[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 12 08:34:41 MDT 2014


I may have found the culprit. I attempted to change a group policy this 
morning, as domain admin, and got "Access is denied" when applying the 
change. This led me to the DC. Specifically, the sysvol directory. It 
was owned by root and 3000000. Not good. I restarted S4. Same thing. I 
did "samba-tool ntacl sysvolreset" and now I have this.

root@dc01:/var/lib/samba# l
total 1376
-rw-------  1 root             root    421888 Jun 19 14:32 account_policy.tdb
drwx------  2 root             root     16384 Jun 19 09:41 lost+found
drwxr-x---  2 root             root      4096 Aug 12 10:29 ntp_signd
drwxr-xr-x  7 root             root      4096 Aug 12 10:29 private
-rw-------  1 root             root    528384 Jun 19 14:32 registry.tdb
-rw-------  1 root             root    421888 Jun 19 14:32 share_info.tdb
drwxrwx---+ 3 TRUEVINE\reachfp 3000000   4096 Aug 12 10:29 sysvol
drwxr-x---  2 root             root      4096 Aug 12 10:29 winbindd_privileged
root@dc01:/var/lib/samba#

What group is supposed to have access to that and why is it setting it 
to some unknown ID? This is my DC and it is the ONLY DC in the domain. 
Yes, /etc/nsswitch.conf is set up to use winbind, which should be clear 
from the owner. Still, this could be why the domain is acting so 
strange. How do I fix this?

On 08/12/2014 09:28 AM, Ryan Ashley wrote:
> Still stuck. I have even tried giving everybody full permissions and 
> no matter what I do with ACLs, I keep being denied access. I believe 
> the issue is on the network level. In Windows, you normally set 
> network access to "Everyone/Full Control" and then control things via 
> NTFS permissions. Is it possible Samba is somehow stopping me at the 
> network level? How can I check?
>
> Also, I did some thinking and believe we went down a path that was in 
> no way going to help me. Steve and Rowland, you both had me get my 
> ID's mapping the same across all servers, but here is my thinking, and 
> it may be wrong. If I had never fixed that, but server A always saw me 
> as ID 70001 and server B saw me as 70009, who cares? If I always 
> access server A and get ID 70001 then everything with that ID is 
> always owned by me. So what should it matter if the other server has a 
> different ID for me? Everything on that server would be owned by that 
> ID. The only case I could see for having the same ID across servers 
> would be for something like a DFS. Either way, the ID's did not change 
> a thing other than the numbers stored in the ACLs. I am still being 
> denied access by every user EXCEPT the domain admin.
>
> So what should I look at next? I am still lost as to why this won't work.
>
> On 08/11/2014 10:20 PM, Ryan Ashley wrote:
>> Alright, I have spent the day trying various things to get nowhere. 
>> It is like the user being in the group means nothing to Samba. I have 
>> my support user in all groups, the drives map, but I get "Access is 
>> denied" whenever I attempt to click on a mapped drive. I read dozens 
>> of posts about how this could be a Windows 7 thing, so I added the 
>> lines below to the global section, but it does not help. I also 
>> cannot access the share from Linux (KDE4/Dolphin), so I am fairly 
>> sure this isn't a Windows 7 bug. I cannot access them from an iPad 
>> either, or my Android phone. In other words, Samba is denying access 
>> to everybody who is not the actual owner of the share, even if the 
>> user is in any of the groups in the ACL on the Linux filesystem.
>>
>> ntlm auth = no
>> lanman auth = no
>> client ntlmv2 auth = yes
>>
>> The rest has not changed at this point. I did configure with 
>> "--with-ads and --with-shared-modules=idmap_ad". Still no go. What 
>> could cause Samba to not figure out a user is in a group that has 
>> access to a directory? This is where I am stuck.
>>
>> On 8/11/2014 12:44 PM, Ryan Ashley wrote:
>>> Alright, I am back where I started. I now have the correct ID's on 
>>> both servers, but nothing I do allows users and groups access to the 
>>> shares. I keep getting "Access Denied" when any domain user attempts 
>>> to access the shares. I have tried 777/666 and 770/660 for the Linux 
>>> permissions and nothing changes. Here is a dump of the current 
>>> server config and ACLs.
