[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Thu Aug 7 08:24:57 MDT 2014


Alright, new problem. That ypServ30.ldif file is asking for all kinds of 
information I do not know or know how to get. I am ASSUMING the "domain 
dn" it is asking for is "dc=truevine,dc=lan". However, it also needs to 
know a NISDOMAIN variable and that I do not have a clue about. Is there 
a guide dedicated just to editing this file? I don't have a NIS domain 
to my knowledge. I just want to import the file so I can set my 
attributes. This is kind of complicated just to add a few (four?) 
attributes to my schema.

So, what do I set all these things in the LDIF file to? Is there a way I 
can look them up?

On 08/07/2014 09:42 AM, Ryan Ashley wrote:
> Thanks, Rowland. I just got in this morning and think it finally all 
> fell into place. You mentioned an LDIF file in a prior email. I assume 
> that if I import that LDIF file, it creates the attributes I need. 
> After that, I should be able to set them as you stated. Is this correct?
>
> My current plan is to re-read your emails and find the file you 
> mentioned. If it does indeed add those attributes, I will import it 
> and try setting them as you stated. If it works, I will report success 
> and summarize what this entire thread was about for others to learn 
> from without reading it all.
>
> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>> On 06/08/14 22:24, Ryan Ashley wrote:
>>> I have tried your suggestions, and some I had found prior to falling 
>>> back on the mailing list so I already knew some would not work. I 
>>> was not asked for a response after being pointed to the material so 
>>> I did not provide one.
>>>
>>> Yes, I am very busy as I work as the lead IT and IS specialist in a 
>>> small business. I cannot devote weeks to a single problem as I 
>>> handle dozens a day, many resolved within 24hrs. This issue has been 
>>> on-going due to the fact that I have already tried a ton of what is 
>>> out there, and as for your "Google search", dozens of those are the 
>>> same posts regurgitated on numerous sites. I went through an entire 
>>> page a week or so back and every single link on the page was to the 
>>> exact same post, on numerous sites that have board-readers that 
>>> simply read the samba lists among others and duplicate the posts. 
>>> Useless! I'd say out of 1.9mil results, about 500k are unique. I am 
>>> getting to where I dislike Google for this reason, but that is 
>>> another discussion.
>>>
>>> I am also happy to hear that you can afford to blow thousands on a 
>>> simple DVD. Low-income businesses, churches, and what-not cannot. 
>>> Yes, we know of open-licensing and manage it for several clients, 
>>> but many people are not willing to spend anything right now if there 
>>> is a viable alternative. Seeing that S4 has worked flawlessly for 
>>> two years at a few locations, this fit the client's needs and we 
>>> installed it. Something is just different this time. I am learning a 
>>> lot and intend to apply things like the group and user ID's to other 
>>> domains once we have it working here to avoid future problems.
>>>
>>> Also, Windows has MUCH higher resource requirements than Linux. On 
>>> top of that $3k, how much would we have to pay to bring up the 
>>> hardware? Too expensive for such little gain.
>>>
>>> Finally, if you have taken some personal offense to something, speak 
>>> up. You offered assistance, I took what I had not already tried and 
>>> tried it. You did not ask for results, so I assumed the fact that I 
>>> was still asking for help would have been a clue that the suggestion 
>>> was no good. Every time anybody asked for anything, including 
>>> configuration files, I posted them, so there's no need to be bitter. 
>>> Simply point out that I may have missed something and I'll try it or 
>>> let you know I already did.
>>>
>>> On 8/6/2014 3:57 PM, steve wrote:
>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>
>>>>> What information have I not answered fully?
>>>> Most of the suggestions and tips we have given. As an example, you 
>>>> said that you wanted to add IDs to your users. You were sent a link 
>>>> to help you look up what you said you, 'had no idea how'. You ignored 
>>>> that, so we sent you concrete examples to try. Still nothing.
>>>>
>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge everyone
>>>> here to jump on your case. I repeat. With a 2012 R2 licence and 90 
>>>> days reduced rate licence, you would have been up days ago for this 
>>>> side of $3000
>>>>
>>>> Cheers, and EOT from us,
>>>> Steve
>>>>
>>>
>> Active Directory works differently from Linux, it uses SID's and 
>> RID's, Linux uses UID's and GID's. To use AD users as Linux users you 
>> somehow have to convert the SID's and RID's to UID's and GID's. There 
>> are several ways to do this by using programs like winbind, nslcd or 
>> sssd, but they all boil down to the same two ways, you either create 
>> a UID/GID from the RID or you give the user/group a uidNumber/gidNumber.
>>
>> That is:
>> A user is given a uidNumber and gidNumber
>> A group is given a gidNumber
>>
>> uidNumber and gidNumber are the attribute names, not uid or gid or 
>> anything else.
>>
>> The only way (at the moment) to ensure that your users/groups get the 
>> same ID everywhere in the domain is to use RFC2307 attributes.
>>
>> see here for info on RFC2307:
>>
>> https://www.ietf.org/rfc/rfc2307.txt
>>
>> How you add these RFC2307 attributes is up to you, the easiest way is 
>> to use ADUC, but you say that you do not have the UNIX-Attributes tab 
>> on your users and groups, I also had this problem and solved it by 
>> searching the internet. I posted a link to one of the pages I used, 
>> so I do not propose to go over old ground yet again.
>>
>> If you cannot get the ADUC tab to work for you, then you can always 
>> use ldb-tools to add the attributes, either by using ldbedit and 
>> directly modifying the user/group or by creating an ldif and using 
>> ldbmodify to add this. A typical ldif for a user called John Doe 
>> created on a windows machine would be:
>>
>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>> changetype: modify
>> add: uid
>> uid: john
>> -
>> add: msSFU30Name
>> msSFU30Name: john
>> -
>> add: msSFU30NisDomain
>> msSFU30NisDomain: example
>> -
>> add: uidNumber
>> uidNumber: 10000
>> -
>> add: gidNumber
>> gidNumber: 10000
>> -
>> add: loginShell
>> loginShell: /bin/bash
>> -
>> add: unixHomeDirectory
>> unixHomeDirectory: /home/john
>> -
>> add: unixUserPassword
>> unixUserPassword: ABCD!efgh12345$67890
>>
>> The above ldif is exactly the way that ADUC does it 
>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives every 
>> unix user), but you only really need the uidNumber & gidNumber. The 
>> uidNumber needs to be a unique number and the gidNumber will be the 
>> user's primary Unix group (usually Domain Users), so that number needs 
>> to be whatever you gave to your main Unix group, i.e. Domain Users 
>> needs to have the gidNumber '10000'
>>
>> You would add the above ldif like this:
>>
>> root@dc1:~# kinit
>> Password for administrator@EXAMPLE.COM:
>> root@dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes \
>>     --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>
>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>> '/path_to/ldif' with the full path and name of your ldif, and of 
>> course you need to run all of this on the S4 AD DC.
>>
>> The uidNumber and gidNumber ranges can be identical, in fact this is 
>> the way that ADUC works, but whatever range you do use must be 
>> reflected in smb.conf, 
>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>
>> Just why you renamed the Administrator account, before you got 
>> everything working, escapes me, in fact most people probably never 
>> bother, so I would suggest that you rename the account back again, at 
>> least until you get everything working correctly.
>>
>> Do not give the Administrator account a uidNumber or gidNumber, 
>> create a new user and give this new user the required RFC2307 
>> attributes.
>>
>> Once you have added the gidNumber to Domain Users and added the ldif 
>> to John Doe, running (on a client joined to the domain) 'getent 
>> passwd' should show a line for John Doe and 'getent group Domain\ 
>> Users' should show the info for Domain Users.
>>
>> This will be my last post on this thread.
>>
>> Rowland
>
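As an added example that is not part of the thread (none of the participants posted it): a small Python helper that generates the `changetype: modify` LDIF Rowland describes and checks the chosen IDs against the constraints his post states, namely that uidNumber must be unique, that gidNumber must equal the gidNumber given to Domain Users, and that both must fall inside the `idmap config EXAMPLE : range` line in smb.conf. The smb.conf fragment, the set of already-assigned uidNumbers and the Domain Users gidNumber are constructed sample data, and the function names are my own. The LDIF it emits carries only uidNumber, gidNumber, loginShell and unixHomeDirectory; the ADUC-style msSFU30* attributes and the fixed unixUserPassword value are left out, since the post says only uidNumber and gidNumber are actually required.

```python
"""Build and sanity-check an RFC2307 modify-LDIF for a Samba AD user.

Added example for the mailing-list thread above; not code from Samba or from
any participant. All sample data below is constructed.
"""
import re

# Constructed smb.conf fragment. The EXAMPLE range is the one quoted in the post.
SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
"""

# uidNumbers already handed out in this (constructed) domain, and the
# gidNumber that Domain Users was given.
USED_UIDS = {10000, 10001, 10002}
DOMAIN_USERS_GID = 10000

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(smb_conf_text):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group("dom").upper()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_ids(uid_number, gid_number, id_range, used_uids, domain_users_gid):
    """Apply the three rules from the post; return a list of problems (empty == OK)."""
    lo, hi = id_range
    problems = []
    for name, value in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside idmap range {lo}-{hi}")
    if uid_number in used_uids:
        problems.append(f"uidNumber {uid_number} is already assigned")
    if gid_number != domain_users_gid:
        problems.append(
            f"gidNumber {gid_number} differs from Domain Users gidNumber {domain_users_gid}"
        )
    return problems


def build_modify_ldif(dn, attributes):
    """Emit one 'add:' block per (name, value) pair, separated by '-' lines."""
    blocks = [f"add: {name}\n{name}: {value}" for name, value in attributes]
    return f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(blocks) + "\n"


def provision_user(dn, login, uid_number, gid_number, smb_conf=SMB_CONF,
                   used_uids=USED_UIDS, domain_users_gid=DOMAIN_USERS_GID,
                   domain="EXAMPLE"):
    """Return (problems, ldif). ldif is None whenever any check fails."""
    ranges = parse_idmap_ranges(smb_conf)
    if domain.upper() not in ranges:
        return [f"no 'idmap config {domain} : range' line in smb.conf"], None
    problems = check_ids(uid_number, gid_number, ranges[domain.upper()],
                         used_uids, domain_users_gid)
    if problems:
        return problems, None
    attrs = [
        ("uidNumber", uid_number),
        ("gidNumber", gid_number),
        ("loginShell", "/bin/bash"),
        ("unixHomeDirectory", f"/home/{login}"),
    ]
    return [], build_modify_ldif(dn, attrs)


if __name__ == "__main__":
    dn = "CN=John Doe,CN=Users,DC=example,DC=com"
    for login, uid, gid in (("john", 10003, 10000), ("jane", 10001, 10000)):
        problems, ldif = provision_user(dn, login, uid, gid)
        print(ldif if not problems else "\n".join("REJECTED: " + p for p in problems))
```

The generated file is what you would hand to `ldbmodify` on the DC, exactly as in the post; the checks run before anything touches the directory, so a duplicate uidNumber or an ID outside the idmap range is caught in the script rather than discovered later as a mapping failure on a client.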
