[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 5 22:24:23 MDT 2014

Plenty of replies since this afternoon! I will try to answer your 
questions in order, as well as ask questions.

"All provisioning with RFC2307 does is add the ypServ30.ldif, it does 
not do anything else, it is up to you to use it. "

Alright, how? Remember, all my domains are golden except this. I have 
never had to use ldif files or assign ID numbers because they always 
just worked.

"This is a known windows problem, search Google (other search providers 
are available) for a solution."

I have been searching, and I have tried loads of results, to no avail. 
Some said install libnss-ldapd, which I still don't know what it does, 
others said to do various config entries, also to no avail, so I am back 
here. I have reverted my changes since nothing worked.

"I'd guess you don't have a UNIX tab because the Samba AD schema doesn't 
have it. I'm not sure why that would be, since I don't use any of the 
UNIX AD extensions myself."

I never have either, it always JUST WORKED. This is not frustration with 
the help, it is frustration in that it just refuses to work for no good 
reason. That's why I am attempting to ditch Windows, because things just 
don't work and nobody knows why. I actually feel that Rowland and Steve 
have been great, and have made me SERIOUSLY question the highly 
incomplete guides on the wiki. I mean nowhere does it mention the line 
that creates the keytab for Kerberos in any guides. Nowhere does it 
mention the ID's or anything else they have talked with me about. I 
honestly believe the ID numbers will solve the issue, but I cannot do 
that yet.

"You do not need to provision with rfc2307 nor do you need a UNIX tab to 
allocate uidNumbers. You already have what you need. Please try it."

Alright, how? Again, and this is what I keep repeating, I have NEVER had 
to do this before. Up to this very point in time, S4 has been 
rock-solid. None of my other domains use the Kerberos keytab. None of 
them use uID's or gID's. They all just work. You're telling me I have 
the tools to do this, but it is like me telling you to adjust your main 
jet to 1.5 turns out. Unless you're into antiques like I am, you haven't 
a clue what I mean or how to do it. I am not trying to be rude, I just 
literally do not have a clue how to do this.

"You have to activate advanced features in ADUC and edit the attributes 
from the attribute editor tab."

Yes, I did that and saw it in there, but chose not to edit that way for 
one reason. According to many posts I read on search results from 
Google, the UNIX tab shows up once the system detects NIS. I believe NIS 
is off for some reason, but I did the check at the link below and it 
returned one result, indicating that NIS is supposedly enabled. It would 
be better to simply show me a yes or no, but I guess that isn't an option.

ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 
Referenced from: 

I have NOT pulled any packages from any repos. I cloned the official 
repo, configured and built. It turns out that by default it builds 
4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to rule out a 4.2 
bug, I uninstalled (make uninstall) 4.2 and configured and built 4.1, 
then installed it. I completely removed any leftover files and 
directories by hand, with the exception of my configuration file. Here's 
the info you requested.

root at fs01:~# getent passwd | grep reachfp
root at fs01:~# getent passwd | grep cynthiaj
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
root at fs01:~# getent passwd | grep daquanm
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
root at fs01:~# getent passwd | grep reach_support

FS01 Configuration File:
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   encrypt passwords = yes
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 500-40000
   idmap_ldb:use rfc2307 = yes

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   auth methods = winbind
   log level = 3

   path = /home/shared/install
   comment = "Software installation files"
   read only = no
   guest ok = no

   path = /home/shared/staff
   comment = "Staff file share"
   read only = no
   guest ok = no

   path = /home/shared/fbc
   comment = "Family Bible College file share"
   read only = no
   guest ok = no

One thing I am unclear on is whether or not I need "idmap_ldb:use 
rfc2307 = yes" in member server configs or ONLY AD DC configs. Also, 
what does "idmap config TRUEVINE:range = 500-40000" specify? I was 
trying to set AD users to 70001-80000 for their ID's, but maybe I 
misunderstand things. Thanks for your help and input. I'm not frustrated 
with you guys, just the fact that ONE server is acting up and I am 
having to do all kinds of things I have never had to do before just to 
share files. It isn't a bad frustration however, I enjoy building 
projects from source and using Linux in general. If this was Windows I'd 
have found an alternative by now.