>>>
>>> root@fs01:~# testparm /etc/samba/smb.conf
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> Processing section "[install$]"
>>> Processing section "[staff$]"
>>> Processing section "[fbc$]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>>         workgroup = TRUEVINE
>>>         realm = TRUEVINE.LAN
>>>         security = ADS
>>>         dedicated keytab file = /etc/krb5.keytab
>>>         kerberos method = secrets and keytab
>>>         local master = No
>>>         domain master = No
>>>         winbind enum users = Yes
>>>         winbind enum groups = Yes
>>>         winbind use default domain = Yes
>>>         winbind nss info = rfc2307
>>>         idmap config TRUEVINE:range = 10001-40000
>>>         idmap config TRUEVINE:schema_mode = rfc2307
>>>         idmap config TRUEVINE:backend = ad
>>>         idmap config *:range = 70001-80000
>>>         idmap config * : backend = tdb
>>>         map acl inherit = Yes
>>>         store dos attributes = Yes
>>>         vfs objects = acl_xattr
>>>
>>> [install$]
>>>         comment = "Software installation files"
>>>         path = /home/shared/install
>>>         read only = No
>>>
>>> [staff$]
>>>         comment = "Staff file share"
>>>         path = /home/shared/staff
>>>         read only = No
>>>
>>> [fbc$]
>>>         comment = "Family Bible College file share"
>>>         path = /home/shared/fbc
>>>         read only = No
>>>
>>> root@fs01:~# getfacl /home/shared/fbc/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared/fbc/
>>> # owner: reachfp
>>> # group: fbc
>>> # flags: -s-
>>> user::rwx
>>> user:reachfp:rwx
>>> group::rwx
>>> group:fbc:rwx
>>> group:70006:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:reachfp:rwx
>>> default:group::---
>>> default:group:fbc:rwx
>>> default:group:70006:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root@fs01:~# getfacl /home/shared/staff/
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared/staff/
>>> # owner: reachfp
>>> # group: staff
>>> # flags: -s-
>>> user::rwx
>>> user:reachfp:rwx
>>> group::rwx
>>> group:staff:rwx
>>> group:70006:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:reachfp:rwx
>>> default:group::---
>>> default:group:staff:rwx
>>> default:group:70006:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root@fs01:~#
>>>
>>> The 70006 ID is the "SYSTEM" account. The guides recommended using 
>>> this for the printer shares and I have always used it on file shares 
>>> also. Removing it does not fix things, so I added it back. If you 
>>> can give me a good reason to remove it again, I will happily do so.
>>>
>>> On 08/11/2014 12:11 PM, Ryan Ashley wrote:
>>>> Just so it can be avoided, all shares had directory permissions of 
>>>> 777 and file permissions of 666. Still getting access denied. I 
>>>> just changed permissions to 770 and 660 for security. I can change 
>>>> them back if needed.
>>>>
>>>> root@fs01:/home/shared# l
>>>> total 40
>>>> drwxrws---+  6 reachfp fbc            4096 Jul 23 11:31 fbc
>>>> drwxrwsrwx   8 reachfp domain admins  4096 Jul 23 11:14 install
>>>> drwx------   2 root    root          16384 Jul 15 10:00 lost+found
>>>> drwxrws---+ 13 reachfp staff          4096 Jul 23 11:30 staff
>>>> root@fs01:/home/shared# l -n
>>>> total 40
>>>> drwxrws---+  6 10001 10030  4096 Jul 23 11:31 fbc
>>>> drwxrwsrwx   8 10001 10002  4096 Jul 23 11:14 install
>>>> drwx------   2     0     0 16384 Jul 15 10:00 lost+found
>>>> drwxrws---+ 13 10001 10032  4096 Jul 23 11:30 staff
>>>> root@fs01:/home/shared#
>>>>
>>>> root@fs01:/home/shared# getent group
>>>> <snipped out the UNIX groups>
>>>> allowed rodc password replication group:x:10007:
>>>> enterprise read-only domain controllers:x:10013:
>>>> denied rodc password replication group:x:10009:krbtgt
