[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Wed Aug 6 12:20:58 MDT 2014

Alright, I already gave every group a gIDNumber using the "advanced 
features" option via the "Attribute Editor". Each group has a unique ID. 
There are 16 built-in groups (domain admins, domain users, etc) and five 
I have. My last group ended with 10021. The first group was 10001. I 
then stopped S4 on my print-server, deleted "group_mapping.tdb", 
"winbind_cache.tdb", and "winbind_idmap.tdb", rebooted the server, and 
(S4 starts automatically) changed group ownership of a directory to 
"domain admins". When listing the directory with "ls -lAn", it showed 
70012, not 10001. So they all have gIDNumber set now, but it isn't 
pulling through. What could cause that?

On 08/06/2014 01:58 PM, Rowland Penny wrote:
> On 06/08/14 18:50, Ryan Ashley wrote:
>> Sorry Rowland! I accidentally sent this to you the first go around. 
>> My bad.
>> I am actually surprised that a few others in the IT field know how to 
>> toy with carbs and such. My hobby is antique tractors and road 
>> vehicles. I love how easy it is to work on them. I wouldn't touch my 
>> 2013 F-150 with a ten-foot pole though. Too many computers and such. 
>> Also, the engine is covered in plastic guards, but I digress.
>> What information have I not answered fully? If I did not understand 
>> what was asked, I asked about it. Like when "ute" was posted. I have 
>> posted my configs each time they are asked for. Nothing has been 
>> edited. I asked about NIS and you gave me the link at MS I read a 
>> while back. It says install the NIS stuff. S4 says NIS is installed. 
>> Now I am confused. I very obviously cannot install NIS stuff from 
>> 2008 R2 into a Linux system with S4, and S4 says it is running NIS 
>> according to the test on the wiki page I linked below. Do you 
>> understand my confusion now?
>> To add to that, MS says that once the NIS stuff is on the server 
>> (again, S4 says it is), I will see the UNIX tab on my ADUC tool. This 
>> is why I have been very hesitant to use the advanced feature and 
>> attempt to add ID's. If the tool isn't detecting NIS and I force this 
>> stuff, will something break? If I can get a guarantee that nothing 
>> will break if I force ID's via the advanced options, I'll do it right 
>> now. My thought process is different however. It goes something like 
>> "I need to get NIS working on the S4 server, then the regular tab 
>> will show up, and I am golden. Since it is not showing up, I probably 
>> shouldn't attempt to force ID's through the advanced option". Am I 
>> wrong here?
>> As for questions, I asked two or three times if I needed that line in 
>> my member server configurations, and I was just now told that I 
>> should only have it on DC's. This is fine, but we all miss or forget 
>> to answer once in a while, so if I forgot something, kindly remind me 
>> and I will be happy to answer it. Oh, and what about my question for 
>> the line that sets a range of 500-40000?
>> I'm not aggravated with anybody, but I need this fixed. I am a VERY 
>> BUSY person and I may forget things. Do not take it personally, 
>> please. I love the S4 project and it has worked fine up until now. I 
>> believe my issue here is that I must assign an ID to each group and 
>> each user for file shares to work correctly under Linux. My other 
>> clients share files from Linux-based NAS devices and that is PROBABLY 
>> the key difference. Now I know I can add these ID numbers without the 
>> UNIX tab, but is it safe to do that
>> On 08/06/2014 04:29 AM, Rowland Penny wrote:
>>> On 06/08/14 05:24, Ryan Ashley wrote:
>>>> Plenty of replies since this afternoon! I will try to answer your 
>>>> questions in order, as well as ask questions.
>>>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it 
>>>> does not do anything else, it is up to you to use it. "
>>>> Alright, how? Remember, all my domains are golden except this. I 
>>>> have never had to use ldif files or assign ID numbers because they 
>>>> always just worked.
>>> By adding whatever RFC2307 attributes that you will need, these are 
>>> usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How 
>>> you add them is up to you, you can use samba-tool, ADUC or even 
>>> write your own scripts around ldb-tools etc.
