[Samba] Samba 4 AD share: Access denied

Davor Vusir davortvusir at gmail.com
Sun Aug 10 00:54:49 MDT 2014

2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
> Alright, I am calling it quits for the day unless somebody knows what I have
> screwed up here. If I do "getent passwd" it shows all local and domain
> users, and the domain users have the wrong ID's. If I do "getent passwd
> <domain user>" I get absolutely nothing. Obviously I have done something
> wrong here, but I have no clue what. This behavior started after modifying
> the configuration file though. The modifications Rowland showed me in his.
> That tells me that maybe it is trying to do something right and cannot. I
> have one last idea of my own, then I will be installing the backports
> version Monday on a clean VM.

Hey Ryan!

I noticed when I ran 'testparm -v /etc/samba/smb.conf | more' that
samba is using the directories (lock directory =
/usr/local/samba/var/lock) from the old selfcompiled  installation.
Now I'm using the Sernet package.

When i run ''testparm -v | more' it reads
/usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf and shows
only one out of two share definitions.

The file /etc/samba/smb.conf is copied from an old AD DC serverconfig
and later edited. The hidden entries like "lock directory =" above are

Are you perhaps experienceing the same?


> On 8/9/2014 4:24 PM, Ryan Ashley wrote:
>> Just wanted to tell you, the files you asked about are right where they
>> should be based on my configuration. They're in "/usr/lib". With that being
>> known, do you have any ideas as to why some users resolve via getent and
>> others don't? That may reveal something key to my whole issue. I am
>> researching it now.
>> On 8/9/2014 3:55 PM, Ryan Ashley wrote:
>>> As a C/C++ programmer, I love building the latest stable and enjoy having
>>> it, but I am beginning to think maybe I should be using the backports S4. I
>>> will have to do that on Monday however, since I need physical access to wipe
>>> and reinstall the VM. It would be fewer packages to install though, since I
>>> would not need the headers and such. Oh wait, it's a VM. I still have to
>>> build the virtualized drivers. Still, I may give it a go. The version you
>>> stated is only two versions behind what I am running (4.1.11), so no big
>>> loss there. For now however, I am going to attempt to make this work. If I
>>> have failed then Monday i will try your suggestion when I can get access to
>>> the physical system.
>>> On 8/9/2014 2:20 PM, Rowland Penny wrote:
>>>> On 09/08/14 18:58, Ryan Ashley wrote:
>>>>> I have been working on this alone for a while since the thread is so
>>>>> long and have tried a few things and discovered others. One REALLY strange
>>>>> thing is that when I use getent to look up users, some users show the 70001
>>>>> and up IDs, and others do not show a thing. This is normal users now, not my
>>>>> domain admin account. For example, "getent passwd yolandab" returns nothing
>>>>> while "getent passwd cynthiaj" returns two ID's above 70k. Even my normal
>>>>> user account, reach_support, returns nothing. This one has me a tad lost,
>>>>> but the next thing I discovered may be the solution.
>>>>>     If I attempt to install libnss-winbind or libpam-winbind from the
>>>>> repos, it tries to install the Samba stuff from the repos. Aren't those two
>>>>> built when you build S4? I am currently looking for them and have a "find"
>>>>> command running on the system in a screen session. I imagine I need to
>>>>> symlink those to /lib, right? Assuming they were built, I will try this and
>>>>> if it doesn't work, I will let you know. If it does, I will also tell you. I
>>>>> hope this has been my issue all along, but we should know soon.
>>>>>     Finally, I delete both /var/lib/samba AND /var/cache/samba. I found
>>>>> the latter afterwards. I also deleted /etc/krb5.keytab once I left the
>>>>> domain and before joining again. Just being safe. I do know that the keytab
>>>>> does not store ID's or anything, I am just trying to be thorough. Thank you
>>>>> again for your help and I do know of the manpages, but I normally get
>>>>> headaches reading them. I wish they had the info on a wiki page so I could
>>>>> go right to the section I want to study.
>>>>> On 8/8/2014 1:12 PM, Rowland Penny wrote:
>>>>>> On 08/08/14 17:49, Ryan Ashley wrote:
>>>>>>> Thanks, Rowland. I do not have some of the things you have on your
