[Samba] Samba 4 AD share: Access denied

steve steve at steve-ss.com
Wed Aug 6 01:22:26 MDT 2014

On Wed, 2014-08-06 at 00:24 -0400, Ryan Ashley wrote:
> Plenty of replies since this afternoon! I will try to answer your 
> questions in order, as well as ask questions.
> "All provisioning with RFC2307 does is add the ypServ30.ldif, it does 
> not do anything else, it is up to you to use it. "
> Alright, how? Remember, all my domains are golden except this. I have 
> never had to use ldif files or assign ID numbers because they always 
> just worked.
> "This is a known windows problem, search Google (other search providers 
> are available) for a solution."
> I have been searching, and I have tried loads of results, to no avail. 
> Some said install libnss-ldapd, which I still don't know what it does, 
> others said to do various config entries, also to no avail, so I am back 
> here. I have reverted my changes since nothing worked.
> "I'd guess you don't have a UNIX tab because the Samba AD schema doesn't 
> have it. I'm not sure why that would be, since I don't use any of the 
> UNIX AD extensions myself."
> I never have either, it always JUST WORKED. This is not frustration with 
> the help, it is frustration in that it just refuses to work for no good 
> reason. That's why I am attempting to ditch Windows, because things just 
> don't work and nobody knows why. I actually feel that Rowland and Steve 
> have been great, and have made me SERIOUSLY question the highly 
> incomplete guides on the wiki.

Please remember that here, you're at the bleeding edge of open source.
It is up to you to help us get the documentation up to your own high
standard. One thing you can do immediately is to post your method for
getting your other domains working so well. A simple blog post is all
that is required. The people here soon find them. And hit them hard.
Here is one you could try:

>  I mean nowhere does it mention the line 
> that creates the keytab for Kerberos in any guides. Nowhere does it 
> mention the ID's or anything else they have talked with me about. I 
> honestly believe the ID numbers will solve the issue, but I cannot do 
> that yet.
> "You do not need to provision with rfc2307 nor do you need a UNIX tab to 
> allocate uidNumbers. You already have what you need. Please try it."
> Alright, how? 

Please try to help us to help you. We have already sent you the link to
try to hint as to how you could get information which tells you how to
do this:

This will get you there directly:
ldbedit --url=/path/to/your/samba/private/sam.ldb cn=Domain\ Users
add the line:
gidNumber: 20513

ldbedit --url=/path/to/your/samba/private/sam.ldb cn=reachfp
add the line:
uidNumber: 501

For this, you need to know how to use vi. If you are unwilling or unable
to do so, please tell us and we'll send an alternative method.
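
Added example, not part of the original message: a non-interactive counterpart of the two ldbedit edits above, emitting LDIF modify records that can be piped to ldbmodify. The base DN DC=example,DC=com, the CN=Users container and the helper name id_ldif are assumptions; substitute the values for your own domain.

```shell
#!/bin/sh
# Build LDIF "modify" records that add a uidNumber or gidNumber to an AD
# object, so the change can be applied without an interactive vi session.
#
# Assumptions (not from the thread): the placeholder base DN below, and that
# both objects live in the default CN=Users container.
BASE_DN="${BASE_DN:-DC=example,DC=com}"

# id_ldif <cn> <uidNumber|gidNumber> <number>
# Prints one LDIF record on stdout; returns 1 and prints nothing on bad input.
id_ldif() {
    cn=$1
    attr=$2
    num=$3

    # Only the two ID attributes discussed in the thread are accepted.
    case $attr in
        uidNumber|gidNumber) ;;
        *) echo "unsupported attribute: $attr" >&2; return 1 ;;
    esac

    # The ID must be a plain non-negative integer.
    case $num in
        ''|*[!0-9]*) echo "not a number: $num" >&2; return 1 ;;
    esac

    # Reject an empty CN and characters that would alter the DN structure;
    # no DN escaping is attempted here.
    case $cn in
        ''|*[,=+]*) echo "unsafe CN: $cn" >&2; return 1 ;;
    esac

    # "add:" fails if the attribute is already set, which avoids silently
    # overwriting an ID that something else already relies on.
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: %s\n%s: %s\n-\n\n' \
        "$cn" "$BASE_DN" "$attr" "$attr" "$num"
}

# Usage with the values from the message above (review the LDIF first):
#   { id_ldif "Domain Users" gidNumber 20513
#     id_ldif reachfp uidNumber 501
#   } | ldbmodify --url=/path/to/your/samba/private/sam.ldb
```

Run the function on its own and read the output before piping it to ldbmodify, and take a copy of sam.ldb first.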