>>>> read-only domain controllers:x:10015:
>>>> audiovideo:x:10029:reach_support,yolandab,daquanm,richards
>>>> group policy creator owners:x:10014:reachfp
>>>> newmembers:x:10031:cynthiaj,joyces,yolandab,jovanm,thomasa
>>>> vpn users:x:10033:reach_support
>>>> staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm,daquanm,patriceb,jessicaj,shamekias,thomasa,richards 
>>>>
>>>> fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
>>>> ras and ias servers:x:10015:
>>>> domain controllers:x:10005:
>>>> enterprise admins:x:10012:reachfp
>>>> domain computers:x:10004:
>>>> cert publishers:x:10008:
>>>> dnsupdateproxy:x:10011:
>>>> domain admins:x:10002:reachfp
>>>> domain guests:x:10006:
>>>> schema admins:x:10016:reachfp
>>>> domain users:x:10003:
>>>> dnsadmins:x:10010:
>>>> root@fs01:/home/shared# getent passwd
>>>> <snipped the UNIX stuff again>
>>>> shamekias:*:10011:10003:<???>:/home/TRUEVINE/shamekias:/bin/false
>>>> richards:*:10010:10003:<???>:/home/TRUEVINE/richards:/bin/false
>>>> yolandab:*:10013:10003:<???>:/home/TRUEVINE/yolandab:/bin/false
>>>> joyces:*:10008:10003:<???>:/home/TRUEVINE/joyces:/bin/false
>>>> patriceb:*:10009:10003:<???>:/home/TRUEVINE/patriceb:/bin/false
>>>> cynthiaj:*:10003:10003:<???>:/home/TRUEVINE/cynthiaj:/bin/false
>>>> jessicaj:*:10006:10003:<???>:/home/TRUEVINE/jessicaj:/bin/false
>>>> reach_support:*:10002:10003:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>>> daquanm:*:10004:10003:<???>:/home/TRUEVINE/daquanm:/bin/false
>>>> ernestj:*:10005:10003:<???>:/home/TRUEVINE/ernestj:/bin/false
>>>> jovanm:*:10007:10003:<???>:/home/TRUEVINE/jovanm:/bin/false
>>>> thomasa:*:10012:10003:<???>:/home/TRUEVINE/thomasa:/bin/false
>>>> reachfp:*:10001:10003:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>> root@fs01:/home/shared#
>>>>
>>>> On 08/11/2014 11:52 AM, Ryan Ashley wrote:
>>>>> Just to let everybody know, I rebuilt S4 from scratch using 
>>>>> "--with-shared-modules=idmap_ad" in the configuration parameters, 
>>>>> and now I am getting the correct ID's on both member servers. Now 
>>>>> my issue is that despite this, only the domain admin can browse 
>>>>> the mapped drives. Permissions are correct on all shares (I redid 
>>>>> them by hand) but people in those groups are NOT allowed access 
>>>>> despite having "full control" over the share.
>>>>>
>>>>> At least we made some progress. Now what should I look at since 
>>>>> the ID's are being pulled from AD correctly? My nsswitch.conf is 
>>>>> set to use winbind and winbind is running. Everything appears to 
>>>>> work correctly on both servers including same ID and such, but it 
>>>>> still denies access to everybody EXCEPT the owner.
>>>>>
>>>>> On 08/11/2014 09:48 AM, Ryan Ashley wrote:
>>>>>> Thank you for that information. I just ran the command on our 
>>>>>> print-server and it appears to be using the correct configuration 
>>>>>> file, but there are LOADS of extra parameters I am assuming are 
>>>>>> at default settings. However, I do not appear to have 
>>>>>> /var/run/samba or /var/lock/samba directories. I am going to 
>>>>>> create those and see if it helps, but if it does I do not know why.
>>>>>>
>>>>>> Also, I cannot seem to be able to install the S4 packages from 
>>>>>> backports onto ANY Wheezy system, including my laptop. The 
>>>>>> "samba4-common-bin" is configured to depend on "python-samba" but 
>>>>>> the only version available is 4.0.x so it won't install. I am 
>>>>>> working that issue out on the Debian forums and may result in a 
>>>>>> bug report.
>>>>>>
>>>>>> root@ps01:~# testparm -v /etc/samba/smb.conf
>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>>> Processing section "[printers]"
>>>>>> Processing section "[print$]"
>>>>>> Processing section "[Xerox7545]"
>>>>>> Loaded services file OK.