>>> I think that in the past you must have been using the winbind rid 
>>> backend, only problem with this is that (at the moment) you get 
>>> different id numbers on the server from any client.
>>>> "This is a known windows problem, search Google (other search 
>>>> providers are available) for a solution."
>>>> I have been searching, and I have tried loads of results, to no 
>>>> avail. Some said install libnss-ldapd, which I still don't know 
>>>> what it does, others said to do various config entries, also to no 
>>>> avail, so I am back here. I have reverted my changes since nothing 
>>>> worked.
>>> You cannot have searched very hard, the search term 'no unix 
>>> attributes tab' turns up about 1,910,000 results and the top one is:
>>> http://support.microsoft.com/kb/921913
>>>> "I'd guess you don't have a UNIX tab because the Samba AD schema 
>>>> doesn't have it. I'm not sure why that would be, since I don't use 
>>>> any of the UNIX AD extensions myself."
>>> That was a very wrong statement, even if you do not provision with 
>>> rfc2307, you still get the rfc2307 attributes and objectclasses in 
>>> AD and it is not the reason you haven't got the tab
>>>> I never have either, it always JUST WORKED. This is not frustration 
>>>> with the help, it is frustration in that it just refuses to work 
>>>> for no good reason. That's why I am attempting to ditch Windows, 
>>>> because things just don't work and nobody knows why. I actually 
>>>> feel that Rowland and Steve have been great, and have made me 
>>>> SERIOUSLY question the highly incomplete guides on the wiki. I mean 
>>>> nowhere does it mention the line that creates the keytab for 
>>>> Kerberos in any guides. Nowhere does it mention the ID's or 
>>>> anything else they have talked with me about. I honestly believe 
>>>> the ID numbers will solve the issue, but I cannot do that yet.
>>>> "You do not need to provision with rfc2307 nor do you need a UNIX 
>>>> tab to allocate uidNumbers. You already have what you need. Please 
>>>> try it."
>>>> Alright, how? Again, and this is what I keep repeating, I have 
>>>> NEVER had to do this before. Up to this very point in time, S4 has 
>>>> been rock-solid. None of my other domains use the Kerberos keytab. 
>>>> None of them use uID's or gID's. They all just work. You're telling 
>>>> me I have the tools to do this, but it is like me telling you to 
>>>> adjust your main jet to 1.5 turns out. Unless you're into antiques 
>>>> like I am, you haven't a clue what I mean or how to do it. I am not 
>>>> trying to be rude, I just literally do not have a clue how to do this.
>>> er, I actually do know what you are talking about when it comes to 
>>> the main jet, this would be the initial setting on the carburettor 
>>> and you would adjust the high speed running from there, what do you 
>>> set the slow run jet to ?
>>> Just how did you setup samba prior to having these problems, did you 
>>> set it up as a PDC or a standalone or what ?
>>> You also seem very reticent about answering questions, you never 
>>> seem to quite answer them fully, sometimes not at all.
>>>> "You have to activate advanced features in ADUC and edit the 
>>>> attributes from the attribute editor tab."
>>>> Yes, I did that and saw it in there, but chose not to edit that way 
>>>> for one reason. According to many posts I read on search results 
>>>> from Google, the UNIX tab shows up once the system detects NIS. I 
>>>> believe NIS is off for some reason, but I did the check at the link 
>>>> below and it returned one result, indicating that NIS is supposedly 
>>>> enabled. It would be better to simply show me a yes or no, but I 
>>>> guess that isn't an option.
>>>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 
>>>> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>> Referenced from: 
>>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>> Ricky:
>>>> I have NOT pulled any packages from any repos. I cloned the 
>>>> official repo, configured and built. It turns out that by default 
>>>> it builds 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to 
>>>> rule out a 4.2 bug, I uninstalled (make uninstall) 4.2 and 
>>>> configured and built 4.1, then installed it. I completely removed 
>>>> any leftover files and directories by hand, with the exception of 
>>>> my configuration file. Here's the info you requested.