>>>>>>> laptop. Our server configs are almost identical, and I use BIND9 also. I am
>>>>>>> going to assume then, based on that, that my issue lies in my client
>>>>>>> configuration. I can run getent on the server and get the correct results.
>>>>>>> Just not on the two member servers, more proof that it is indeed an issue on
>>>>>>> them.
>>>>>>> If I may ask, you have a LOT of entries not shown in any of the
>>>>>>> guides, including the ones you already had me add, such as the keytab.
>>>>>>> Several of your entries catch my eye.
>>>>>> OK, if on the client, you run 'man smb.conf' you will get displayed
>>>>>> what is called the 'manpage' for what you can put into smb.conf and what
>>>>>> they do.
>>>>>>> winbind expand groups = 4
>>>>>>            This option controls the maximum depth that winbindd will
>>>>>> traverse
>>>>>>            when flattening nested group memberships of Windows domain
>>>>>> groups.
>>>>>>> winbind normalize names = yes
>>>>>>            This parameter controls whether winbindd will replace
>>>>>> whitespace in
>>>>>>            user and group names with an underscore (_) character.
>>>>>>> printcap name = cups
>>>>>>            This parameter may be used to override the compiled-in
>>>>>> default
>>>>>>            printcap name used by the server (usually /etc/printcap).
>>>>>>> cups options = raw
>>>>>>            This parameter is only applicable if printing is set to
>>>>>> cups. Its
>>>>>>            value is a free form string of options passed directly to
>>>>>> the cups
>>>>>>            library.
>>>>>>> usershare allow guests = yes
>>>>>> Controls if usershares can permit guest access.
>>>>>>> os level = 20
>>>>>>            This integer value controls what level Samba advertises
>>>>>> itself as
>>>>>>            for browse elections. The value of this parameter
>>>>>> determines
>>>>>>            whether nmbd(8) has a chance of becoming a local master
>>>>>> browser for
>>>>>>            the workgroup in the local broadcast area.
>>>>>>> map to guest = bad user
>>>>>>            This parameter can take four different values, which tell
>>>>>> smbd(8)
>>>>>>            what to do with user login requests that don't match a
>>>>>> valid UNIX
>>>>>>            user in some way.
>>>>>>            ·   Bad User - Means user logins with an invalid password
>>>>>> are
>>>>>>                rejected, unless the username does not exist, in which
>>>>>> case it
>>>>>>                is treated as a guest login and mapped into the guest
>>>>>> account.
>>>>>>> username map = /etc/samba/smbmap
>>>>>>            This option allows you to specify a file containing a
>>>>>> mapping of
>>>>>>            usernames from the clients to the server.
>>>>>> This is my smbmap file
>>>>>> !root = EXAMPLE\Administrator Administrator administrator
>>>>>> As I said there is more info available in the smb.conf manpage.
>>>>>>> I have never seen these before. The last entry on my list may be the
>>>>>>> key if it does what I think it does. Before I add these lines I need to ask
>>>>>>> if there is a cache of ID's to names somewhere. See, I find it VERY odd that
>>>>>>> as often as I have removed the system from the domain, wiped out everything
>>>>>>> in "/var/lib/samba", and rejoined the domain, it keeps mapping the EXACT
>>>>>>> same ID numbers on each box to the same usernames. My belief is that there
>>>>>>> is a cache I am not deleting somewhere. Would you mind telling me if there
>>>>>>> is a file somewhere I should delete to remove the old mappings?
>>>>>> If you are deleting /var/lib/samba then you are deleting the cache,
>>>>>> provided of course you are doing this on the client. The fact that you are
>>>>>> getting the right uidNumber's on the server shows that this seems to be set
>>>>>> up correctly, the problem does seem to be with the client. Do you have all
>>>>>> these packages installed on the client:
>>>>>> samba libnss-winbind winbind libpam-winbind krb5-config libpam-krb5
>>>>>> krb5-user
>>>>>> After that, I can only think that we are going to have to walk through
>>>>>> the setup file by file.
>>>>>> Rowland
>>>> This is one of the problems with building samba4 yourself, on the server
>>>> you do not need the 'extra' packages, but when it comes to the clients, you
>>>> do. As you are using Debian, have you considered using samba from backports,
>>>> this would give you samba4 version 4.1.9 (at the moment).
>>>> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list