>>>>>> ERROR: lock directory /var/lock/samba does not exist
>>>>>> ERROR: pid directory /var/run/samba does not exist
>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>> Press enter to see a dump of your service definitions
>>>>>>
>>>>>> [global]
>>>>>>         dos charset = CP850
>>>>>>         unix charset = UTF-8
>>>>>>         workgroup = TRUEVINE
>>>>>>         realm = TRUEVINE.LAN
>>>>>>         netbios name = PS01
>>>>>>         netbios aliases =
>>>>>>         netbios scope =
>>>>>>         server string = Samba 4.1.11
>>>>>>         interfaces =
>>>>>>         bind interfaces only = No
>>>>>>         server role = auto
>>>>>>         security = ADS
>>>>>>         auth methods = winbind
>>>>>>         encrypt passwords = Yes
>>>>>>         client schannel = Auto
>>>>>>         server schannel = Auto
>>>>>>         allow trusted domains = Yes
>>>>>>         map to guest = Never
>>>>>>         null passwords = No
>>>>>>         obey pam restrictions = No
>>>>>>         password server = *
>>>>>>         smb passwd file = /var/lib/samba/private/smbpasswd
>>>>>>         private dir = /var/lib/samba/private
>>>>>>         passdb backend = tdbsam
>>>>>>         algorithmic rid base = 1000
>>>>>>         root directory =
>>>>>>         guest account = nobody
>>>>>>         enable privileges = Yes
>>>>>>         pam password change = No
>>>>>>         passwd program =
>>>>>>         passwd chat = *new*password* %n\n *new*password* %n\n 
>>>>>> *changed*
>>>>>>         passwd chat debug = No
>>>>>>         passwd chat timeout = 2
>>>>>>         check password script =
>>>>>>         username map =
>>>>>>         username level = 0
>>>>>>         unix password sync = No
>>>>>>         restrict anonymous = 0
>>>>>>         lanman auth = No
>>>>>>         ntlm auth = Yes
>>>>>>         client NTLMv2 auth = Yes
>>>>>>         client lanman auth = No
>>>>>>         client plaintext auth = No
>>>>>>         client use spnego principal = No
>>>>>>         preload modules =
>>>>>>         dedicated keytab file = /etc/krb5.keytab
>>>>>>         kerberos method = secrets and keytab
>>>>>>         map untrusted to domain = No
>>>>>>         log level = 2
>>>>>>         syslog = 1
>>>>>>         syslog only = No
>>>>>>         log file =
>>>>>>         max log size = 5000
>>>>>>         debug timestamp = Yes
>>>>>>         debug prefix timestamp = No
>>>>>>         debug hires timestamp = Yes
>>>>>>         debug pid = No
>>>>>>         debug uid = No
>>>>>>         debug class = No
>>>>>>         enable core files = Yes
>>>>>>         smb ports = 445, 139
>>>>>>         large readwrite = Yes
>>>>>>         server max protocol = SMB3
>>>>>>         server min protocol = LANMAN1
>>>>>>         client max protocol = NT1
>>>>>>         client min protocol = CORE
>>>>>>         unicode = Yes
>>>>>>         min receivefile size = 0
>>>>>>         read raw = Yes
>>>>>>         write raw = Yes
>>>>>>         disable netbios = No
>>>>>>         reset on zero vc = No
>>>>>>         log writeable files on exit = No
>>>>>>         defer sharing violations = Yes
>>>>>>         nt pipe support = Yes
>>>>>>         nt status support = Yes
>>>>>>         max mux = 50
>>>>>>         max xmit = 16644
>>>>>>         name resolve order = lmhosts, wins, host, bcast
>>>>>>         max ttl = 259200
>>>>>>         max wins ttl = 518400
>>>>>>         min wins ttl = 21600
>>>>>>         time server = No
>>>>>>         unix extensions = Yes
>>>>>>         use spnego = Yes
>>>>>>         client signing = default
>>>>>>         server signing = default
>>>>>>         client use spnego = Yes
>>>>>>         client ldap sasl wrapping = plain
>>>>>>         enable asu support = No
>>>>>>         svcctl list =
>>>>>>         cldap port = 0
>>>>>>         dgram port = 0
>>>>>>         nbt port = 0
>>>>>>         krb5 port = 0
>>>>>>         kpasswd port = 0
>>>>>>         web port = 0
>>>>>>         rpc big endian = No
