[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 6 02:29:35 MDT 2014

On 06/08/14 05:24, Ryan Ashley wrote:
> Plenty of replies since this afternoon! I will try to answer your 
> questions in order, as well as ask questions.
> "All provisioning with RFC2307 does is add the ypServ30.ldif, it does 
> not do anything else, it is up to you to use it. "
> Alright, how? Remember, all my domains are golden except this. I have 
> never had to use ldif files or assign ID numbers because they always 
> just worked.

By adding whatever RFC2307 attributes you will need; these are 
usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How you 
add them is up to you: you can use samba-tool, ADUC or even write your 
own scripts around ldb-tools etc.

I think that in the past you must have been using the winbind rid 
backend; the only problem with this is that (at the moment) you get 
different id numbers on the server from any client.

> "This is a known windows problem, search Google (other search 
> providers are available) for a solution."
> I have been searching, and I have tried loads of results, to no avail. 
> Some said install libnss-ldapd, which I still don't know what it does, 
> others said to do various config entries, also to no avail, so I am 
> back here. I have reverted my changes since nothing worked.

You cannot have searched very hard, the search term 'no unix attributes 
tab' turns up about 1,910,000 results and the top one is:


> "I'd guess you don't have a UNIX tab because the Samba AD schema 
> doesn't have it. I'm not sure why that would be, since I don't use any 
> of the UNIX AD extensions myself."

That was a very wrong statement. Even if you do not provision with 
rfc2307, you still get the rfc2307 attributes and objectclasses in AD, 
and it is not the reason you haven't got the tab.

> I never have either, it always JUST WORKED. This is not frustration 
> with the help, it is frustration in that it just refuses to work for 
> no good reason. That's why I am attempting to ditch Windows, because 
> things just don't work and nobody knows why. I actually feel that 
> Rowland and Steve have been great, and have made me SERIOUSLY question 
> the highly incomplete guides on the wiki. I mean nowhere does it 
> mention the line that creates the keytab for Kerberos in any guides. 
> Nowhere does it mention the ID's or anything else they have talked 
> with me about. I honestly believe the ID numbers will solve the issue, 
> but I cannot do that yet.
> "You do not need to provision with rfc2307 nor do you need a UNIX tab 
> to allocate uidNumbers. You already have what you need. Please try it."
> Alright, how? Again, and this is what I keep repeating, I have NEVER 
> had to do this before. Up to this very point in time, S4 has been 
> rock-solid. None of my other domains use the Kerberos keytab. None of 
> them use uID's or gID's. They all just work. You're telling me I have 
> the tools to do this, but it is like me telling you to adjust your 
> main jet to 1.5 turns out. Unless you're into antiques like I am, you 
> haven't a clue what I mean or how to do it. I am not trying to be 
> rude, I just literally do not have a clue how to do this.

Er, I actually do know what you are talking about when it comes to the 
main jet; this would be the initial setting on the carburettor and you 
would adjust the high speed running from there. What do you set the slow 
run jet to?

Just how did you set up samba prior to having these problems? Did you set 
it up as a PDC or a standalone or what?

You also seem very reticent about answering questions, you never seem to 
quite answer them fully, sometimes not at all.

> "You have to activate advanced features in ADUC and edit the 
> attributes from the attribute editor tab."
> Yes, I did that and saw it in there, but chose not to edit that way 
> for one reason. According to many posts I read on search results from 
> Google, the UNIX tab shows up once the system detects NIS. I believe 
> NIS is off for some reason, but I did the check at the link below and 
> it returned one result, indicating that NIS is supposedly enabled. It 
> would be better to simply show me a yes or no, but I guess that isn't 
> an option.
> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
> Referenced from: 
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
> Ricky:
> I have NOT pulled any packages from any repos. I cloned the official 
> repo, configured and built. It turns out that by default it builds 
> 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to rule out a 4.2 
> bug, I uninstalled (make uninstall) 4.2 and configured and built 4.1, 
> then installed it. I completely removed any leftover files and 
> directories by hand, with the exception of my configuration file. 
> Here's the info you requested.
> root at fs01:~# getent passwd | grep reachfp
> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
> root at fs01:~# getent passwd | grep cynthiaj
> cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
> root at fs01:~# getent passwd | grep daquanm
> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
> root at fs01:~# getent passwd | grep reach_support
> reach_support:*:70015:70002:Reach 
> Support:/home/TRUEVINE/reach_support:/bin/false

All of those numbers are coming from the 'builtin' range (70001-80000) 
and shouldn't be, and wouldn't be if you gave your users and groups 
uidNumbers and gidNumbers.

If you do not want to do this, change this line:

idmap config TRUEVINE:backend = ad

To this:

idmap config TRUEVINE:backend = rid

Remove these:

idmap config TRUEVINE:schema_mode = rfc2307
idmap_ldb:use rfc2307 = yes
# this shouldn't be on the fileserver anyway, it's for the AD server
auth methods = winbind


> =====================
> FS01 Configuration File:
> =====================
> [global]
>   netbios name = FS01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config TRUEVINE:backend = ad
>   idmap config TRUEVINE:schema_mode = rfc2307
>   idmap config TRUEVINE:range = 500-40000
>   idmap_ldb:use rfc2307 = yes
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   auth methods = winbind
>   log level = 3
> [install$]
>   path = /home/shared/install
>   comment = "Software installation files"
>   read only = no
>   guest ok = no
> [staff$]
>   path = /home/shared/staff
>   comment = "Staff file share"
>   read only = no
>   guest ok = no
> [fbc$]
>   path = /home/shared/fbc
>   comment = "Family Bible College file share"
>   read only = no
>   guest ok = no
> One thing I am unclear on is whether or not I need "idmap_ldb:use 
> rfc2307 = yes" in member server configs or ONLY AD DC configs. Also, 
> what does "idmap config TRUEVINE:range = 500-40000" specify? I was 
> trying to set AD users to 70001-80000 for their ID's, but maybe I 
> misunderstand things. Thanks for your help and input. I'm not 
> frustrated with you guys, just the fact that ONE server is acting up 
> and I am having to do all kinds of things I have never had to do 
> before just to share files. It isn't a bad frustration however, I 
> enjoy building projects from source and using Linux in general. If 
> this was Windows I'd have found an alternative by now.
> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>> So IF I read the 70+ previous mails correctly, it looks like you have
>> tried both packages and samba source, if this is the case you could
>> have some seriously screwed up library files, causing various issues
>> (such as binaries just crashing at certain points). With that said,
>> there is a fair chance that your libnss_winbind.so (or so.2) is
>> mismatched from your current winbind causing exactly this issue.
>> Is there any chance you can give us a current recap of your
>> issue/setup? Include current configs (if you need to mask something,
>> make that clear). Also please provide the output of getent passwd |
>> grep ADUSER (replace ADUSER with an actual user) and which setup
>> (package or source, and which package you are using) you currently
>> have (as well as what you have tried there too).
>> Thanks,
>> Ricky
>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir <davortvusir at gmail.com> 
>> wrote:
>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>> Well, again, no issues until now. I never did the Kerberos keytab 
>>>> thing
>>>> before, and everything works. Never did the NIS thing before, and 
>>>> everything
>>>> works. Now I am learning these things should be done and I have 
>>>> been told
>>>> what to do and have done them as well as documented them in our 
>>>> technical
>>>> reference. However, I am now at the point where I cannot set ID's 
>>>> due to not
>>>> having the UNIX tab in ADUC. I did provision with "--use-rfc2307" 
>>>> and it is
>>>> in all of my S4 configuration files, but no luck yet. What do I 
>>>> need to
>>>> check to get that tab to appear? If assigning an ID fixes this, I will
>>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>> You have to activate advanced features in ADUC and edit the attributes
>>> from the attribute editor tab.
>>> It's a pity we couldn't help you sort this out. I think it's quite
>>> strange that it doesn't work at this particular server as you say that
>>> this is the standard way of yours to configure Samba. Why it doesn't
>>> work, I really don't know. One thing that springs to mind is, and I
>>> don't have knowledge enough to back it up, when using the TDB backend
>>> you're not guaranteed consistent id mapping through the server park. I
>>> have found nothing that states that winbind populates the
>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>> other mechanism). Which of course might give you different uidnumbers
>>> (from the *:range) for different accounts. Please correct me if I'm
>>> wrong. Is there a way to check this?
>>> But I do think that Rowland and Steve are right to 'push' for
>>> populating and using uid- and gidnumbers. uid- and gidnumbers with an
>>> interpretator like winbind, sssd or other is a/the bridge between
>>> Linux and windows. And it's a low-cost activation and maintenance. I
>>> think you should consider their advice and rethink your setup.
>>> Well, I'm out of ideas except that I have noticed that the activation
>>> of vfs module acl_xattr in the global section of smb.conf does not
>>> always/ever work on a mounted volume created from LVM. You might need
>>> to/have to put it in the share section.
>>> If you find out what caused this, please let us know.
>>> Regards
>>> Davor
>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>> The way that sounds, the "file server" guide is incomplete, because
>>>>>> nowhere does it mention any of what you're telling me. I also have
>>>>>> little trouble finding good documentation on every Linux product 
>>>>>> I use.
>>>>>> S4 is the one big exception, but with the guides, it eliminates 
>>>>>> some of
>>>>>> that need. I do not buy the whole argument of using Windows for
>>>>>> documentation, because 90% of their documentation is rambling 
>>>>>> crud. When
>>>>>> you get an error and have an ID, the docs don't have the ID you 
>>>>>> want,
>>>>>> you are hosed.
>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>> user-land Linux compared with enterprise or microsoft
>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 
>>>>>> with the
>>>>>> latest updates. The stable repos have an OLD version of S4, and I 
>>>>>> do not
>>>>>> mind building it myself anyway.
>>>>> Debian doesn't install samba unless you tell it?
>>>>>> Finally, you have told me I need this and that, but no direction is
>>>>>> noted.
>>>>> http://bit.ly/1s8LTZc
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba

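A small check that follows Rowland's diagnosis above: parse the idmap ranges out of the FS01 smb.conf and flag every account whose uid or gid landed in the `*` fallback range instead of the TRUEVINE range. This is added example code, not anything posted in the thread; the smb.conf fragment and getent lines are constructed from the ones quoted above.

```python
import re

# Constructed input: the idmap lines from the FS01 smb.conf quoted in the thread.
SMB_CONF = """
[global]
  workgroup = TRUEVINE
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 500-40000
"""

# Constructed input: the 'getent passwd' output quoted in the thread.
GETENT = """\
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return cfg

def id_domain(num, cfg):
    """Name of the idmap domain whose range contains num, or None."""
    for dom, entry in cfg.items():
        lo, hi = entry.get("range", (1, 0))
        if lo <= num <= hi:
            return dom
    return None

def users_in_fallback_range(getent, conf, domain="TRUEVINE"):
    """Accounts whose uid or gid was allocated from the '*' range; empty unless
    the domain uses the ad backend, since only it reads uidNumber/gidNumber."""
    cfg = parse_idmap(conf)
    if cfg.get(domain, {}).get("backend") != "ad":
        return []
    bad = []
    for line in getent.splitlines():
        name, _, uid, gid = line.split(":")[:4]
        if "*" in (id_domain(int(uid), cfg), id_domain(int(gid), cfg)):
            bad.append(name)
    return sorted(bad)
```

Every account the thread lists is reported, matching the point that none of them has a uidNumber/gidNumber set in AD.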