[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 8 08:21:01 MDT 2014

On 08/08/14 14:45, Ryan Ashley wrote:
> Alright, I believe I figured something out, but may be mistaken. 
> Again, I don't see anything in plain English explaining, so this is my 
> guess. Please let me know if I am right.
> [global]
>   netbios name = FS01
>   workgroup = TRUEVINE
>   security = ADS
>   realm = TRUEVINE.LAN
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   idmap config *:backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config TRUEVINE:backend = ad
>   idmap config TRUEVINE:schema_mode = rfc2307
>   idmap config TRUEVINE:range = 10001-40000
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
>   auth methods = winbind
> The line "idmap config *:range = 70001-80000" assigns a unique ID to 
> anybody who is not in the Truevine domain or who does not have a 
> uidNumber/gidNumber attribute set. Is this correct? This is where all 
> of my users and groups are getting ID's from.
> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the range 
> of uidNumber/gidNumber attributes to search. This is the range set 
> aside for domain users and groups, so I assume if I set this to 
> something over 100k, it would never find anything. However, it is not 
> finding the uidNumber/gidNumber attributes in this range (which is 
> everybody) for some reason, and the users wind up with 70001 and above 
> for their ID's. So what am I doing wrong?
> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>> I am still stuck here. Both member servers are ignoring the gidNumber 
>> and uidNumber attributes and are assigning their own numbers and I 
>> cannot figure out why. Leaving the domain, uninstalling S4, building 
>> the latest, and reinstalling does not fix the issue.
>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>> Alright, I also checked and I was right, I set "uidNumber" and 
>>> "gidNumber". Pictures are attached. So with these set, why are they 
>>> not pulling across to my member servers?
>>> I do have screenshots showing the correct attributes set in ADUC, 
>>> but they're not pulling across to my member servers.
>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>> I figured it out, but it won't let me import it.
>>>> root at dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb 
>>>> /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>> ERR: (Entry already exists) "Entry 
>>>> CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already 
>>>> exists" on DN 
>>>> CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at block 
>>>> before line 5
>>>> Modify failed after processing 0 records
>>>> root at dc01:~#
>>>> So this means it is already there, right? If so, what must I do 
>>>> here? I am going to check, but I do not remember seeing an 
>>>> attribute called "gidNumber", only "gid".
>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>> Alright, new problem. That ypServ30.ldif file is asking for all 
>>>>> kinds of information I do not know or know how to get. I am 
>>>>> ASSUMING the "domain dn" it is asking for is "dc=truevine,dc=lan". 
>>>>> However, it also needs to know a NISDOMAIN variable and that I do 
>>>>> not have a clue about. Is there a guide dedicated just to editing 
>>>>> this file? I don't have a NIS domain to my knowledge. I just want 
>>>>> to import the file so I can set my attributes. This is kind of 
>>>>> complicated just to add a few (four?) attributes to my schema.
>>>>> So, what do I set all these things in the LDIF file to? Is there a 
>>>>> way I can look them up?
>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>> Thanks, Rowland. I just got in this morning and think it finally 
>>>>>> all fell into place. You mentioned an LDIF file in a prior email. 
>>>>>> I assume that if I import that LDIF file, it creates the 
>>>>>> attributes I need. After that, I should be able to set them as 
>>>>>> you stated. Is this correct?
>>>>>> My current plan is to re-read your emails and find the file you 
>>>>>> mentioned. If it does indeed add those attributes, I will import 
>>>>>> it and try setting them as you stated. If it works, I will report 
>>>>>> success and summarize what this entire thread was about for 
>>>>>> others to learn from without reading it all.
>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>> I have tried your suggestions, and some I had found prior to 
>>>>>>>> falling back on the mailing list so I already knew some would 
>>>>>>>> not work. I was not asked for a response after being pointed to 
>>>>>>>> the material so I did not provide one.
>>>>>>>> Yes, I am very busy as I work as the lead IT and IS specialist 
>>>>>>>> in a small business. I cannot devote weeks to a single problem 
>>>>>>>> as I handle dozens a day, many resolved within 24hrs. This 
>>>>>>>> issue has been on-going due to the fact that I have already 
>>>>>>>> tried a ton of what is out there, and as for your "Google 
>>>>>>>> search", dozens of those are the same posts regurgitated on 
>>>>>>>> numerous sites. I went through an entire page a week or so back 
>>>>>>>> and every single link on the page was to the exact same post, 
>>>>>>>> on numerous sites that have board-readers that simply read the 
>>>>>>>> samba lists among others and duplicate the posts. Useless! I'd 
>>>>>>>> say out of 1.9mil results, about 500k are unique. I am getting 
>>>>>>>> to where I dislike Google for this reason, but that is another 
>>>>>>>> discussion.
>>>>>>>> I am also happy to hear that you can afford to blow thousands 
>>>>>>>> on a simple DVD. Low-income businesses, churches, and what-not 
>>>>>>>> cannot. Yes, we know of open-licensing and manage it for 
>>>>>>>> several clients, but many people are not willing to spend 
>>>>>>>> anything right now if there is a viable alternative. Seeing 
>>>>>>>> that S4 has worked flawlessly for two years at a few locations, 
>>>>>>>> this fit the client's needs and we installed it. Something is 
>>>>>>>> just different this time. I am learning a lot and intend to 
>>>>>>>> apply things like the group and user ID's to other domains once 
>>>>>>>> we have it working here to avoid future problems.
>>>>>>>> Also, Windows has MUCH higher resource requirements than Linux. 
>>>>>>>> On top of that $3k, how much would we have to pay to bring up 
>>>>>>>> the hardware? Too expensive for such little gain.
>>>>>>>> Finally, if you have taken some personal offense to something, 
>>>>>>>> speak up. You offered assistance, I took what I had not already 
>>>>>>>> tried and tried it. You did not ask for results, so I assumed 
>>>>>>>> the fact that I was still asking for help would have been a 
>>>>>>>> clue that the suggestion was no good. Every time anybody asked 
>>>>>>>> for anything, including configuration files, I posted them, so 
>>>>>>>> there's no need to be bitter. Simply point out that I may have 
>>>>>>>> missed something and I'll try it or let you know I already did.
>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>> What information have I not answered fully?
>>>>>>>>> Most of the suggestions and tips we have given. As an example, 
>>>>>>>>> you said that you wanted to add IDs to your users. You were sent 
>>>>>>>>> a link to help you look up what you said you, 'had no idea how'. 
>>>>>>>>> You ignored that, so we sent you concrete examples to try. Still 
>>>>>>>>> nothing.
>>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge 
>>>>>>>>> everyone here to jump on your case. I repeat. With a 2012 R2 
>>>>>>>>> licence and 90 days reduced rate licence, you would have been up 
>>>>>>>>> days ago for this side of $3000
>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>> Steve
>>>>>>> Active Directory works differently from Linux, it uses SID's and 
>>>>>>> RID's, Linux uses UID's and GID's. To use AD users as Linux 
>>>>>>> users you somehow have to convert the SID's and RID's to UID's 
>>>>>>> and GID's. There are several ways to do this by using programs 
>>>>>>> like winbind, nslcd or sssd, but they all boil down to the same 
>>>>>>> two ways, you either create a UID/GID from the RID or you give 
>>>>>>> the user/group a uidNumber/gidNumber.
>>>>>>> That is:
>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>> A group is given a gidNumber
>>>>>>> uidNumber and gidNumber are the attribute names, not uid or gid 
>>>>>>> or anything else.
>>>>>>> The only way (at the moment) to ensure that your users/groups 
>>>>>>> get the same ID everywhere in the domain is to use RFC2307 
>>>>>>> attributes.
>>>>>>> see here for info on RFC2307:
>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>> How you add these RFC2307 attributes is up to you, the easiest 
>>>>>>> way is to use ADUC, but you say that you do not have the 
>>>>>>> UNIX-Attributes tab on your users and groups, I also had this 
>>>>>>> problem and solved it by searching the internet. I posted a link 
>>>>>>> to one of the pages I used, so I do not propose to go over old 
>>>>>>> ground yet again.
>>>>>>> If you cannot get the ADUC tab to work for you, then you can 
>>>>>>> always use ldb-tools to add the attributes, either by using 
>>>>>>> ldbedit and directly modifying the user/group or by creating an 
>>>>>>> ldif and using ldbmodify to add this. A typical ldif for a user 
>>>>>>> called John Doe created on a windows machine would be:
>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>> changetype: modify
>>>>>>> add: uid
>>>>>>> uid: john
>>>>>>> -
>>>>>>> add: msSFU30Name
>>>>>>> msSFU30Name: john
>>>>>>> -
>>>>>>> add: msSFU30NisDomain
>>>>>>> msSFU30NisDomain: example
>>>>>>> -
>>>>>>> add: uidNumber
>>>>>>> uidNumber: 10000
>>>>>>> -
>>>>>>> add: gidNumber
>>>>>>> gidNumber: 10000
>>>>>>> -
>>>>>>> add: loginShell
>>>>>>> loginShell: /bin/bash
>>>>>>> -
>>>>>>> add: unixHomeDirectory
>>>>>>> unixHomeDirectory: /home/john
>>>>>>> -
>>>>>>> add: unixUserPassword
>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>> The above ldif is exactly the way that ADUC does it 
>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives 
>>>>>>> every unix user), but you only really need the uidNumber & 
>>>>>>> gidNumber. The uidNumber needs to be a unique number and the 
>>>>>>> gidNumber will be the user's primary Unix group (usually Domain 
>>>>>>> Users), so that number needs to be whatever you gave to your 
>>>>>>> main Unix group, i.e. Domain Users needs to have the gidNumber 
>>>>>>> '10000'
>>>>>>> You would add the above ldif like this:
>>>>>>> root at dc1:~# kinit
>>>>>>> Password for administrator at EXAMPLE.COM:
>>>>>>> root at dc1:~# ldbmodify --url=ldap://dc1.example.com 
>>>>>>> --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>>>>>> '/path_to/ldif' with the full path and name of your ldif, and of 
>>>>>>> course you need to run all of this on the S4 AD DC.
>>>>>>> the uidNumber and gidNumber ranges can be identical, in fact 
>>>>>>> this is the way that ADUC works, but whatever range you do use, 
>>>>>>> must be reflected in smb.conf
>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>> Just why you renamed the Administrator account, before you got 
>>>>>>> everything working, escapes me, in fact most people probably 
>>>>>>> never bother, so I would suggest that you rename the account 
>>>>>>> back again, at least until you get everything working correctly.
>>>>>>> Do not give the Administrator account a uidNumber or gidNumber, 
>>>>>>> create a new user and give this new user the required RFC2307 
>>>>>>> attributes.
>>>>>>> Once you have added the gidNumber to Domain Users and added the 
>>>>>>> ldif to John Doe, running (on a client joined to the domain) 
>>>>>>> 'getent passwd' should show a line for John Doe and 'getent 
>>>>>>> group Domain\ Users' should show the info for Domain Users.
>>>>>>> This will be my last post on this thread.
>>>>>>> Rowland
I know I said that I wouldn't post on this thread again, but you are 
doing my head in; you have taken a simple task and turned it into a farce!!!

I advised you at least once to remove this line:

auth methods = winbind

Here is why (taken from 'man smb.conf')

       auth methods (G)

            This option allows the administrator to chose what 
            methods smbd will use when authenticating a user. This option
            defaults to sensible values based on security. This should be
            considered a developer option and used only in rare 
            In the majority (if not all) of production servers, the default
            setting should be adequate.

            Default: auth methods =

This is also from 'man smb.conf' (abridged):

        idmap config:OPTION (G)

            ID mapping in Samba is the mapping between Windows SIDs and Unix
            user and group IDs. This is performed by Winbindd with a
            configurable plugin interface. Samba's ID mapping is configured by
            options starting with the idmap config prefix. An idmap option
            consists of the idmap config prefix, followed by a domain name or
            the asterisk character (*), a colon, and the name of an idmap
            setting for the chosen domain.

            The following example illustrates how to configure the 
            backend for the CORP domain and the idmap_tdb(8) backend for all
            other domains. This configuration assumes that the admin of CORP
            assigns unix ids below 1000000 via the SFU extensions, and 
            is supposed to use the next million entries for its own mappings
            from trusted domains and for local groups for example.

                     idmap config * : backend = tdb
                     idmap config * : range = 1000000-1999999

                     idmap config CORP : backend  = ad
                     idmap config CORP : range = 1000-999999

                     idmap config *:backend = tdb
                     idmap config *:range = 70001-80000
                     idmap config TRUEVINE:backend = ad
                     idmap config TRUEVINE:schema_mode = rfc2307
                     idmap config TRUEVINE:range = 10001-40000

What the above means is that trusted domains and local groups will get 
mapped to numbers between 70001 and 80000, local groups etc being the 
windows builtin ones not UNIX ones.

Your AD users will ONLY get pulled from AD if the 
uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????

Have you actually got any normal users with uidNumber's & gidNumber's? 
The last time I heard, you were trying to use the renamed Administrator 
account as a normal account.

I would suggest that you go and take a running jump into Glenville Lake 
to cool off, then come back and re-read your posts again, you might then 
realise just what a Prat you are coming over as.

This is definitely my last post on this thread
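The check the two messages above keep circling around (do the uidNumber/gidNumber values actually fall inside the 'idmap config TRUEVINE : range', and are the attributes really called uidNumber/gidNumber and not uid/gid) can be scripted. The Python below is an added example, not code from this thread or from the Samba project: it parses the idmap config lines out of an smb.conf fragment and an ldbsearch-style LDIF dump, then reports, per user and group, why the 'ad' backend would not map it (attribute missing, or value outside the domain range), and flags overlapping idmap ranges. The smb.conf fragment is modelled on the one quoted in the thread; every account, DN and number in SAMPLE_LDIF is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment, modelled on the one quoted in this thread.
SMB_CONF = """\
[global]
  workgroup = TRUEVINE
  security = ADS
  realm = TRUEVINE.LAN
  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config TRUEVINE:backend = ad
  idmap config TRUEVINE:schema_mode = rfc2307
  idmap config TRUEVINE:range = 10001-40000
"""

# Constructed ldbsearch-style output; every account and number is made up.
SAMPLE_LDIF = """\
# record 1
dn: CN=John Doe,CN=Users,DC=truevine,DC=lan
sAMAccountName: john
objectClass: user
uidNumber: 10005
gidNumber: 10001

# record 2
dn: CN=Jane Roe,CN=Users,DC=truevine,DC=lan
sAMAccountName: jane
objectClass: user
uidNumber: 70002
gidNumber: 10001

# record 3
dn: CN=Domain Users,CN=Users,DC=truevine,DC=lan
sAMAccountName: Domain Users
objectClass: group
gidNumber: 10001

# record 4
dn: CN=Administrator,CN=Users,DC=truevine,DC=lan
sAMAccountName: Administrator
objectClass: user

# returned 4 records
"""

# Matches 'idmap config DOMAIN : setting = value' (spaces around ':' optional).
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config lines into {DOMAIN: {setting: value}}; '*' is the default domain."""
    idmap: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return idmap


def parse_range(text: str) -> Tuple[int, int]:
    """'10001-40000' -> (10001, 40000)."""
    low, high = text.split("-")
    return int(low), int(high)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank line ends an entry, '#' lines are comments,
    a leading space continues the previous value."""
    entries: List[Dict[str, List[str]]] = []
    entry: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr:
            entry[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip()
        entry.setdefault(last_attr, []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def overlapping_ranges(idmap: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges intersect; winbind needs them disjoint."""
    ranges = [(d, parse_range(s["range"])) for d, s in idmap.items() if "range" in s]
    clashes = []
    for i, (d1, (a1, b1)) in enumerate(ranges):
        for d2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                clashes.append((d1, d2))
    return clashes


def check_mappings(conf: str, ldif: str, domain: str) -> Dict[str, List[str]]:
    """Per user/group, list why the 'ad' backend would NOT map it from AD:
    the RFC2307 attribute is absent, or its value lies outside the domain range.
    An empty list means winbind can take the ID straight from AD."""
    low, high = parse_range(parse_idmap(conf)[domain.upper()]["range"])
    report: Dict[str, List[str]] = {}
    for e in parse_ldif(ldif):
        name = e["sAMAccountName"][0]
        is_group = "group" in e.get("objectClass", [])
        wanted = ["gidNumber"] if is_group else ["uidNumber", "gidNumber"]
        problems = []
        for attr in wanted:   # exact attribute names matter: uidNumber, not uid
            if attr not in e:
                problems.append(f"missing {attr}")
            elif not low <= int(e[attr][0]) <= high:
                problems.append(f"{attr}={e[attr][0]} outside {domain} range {low}-{high}")
        report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_mappings(SMB_CONF, SAMPLE_LDIF, "TRUEVINE").items():
        print(f"{name:15} {'OK' if not problems else '; '.join(problems)}")
    for d1, d2 in overlapping_ranges(parse_idmap(SMB_CONF)):
        print(f"WARNING: idmap ranges for {d1} and {d2} overlap")
```

On a real DC you would feed it the output of something like 'ldbsearch -H /var/lib/samba/private/sam.ldb "(|(objectClass=user)(objectClass=group))" sAMAccountName objectClass uidNumber gidNumber' instead of SAMPLE_LDIF. In the constructed data, john and Domain Users come back clean, jane is flagged because 70002 sits outside 10001-40000 (exactly the situation described above, where such a user ends up with an ID from the '*' range instead), and Administrator is flagged as having no RFC2307 attributes at all, which is the intended state for that account.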