>>>>>>         deadtime = 0
>>>>>>         getwd cache = Yes
>>>>>>         keepalive = 300
>>>>>>         lpq cache time = 30
>>>>>>         max smbd processes = 0
>>>>>>         max disk size = 0
>>>>>>         max open files = 16384
>>>>>>         socket options = TCP_NODELAY
>>>>>>         use mmap = Yes
>>>>>>         use ntdb = No
>>>>>>         hostname lookups = No
>>>>>>         name cache timeout = 660
>>>>>>         ctdbd socket =
>>>>>>         cluster addresses =
>>>>>>         clustering = No
>>>>>>         ctdb timeout = 0
>>>>>>         ctdb locktime warn threshold = 0
>>>>>>         smb2 max read = 1048576
>>>>>>         smb2 max write = 1048576
>>>>>>         smb2 max trans = 1048576
>>>>>>         smb2 max credits = 8192
>>>>>>         load printers = Yes
>>>>>>         printcap cache time = 750
>>>>>>         printcap name =
>>>>>>         cups server =
>>>>>>         cups encrypt = No
>>>>>>         cups connection timeout = 30
>>>>>>         iprint server =
>>>>>>         disable spoolss = No
>>>>>>         addport command =
>>>>>>         enumports command =
>>>>>>         addprinter command =
>>>>>>         deleteprinter command =
>>>>>>         show add printer wizard = Yes
>>>>>>         os2 driver map =
>>>>>>         mangling method = hash2
>>>>>>         mangle prefix = 1
>>>>>>         max stat cache size = 256
>>>>>>         stat cache = Yes
>>>>>>         machine password timeout = 604800
>>>>>>         add user script =
>>>>>>         rename user script =
>>>>>>         delete user script =
>>>>>>         add group script =
>>>>>>         delete group script =
>>>>>>         add user to group script =
>>>>>>         delete user from group script =
>>>>>>         set primary group script =
>>>>>>         add machine script =
>>>>>>         shutdown script =
>>>>>>         abort shutdown script =
>>>>>>         username map script =
>>>>>>         username map cache time = 0
>>>>>>         logon script =
>>>>>>         logon path = \\%N\%U\profile
>>>>>>         logon drive =
>>>>>>         logon home = \\%N\%U
>>>>>>         domain logons = No
>>>>>>         init logon delayed hosts =
>>>>>>         init logon delay = 100
>>>>>>         os level = 20
>>>>>>         lm announce = Auto
>>>>>>         lm interval = 60
>>>>>>         preferred master = No
>>>>>>         local master = Yes
>>>>>>         domain master = Auto
>>>>>>         browse list = Yes
>>>>>>         enhanced browsing = Yes
>>>>>>         dns proxy = Yes
>>>>>>         wins proxy = No
>>>>>>         wins server =
>>>>>>         wins support = No
>>>>>>         wins hook =
>>>>>>         lock spin time = 200
>>>>>>         oplock break wait time = 0
>>>>>>         ldap admin dn =
>>>>>>         ldap delete dn = No
>>>>>>         ldap group suffix =
>>>>>>         ldap idmap suffix =
>>>>>>         ldap machine suffix =
>>>>>>         ldap passwd sync = no
>>>>>>         ldap replication sleep = 1000
>>>>>>         ldap suffix =
>>>>>>         ldap ssl = start tls
>>>>>>         ldap ssl ads = No
>>>>>>         ldap deref = auto
>>>>>>         ldap follow referral = Auto
>>>>>>         ldap timeout = 15
>>>>>>         ldap connection timeout = 2
>>>>>>         ldap page size = 1024
>>>>>>         ldap user suffix =
>>>>>>         ldap debug level = 0
>>>>>>         ldap debug threshold = 10
>>>>>>         eventlog list =
>>>>>>         add share command =
>>>>>>         change share command =
>>>>>>         delete share command =
>>>>>>         preload =
>>>>>>         lock directory = /var/lock/samba
>>>>>>         state directory = /var/lib/samba
>>>>>>         cache directory = /var/cache/samba
>>>>>>         pid directory = /var/run/samba
>>>>>>         ntp signd socket directory =
>>>>>>         utmp directory =
>>>>>>         wtmp directory =
>>>>>>         utmp = No
>>>>>>         default service =
>>>>>>         message command =
>>>>>>         get quota command =
>>>>>>         set quota command =
