[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Mon Aug 11 09:52:52 MDT 2014


Just to let everybody know, I rebuilt S4 from scratch using 
"--with-shared-modules=idmap_ad" in the configuration parameters, and 
now I am getting the correct IDs on both member servers. Now my issue 
is that despite this, only the domain admin can browse the mapped 
drives. Permissions are correct on all shares (I redid them by hand), but 
people in those groups are NOT allowed access despite having "full 
control" over the share.

At least we made some progress. Now what should I look at, since the IDs 
are being pulled from AD correctly? My nsswitch.conf is set to use 
winbind and winbind is running. Everything appears to work correctly on 
both servers, including same IDs and such, but it still denies access to 
everybody EXCEPT the owner.

On 08/11/2014 09:48 AM, Ryan Ashley wrote:
> Thank you for that information. I just ran the command on our 
> print server and it appears to be using the correct configuration 
> file, but there are LOADS of extra parameters I am assuming are at 
> default settings. However, I do not appear to have /var/run/samba or 
> /var/lock/samba directories. I am going to create those and see if it 
> helps, but if it does I do not know why.
>
> Also, I cannot seem to be able to install the S4 packages from 
> backports onto ANY Wheezy system, including my laptop. The 
> "samba4-common-bin" is configured to depend on "python-samba", but the 
> only version available is 4.0.x so it won't install. I am working that 
> issue out on the Debian forums and it may result in a bug report.
>
> root at ps01:~# testparm -v /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[Xerox7545]"
> Loaded services file OK.
> ERROR: lock directory /var/lock/samba does not exist
> ERROR: pid directory /var/run/samba does not exist
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>         dos charset = CP850
>         unix charset = UTF-8
>         workgroup = TRUEVINE
>         realm = TRUEVINE.LAN
>         netbios name = PS01
>         netbios aliases =
>         netbios scope =
>         server string = Samba 4.1.11
>         interfaces =
>         bind interfaces only = No
>         server role = auto
>         security = ADS
>         auth methods = winbind
>         encrypt passwords = Yes
>         client schannel = Auto
>         server schannel = Auto
>         allow trusted domains = Yes
>         map to guest = Never
>         null passwords = No
>         obey pam restrictions = No
>         password server = *
>         smb passwd file = /var/lib/samba/private/smbpasswd
>         private dir = /var/lib/samba/private
>         passdb backend = tdbsam
>         algorithmic rid base = 1000
>         root directory =
>         guest account = nobody
>         enable privileges = Yes
>         pam password change = No
>         passwd program =
>         passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>         passwd chat debug = No
>         passwd chat timeout = 2
>         check password script =
>         username map =
>         username level = 0
>         unix password sync = No
>         restrict anonymous = 0
>         lanman auth = No
>         ntlm auth = Yes
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         client use spnego principal = No
>         preload modules =
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         map untrusted to domain = No
>         log level = 2
>         syslog = 1
>         syslog only = No
>         log file =
>         max log size = 5000
>         debug timestamp = Yes
>         debug prefix timestamp = No
>         debug hires timestamp = Yes
>         debug pid = No
>         debug uid = No
>         debug class = No
>         enable core files = Yes
>         smb ports = 445, 139
>         large readwrite = Yes
>         server max protocol = SMB3
>         server min protocol = LANMAN1
>         client max protocol = NT1
>         client min protocol = CORE
>         unicode = Yes
>         min receivefile size = 0
>         read raw = Yes
>         write raw = Yes
>         disable netbios = No
>         reset on zero vc = No
>         log writeable files on exit = No
>         defer sharing violations = Yes
>         nt pipe support = Yes
>         nt status support = Yes
>         max mux = 50
>         max xmit = 16644
>         name resolve order = lmhosts, wins, host, bcast
>         max ttl = 259200
>         max wins ttl = 518400
>         min wins ttl = 21600
>         time server = No
>         unix extensions = Yes
>         use spnego = Yes
>         client signing = default
>         server signing = default
>         client use spnego = Yes
>         client ldap sasl wrapping = plain
>         enable asu support = No
>         svcctl list =
>         cldap port = 0
>         dgram port = 0
>         nbt port = 0
>         krb5 port = 0
>         kpasswd port = 0
>         web port = 0
>         rpc big endian = No
>         deadtime = 0
>         getwd cache = Yes
>         keepalive = 300
>         lpq cache time = 30
>         max smbd processes = 0
>         max disk size = 0
>         max open files = 16384
>         socket options = TCP_NODELAY
>         use mmap = Yes
>         use ntdb = No
>         hostname lookups = No
>         name cache timeout = 660
>         ctdbd socket =
>         cluster addresses =
>         clustering = No
>         ctdb timeout = 0
>         ctdb locktime warn threshold = 0
>         smb2 max read = 1048576
>         smb2 max write = 1048576
>         smb2 max trans = 1048576
>         smb2 max credits = 8192
>         load printers = Yes
>         printcap cache time = 750
>         printcap name =
>         cups server =
>         cups encrypt = No
>         cups connection timeout = 30
>         iprint server =
>         disable spoolss = No
>         addport command =
>         enumports command =
>         addprinter command =
>         deleteprinter command =
>         show add printer wizard = Yes
>         os2 driver map =
>         mangling method = hash2
>         mangle prefix = 1
>         max stat cache size = 256
>         stat cache = Yes
>         machine password timeout = 604800
>         add user script =
>         rename user script =
>         delete user script =
>         add group script =
>         delete group script =
>         add user to group script =
>         delete user from group script =
>         set primary group script =
>         add machine script =
>         shutdown script =
>         abort shutdown script =
>         username map script =
>         username map cache time = 0
>         logon script =
>         logon path = \\%N\%U\profile
>         logon drive =
>         logon home = \\%N\%U
>         domain logons = No
>         init logon delayed hosts =
>         init logon delay = 100
>         os level = 20
>         lm announce = Auto
>         lm interval = 60
>         preferred master = No
>         local master = Yes
>         domain master = Auto
>         browse list = Yes
>         enhanced browsing = Yes
>         dns proxy = Yes
>         wins proxy = No
>         wins server =
>         wins support = No
>         wins hook =
>         lock spin time = 200
>         oplock break wait time = 0
>         ldap admin dn =
>         ldap delete dn = No
>         ldap group suffix =
>         ldap idmap suffix =
>         ldap machine suffix =
>         ldap passwd sync = no
>         ldap replication sleep = 1000
>         ldap suffix =
>         ldap ssl = start tls
>         ldap ssl ads = No
>         ldap deref = auto
>         ldap follow referral = Auto
>         ldap timeout = 15
>         ldap connection timeout = 2
>         ldap page size = 1024
>         ldap user suffix =
>         ldap debug level = 0
>         ldap debug threshold = 10
>         eventlog list =
>         add share command =
>         change share command =
>         delete share command =
>         preload =
>         lock directory = /var/lock/samba
>         state directory = /var/lib/samba
>         cache directory = /var/cache/samba
>         pid directory = /var/run/samba
>         ntp signd socket directory =
>         utmp directory =
>         wtmp directory =
>         utmp = No
>         default service =
>         message command =
>         get quota command =
>         set quota command =
>         remote announce =
>         remote browse sync =
>         nbt client socket address = 0.0.0.0
>         nmbd bind explicit broadcast = Yes
>         homedir map = auto.home
>         afs username map =
>         afs token lifetime = 604800
>         log nt token command =
>         NIS homedir = No
>         registry shares = No
>         usershare allow guests = No
>         usershare max shares = 0
>         usershare owner only = Yes
>         usershare path = /var/lib/samba/usershares
>         usershare prefix allow list =
>         usershare prefix deny list =
>         usershare template share =
>         async smb echo handler = No
>         panic action =
>         perfcount module =
>         host msdfs = Yes
>         passdb expand explicit = No
>         idmap backend = tdb
>         idmap cache time = 604800
>         idmap negative cache time = 120
>         idmap uid =
>         idmap gid =
>         template homedir = /home/%D/%U
>         template shell = /bin/false
>         winbind separator = \
>         winbind cache time = 300
>         winbind reconnect delay = 30
>         winbind max clients = 200
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         winbind trusted domains only = No
>         winbind nested groups = Yes
>         winbind expand groups = 1
>         winbind nss info = rfc2307
>         winbind refresh tickets = No
>         winbind offline logon = No
>         winbind normalize names = No
>         winbind rpc only = No
>         create krb5 conf = Yes
>         ncalrpc dir = /var/run/samba/ncalrpc
>         winbind max domain connections = 1
>         winbindd socket directory =
>         winbindd privileged socket directory =
>         winbind sealed pipes = No
>         allow dns updates = disabled
>         dns forwarder =
>         dns update command =
>         nsupdate command =
>         rndc command =
>         multicast dns register = Yes
>         samba kcc command =
>         server services =
>         dcerpc endpoint servers =
>         spn update command =
>         share backend =
>         tls enabled = No
>         tls keyfile =
>         tls certfile =
>         tls cafile =
>         tls crlfile =
>         tls dh params file =
>         spoolss: architecture = Windows x64
>         rpc_daemon:spoolssd = fork
>         rpc_server:spoolss = external
>         idmap config TRUEVINE:range = 10000-40000
>         idmap config TRUEVINE:schema_mode = rfc2307
>         idmap config TRUEVINE:backend = ad
>         idmap config *:range = 70001-80000
>         idmap config * : backend = tdb
>         comment =
>         path =
>         username =
>         invalid users =
>         valid users =
>         admin users =
>         read list =
>         write list =
>         force user =
>         force group =
>         read only = Yes
>         acl check permissions = Yes
>         acl group control = No
>         acl map full control = Yes
>         acl allow execute always = No
>         create mask = 0744
>         force create mode = 00
>         directory mask = 0755
>         force directory mode = 00
>         force unknown acl user = No
>         inherit permissions = No
>         inherit acls = No
>         inherit owner = No
>         guest only = No
>         administrative share = No
>         guest ok = No
>         only user = No
>         hosts allow =
>         hosts deny =
>         allocation roundup size = 1048576
>         aio read size = 0
>         aio write size = 0
>         aio write behind =
>         ea support = No
>         nt acl support = Yes
>         profile acls = No
>         map acl inherit = Yes
>         afs share = No
>         smb encrypt = default
>         durable handles = Yes
>         block size = 1024
>         change notify = Yes
>         directory name cache size = 100
>         kernel change notify = Yes
>         max connections = 0
>         min print space = 0
>         strict allocate = No
>         strict sync = No
>         sync always = No
>         use sendfile = No
>         write cache size = 0
>         max reported print jobs = 0
>         max print jobs = 1000
>         printable = No
>         print notify backchannel = Yes
>         print ok = No
>         printing = cups
>         cups options =
>         print command =
>         lpq command = %p
>         lprm command =
>         lppause command =
>         lpresume command =
>         queuepause command =
>         queueresume command =
>         printer name =
>         use client driver = No
>         default devmode = Yes
>         force printername = No
>         printjob username = %U
>         default case = lower
>         case sensitive = Auto
>         preserve case = Yes
>         short preserve case = Yes
>         mangling char = ~
>         hide dot files = Yes
>         hide special files = No
>         hide unreadable = No
>         hide unwriteable files = No
>         delete veto files = No
>         veto files =
>         hide files =
>         veto oplock files =
>         map archive = Yes
>         map hidden = No
>         map system = No
>         map readonly = yes
>         mangled names = Yes
>         store dos attributes = Yes
>         dmapi support = No
>         browseable = Yes
>         access based share enum = No
>         blocking locks = Yes
>         csc policy = manual
>         fake oplocks = No
>         kernel oplocks = No
>         kernel share modes = Yes
>         locking = Yes
>         oplocks = Yes
>         level2 oplocks = Yes
>         oplock contention limit = 2
>         posix locking = Yes
>         strict locking = Auto
>         dfree cache time = 0
>         dfree command =
>         copy =
>         preexec =
>         preexec close = No
>         postexec =
>         root preexec =
>         root preexec close = No
>         root postexec =
>         available = Yes
>         volume =
>         fstype = NTFS
>         wide links = No
>         follow symlinks = Yes
>         dont descend =
>         magic script =
>         magic output =
>         delete readonly = No
>         dos filemode = No
>         dos filetimes = Yes
>         dos filetime resolution = No
>         fake directory create times = No
>         vfs objects = acl_xattr
>         msdfs root = No
>         msdfs proxy =
>         ntvfs handler =
>
> [printers]
>         path = /var/spool/samba
>         printable = Yes
>         print ok = Yes
>         browseable = No
>
> [print$]
>         comment = Printer drivers
>         path = /srv/samba/printer_drivers
>         read only = No
>
> [Xerox7545]
>         path = /var/spool/samba
>         printable = Yes
>         print ok = Yes
>         printer name = Xerox_WC_7545
>
> On 08/10/2014 02:54 AM, Davor Vusir wrote:
>> 2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>> Alright, I am calling it quits for the day unless somebody knows what I have
>>> screwed up here. If I do "getent passwd" it shows all local and domain
>>> users, and the domain users have the wrong IDs. If I do "getent passwd
>>> <domain user>" I get absolutely nothing. Obviously I have done something
>>> wrong here, but I have no clue what. This behavior started after modifying
>>> the configuration file though. The modifications Rowland showed me in his.
>>> That tells me that maybe it is trying to do something right and cannot. I
>>> have one last idea of my own, then I will be installing the backports
>>> version Monday on a clean VM.
>>>
>> Hey Ryan!
>>
>> I noticed when I ran 'testparm -v /etc/samba/smb.conf | more' that
>> samba is using the directories (lock directory =
>> /usr/local/samba/var/lock) from the old self-compiled installation.
>> Now I'm using the Sernet package.
>>
>> When I run 'testparm -v | more' it reads
>> /usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf and shows
>> only one out of two share definitions.
>>
>> The file /etc/samba/smb.conf is copied from an old AD DC server config
>> and later edited. The hidden entries like "lock directory =" above are
>> present.
>>
>> Are you perhaps experiencing the same?
>>
>> Regards
>> Davor
>>
>
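Two checks a practitioner would run at this point, written as an added example for this page and not code from the thread or from the Samba project. The first parses the "idmap config" lines of an smb.conf (the output of "testparm -s" works as well) and flags missing backends or ranges, overlapping ranges, and ranges that reach into local account ids. The second models how winbind builds a user's Unix token under idmap_ad with schema_mode = rfc2307: an AD group that carries no gidNumber attribute gets no gid and is left out of the token, so a filesystem ACL granting that group access never matches even though AD lists the user as a member. The config fragment, the SIDs, the AD attribute values, the 1000 local-id ceiling and the names rashley and staff are constructed for the example; only the TRUEVINE domain name and the two ranges copy the posted testparm dump.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment; the idmap lines copy the thread's testparm dump.
SAMPLE_SMB_CONF = """
[global]
        workgroup = TRUEVINE
        realm = TRUEVINE.LAN
        security = ADS
        idmap config TRUEVINE:range = 10000-40000
        idmap config TRUEVINE:schema_mode = rfc2307
        idmap config TRUEVINE:backend = ad
        idmap config *:range = 70001-80000
        idmap config * : backend = tdb
"""

LOCAL_ID_CEILING = 1000  # assumption: local /etc/passwd and /etc/group ids stay below this

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return cfg


def check_idmap(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems found; an empty list means the idmap layout is sane."""
    problems: List[str] = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' entry: BUILTIN and foreign SIDs get no mapping")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = (int(x) for x in opts["range"].split("-", 1))
            if lo > hi:
                raise ValueError
        except ValueError:
            problems.append(f"{dom}: malformed range {opts['range']!r}")
            continue
        if lo < LOCAL_ID_CEILING:
            problems.append(f"{dom}: range {lo}-{hi} reaches into local ids below {LOCAL_ID_CEILING}")
        ranges[dom] = (lo, hi)
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (d1, (_, hi1)), (d2, (lo2, _)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:  # overlapping ranges let one uid/gid stand for two SIDs
            problems.append(f"{d1} and {d2} ranges overlap")
    return problems


# Constructed AD objects: SID -> (name, uidNumber/gidNumber or None when unset).
STAFF_SID = "S-1-5-21-1-2-3-1200"
AD_OBJECTS: Dict[str, Tuple[str, Optional[int]]] = {
    "S-1-5-21-1-2-3-1105": ("rashley", 10005),
    "S-1-5-21-1-2-3-513": ("Domain Users", 10001),
    STAFF_SID: ("staff", None),  # group that was never given a gidNumber
}


def unix_token(user_sid: str, group_sids: List[str],
               ad: Dict[str, Tuple[str, Optional[int]]] = AD_OBJECTS
               ) -> Tuple[Optional[int], List[int], List[str]]:
    """Model of idmap_ad (rfc2307): a SID maps only if the object has uidNumber/gidNumber.
    Returns (uid, gids, names of groups dropped from the token)."""
    uid = ad[user_sid][1]
    gids: List[int] = []
    dropped: List[str] = []
    for sid in group_sids:
        name, gid = ad[sid]
        (gids.append(gid) if gid is not None else dropped.append(name))
    return uid, gids, dropped


def posix_allows(owner_uid: int, group_gid: int, mode: int,
                 uid: Optional[int], gids: List[int], want: int) -> bool:
    """Owner/group/other check: does the token hold every permission bit in 'want'?"""
    if uid is not None and uid == owner_uid:
        bits = (mode >> 6) & 0o7
    elif group_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want


def demo() -> Dict[str, object]:
    """Run both checks: the config as posted, then a share owned root:staff (rwxrwx---)."""
    user, groups = "S-1-5-21-1-2-3-1105", ["S-1-5-21-1-2-3-513", STAFF_SID]
    share = dict(owner_uid=0, group_gid=10020, mode=0o770)
    uid, gids, dropped = unix_token(user, groups)
    fixed_ad = {**AD_OBJECTS, STAFF_SID: ("staff", 10020)}  # gidNumber added in AD
    uid2, gids2, dropped2 = unix_token(user, groups, fixed_ad)
    return {
        "idmap_problems": check_idmap(parse_idmap(SAMPLE_SMB_CONF)),
        "dropped_without_gidNumber": dropped,
        "access_without_gidNumber": posix_allows(uid=uid, gids=gids, want=0o6, **share),
        "dropped_with_gidNumber": dropped2,
        "access_with_gidNumber": posix_allows(uid=uid2, gids=gids2, want=0o6, **share),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the real member server the equivalent of unix_token is the output of id 'DOMAIN\user' run as root: a group that AD says the user belongs to but that is missing from that output, and whose SID "wbinfo --sid-to-gid" cannot translate, has no usable mapping and will not satisfy any POSIX ACL or acl_xattr entry that names it.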