On 8/5/2014 11:57 PM, Ricky Nance wrote:
> So IF I read the 70+ previous mails correctly, it looks like you have
> tried both packages and samba source, if this is the case you could
> have some seriously screwed up library files, causing various issues
> (such as binaries just crashing at certain points). With that said,
> there is a fair chance that your libnss_winbind.so (or so.2) is
> mismatched from your current winbind causing exactly this issue.
> Is there any chance you can give us a current recap of your
> issue/setup? Include current configs (if you need to mask something,
> make that clear). Also please provide the output of getent passwd |
> grep ADUSER (replace ADUSER with an actual user) and which setup
> (package or source, and which package you are using) you currently
> have (as well as what you have tried there too).
> Thanks,
> Ricky
> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir <davortvusir at gmail.com> wrote:
>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>> Well, again, no issues until now. I never did the Kerberos keytab thing
>>> before, and everything works. Never did the NIS thing before, and everything
>>> works. Now I am learning these things should be done and I have been told
>>> what to do and have done them as well as documented them in our technical
>>> reference. However, I am now at the point where I cannot set ID's due to not
>>> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" and it is
>>> in all of my S4 configuration files, but no luck yet. What do I need to
>>> check to get that tab to appear? If assigning an ID fixes this, I will
>>> HAPPILY do it on all of our domains as we go out for maintenance.
>> You have to activate advanced features in ADUC and edit the attributes
>> from the attribute editor tab.
>> It's a pity we couldn't help you sort this out. I think it's quite
>> strange that it doesn't work at this particular server as you say that
>> this is the standard way of yours to configure Samba. Why it doesn't
>> work, I really don't know. One thing that springs to mind is, and I
>> don't have knowledge enough to back it up, when using the TDB backend
>> you're not guaranteed consistent id mapping through the server park. I
>> have found nothing that states that winbind populates the
>> tdb-databases in a certain order (a-z, ascending SID numbering or
>> other mechanism). Which of course might give you different uidnumbers
>> (from the *:range) for different accounts. Please correct me if I'm
>> wrong. Is there a way to check this?
>> But I do think that Rowland and Steve are right to 'push' for
>> populating and using uid- and gidnumbers. uid- and gidnumbers with an
>> interpretator like winbind, sssd or other is a/the bridge between
>> Linux and windows. And it's a low-cost activation and maintenance. I
>> think you should consider their advice and rethink your setup.
>> Well, I'm out of ideas except that I have noticed that the activation
>> of vfs module acl_xattr in the global section of smb.conf does not
>> always/ever work on a mounted volume created from LVM. You might need
>> to/have to put it in the share section.
>> If you find out what caused this, please let us know.
>> Regards
>> Davor
>>> On 08/05/2014 02:16 PM, steve wrote:
>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>> The way that sounds, the "file server" guide is incomplete, because
>>>>> nowhere does it mention any of what you're telling me. I also have
>>>>> little trouble finding good documentation on every Linux product I use.
>>>>> S4 is the one big exception, but with the guides, it eliminates some of
>>>>> that need. I do not buy the whole argument of using Windows for
>>>>> documentation, because 90% of their documentation is rambling crud. When
>>>>> you get an error and have an ID, the docs don't have the ID you want,
>>>>> you are hosed.
>>>> Unless you know what you're doing, the time it takes to get up on
>>>> user-land Linux compared with enterprise or microsoft
>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with the
>>>>> latest updates. The stable repos have an OLD version of S4, and I do not
>>>>> mind building it myself anyway.
>>>> Debian doesn't install samba unless you tell it?
>>>>> Finally, you have told me I need this and that, but no direction is
>>>>> noted.
>>>> http://bit.ly/1s8LTZc
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list