[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Wed Aug 6 11:50:08 MDT 2014


Sorry Rowland! I accidentally sent this to you the first go around. My bad.

I am actually surprised that a few others in the IT field know how to 
toy with carbs and such. My hobby is antique tractors and road vehicles. 
I love how easy it is to work on them. I wouldn't touch my 2013 F-150 
with a ten-foot pole though. Too many computers and such. Also, the 
engine is covered in plastic guards, but I digress.

What information have I not answered fully? If I did not understand what 
was asked, I asked about it. Like when "ute" was posted. I have posted 
my configs each time they are asked for. Nothing has been edited. I 
asked about NIS and you gave me the link at MS I read a while back. It 
says install the NIS stuff. S4 says NIS is installed. Now I am confused. 
I very obviously cannot install NIS stuff from 2008 R2 into a Linux 
system with S4, and S4 says it is running NIS according to the test on 
the wiki page I linked below. Do you understand my confusion now?

To add to that, MS says that once the NIS stuff is on the server (again, 
S4 says it is), I will see the UNIX tab on my ADUC tool. This is why I 
have been very hesitant to use the advanced feature and attempt to add 
ID's. If the tool isn't detecting NIS and I force this stuff, will 
something break? If I can get a guarantee that nothing will break if I 
force ID's via the advanced options, I'll do it right now. My thought 
process is different however. It goes something like "I need to get NIS 
working on the S4 server, then the regular tab will show up, and I am 
golden. Since it is not showing up, I probably shouldn't attempt to 
force ID's through the advanced option". Am I wrong here?

As for questions, I asked two or three times if I needed that line in my 
member server configurations, and I was just now told that I should only 
have it on DC's. This is fine, but we all miss or forget to answer once 
in a while, so if I forgot something, kindly remind me and I will be 
happy to answer it. Oh, and what about my question for the line that 
sets a range of 500-40000?

I'm not aggravated with anybody, but I need this fixed. I am a VERY BUSY 
person and I may forget things. Do not take it personally, please. I 
love the S4 project and it has worked fine up until now. I believe my 
issue here is that I must assign an ID to each group and each user for 
file shares to work correctly under Linux. My other clients share files 
from Linux-based NAS devices and that is PROBABLY the key difference. 
Now I know I can add these ID numbers without the UNIX tab, but is it 
safe to do that?

On 08/06/2014 04:29 AM, Rowland Penny wrote:
> On 06/08/14 05:24, Ryan Ashley wrote:
>> Plenty of replies since this afternoon! I will try to answer your 
>> questions in order, as well as ask questions.
>>
>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it does 
>> not do anything else, it is up to you to use it. "
>>
>> Alright, how? Remember, all my domains are golden except this. I have 
>> never had to use ldif files or assign ID numbers because they always 
>> just worked.
>>
>
> By adding whatever RFC2307 attributes that you will need, these are 
> usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How 
> you add them is up to you, you can use samba-tool, ADUC or even write 
> your own scripts around ldb-tools etc.
>
> I think that in the past you must have been using the winbind rid 
> backend, only problem with this is that (at the moment) you get 
> different id numbers on the server from any client.
>
>> "This is a known windows problem, search Google (other search 
>> providers are available) for a solution."
>>
>> I have been searching, and I have tried loads of results, to no 
>> avail. Some said install libnss-ldapd, which I still don't know what 
>> it does, others said to do various config entries, also to no avail, 
>> so I am back here. I have reverted my changes since nothing worked.
>
> You cannot have searched very hard, the search term 'no unix 
> attributes tab' turns up about 1,910,000 results and the top one is:
>
> http://support.microsoft.com/kb/921913
>
>>
>> "I'd guess you don't have a UNIX tab because the Samba AD schema 
>> doesn't have it. I'm not sure why that would be, since I don't use 
>> any of the UNIX AD extensions myself."
>
> That was a very wrong statement, even if you do not provision with 
> rfc2307, you still get the rfc2307 attributes and objectclasses in AD 
> and it is not the reason you haven't got the tab.
>
>>
>> I never have either, it always JUST WORKED. This is not frustration 
>> with the help, it is frustration in that it just refuses to work for 
>> no good reason. That's why I am attempting to ditch Windows, because 
>> things just don't work and nobody knows why. I actually feel that 
>> Rowland and Steve have been great, and have made me SERIOUSLY 
>> question the highly incomplete guides on the wiki. I mean nowhere 
>> does it mention the line that creates the keytab for Kerberos in any 
>> guides. Nowhere does it mention the ID's or anything else they have 
>> talked with me about. I honestly believe the ID numbers will solve 
>> the issue, but I cannot do that yet.
>>
>> "You do not need to provision with rfc2307 nor do you need a UNIX tab 
>> to allocate uidNumbers. You already have what you need. Please try it."
>>
>> Alright, how? Again, and this is what I keep repeating, I have NEVER 
>> had to do this before. Up to this very point in time, S4 has been 
>> rock-solid. None of my other domains use the Kerberos keytab. None of 
>> them use uID's or gID's. They all just work. You're telling me I have 
>> the tools to do this, but it is like me telling you to adjust your 
>> main jet to 1.5 turns out. Unless you're into antiques like I am, you 
>> haven't a clue what I mean or how to do it. I am not trying to be 
>> rude, I just literally do not have a clue how to do this.
>>
>
> er, I actually do know what you are talking about when it comes to the 
> main jet, this would be the initial setting on the carburettor and you 
> would adjust the high speed running from there, what do you set the 
> slow run jet to ?
>
> Just how did you setup samba prior to having these problems, did you 
> set it up as a PDC or a standalone or what ?
>
> You also seem very reticent about answering questions, you never seem 
> to quite answer them fully, sometimes not at all.
>
>> "You have to activate advanced features in ADUC and edit the 
>> attributes from the attribute editor tab."
>>
>> Yes, I did that and saw it in there, but chose not to edit that way 
>> for one reason. According to many posts I read on search results from 
>> Google, the UNIX tab shows up once the system detects NIS. I believe 
>> NIS is off for some reason, but I did the check at the link below and 
>> it returned one result, indicating that NIS is supposedly enabled. It 
>> would be better to simply show me a yes or no, but I guess that isn't 
>> an option.
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 
>> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>> Referenced from: 
>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>
>> Ricky:
>> I have NOT pulled any packages from any repos. I cloned the official 
>> repo, configured and built. It turns out that by default it builds 
>> 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to rule out a 4.2 
>> bug, I uninstalled (make uninstall) 4.2 and configured and built 4.1, 
>> then installed it. I completely removed any leftover files and 
>> directories by hand, with the exception of my configuration file. 
>> Here's the info you requested.
>>
>> root at fs01:~# getent passwd | grep reachfp
>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>> root at fs01:~# getent passwd | grep cynthiaj
>> cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
>> root at fs01:~# getent passwd | grep daquanm
>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>> root at fs01:~# getent passwd | grep reach_support
>> reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>
>
> All of those numbers are coming from the 'builtin' range (70001-80000) 
> and shouldn't be and wouldn't be if you gave your users and groups 
> uidNumbers & gidNumbers.
>
> If you do not want to do this, change this line:
>
> idmap config TRUEVINE:backend = ad
>
> To this:
>
> idmap config TRUEVINE:backend = rid
>
> Remove these:
>
> idmap config TRUEVINE:schema_mode = rfc2307
> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver 
> anyway, it's for the AD server
> auth methods = winbind
>
> Rowland
>
>> =====================
>> FS01 Configuration File:
>> =====================
>> [global]
>>   netbios name = FS01
>>   workgroup = TRUEVINE
>>   security = ADS
>>   realm = TRUEVINE.LAN
>>   encrypt passwords = yes
>>   dedicated keytab file = /etc/krb5.keytab
>>   kerberos method = secrets and keytab
>>
>>   idmap config *:backend = tdb
>>   idmap config *:range = 70001-80000
>>   idmap config TRUEVINE:backend = ad
>>   idmap config TRUEVINE:schema_mode = rfc2307
>>   idmap config TRUEVINE:range = 500-40000
>>   idmap_ldb:use rfc2307 = yes
>>
>>   winbind nss info = rfc2307
>>   winbind trusted domains only = no
>>   winbind use default domain = yes
>>   winbind enum users = yes
>>   winbind enum groups = yes
>>
>>   vfs objects = acl_xattr
>>   map acl inherit = yes
>>   store dos attributes = yes
>>   auth methods = winbind
>>   log level = 3
>>
>> [install$]
>>   path = /home/shared/install
>>   comment = "Software installation files"
>>   read only = no
>>   guest ok = no
>>
>> [staff$]
>>   path = /home/shared/staff
>>   comment = "Staff file share"
>>   read only = no
>>   guest ok = no
>>
>> [fbc$]
>>   path = /home/shared/fbc
>>   comment = "Family Bible College file share"
>>   read only = no
>>   guest ok = no
>>
>>
>> One thing I am unclear on is whether or not I need "idmap_ldb:use 
>> rfc2307 = yes" in member server configs or ONLY AD DC configs. Also, 
>> what does "idmap config TRUEVINE:range = 500-40000" specify? I was 
>> trying to set AD users to 70001-80000 for their ID's, but maybe I 
>> misunderstand things. Thanks for your help and input. I'm not 
>> frustrated with you guys, just the fact that ONE server is acting up 
>> and I am having to do all kinds of things I have never had to do 
>> before just to share files. It isn't a bad frustration however, I 
>> enjoy building projects from source and using Linux in general. If 
>> this was Windows I'd have found an alternative by now.
>>
>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>> So IF I read the 70+ previous mails correctly, it looks like you have
>>> tried both packages and samba source, if this is the case you could
>>> have some seriously screwed up library files, causing various issues
>>> (such as binaries just crashing at certain points). With that said,
>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>> mismatched from your current winbind causing exactly this issue.
>>>
>>> Is there any chance you can give us a current recap of your
>>> issue/setup? Include current configs (if you need to mask something,
>>> make that clear). Also please provide the output of getent passwd |
>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>> (package or source, and which package you are using) you currently
>>> have (as well as what you have tried there too).
>>>
>>> Thanks,
>>> Ricky
>>>
>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir <davortvusir at gmail.com> 
>>> wrote:
>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>> Well, again, no issues until now. I never did the Kerberos keytab thing
>>>>> before, and everything works. Never did the NIS thing before, and
>>>>> everything works. Now I am learning these things should be done and I
>>>>> have been told what to do and have done them as well as documented them
>>>>> in our technical reference. However, I am now at the point where I
>>>>> cannot set ID's due to not having the UNIX tab in ADUC. I did provision
>>>>> with "--use-rfc2307" and it is in all of my S4 configuration files, but
>>>>> no luck yet. What do I need to check to get that tab to appear? If
>>>>> assigning an ID fixes this, I will HAPPILY do it on all of our domains
>>>>> as we go out for maintenance.
>>>>>
>>>> You have to activate advanced features in ADUC and edit the attributes
>>>> from the attribute editor tab.
>>>>
>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>> strange that it doesn't work at this particular server as you say that
>>>> this is the standard way of yours to configure Samba. Why it doesn't
>>>> work, I really don't know. One thing that springs to mind is, and I
>>>> don't have knowledge enough to back it up, when using the TDB backend
>>>> you're not guaranteed consistent id mapping through the server park. I
>>>> have found nothing that states that winbind populates the
>>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>>> other mechanism). Which of course might give you different uidnumbers
>>>> (from the *:range) for different accounts. Please correct me if I'm
>>>> wrong. Is there a way to check this?
>>>>
>>>> But I do think that Rowland and Steve are right to 'push' for
>>>> populating and using uid- and gidnumbers. uid- and gidnumbers with an
>>>> interpreter like winbind, sssd or other is a/the bridge between
>>>> Linux and windows. And it's a low-cost activation and maintenance. I
>>>> think you should consider their advice and rethink your setup.
>>>>
>>>> Well, I'm out of ideas except that I have noticed that the activation
>>>> of vfs module acl_xattr in the global section of smb.conf does not
>>>> always/ever work on a mounted volume created from LVM. You might need
>>>> to/have to put it in the share section.
>>>>
>>>> If you find out what caused this, please let us know.
>>>>
>>>> Regards
>>>> Davor
>>>>
>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>> The way that sounds, the "file server" guide is incomplete, because
>>>>>>> nowhere does it mention any of what you're telling me. I also have
>>>>>>> little trouble finding good documentation on every Linux product I
>>>>>>> use. S4 is the one big exception, but with the guides, it eliminates
>>>>>>> some of that need. I do not buy the whole argument of using Windows
>>>>>>> for documentation, because 90% of their documentation is rambling
>>>>>>> crud. When you get an error and have an ID, the docs don't have the
>>>>>>> ID you want, you are hosed.
>>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 6.2 with
>>>>>>> the latest updates. The stable repos have an OLD version of S4, and I
>>>>>>> do not mind building it myself anyway.
>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>> Finally, you have told me I need this and that, but no direction is
>>>>>>> noted.
>>>>>> http://bit.ly/1s8LTZc
>>>>>>
>>>>>>
>>
>
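Rowland's reading of the getent output quoted above (uids taken from the 70001-80000 default range because the AD objects carry no uidNumber) and the question about what "idmap config TRUEVINE:range = 500-40000" specifies can both be checked mechanically. The script below is an added example written for this page, not code from the thread or from the Samba project. It parses the idmap lines and getent output as posted, reports which range each uid came from, warns about the range layout, and emits the LDIF one would feed to ldbmodify on the DC to give each user uidNumber, gidNumber, unixHomeDirectory and loginShell. The DN template (CN=<name>,CN=Users,...), the ids 10001 upward with a shared gidNumber of 10000, and the home directory layout are assumptions for illustration.

```python
"""Where did winbind get these ids? Check getent output against the idmap
ranges in smb.conf, then emit LDIF that gives the users RFC2307 ids.

Added example for this page, not code from the thread or the Samba project.
SMB_CONF and GETENT are copied from the thread; the DN template, the chosen
uidNumber/gidNumber values and the home directory layout are assumptions.
"""
import re

# idmap lines of the member server FS01, as posted in the thread
SMB_CONF = """\
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 500-40000
"""

# getent passwd output as posted in the thread (one wrapped line rejoined)
GETENT = """\
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
reach_support:*:70015:70002:Reach Support:/home/TRUEVINE/reach_support:/bin/false
"""

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)

def parse_idmap_ranges(conf):
    """{domain: (low, high)} per 'idmap config DOM:range' line; '*' is the
    default backend that catches BUILTIN and any SID no other backend maps."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RANGE_RE.finditer(conf)}

def parse_getent(text):
    """{name: (uid, gid)} from passwd(5)-formatted lines."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: (int(f[2]), int(f[3])) for f in rows if len(f) == 7}

def classify(users, ranges, domain):
    """Label each uid 'domain', 'default' or 'unmapped'. With backend = ad, a
    domain user in the '*' range is one whose AD object has no uidNumber."""
    labels = {}
    for name, (uid, _gid) in users.items():
        if ranges[domain][0] <= uid <= ranges[domain][1]:
            labels[name] = "domain"
        elif ranges["*"][0] <= uid <= ranges["*"][1]:
            labels[name] = "default"
        else:
            labels[name] = "unmapped"
    return labels

def range_warnings(ranges):
    """Flag overlapping ranges and a domain range that reaches into the ids
    Debian reserves for local system accounts (below 1000)."""
    warnings = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo, hi = max(ranges[a][0], ranges[b][0]), min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                warnings.append("ranges %s and %s overlap at %d-%d" % (a, b, lo, hi))
    for name, (low, _high) in ranges.items():
        if name != "*" and low < 1000:
            warnings.append("%s range starts at %d, inside local system ids" % (name, low))
    return warnings

def allocate_uids(names, rng, first_uid):
    """Consecutive uidNumbers from first_uid, refusing to leave rng so the
    values written to AD are ones this smb.conf will actually accept."""
    uids = {}
    for offset, name in enumerate(sorted(names)):
        uid = first_uid + offset
        if not rng[0] <= uid <= rng[1]:
            raise ValueError("%s: uid %d outside range %d-%d" % (name, uid, rng[0], rng[1]))
        uids[name] = uid
    return uids

def ldif_add_rfc2307(dn, uid, gid, home, shell="/bin/false"):
    """LDIF for ldbmodify against the DC. 'add' fails if the attribute
    already exists, which is the safe behaviour for a first assignment."""
    return "\n".join([
        "dn: %s" % dn, "changetype: modify",
        "add: uidNumber", "uidNumber: %d" % uid, "-",
        "add: gidNumber", "gidNumber: %d" % gid, "-",
        "add: unixHomeDirectory", "unixHomeDirectory: %s" % home, "-",
        "add: loginShell", "loginShell: %s" % shell, "-", ""])

if __name__ == "__main__":
    ranges, users = parse_idmap_ranges(SMB_CONF), parse_getent(GETENT)
    for name, label in sorted(classify(users, ranges, "TRUEVINE").items()):
        print("%-14s uid %5d from %s range" % (name, users[name][0], label))
    for warning in range_warnings(ranges):
        print("warning:", warning)
    for name, uid in allocate_uids(users, ranges["TRUEVINE"], 10001).items():
        # assumed: users live in CN=Users and share one group, gidNumber 10000
        print(ldif_add_rfc2307("CN=%s,CN=Users,DC=truevine,DC=lan" % name,
                               uid, 10000, "/home/TRUEVINE/%s" % name))
```

The script changes nothing by itself; review the printed LDIF, then apply it on the DC with `ldbmodify -H ldap://<dc> -U Administrator` (or against the local sam.ldb) and re-run `getent passwd <user>` on the member server once winbind's cache has expired or been flushed. On the posted configuration every user is reported as coming from the default range, which is exactly Rowland's diagnosis, and the 500-40000 domain range draws a warning because it overlaps the uids Debian uses for local system accounts; the two ranges themselves do not overlap each other, which they never should.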