[Samba] Samba 4 AD share: Access denied

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 8 10:30:34 MDT 2014

On 08/08/14 15:50, Ryan Ashley wrote:
> Actually, I am quite cool. I am confused with the mountain of 
> information I have been handed. I am very appreciative (as I said 
> before) of the help you and Steve have offered. I do not believe you 
> understand me however. I am a VERY logical person. Telling me 
> something without an understanding of why, I am hesitant to just 
> accept it. Try it? Sure! But I need to understand why it works or does 
> not work. I am honestly not angry and am not trying to get under your 
> skin. I am simply trying to solve a problem that must be over my head.
> As to your question, I answered it in my last post. All of my users 
> have uidNumber and gidNumber set, and they are ALL in the 10001-40000 
> range. I stated this in the last post. The one you replied to. This is 
> why I am confused. I DID go read a lot of information over the past 
> 24hr period and I have all of my uidNumber and gidNumber attributes 
> between 10001 and 40000. In fact, I max these somewhere between 10040 
> and 10050, though I do not remember EXACTLY what it is. I can look if 
> needed.
> Also, I was not using the domain admin as a normal account. We simply 
> rename the account as a security measure. We did not do anything else 
> to it. I do not even login on the boxes with it unless it is 
> absolutely needed. I simply used it because I was not told not to get 
> the information requested from the domain admin account. Had I been 
> told to use a regular account and not the domain admin, I would have 
> happily done so.
> So let me recap. You see my config. Every user and group is assigned a 
> unique ID between 10001 and 40000. They are still being assigned 70001 
> and above. Winbind and all of the S4 utilities appear to be working. 
> SIDs are resolved and can be resolved back to names. My only issue is 
> likely a configuration problem, but based on what you two have told me 
> AND what I have read, my configuration APPEARS to be correct. So from 
> my perspective, I have a correct configuration based on what I have 
> been told, but it is not working. I am sorry if this comes across as 
> being a nuisance, but I am genuinely NOT trying to offend anybody, I 
> just want it working. I am sorry for whatever was said to offend you 
> because I have VERY MUCH appreciated your time which you are not being 
> paid for. Just remember that you are the Samba professional, I am 
> still learning the new S4 stuff.
> uidNumber/gidNumber in AD: 10001-40000 (matches config)
> On 08/08/2014 10:21 AM, Rowland Penny wrote:
>> On 08/08/14 14:45, Ryan Ashley wrote:
>>> Alright, I believe I figured something out, but may be mistaken. 
>>> Again, I don't see anything in plain English explaining, so this is 
>>> my guess. Please let me know if I am right.
>>> [global]
>>>   netbios name = FS01
>>>   workgroup = TRUEVINE
>>>   security = ADS
>>>   realm = TRUEVINE.LAN
>>>   encrypt passwords = yes
>>>   dedicated keytab file = /etc/krb5.keytab
>>>   kerberos method = secrets and keytab
>>>   idmap config *:backend = tdb
>>>   idmap config *:range = 70001-80000
>>>   idmap config TRUEVINE:backend = ad
>>>   idmap config TRUEVINE:schema_mode = rfc2307
>>>   idmap config TRUEVINE:range = 10001-40000
>>>   winbind nss info = rfc2307
>>>   winbind trusted domains only = no
>>>   winbind use default domain = yes
>>>   winbind enum users = yes
>>>   winbind enum groups = yes
>>>   vfs objects = acl_xattr
>>>   map acl inherit = yes
>>>   store dos attributes = yes
>>>   auth methods = winbind
>>> The line "idmap config *:range = 70001-80000" assigns a unique ID to 
>>> anybody who is not in the Truevine domain or who does not have a 
>>> uidNumber/gidNumber attribute set. Is this correct? This is where 
>>> all of my users and groups are getting ID's from.
>>> Now, the line "idmap config TRUEVINE:range = 10001-40000" is the 
>>> range of uidNumber/gidNumber attributes to search. This is the range 
>>> set aside for domain users and groups, so I assume if I set this to 
>>> something over 100k, it would never find anything. However, it is 
>>> not finding the uidNumber/gidNumber attributes in this range (which 
>>> is everybody) for some reason, and the users wind up with 70001 and 
>>> above for their ID's. So what am I doing wrong?
>>> On 08/08/2014 09:14 AM, Ryan Ashley wrote:
>>>> I am still stuck here. Both member servers are ignoring the 
>>>> gidNumber and uidNumber attributes and are assigning their own 
>>>> numbers and I cannot figure out why. Leaving the domain, 
>>>> uninstalling S4, building the latest, and reinstalling does not fix 
>>>> the issue.
>>>> On 08/07/2014 02:28 PM, Ryan Ashley wrote:
>>>>> Alright, I also checked and I was right, I set "uidNumber" and 
>>>>> "gidNumber". Pictures are attached. So with these set, why are 
>>>>> they not pulling across to my member servers?
>>>>> I do have screenshots showing the correct attributes set in ADUC, 
>>>>> but they're not pulling across to my member servers.
>>>>> On 08/07/2014 11:22 AM, Ryan Ashley wrote:
>>>>>> I figured it out, but it won't let me import it.
>>>>>> root@dc01:~# ldbmodify -H /var/lib/samba/private/sam.ldb /root/ypServ30.ldif --option="dsdb:schema update allowed"=true
>>>>>> ERR: (Entry already exists) "Entry CN=ypServ30,CN=RpcServices,CN=System,DC=truevine,DC=lan already exists" on DN CN=ypServ30,CN=RpcServices,CN=System,dc=truevine,dc=lan at block before line 5
>>>>>> Modify failed after processing 0 records
>>>>>> root@dc01:~#
>>>>>> So this means it is already there, right? If so, what must I do 
>>>>>> here? I am going to check, but I do not remember seeing an 
>>>>>> attribute called "gidNumber", only "gid".
>>>>>> On 08/07/2014 10:24 AM, Ryan Ashley wrote:
>>>>>>> Alright, new problem. That ypServ30.ldif file is asking for all 
>>>>>>> kinds of information I do not know or know how to get. I am 
>>>>>>> ASSUMING the "domain dn" it is asking for is 
>>>>>>> "dc=truevine,dc=lan". However, it also needs to know a NISDOMAIN 
>>>>>>> variable and that I do not have a clue about. Is there a guide 
>>>>>>> dedicated just to editing this file? I don't have a NIS domain 
>>>>>>> to my knowledge. I just want to import the file so I can set my 
>>>>>>> attributes. This is kind of complicated just to add a few 
>>>>>>> (four?) attributes to my schema.
>>>>>>> So, what do I set all these things in the LDIF file to? Is there 
>>>>>>> a way I can look them up?
>>>>>>> On 08/07/2014 09:42 AM, Ryan Ashley wrote:
>>>>>>>> Thanks, Rowland. I just got in this morning and think it 
>>>>>>>> finally all fell into place. You mentioned an LDIF file in a 
>>>>>>>> prior email. I assume that if I import that LDIF file, it 
>>>>>>>> creates the attributes I need. After that, I should be able to 
>>>>>>>> set them as you stated. Is this correct?
>>>>>>>> My current plan is to re-read your emails and find the file you 
>>>>>>>> mentioned. If it does indeed add those attributes, I will 
>>>>>>>> import it and try setting them as you stated. If it works, I 
>>>>>>>> will report success and summarize what this entire thread was 
>>>>>>>> about for others to learn from without reading it all.
>>>>>>>> On 08/07/2014 05:16 AM, Rowland Penny wrote:
>>>>>>>>> On 06/08/14 22:24, Ryan Ashley wrote:
>>>>>>>>>> I have tried your suggestions, and some I had found prior to 
>>>>>>>>>> falling back on the mailing list so I already knew some would 
>>>>>>>>>> not work. I was not asked for a response after being pointed 
>>>>>>>>>> to the material so I did not provide one.
>>>>>>>>>> Yes, I am very busy as I work as the lead IT and IS 
>>>>>>>>>> specialist in a small business. I cannot devote weeks to a 
>>>>>>>>>> single problem as I handle dozens a day, many resolved within 
>>>>>>>>>> 24hrs. This issue has been on-going due to the fact that I 
>>>>>>>>>> have already tried a ton of what is out there, and as for 
>>>>>>>>>> your "Google search", dozens of those are the same posts 
>>>>>>>>>> regurgitated on numerous sites. I went through an entire page 
>>>>>>>>>> a week or so back and every single link on the page was to 
>>>>>>>>>> the exact same post, on numerous sites that have board-readers 
>>>>>>>>>> that simply read the samba lists among others and duplicate 
>>>>>>>>>> the posts. Useless! I'd say out of 1.9mil results, about 500k 
>>>>>>>>>> are unique. I am getting to where I dislike Google for this 
>>>>>>>>>> reason, but that is another discussion.
>>>>>>>>>> I am also happy to hear that you can afford to blow thousands 
>>>>>>>>>> on a simple DVD. Low-income businesses, churches, and 
>>>>>>>>>> what-not cannot. Yes, we know of open-licensing and manage it 
>>>>>>>>>> for several clients, but many people are not willing to spend 
>>>>>>>>>> anything right now if there is a viable alternative. Seeing 
>>>>>>>>>> that S4 has worked flawlessly for two years at a few 
>>>>>>>>>> locations, this fit the client's needs and we installed it. 
>>>>>>>>>> Something is just different this time. I am learning a lot 
>>>>>>>>>> and intend to apply things like the group and user ID's to 
>>>>>>>>>> other domains once we have it working here to avoid future 
>>>>>>>>>> problems.
>>>>>>>>>> Also, Windows has MUCH higher resource requirements than 
>>>>>>>>>> Linux. On top of that $3k, how much would we have to pay to 
>>>>>>>>>> bring up the hardware? Too expensive for such little gain.
>>>>>>>>>> Finally, if you have taken some personal offense to 
>>>>>>>>>> something, speak up. You offered assistance, I took what I 
>>>>>>>>>> had not already tried and tried it. You did not ask for 
>>>>>>>>>> results, so I assumed the fact that I was still asking for 
>>>>>>>>>> help would have been a clue that the suggestion was no good. 
>>>>>>>>>> Every time anybody asked for anything, including 
>>>>>>>>>> configuration files, I posted them, so there's no need to be 
>>>>>>>>>> bitter. Simply point out that I may have missed something and 
>>>>>>>>>> I'll try it or let you know I already did.
>>>>>>>>>> On 8/6/2014 3:57 PM, steve wrote:
>>>>>>>>>>> On Wed, 2014-08-06 at 13:50 -0400, Ryan Ashley wrote:
>>>>>>>>>>>> What information have I not answered fully?
>>>>>>>>>>> Most of the suggestions and tips we have given. As an example, you said that you wanted to add IDs to your users. You were sent a link to help you look up what you said you, 'had no idea how'. You ignored that, so we sent you concrete examples to try. Still nothing.
>>>>>>>>>>> You are a, 'VERY BUSY person', are you? Well, I can only urge everyone here to jump on your case. I repeat. With a 2012 R2 licence and 90 days reduced rate licence, you would have been up days ago for this side of $3000
>>>>>>>>>>> Cheers, and EOT from us,
>>>>>>>>>>> Steve
>>>>>>>>> Active Directory works differently from Linux, it uses SID's 
>>>>>>>>> and RID's, Linux uses UID's and GID's. To use AD users as 
>>>>>>>>> Linux users you somehow have to convert the SID's and RID's to 
>>>>>>>>> UID's and GID's. There are several ways to do this by using 
>>>>>>>>> programs like winbind, nslcd or sssd, but they all boil down 
>>>>>>>>> to the same two ways, you either create a UID/GID from the RID 
>>>>>>>>> or you give the user/group a uidNumber/gidNumber.
>>>>>>>>> That is:
>>>>>>>>> A user is given a uidNumber and gidNumber
>>>>>>>>> A group is given a gidNumber
>>>>>>>>> uidNumber and gidNumber are the attribute names, not uid or 
>>>>>>>>> gid or anything else.
>>>>>>>>> The only way (at the moment) to ensure that your users/groups 
>>>>>>>>> get the same ID everywhere in the domain is to use RFC2307 
>>>>>>>>> attributes.
>>>>>>>>> see here for info on RFC2307:
>>>>>>>>> https://www.ietf.org/rfc/rfc2307.txt
>>>>>>>>> How you add these RFC2307 attributes is up to you, the easiest 
>>>>>>>>> way is to use ADUC, but you say that you do not have the 
>>>>>>>>> UNIX-Attributes tab on your users and groups, I also had this 
>>>>>>>>> problem and solved it by searching the internet. I posted a 
>>>>>>>>> link to one of the pages I used, so I do not propose to go 
>>>>>>>>> over old ground yet again.
>>>>>>>>> If you cannot get the ADUC tab to work for you, then you can 
>>>>>>>>> always use ldb-tools to add the attributes, either by using 
>>>>>>>>> ldbedit and directly modifying the user/group or by creating 
>>>>>>>>> an ldif and using ldbmodify to add this. A typical ldif for a 
>>>>>>>>> user called John Doe created on a windows machine would be:
>>>>>>>>> dn: CN=John Doe,CN=Users,DC=example,DC=com
>>>>>>>>> changetype: modify
>>>>>>>>> add: uid
>>>>>>>>> uid: john
>>>>>>>>> -
>>>>>>>>> add: msSFU30Name
>>>>>>>>> msSFU30Name: john
>>>>>>>>> -
>>>>>>>>> add: msSFU30NisDomain
>>>>>>>>> msSFU30NisDomain: example
>>>>>>>>> -
>>>>>>>>> add: uidNumber
>>>>>>>>> uidNumber: 10000
>>>>>>>>> -
>>>>>>>>> add: gidNumber
>>>>>>>>> gidNumber: 10000
>>>>>>>>> -
>>>>>>>>> add: loginShell
>>>>>>>>> loginShell: /bin/bash
>>>>>>>>> -
>>>>>>>>> add: unixHomeDirectory
>>>>>>>>> unixHomeDirectory: /home/john
>>>>>>>>> -
>>>>>>>>> add: unixUserPassword
>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>> The above ldif is exactly the way that ADUC does it 
>>>>>>>>> (ABCD!efgh12345$67890 is the unixUserPassword that ADUC gives 
>>>>>>>>> every unix user), but you only really need the uidNumber & 
>>>>>>>>> gidNumber. the uidNumber needs to be a unique number and the 
>>>>>>>>> gidNumber will be the users primary Unix group (usually Domain 
>>>>>>>>> Users) so that number needs to be what ever you gave to your 
>>>>>>>>> main Unix group i.e. Domain Users needs to have the gidNumber 
>>>>>>>>> '10000'
>>>>>>>>> You would add the above ldif like this:
>>>>>>>>> root@dc1:~# kinit
>>>>>>>>> Password for administrator@EXAMPLE.COM:
>>>>>>>>> root@dc1:~# ldbmodify --url=ldap://dc1.example.com --kerberos=yes --krb5-ccache=/tmp/krb5cc_0 /path_to/ldif
>>>>>>>>> Replacing 'dc1.example.com' with your S4 AD DC FQDN and 
>>>>>>>>> '/path_to/ldif' with the full path and name of your ldif, and 
>>>>>>>>> of course you need to run all of this on the S4 AD DC.
>>>>>>>>> the uidNumber and gidNumber ranges can be identical, in fact 
>>>>>>>>> this is the way that ADUC works, but whatever range you do 
>>>>>>>>> use, must be reflected in smb.conf
>>>>>>>>> i.e. 'idmap config EXAMPLE : range = 10000-999999'.
>>>>>>>>> Just why you renamed the Administrator account, before you got 
>>>>>>>>> everything working, escapes me, in fact most people probably 
>>>>>>>>> never bother, so I would suggest that you rename the account 
>>>>>>>>> back again, at least until you get everything working correctly.
>>>>>>>>> Do not give the Administrator account a uidNumber or 
>>>>>>>>> gidNumber, create a new user and give this new user the 
>>>>>>>>> required RFC2307 attributes.
>>>>>>>>> Once you have added the gidNumber to Domain Users and added 
>>>>>>>>> the ldif to John Doe, running (on a client joined to the 
>>>>>>>>> domain) 'getent passwd' should show a line for John Doe and 
>>>>>>>>> 'getent group Domain\ Users' should show the info for Domain 
>>>>>>>>> Users.
>>>>>>>>> This will be my last post on this thread.
>>>>>>>>> Rowland
>> I know I said that I wouldn't post on this thread again, but you are 
>> doing my head in, you have taken a simple task and turned it into a 
>> farce!!!
>> I advised you at least once to remove this line:
>> auth methods = winbind
>> Here is why (taken from 'man smb.conf')
>>       auth methods (G)
>>            This option allows the administrator to choose what authentication methods smbd will use when authenticating a user. This option defaults to sensible values based on security. This should be considered a developer option and used only in rare circumstances. In the majority (if not all) of production servers, the default setting should be adequate.
>>            Default: auth methods =
>> This is also from 'man smb.conf' (abridged):
>>        idmap config:OPTION (G)
>>            ID mapping in Samba is the mapping between Windows SIDs and Unix user and group IDs. This is performed by Winbindd with a configurable plugin interface. Samba's ID mapping is configured by options starting with the idmap config prefix. An idmap option consists of the idmap config prefix, followed by a domain name or the asterisk character (*), a colon, and the name of an idmap setting for the chosen domain.
>>            The following example illustrates how to configure the idmap_ad(8) backend for the CORP domain and the idmap_tdb(8) backend for all other domains. This configuration assumes that the admin of CORP assigns unix ids below 1000000 via the SFU extensions, and winbind is supposed to use the next million entries for its own mappings from trusted domains and for local groups for example.
>>                     idmap config * : backend = tdb
>>                     idmap config * : range = 1000000-1999999
>>                     idmap config CORP : backend  = ad
>>                     idmap config CORP : range = 1000-999999
>>
>>                     idmap config *:backend = tdb
>>                     idmap config *:range = 70001-80000
>>                     idmap config TRUEVINE:backend = ad
>>                     idmap config TRUEVINE:schema_mode = rfc2307
>>                     idmap config TRUEVINE:range = 10001-40000
>> What the above means is that trusted domains and local groups will 
>> get mapped to numbers between 70001 and 80000, local groups etc being 
>> the windows builtin ones not UNIX ones.
>> Your AD users will ONLY get pulled from AD if the 
>> uidNumber's/gidNumber's are between 10001 and 40000, ARE THEY ????
>> Have you actually got any normal users with uidNumber's & 
>> gidNumber's, the last time I heard, you were trying to use the 
>> renamed Administrator account as a normal account.
>> I would suggest that you go and take a running jump into Glenville 
>> Lake to cool off, then come back and re-read your posts again, you 
>> might then realise just what a Prat you are coming over as.
>> This is definitely my last post on this thread
>> Rowland
Hopefully this is definitely going to be my last post on this thread.

My S4 AD DC runs on Debian Wheezy 7.5 with samba 4.1.7 from backports 
and was provisioned with rfc2307.

My laptop runs Linux Mint 17 (aka Ubuntu 14.04) with samba 4.1.6

This is smb.conf on the S4 server:

[global]
         workgroup = EXAMPLE
         realm = example.com
         netbios name = DC1
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes

# netlogon and sysvol are the two shares 'samba-tool domain provision' creates at these paths
[netlogon]
         path = /var/lib/samba/sysvol/example.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

NOTE: I use Bind9 instead of the internal DNS server.

This is my AD entry:

dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Rowland Penny
sn: Penny
givenName: Rowland
instanceType: 4
whenCreated: 20140604153749.0Z
displayName: Rowland Penny
uSNCreated: 3812
name: Rowland Penny
objectGUID: 79e251c6-70c0-4b8b-8fa7-e10eb1d603ae
badPwdCount: 0
codePage: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-2624802715-3731723941-638006480-1106
logonCount: 0
sAMAccountName: rowland
sAMAccountType: 805306368
userPrincipalName: rowland@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
pwdLastSet: 130463698700000000
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: example
uidNumber: 10000
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /home/rowland
unixUserPassword: ABCD!efgh123457890
userAccountControl: 66048
accountExpires: 0
co: United Kingdom
countryCode: 826
c: GB
l: Clitheroe
postalCode: BB7 1ND
st: Lancashire
profilePath: \\dc1\profiles\rowland
homeDirectory: \\dc1\rowland
homeDrive: G:
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
memberOf: CN=administration,CN=Users,DC=example,DC=com
description: A Unix User
whenChanged: 20140707145726.0Z
uSNChanged: 8309
distinguishedName: CN=Rowland Penny,CN=Users,DC=example,DC=com

This is smb.conf on the laptop:

[global]
         workgroup = EXAMPLE
         security = ADS
         realm = EXAMPLE.COM
         #client signing = yes
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         server string = Samba 4 Client %h
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind offline logon = yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config EXAMPLE : backend  = ad
         idmap config EXAMPLE : range = 10000-999999
         idmap config EXAMPLE : schema_mode = rfc2307
         printcap name = cups
         cups options = raw
         usershare allow guests = yes
         domain master = no
         local master = no
         preferred master = no
         os level = 20
         map to guest = bad user
         username map = /etc/samba/smbmap
         vfs objects = acl_xattr
         map acl inherit = Yes
         store dos attributes = Yes

If, on the laptop, I run 'getent passwd rowland' I get this:


If I also run 'getent group Domain\ Users' I get this:


I have also this afternoon set up a new linux computer, just as the 
laptop, and it just works, so somewhere you are doing something very 
wrong. It is easy to set up a linux client, well, easy for everybody else 
except you, it would seem.

I repeat that you have something very wrong, you need to check your set 
up, both the S4 server and the client, compare everything with mine and 
try and see just where you are going wrong.
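The whole thread comes down to one consistency question: do the uidNumber/gidNumber values in AD actually fall inside the 'idmap config DOMAIN : range' that the member server's smb.conf declares, and does nothing else collide with them. Below is an added example that is not part of the thread and not Samba code: a small Python script that pulls the idmap ranges out of an smb.conf, parses an LDIF dump of the RFC2307 attributes in the shape ldbsearch prints, and reports ids outside the domain range (which idmap_ad filters out, leaving the account unmapped), users whose gidNumber matches no group, reused uidNumbers, and any overlap between the '*' tdb range and the domain range. The smb.conf fragment and the LDIF records (the names jdoe, jroe, badimport and every number) are constructed for the example; nothing here was checked against the poster's domain.

```python
"""Cross-check the idmap ranges in smb.conf against the RFC2307 uidNumber/gidNumber
values stored in AD. Added example for this thread, not Samba code."""
import base64
import re

# Constructed smb.conf fragment, modelled on the member-server config quoted above.
SMB_CONF = """[global]
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:range = 10001-40000
"""

# Constructed LDIF in the shape ldbsearch prints; names and numbers are made up.
# 'jroe' reuses jdoe's uidNumber, and 'badimport' has ids nothing in smb.conf or AD covers.
SAMPLE_LDIF = """dn: CN=Domain Users,CN=Users,DC=truevine,DC=lan
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10001

dn: CN=John Doe,CN=Users,DC=truevine,DC=lan
objectClass: user
sAMAccountName:: amRvZQ==
uidNumber: 10002
gidNumber: 10001

dn: CN=Jane Roe,CN=Users,DC=truevine,DC=lan
objectClass: user
sAMAccountName: jroe
uidNumber: 10002
gidNumber: 10001

dn: CN=Bad Import,CN=Users,DC=truevine,DC=lan
objectClass: user
sAMAccountName: badimport
uidNumber: 70005
gidNumber: 10999
"""

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)


def parse_idmap_ranges(conf_text):
    """{DOMAIN: (low, high)} for every 'idmap config DOM : range' line ('DOM:range' too)."""
    return {dom.upper(): (int(lo), int(hi))
            for dom, lo, hi in IDMAP_RANGE_RE.findall(conf_text)}


def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; unfolds continuation lines, decodes 'attr::'."""
    unfolded = re.sub(r"\n ", "", text)   # a line starting with a space continues the previous one
    entries = []
    for record in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in record.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue                   # '# record N' comments from ldbsearch
            if value.startswith(":"):      # 'attr:: base64'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def check_idmap(ranges, entries, domain):
    """Return (kind, account, detail) findings; an empty list means consistent."""
    lo, hi = ranges[domain.upper()]
    findings, group_gids, uid_owners = [], {}, {}
    # idmap_ad uses its range as a filter: an AD id outside it is ignored and the
    # account is simply not mapped, so every uidNumber/gidNumber must fall inside it.
    if "*" in ranges and ranges["*"][0] <= hi and lo <= ranges["*"][1]:
        findings.append(("range-overlap", "*", f"{ranges['*']} overlaps {domain} {lo}-{hi}"))
    for e in entries:                     # groups first: a user's gidNumber must name one
        if "group" in e.get("objectClass", []) and "gidNumber" in e:
            gid = int(e["gidNumber"][0])
            group_gids[gid] = e["sAMAccountName"][0]
            if not lo <= gid <= hi:
                findings.append(("gid-out-of-range", group_gids[gid],
                                 f"gidNumber {gid} not in {lo}-{hi}"))
    for e in entries:
        if "user" not in e.get("objectClass", []) or "uidNumber" not in e:
            continue                      # groups, and users with no RFC2307 attributes at all
        name, uid = e["sAMAccountName"][0], int(e["uidNumber"][0])
        gid = int(e.get("gidNumber", ["-1"])[0])
        uid_owners.setdefault(uid, []).append(name)
        if not lo <= uid <= hi:
            findings.append(("uid-out-of-range", name, f"uidNumber {uid} not in {lo}-{hi}"))
        if gid not in group_gids:
            findings.append(("unknown-primary-gid", name, f"gidNumber {gid} matches no group"))
    for uid, names in uid_owners.items():
        if len(names) > 1:
            findings.append(("duplicate-uid", ",".join(sorted(names)), f"uidNumber {uid} reused"))
    return findings


def report(conf_text=SMB_CONF, ldif_text=SAMPLE_LDIF, domain="TRUEVINE"):
    """Print and return the findings for one smb.conf/LDIF pair."""
    findings = check_idmap(parse_idmap_ranges(conf_text), parse_ldif(ldif_text), domain)
    for kind, account, detail in findings:
        print(f"{kind:20} {account:12} {detail}")
    return findings
```

Against a real domain, dump the attributes on the DC with ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectClass uidNumber gidNumber, and pass that text together with the member server's smb.conf to report(). A clean report is the precondition; 'getent passwd <user>' and 'getent group Domain\ Users' on the member server then confirm that winbind agrees with what AD holds.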

