[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 6 12:33:04 MDT 2014

On 06/08/14 19:20, Ryan Ashley wrote:
> Alright, I already gave every group a gIDNumber using the "advanced 
> features" option via the "Attribute Editor". Each group has a unique 
> ID. There are 16 built-in groups (domain admins, domain users, etc) 
> and five I have. My last group ended with 10021. The first group was 
> 10001. I then stopped S4 on my print-server, deleted 
> "group_mapping.tdb", "winbind_cache.tdb", and "winbind_idmap.tdb", 
> rebooted the server, and (S4 starts automatically) changed group 
> ownership of a directory to "domain admins". When listing the 
> directory with "ls -lAn", it showed 70012, not 10001. So they all have 
> gIDNumber set now, but it isn't pulling through. What could cause that?

OK, can you post the results of these two commands (run on the S4 server):

ldbsearch --url=/usr/local/samba/private/sam.ldb sAMAccountName=<username>

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

Replace <username> with a valid domain user. You may also have to change 
the path to sam.ldb, and you may also have to install ldb-tools, but I 
think that, as you compiled samba yourself, they will be installed in 


> On 08/06/2014 01:58 PM, Rowland Penny wrote:
>> On 06/08/14 18:50, Ryan Ashley wrote:
>>> Sorry Rowland! I accidentally sent this to you the first go around. 
>>> My bad.
>>> I am actually surprised that a few others in the IT field know how 
>>> to toy with carbs and such. My hobby is antique tractors and road 
>>> vehicles. I love how easy it is to work on them. I wouldn't touch my 
>>> 2013 F-150 with a ten-foot pole though. Too many computers and such. 
>>> Also, the engine is covered in plastic guards, but I digress.
>>> What information have I not answered fully? If I did not understand 
>>> what was asked, I asked about it. Like when "ute" was posted. I have 
>>> posted my configs each time they are asked for. Nothing has been 
>>> edited. I asked about NIS and you gave me the link at MS I read a 
>>> while back. It says install the NIS stuff. S4 says NIS is installed. 
>>> Now I am confused. I very obviously cannot install NIS stuff from 
>>> 2008 R2 into a Linux system with S4, and S4 says it is running NIS 
>>> according to the test on the wiki page I linked below. Do you 
>>> understand my confusion now?
>>> To add to that, MS says that once the NIS stuff is on the server 
>>> (again, S4 says it is), I will see the UNIX tab on my ADUC tool. 
>>> This is why I have been very hesitant to use the advanced feature 
>>> and attempt to add ID's. If the tool isn't detecting NIS and I force 
>>> this stuff, will something break? If I can get a guarantee that 
>>> nothing will break if I force ID's via the advanced options, I'll do 
>>> it right now. My thought process is different however. It goes 
>>> something like "I need to get NIS working on the S4 server, then the 
>>> regular tab will show up, and I am golden. Since it is not showing 
>>> up, I probably shouldn't attempt to force ID's through the advanced 
>>> option". Am I wrong here?
>>> As for questions, I asked two or three times if I needed that line 
>>> in my member server configurations, and I was just now told that I 
>>> should only have it on DC's. This is fine, but we all miss or forget 
>>> to answer once in a while, so if I forgot something, kindly remind 
>>> me and I will be happy to answer it. Oh, and what about my question 
>>> for the line that sets a range of 500-40000?
>>> I'm not aggravated with anybody, but I need this fixed. I am a VERY 
>>> BUSY person and I may forget things. Do not take it personally, 
>>> please. I love the S4 project and it has worked fine up until now. I 
>>> believe my issue here is that I must assign an ID to each group and 
>>> each user for file shares to work correctly under Linux. My other 
>>> clients share files from Linux-based NAS devices and that is 
>>> PROBABLY the key difference. Now I know I can add these ID numbers 
>>> without the UNIX tab, but is it safe to do that
>>> On 08/06/2014 04:29 AM, Rowland Penny wrote:
>>>> On 06/08/14 05:24, Ryan Ashley wrote:
>>>>> Plenty of replies since this afternoon! I will try to answer your 
>>>>> questions in order, as well as ask questions.
>>>>> "All provisioning with RFC2307 does is add the ypServ30.ldif, it 
>>>>> does not do anything else, it is up to you to use it. "
>>>>> Alright, how? Remember, all my domains are golden except this. I 
>>>>> have never had to use ldif files or assign ID numbers because they 
>>>>> always just worked.
>>>> By adding whatever RFC2307 attributes that you will need, these are 
>>>> usually uidNumber, gidNumber, loginShell and unixHomeDirectory. How 
>>>> you add them is up to you, you can use samba-tool, ADUC or even 
>>>> write your own scripts around ldb-tools etc.
>>>> I think that in the past you must have been using the winbind rid 
>>>> backend, only problem with this is that (at the moment) you get 
>>>> different id numbers on the server from any client.
>>>>> "This is a known windows problem, search Google (other search 
>>>>> providers are available) for a solution."
>>>>> I have been searching, and I have tried loads of results, to no 
>>>>> avail. Some said install libnss-ldapd, which I still don't know 
>>>>> what it does, others said to do various config entries, also to no 
>>>>> avail, so I am back here. I have reverted my changes since nothing 
>>>>> worked.
>>>> You cannot have searched very hard, the search term 'no unix 
>>>> attributes tab' turns up about 1,910,000 results and the top one is:
>>>> http://support.microsoft.com/kb/921913
>>>>> "I'd guess you don't have a UNIX tab because the Samba AD schema 
>>>>> doesn't have it. I'm not sure why that would be, since I don't use 
>>>>> any of the UNIX AD extensions myself."
>>>> That was a very wrong statement, even if you do not provision with 
>>>> rfc2307, you still get the rfc2307 attributes and objectclasses in 
>>>> AD and it is not the reason you haven't got the tab
>>>>> I never have either, it always JUST WORKED. This is not 
>>>>> frustration with the help, it is frustration in that it just 
>>>>> refuses to work for no good reason. That's why I am attempting to 
>>>>> ditch Windows, because things just don't work and nobody knows 
>>>>> why. I actually feel that Rowland and Steve have been great, and 
>>>>> have made me SERIOUSLY question the highly incomplete guides on 
>>>>> the wiki. I mean nowhere does it mention the line that creates the 
>>>>> keytab for Kerberos in any guides. Nowhere does it mention the 
>>>>> ID's or anything else they have talked with me about. I honestly 
>>>>> believe the ID numbers will solve the issue, but I cannot do that 
>>>>> yet.
>>>>> "You do not need to provision with rfc2307 nor do you need a UNIX 
>>>>> tab to allocate uidNumbers. You already have what you need. Please 
>>>>> try it."
>>>>> Alright, how? Again, and this is what I keep repeating, I have 
>>>>> NEVER had to do this before. Up to this very point in time, S4 has 
>>>>> been rock-solid. None of my other domains use the Kerberos keytab. 
>>>>> None of them use uID's or gID's. They all just work. You're 
>>>>> telling me I have the tools to do this, but it is like me telling 
>>>>> you to adjust your main jet to 1.5 turns out. Unless you're into 
>>>>> antiques like I am, you haven't a clue what I mean or how to do 
>>>>> it. I am not trying to be rude, I just literally do not have a 
>>>>> clue how to do this.
>>>> er, I actually do know what you are talking about when it comes to 
>>>> the main jet, this would be the initial setting on the carburettor 
>>>> and you would adjust the high speed running from there, what do you 
>>>> set the slow run jet to ?
>>>> Just how did you setup samba prior to having these problems, did 
>>>> you set it up as a PDC or a standalone or what ?
>>>> You also seem very reticent about answering questions, you never 
>>>> seem to quite answer them fully, sometimes not at all.
>>>>> "You have to activate advanced features in ADUC and edit the 
>>>>> attributes from the attribute editor tab."
>>>>> Yes, I did that and saw it in there, but chose not to edit that 
>>>>> way for one reason. According to many posts I read on search 
>>>>> results from Google, the UNIX tab shows up once the system detects 
>>>>> NIS. I believe NIS is off for some reason, but I did the check at 
>>>>> the link below and it returned one result, indicating that NIS is 
>>>>> supposedly enabled. It would be better to simply show me a yes or 
>>>>> no, but I guess that isn't an option.
>>>>> ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b 
>>>>> CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan
>>>>> Referenced from: 
>>>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>> Ricky:
>>>>> I have NOT pulled any packages from any repos. I cloned the 
>>>>> official repo, configured and built. It turns out that by default 
>>>>> it builds 4.2.0-pre<xyz> instead of 4-1-stable. In an attempt to 
>>>>> rule out a 4.2 bug, I uninstalled (make uninstall) 4.2 and 
>>>>> configured and built 4.1, then installed it. I completely removed 
>>>>> any leftover files and directories by hand, with the exception of 
>>>>> my configuration file. Here's the info you requested.
>>>>> root at fs01:~# getent passwd | grep reachfp
>>>>> reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>>> root at fs01:~# getent passwd | grep cynthiaj
>>>>> cynthiaj:*:70016:70002:Cynthia 
>>>>> Jones:/home/TRUEVINE/cynthiaj:/bin/false
>>>>> root at fs01:~# getent passwd | grep daquanm
>>>>> daquanm:*:70002:70002:DaQuan Major:/home/TRUEVINE/daquanm:/bin/false
>>>>> root at fs01:~# getent passwd | grep reach_support
>>>>> reach_support:*:70015:70002:Reach 
>>>>> Support:/home/TRUEVINE/reach_support:/bin/false
>>>> All of those numbers are coming from the 'builtin' range 
>>>> (70001-80000) and shouldn't be and wouldn't be if you gave your 
>>>> users and groups uidNumber's & gidNumber's
>>>> If you do not want to do this, change this line:
>>>> idmap config TRUEVINE:backend = ad
>>>> To this:
>>>> idmap config TRUEVINE:backend = rid
>>>> Remove these:
>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>> idmap_ldb:use rfc2307 = yes # this shouldn't be on the fileserver 
>>>> anyway, it's for the AD server
>>>> auth methods = winbind
>>>> Rowland
>>>>> =====================
>>>>> FS01 Configuration File:
>>>>> =====================
>>>>> [global]
>>>>>   netbios name = FS01
>>>>>   workgroup = TRUEVINE
>>>>>   security = ADS
>>>>>   realm = TRUEVINE.LAN
>>>>>   encrypt passwords = yes
>>>>>   dedicated keytab file = /etc/krb5.keytab
>>>>>   kerberos method = secrets and keytab
>>>>>   idmap config *:backend = tdb
>>>>>   idmap config *:range = 70001-80000
>>>>>   idmap config TRUEVINE:backend = ad
>>>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>>>   idmap config TRUEVINE:range = 500-40000
>>>>>   idmap_ldb:use rfc2307 = yes
>>>>>   winbind nss info = rfc2307
>>>>>   winbind trusted domains only = no
>>>>>   winbind use default domain = yes
>>>>>   winbind enum users = yes
>>>>>   winbind enum groups = yes
>>>>>   vfs objects = acl_xattr
>>>>>   map acl inherit = yes
>>>>>   store dos attributes = yes
>>>>>   auth methods = winbind
>>>>>   log level = 3
>>>>> [install$]
>>>>>   path = /home/shared/install
>>>>>   comment = "Software installation files"
>>>>>   read only = no
>>>>>   guest ok = no
>>>>> [staff$]
>>>>>   path = /home/shared/staff
>>>>>   comment = "Staff file share"
>>>>>   read only = no
>>>>>   guest ok = no
>>>>> [fbc$]
>>>>>   path = /home/shared/fbc
>>>>>   comment = "Family Bible College file share"
>>>>>   read only = no
>>>>>   guest ok = no
>>>>> One thing I am unclear on is whether or not I need "idmap_ldb:use 
>>>>> rfc2307 = yes" in member server configs or ONLY AD DC configs. 
>>>>> Also, what does "idmap config TRUEVINE:range = 500-40000" specify? 
>>>>> I was trying to set AD users to 70001-80000 for their ID's, but 
>>>>> maybe I misunderstand things. Thanks for your help and input. I'm 
>>>>> not frustrated with you guys, just the fact that ONE server is 
>>>>> acting up and I am having to do all kinds of things I have never 
>>>>> had to do before just to share files. It isn't a bad frustration 
>>>>> however, I enjoy building projects from source and using Linux in 
>>>>> general. If this was Windows I'd have found an alternative by now.
>>>>> On 8/5/2014 11:57 PM, Ricky Nance wrote:
>>>>>> So IF I read the 70+ previous mails correctly, it looks like you 
>>>>>> have
>>>>>> tried both packages and samba source, if this is the case you could
>>>>>> have some seriously screwed up library files, causing various issues
>>>>>> (such as binaries just crashing at certain points). With that said,
>>>>>> there is a fair chance that your libnss_winbind.so (or so.2) is
>>>>>> mismatched from your current winbind causing exactly this issue.
>>>>>> Is there any chance you can give us a current recap of your
>>>>>> issue/setup? Include current configs (if you need to mask something,
>>>>>> make that clear). Also please provide the output of getent passwd |
>>>>>> grep ADUSER (replace ADUSER with an actual user) and which setup
>>>>>> (package or source, and which package you are using) you currently
>>>>>> have (as well as what you have tried there too).
>>>>>> Thanks,
>>>>>> Ricky
>>>>>> On Tue, Aug 5, 2014 at 3:18 PM, Davor Vusir 
>>>>>> <davortvusir at gmail.com> wrote:
>>>>>>> 2014-08-05 20:32 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>> Well, again, no issues until now. I never did the Kerberos 
>>>>>>>> keytab thing
>>>>>>>> before, and everything works. Never did the NIS thing before, 
>>>>>>>> and everything
>>>>>>>> works. Now I am learning these things should be done and I have 
>>>>>>>> been told
>>>>>>>> what to do and have done them as well as documented them in our 
>>>>>>>> technical
>>>>>>>> reference. However, I am now at the point where I cannot set 
>>>>>>>> ID's due to not
>>>>>>>> having the UNIX tab in ADUC. I did provision with 
>>>>>>>> "--use-rfc2307" and it is
>>>>>>>> in all of my S4 configuration files, but no luck yet. What do I 
>>>>>>>> need to
>>>>>>>> check to get that tab to appear? If assigning an ID fixes this, 
>>>>>>>> I will
>>>>>>>> HAPPILY do it on all of our domains as we go out for maintenance.
>>>>>>> You have to activate advanced features in ADUC and edit the 
>>>>>>> attributes
>>>>>>> from the attribute editor tab.
>>>>>>> It's a pity we couldn't help you sort this out. I think it's quite
>>>>>>> strange that it doesn't work at this particular server as you 
>>>>>>> say that
>>>>>>> this is the standard way of yours to configure Samba. Why it 
>>>>>>> doesn't
>>>>>>> work, I really don't know. One thing that springs to mind is, and I
>>>>>>> don't have knowledge enough to back it up, when using the TDB 
>>>>>>> backend
>>>>>>> you're not guaranteed consistent id mapping through the server 
>>>>>>> park. I
>>>>>>> have found nothing that states that winbind populates the
>>>>>>> tdb-databases in a certain order (a-z, ascending SID numbering or
>>>>>>> other mechanism). Which of course might give you different 
>>>>>>> uidnumbers
>>>>>>> (from the *:range) for different accounts. Please correct me if I'm
>>>>>>> wrong. Is there a way to check this?
>>>>>>> But I do think that Rowland and Steve are right to 'push' for
>>>>>>> populating and using uid- and gidnumbers. uid- and gidnumbers 
>>>>>>> with an
>>>>>>> interpretator like winbind, sssd or other is a/the bridge between
>>>>>>> Linux and windows. And it's a low-cost activation and 
>>>>>>> maintenance. I
>>>>>>> think you should consider their advice and rethink your setup.
>>>>>>> Well, I'm out of ideas except that I have noticed that the 
>>>>>>> activation
>>>>>>> of vfs module acl_xattr in the global section of smb.conf does not
>>>>>>> always/ever work on a mounted volume created from LVM. You might 
>>>>>>> need
>>>>>>> to/have to put it in the share section.
>>>>>>> If you find out what caused this, please let us know.
>>>>>>> Regards
>>>>>>> Davor
>>>>>>>> On 08/05/2014 02:16 PM, steve wrote:
>>>>>>>>> On Tue, 2014-08-05 at 13:17 -0400, Ryan Ashley wrote:
>>>>>>>>>> The way that sounds, the "file server" guide is incomplete, 
>>>>>>>>>> because
>>>>>>>>>> nowhere does it mention any of what you're telling me. I also 
>>>>>>>>>> have
>>>>>>>>>> little trouble finding good documentation on every Linux 
>>>>>>>>>> product I use.
>>>>>>>>>> S4 is the one big exception, but with the guides, it 
>>>>>>>>>> eliminates some of
>>>>>>>>>> that need. I do not buy the whole argument of using Windows for
>>>>>>>>>> documentation, because 90% of their documentation is rambling 
>>>>>>>>>> crud. When
>>>>>>>>>> you get an error and have an ID, the docs don't have the ID 
>>>>>>>>>> you want,
>>>>>>>>>> you are hosed.
>>>>>>>>> Unless you know what you're doing, the time it takes to get up on
>>>>>>>>> user-land Linux compared with enterprise or microsoft
>>>>>>>>> out-of-the-box-or-just-call-the-engineer is false economy.
>>>>>>>>>> Again, I am running Debian Wheezy 7.5 64bit under XenServer 
>>>>>>>>>> 6.2 with the
>>>>>>>>>> latest updates. The stable repos have an OLD version of S4, 
>>>>>>>>>> and I do not
>>>>>>>>>> mind building it myself anyway.
>>>>>>>>> Debian doesn't install samba unless you tell it?
>>>>>>>>>> Finally, you have told me I need this and that, but no 
>>>>>>>>>> direction is
>>>>>>>>>> noted.
>>>>>>>>> http://bit.ly/1s8LTZc
>>>>>>>> -- 
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>> Too late, I already replied ;-)
>> Rowland
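Rowland's diagnosis above (every uid and gid in the getent output falls in the '*' tdb range 70001-80000 instead of the TRUEVINE 'ad' range, so winbind is not finding uidNumber/gidNumber on the AD objects) can be checked mechanically. This is an added example, not code from the thread or from Samba; it assumes the FS01 idmap lines and the getent lines quoted above as constructed input, plus one invented user, unixok, that does carry ids inside the AD range.

```python
import re

# Constructed input: the idmap lines from the FS01 smb.conf posted in the thread.
SMB_CONF = """\
[global]
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 500-40000
"""

# Constructed input: two getent lines from the thread plus an invented user (unixok).
GETENT = """\
reachfp:*:70010:70002:reachfp:/home/TRUEVINE/reachfp:/bin/false
cynthiaj:*:70016:70002:Cynthia Jones:/home/TRUEVINE/cynthiaj:/bin/false
unixok:*:10005:10001:Unix OK:/home/TRUEVINE/unixok:/bin/false
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """Return {idmap domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (winbind needs disjoint ranges)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def id_source(num, ranges):
    """Name of the idmap domain whose range contains num, or None if unmapped."""
    for dom, (lo, hi) in ranges.items():
        if lo <= num <= hi:
            return dom
    return None

def audit_getent(getent_text, ranges, domain):
    """Per passwd line, report which idmap range the uid/gid came from; an id in the
    '*' range means the 'ad' backend found no uidNumber/gidNumber and tdb allocated it."""
    report = []
    for line in getent_text.splitlines():
        name, _pw, uid, gid = line.split(":")[:4]
        uid_src, gid_src = id_source(int(uid), ranges), id_source(int(gid), ranges)
        report.append({"user": name, "uid": int(uid), "uid_from": uid_src,
                       "gid": int(gid), "gid_from": gid_src,
                       "ok": uid_src == domain and gid_src == domain})
    return report
```

Any row with "ok": False is an account whose AD object still needs uidNumber/gidNumber (or whose winbind cache was populated before the attributes were added).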
