers with an
>> interpretator like winbind, sssd or other is a/the bridge between
>> Linux and windows. And it's a low-cost activation and maintenance. I
>> think you should consider their advice and rethink your setup.
>>
>> Well, I'm out of ideas except that I have noticed that the activation
>> of vfs module acl_xattr in the global section of smb.conf does not
>> always/ever work on a mounted volume created from LVM. You might need
>> to/have to put it in the share section.
>>
>> If you find out what caused this, please let us know.
>>
>> Regards
>> Davor
>>
>>> On 08/05/2014 02:16 PM, steve wrote:
>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>> The way that sounds, the "file server" guide is incomplete, because
>>>>> nowhere does it mention any of what you're telling me. I also have
>>>>> little trouble finding good documentation on every Linux product I use.
>>>>> S4 is the one big exception, but with the guides, it eliminates some of
>>>>> that need. I do not buy the whole argument of using Windows for
>>>>> documentation, because 90% of their documentation is rambling crud. When
>>>>> you get an error and have an ID, the docs don't have the ID you want,
>>>>> you are hosed.
>>>> Unless you know what you're doing, the time it takes to get up on
>>>> user-land Linux compared with enterprise or microsoft
>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
>>>>> latest updates. The stable repos have an OLD version of S4, and I do not
>>>>> mind building it myself anyway.
>>>> Debian doesn't install samba unless you tell it?
>>>>> Finally, you have told me I need this and that, but no direction is
>>>>> noted.
>>>> http://bit.ly/1s8LTZc
>>>>
>>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
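Added example (not part of the thread and not Samba project code): a small Python checker that reads the "idmap config" lines from the FS01 [global] section and the getent output posted above, and reports which idmap range each user's UID and GID landed in. It reproduces two checks a Samba admin would do by hand: whether any two idmap ranges overlap (winbind refuses overlapping ranges), and whether an ID came from the domain backend or from the catch-all "*" tdb allocator. An ID inside the "*" range was allocated locally on this member server, so, as Davor notes about the TDB backend, another member server is free to hand the same account a different number; an ID inside the TRUEVINE range with the ad backend would have come from the account's uidNumber/gidNumber attribute in AD. The sample config and getent lines are copied from the thread and embedded as constants, so the script runs offline; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the idmap lines from the FS01 [global] section posted in the thread.
SMB_CONF = """
[global]
   workgroup = TRUEVINE
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 500-40000
"""

# Constructed sample: the getent passwd lines from the thread (mail wrapping undone).
GETENT = """\
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false
"""

# "idmap config <domain>:<key> = <value>"; the domain may be "*" (the catch-all).
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (lo, hi), ...}} from idmap config lines."""
    domains = defaultdict(dict)
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            val = (lo, hi)
        domains[dom][key] = val
    return dict(domains)


def overlapping_ranges(domains):
    """Pairs of idmap domains whose ranges overlap; winbind rejects such a configuration."""
    items = [(d, c["range"]) for d, c in domains.items() if "range" in c]
    bad = []
    for i in range(len(items)):
        for j in range(i + 1, len(items)):
            (d1, (a1, b1)), (d2, (a2, b2)) = items[i], items[j]
            if a1 <= b2 and a2 <= b1:
                bad.append((d1, d2))
    return bad


def classify_id(number, domains):
    """Name of the idmap domain whose range contains the id, or None if no range does."""
    for dom, cfg in domains.items():
        lo, hi = cfg.get("range", (None, None))
        if lo is not None and lo <= number <= hi:
            return dom
    return None


def audit(conf, getent):
    """Map each getent user to the idmap domain (and backend) that produced its UID and GID."""
    domains = parse_idmap(conf)
    report = {}
    for line in getent.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        uid, gid = int(uid), int(gid)
        uid_dom, gid_dom = classify_id(uid, domains), classify_id(gid, domains)
        report[name] = {
            "uid": uid,
            "uid_source": uid_dom,
            "uid_backend": domains.get(uid_dom, {}).get("backend"),
            "gid": gid,
            "gid_source": gid_dom,
            "gid_backend": domains.get(gid_dom, {}).get("backend"),
        }
    return report


if __name__ == "__main__":
    doms = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlapping_ranges(doms) or "none")
    for user, info in audit(SMB_CONF, GETENT).items():
        print(f"{user:14s} uid {info['uid']} from '{info['uid_source']}' ({info['uid_backend']}),"
              f" gid {info['gid']} from '{info['gid_source']}' ({info['gid_backend']})")
```

Run against the posted data, every UID and the shared GID 70002 fall inside the "*" tdb range 70001-80000 and none inside the TRUEVINE ad range 500-40000, which is the concrete meaning of the "range = 500-40000" line Ryan asks about: it is the window of uidNumber/gidNumber values the ad backend will accept from AD, and the 700xx numbers were not produced by it.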