>>>> root at fs01:~# getent passwd | grep reachfp
>>>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>> root at fs01:~# getent passwd | grep cynthiaj
>>>> cynthiaj:*:70016:70002:Cynthia 
>>>> Jones:/home/TRUEVINE/cynthiaj:/bin/false
>>>> root at fs01:~# getent passwd | grep daquanm
>>>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>>>> root at fs01:~# getent passwd | grep reach_support
>>>> reach_support:*:70015:70002:Reach 
>>>> Support:/home/TRUEVINE/reach_support:/bin/false
>>> All of those numbers are coming from the 'builtin' range 
>>> (70001-80000) and shouldn't be and wouldn't be if you gave your 
>>> users and groups uidNumber's & gidNumber's
>>> If you do not want to do this, change this line:
>>> idmap config TRUEVINE:backend = ad
>>> To this:
>>> idmap config TRUEVINE:backend = rid
>>> Remove these:
>>> idmap config TRUEVINE:schema_mode = rfc2307
>>> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver 
>>> anyway, it's for the AD server
>>> auth methods = winbind
>>> Rowland
>>>> =====================
>>>> FS01 Configuration File:
>>>> =====================
>>>> [global]
>>>>   netbios name = FS01
>>>>   workgroup = TRUEVINE
>>>>   security = ADS
>>>>   realm = TRUEVINE.LAN
>>>>   encrypt passwords = yes
>>>>   dedicated keytab file = /etc/krb5.keytab
>>>>   kerberos method = secrets and keytab
>>>>   idmap config *:backend = tdb
>>>>   idmap config *:range = 70001-80000
>>>>   idmap config TRUEVINE:backend = ad
>>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>>   idmap config TRUEVINE:range = 500-40000
>>>>   idmap_ldb:use rfc2307 = yes
>>>>   winbind nss info = rfc2307
>>>>   winbind trusted domains only = no
>>>>   winbind use default domain = yes
>>>>   winbind enum users = yes
>>>>   winbind enum groups = yes
>>>>   vfs objects = acl_xattr
>>>>   map acl inherit = yes
>>>>   store dos attributes = yes
>>>>   auth methods = winbind
>>>>   log level = 3
>>>> [install$]
>>>>   path = /home/shared/install
>>>>   comment = "Software installation files"
>>>>   read only = no
>>>>   guest ok = no
>>>> [staff$]
>>>>   path = /home/shared/staff
>>>>   comment = "Staff file share"
>>>>   read only = no
>>>>   guest ok = no
>>>> [fbc$]
>>>>   path = /home/shared/fbc
>>>>   comment = "Family Bible College file share"
>>>>   read only = no
>>>>   guest ok = no
>>>> One thing I am unclear on is whether or not I need "idmap_ldb:use 
>>>> rfc2307 = yes" in member server configs or ONLY AD DC configs. 
>>>> Also, what does "idmap config TRUEVINE:range = 500-40000" specify? 
>>>> I was trying to set AD users to 70001-80000 for their ID's, but 
>>>> maybe I misunderstand things. Thanks for your help and input. I'm 
>>>> not frustrated with you guys, just the fact that ONE server is 
>>>> acting up and I am having to do all kinds of things I have never 
>>>> had to do before just to share files. It isn't a bad frustration 
>>>> however, I enjoy building projects from source and using Linux in 
>>>> general. If this was Windows I'd have found an alternative by now.
>>>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>>>> So IF I read the 70+ previous mails correctly, it looks like you have
>>>>> tried both packages and samba source, if this is the case you could
>>>>> have some seriously screwed up library files, causing various issues
>>>>> (such as binaries just crashing at certain points). With that said,
>>>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>>>> mismatched from your current winbind causing exactly this issue.
>>>>> Is there any chance you can give us a current recap of your
>>>>> issue/setup? Include current configs (if you need to mask something,
>>>>> make that clear). Also please provide the output of getent passwd |
>>>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>>>> (package or source, and which package you are using) you currently
>>>>> have (as well as what you have tried there too).
