[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Sat Aug 9 14:24:42 MDT 2014

Just wanted to tell you, the files you asked about are right where they 
should be based on my configuration. They're in "/usr/lib". With that 
being known, do you have any ideas as to why some users resolve via 
getent and others don't? That may reveal something key to my whole 
issue. I am researching it now.

On 8/9/2014 3:55 PM, Ryan Ashley wrote:
> As a C/C++ programmer, I love building the latest stable and enjoy 
> having it, but I am beginning to think maybe I should be using the 
> backports S4. I will have to do that on Monday however, since I need 
> physical access to wipe and reinstall the VM. It would be fewer 
> packages to install though, since I would not need the headers and 
> such. Oh wait, it's a VM. I still have to build the virtualized 
> drivers. Still, I may give it a go. The version you stated is only two 
> versions behind what I am running (4.1.11), so no big loss there. For 
> now however, I am going to attempt to make this work. If I have failed 
> then Monday I will try your suggestion when I can get access to the 
> physical system.
> On 8/9/2014 2:20 PM, Rowland Penny wrote:
>> On 09/08/14 18:58, Ryan Ashley wrote:
>>> I have been working on this alone for a while since the thread is so 
>>> long and have tried a few things and discovered others. One REALLY 
>>> strange thing is that when I use getent to look up users, some users 
>>> show the 70001 and up IDs, and others do not show a thing. This is 
>>> normal users now, not my domain admin account. For example, "getent 
>>> passwd yolandab" returns nothing while "getent passwd cynthiaj" 
>>> returns two IDs above 70k. Even my normal user account, 
>>> reach_support, returns nothing. This one has me a tad lost, but the 
>>> next thing I discovered may be the solution.
>>> If I attempt to install libnss-winbind or libpam-winbind from 
>>> the repos, it tries to install the Samba stuff from the repos. 
>>> Aren't those two built when you build S4? I am currently looking for 
>>> them and have a "find" command running on the system in a screen 
>>> session. I imagine I need to symlink those to /lib, right? Assuming 
>>> they were built, I will try this and if it doesn't work, I will let 
>>> you know. If it does, I will also tell you. I hope this has been my 
>>> issue all along, but we should know soon.
>>> Finally, I deleted both /var/lib/samba AND /var/cache/samba. I 
>>> found the latter afterwards. I also deleted /etc/krb5.keytab once I 
>>> left the domain and before joining again. Just being safe. I do know 
>>> that the keytab does not store IDs or anything, I am just trying to 
>>> be thorough. Thank you again for your help and I do know of the 
>>> manpages, but I normally get headaches reading them. I wish they had 
>>> the info on a wiki page so I could go right to the section I want to 
>>> study.
>>> On 8/8/2014 1:12 PM, Rowland Penny wrote:
>>>> On 08/08/14 17:49, Ryan Ashley wrote:
>>>>> Thanks, Rowland. I do not have some of the things you have on your 
>>>>> laptop. Our server configs are almost identical, and I use BIND9 
>>>>> also. I am going to assume then, based on that, that my issue lies 
>>>>> in my client configuration. I can run getent on the server and get 
>>>>> the correct results. Just not on the two member servers, more 
>>>>> proof that it is indeed an issue on them.
>>>>> If I may ask, you have a LOT of entries not shown in any of the 
>>>>> guides, including the ones you already had me add, such as the 
>>>>> keytab. Several of your entries catch my eye.
>>>> OK, if on the client, you run 'man smb.conf' you will get displayed 
>>>> what is called the 'manpage' for what you can put into smb.conf and 
>>>> what they do.
>>>>> winbind expand groups = 4
>>>>     This option controls the maximum depth that winbindd will traverse 
>>>>     when flattening nested group memberships of Windows domain groups.
>>>>> winbind normalize names = yes
>>>>     This parameter controls whether winbindd will replace whitespace in 
>>>>     user and group names with an underscore (_) character.
>>>>> printcap name = cups
>>>>     This parameter may be used to override the compiled-in default 
>>>>     printcap name used by the server (usually /etc/printcap).
>>>>> cups options = raw
>>>>     This parameter is only applicable if printing is set to cups. Its 
>>>>     value is a free form string of options passed directly to the cups 
>>>>     library.
>>>>> usershare allow guests = yes
>>>>     Controls if usershares can permit guest access.
>>>>> os level = 20
>>>>     This integer value controls what level Samba advertises itself as 
>>>>     for browse elections. The value of this parameter determines 
>>>>     whether nmbd(8) has a chance of becoming a local master browser for 
>>>>     the workgroup in the local broadcast area.
>>>>> map to guest = bad user
>>>>     This parameter can take four different values, which tell smbd(8) 
>>>>     what to do with user login requests that don't match a valid UNIX 
>>>>     user in some way.
>>>>     ·   Bad User - Means user logins with an invalid password are 
>>>>         rejected, unless the username does not exist, in which case it 
>>>>         is treated as a guest login and mapped into the guest account.
>>>>> username map = /etc/samba/smbmap
>>>>     This option allows you to specify a file containing a mapping of 
>>>>     usernames from the clients to the server.
>>>> This is my smbmap file:
>>>> !root = EXAMPLE\Administrator Administrator administrator
>>>> As I said there is more info available in the smb.conf manpage.
>>>>> I have never seen these before. The last entry on my list may be 
>>>>> the key if it does what I think it does. Before I add these lines 
>>>>> I need to ask if there is a cache of IDs to names somewhere. See, 
>>>>> I find it VERY odd that as often as I have removed the system from 
>>>>> the domain, wiped out everything in "/var/lib/samba", and rejoined 
>>>>> the domain, it keeps mapping the EXACT same ID numbers on each box 
>>>>> to the same usernames. My belief is that there is a cache I am not 
>>>>> deleting somewhere. Would you mind telling me if there is a file 
>>>>> somewhere I should delete to remove the old mappings?
>>>> If you are deleting /var/lib/samba then you are deleting the cache, 
>>>> provided of course you are doing this on the client. The fact that 
>>>> you are getting the right uidNumbers on the server shows that this 
>>>> seems to be set up correctly, the problem does seem to be with the 
>>>> client. Do you have all these packages installed on the client:
>>>> samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5 
>>>> krb5-user
>>>> After that, I can only think that we are going to have to walk 
>>>> through the setup file by file.
>>>> Rowland
>> This is one of the problems with building samba4 yourself, on the 
>> server you do not need the 'extra' packages, but when it comes to the 
>> clients, you do. As you are using Debian, have you considered using 
>> samba from backports, this would give you samba4 version 4.1.9 (at 
>> the moment).
>> Rowland
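The 'username map' and 'map to guest = bad user' options Rowland explains above interact in a way that is easy to get wrong, and the '!' prefix on his smbmap line is what makes it safe next to a wildcard. The following is an added Python model of that processing, not Samba's own code; the sample map and the svc_backup/jdoe names are constructed, only the first map line comes from the thread, and '@group' entries are left out.

```python
"""Model of smb.conf 'username map' processing (added example, not Samba's code).
Per the manpage: 'unixname = client_name ...' lines are processed top to bottom and
matched case-insensitively; a match rewrites the name and later lines see the new
name, unless the line starts with '!' (stop after a match). '*' matches any name."""

def parse_username_map(text):
    """Return [(stop_after_match, unix_name, [client_names])] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank lines and comments are skipped
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip() or not rhs.split():
            raise ValueError(f"malformed username map line: {raw!r}")
        rules.append((stop, unix_name.strip(), rhs.split()))
    return rules

def map_username(client_name, rules):
    """Run one incoming name through the rules; returns the final UNIX name.
    '@group' (UNIX group membership) entries are deliberately not modelled."""
    name = client_name
    for stop, unix_name, client_names in rules:
        if any(c == "*" or c.lower() == name.lower() for c in client_names):
            name = unix_name
            if stop:
                break
    return name

def effective_account(client_name, rules, unix_users, guest="nobody"):
    """'map to guest = bad user': a name that is not a UNIX user becomes the guest."""
    name = map_username(client_name, rules)
    return name if name in unix_users else guest

# Constructed sample map; only the first rule is the line quoted in the thread.
# Without '!' on the svc_backup line, the trailing wildcard remaps it to nobody.
WITHOUT_BANG = r"""!root = EXAMPLE\Administrator Administrator administrator
svc_backup = EXAMPLE\backupsvc backupsvc
nobody = *"""
WITH_BANG = WITHOUT_BANG.replace("svc_backup =", "!svc_backup =")

if __name__ == "__main__":
    for text in (WITHOUT_BANG, WITH_BANG):
        rules = parse_username_map(text)
        print([map_username(n, rules) for n in ("Administrator", "backupsvc", "jdoe")])
```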