>>>>> Thanks,
>>>>> Ricky
>>>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir 
>>>>> <davortvusir at gmail.com> wrote:
>>>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>> Well, again, no issues until now. I never did the Kerberos 
>>>>>>> keytab thing
>>>>>>> before, and everything works. Never did the NIS thing before, 
>>>>>>> and everything
>>>>>>> works. Now I am learning these things should be done and I have 
>>>>>>> been told
>>>>>>> what to do and have done them as well as documented them in our 
>>>>>>> technical
>>>>>>> reference. However, I am now at the point where I cannot set 
>>>>>>> ID's due to not
>>>>>>> having the UNIX tab in ADUC. I did provision with 
>>>>>>> "--use-rfc2307" and it is
>>>>>>> in all of my S4 configuration files, but no luck yet. What do I 
>>>>>>> need to
>>>>>>> check to get that tab to appear? If assigning an ID fixes this, 
>>>>>>> I will
>>>>>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>>>>> You have to activate advanced features in ADUC and edit the 
>>>>>> attributes
>>>>>> from the attribute editor tab.
>>>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>>>> strange that it doesn't work at this particular server as you say 
>>>>>> that
>>>>>> this is the standard way of yours to configure Samba. Why it doesn't
>>>>>> work, I really don't know. One thing that springs to mind is, and I
>>>>>> don't have knowledge enough to back it up, when using the TDB 
>>>>>> backend
>>>>>> you're not guaranteed consistent id mapping through the server 
>>>>>> park. I
>>>>>> have found nothing that states that winbind populates the
>>>>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>>>>> other mechanism). Which of course might give you different 
>>>>>> uidnumbers
>>>>>> (from the *:range) for different accounts. Please correct me if I'm
>>>>>> wrong. Is there a way to check this?
>>>>>> But I do think that Rowland and Steve are right to 'push' for
>>>>>> populating and using uid- and gidnumbers. uid- and gidnumbers 
>>>>>> with an
>>>>>> interpretator like winbind, sssd or other is a/the bridge between
>>>>>> Linux and windows. And it's a low-cost activation and maintenance. I
>>>>>> think you should consider their advice and rethink your setup.
>>>>>> Well, I'm out of ideas except that I have noticed that the 
>>>>>> activation
>>>>>> of vfs module acl_xattr in the global section of smb.conf does not
>>>>>> always/ever work on a mounted volume created from LVM. You might 
>>>>>> need
>>>>>> to/have to put it in the share section.
>>>>>> If you find out what caused this, please let us know.
>>>>>> Regards
>>>>>> Davor
>>>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>>>> The way that sounds, the "file server" guide is incomplete, 
>>>>>>>>> because
>>>>>>>>> nowhere does it mention any of what you're telling me. I also 
>>>>>>>>> have
>>>>>>>>> little trouble finding good documentation on every Linux 
>>>>>>>>> product I use.
>>>>>>>>> S4 is the one big exception, but with the guides, it 
>>>>>>>>> eliminates some of
>>>>>>>>> that need. I do not buy the whole argument of using Windows for
>>>>>>>>> documentation, because 90% of their documentation is rambling 
>>>>>>>>> crud. When
>>>>>>>>> you get an error and have an ID, the docs don't have the ID 
>>>>>>>>> you want,
>>>>>>>>> you are hosed.
>>>>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 
>>>>>>>>> 6.2 with the
>>>>>>>>> latest updates. The stable repos have an OLD version of S4, 
>>>>>>>>> and I do not
>>>>>>>>> mind building it myself anyway.
>>>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>>>> Finally, you have told me I need this and that, but no 
>>>>>>>>> direction is
>>>>>>>>> noted.
>>>>>>>> http://bit.ly/1s8LTZc
>>>>>>> -- 
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>> -- 
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
> Too late, I already replied ;-)
> Rowland

More information about the samba mailing list