>>>>>>         remote announce =
>>>>>>         remote browse sync =
>>>>>>         nbt client socket address = 0.0.0.0
>>>>>>         nmbd bind explicit broadcast = Yes
>>>>>>         homedir map = auto.home
>>>>>>         afs username map =
>>>>>>         afs token lifetime = 604800
>>>>>>         log nt token command =
>>>>>>         NIS homedir = No
>>>>>>         registry shares = No
>>>>>>         usershare allow guests = No
>>>>>>         usershare max shares = 0
>>>>>>         usershare owner only = Yes
>>>>>>         usershare path = /var/lib/samba/usershares
>>>>>>         usershare prefix allow list =
>>>>>>         usershare prefix deny list =
>>>>>>         usershare template share =
>>>>>>         async smb echo handler = No
>>>>>>         panic action =
>>>>>>         perfcount module =
>>>>>>         host msdfs = Yes
>>>>>>         passdb expand explicit = No
>>>>>>         idmap backend = tdb
>>>>>>         idmap cache time = 604800
>>>>>>         idmap negative cache time = 120
>>>>>>         idmap uid =
>>>>>>         idmap gid =
>>>>>>         template homedir = /home/%D/%U
>>>>>>         template shell = /bin/false
>>>>>>         winbind separator = \
>>>>>>         winbind cache time = 300
>>>>>>         winbind reconnect delay = 30
>>>>>>         winbind max clients = 200
>>>>>>         winbind enum users = Yes
>>>>>>         winbind enum groups = Yes
>>>>>>         winbind use default domain = Yes
>>>>>>         winbind trusted domains only = No
>>>>>>         winbind nested groups = Yes
>>>>>>         winbind expand groups = 1
>>>>>>         winbind nss info = rfc2307
>>>>>>         winbind refresh tickets = No
>>>>>>         winbind offline logon = No
>>>>>>         winbind normalize names = No
>>>>>>         winbind rpc only = No
>>>>>>         create krb5 conf = Yes
>>>>>>         ncalrpc dir = /var/run/samba/ncalrpc
>>>>>>         winbind max domain connections = 1
>>>>>>         winbindd socket directory =
>>>>>>         winbindd privileged socket directory =
>>>>>>         winbind sealed pipes = No
>>>>>>         allow dns updates = disabled
>>>>>>         dns forwarder =
>>>>>>         dns update command =
>>>>>>         nsupdate command =
>>>>>>         rndc command =
>>>>>>         multicast dns register = Yes
>>>>>>         samba kcc command =
>>>>>>         server services =
>>>>>>         dcerpc endpoint servers =
>>>>>>         spn update command =
>>>>>>         share backend =
>>>>>>         tls enabled = No
>>>>>>         tls keyfile =
>>>>>>         tls certfile =
>>>>>>         tls cafile =
>>>>>>         tls crlfile =
>>>>>>         tls dh params file =
>>>>>>         spoolss: architecture = Windows x64
>>>>>>         rpc_daemon:spoolssd = fork
>>>>>>         rpc_server:spoolss = external
>>>>>>         idmap config TRUEVINE:range = 10000-40000
>>>>>>         idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>         idmap config TRUEVINE:backend = ad
>>>>>>         idmap config *:range = 70001-80000
>>>>>>         idmap config * : backend = tdb
>>>>>>         comment =
>>>>>>         path =
>>>>>>         username =
>>>>>>         invalid users =
>>>>>>         valid users =
>>>>>>         admin users =
>>>>>>         read list =
>>>>>>         write list =
>>>>>>         force user =
>>>>>>         force group =
>>>>>>         read only = Yes
>>>>>>         acl check permissions = Yes
>>>>>>         acl group control = No
>>>>>>         acl map full control = Yes
>>>>>>         acl allow execute always = No
>>>>>>         create mask = 0744
>>>>>>         force create mode = 00
>>>>>>         directory mask = 0755
>>>>>>         force directory mode = 00
>>>>>>         force unknown acl user = No
>>>>>>         inherit permissions = No
>>>>>>         inherit acls = No
>>>>>>         inherit owner = No
>>>>>>         guest only = No
>>>>>>         administrative share = No
>>>>>>         guest ok = No
>>>>>>         only user = No
>>>>>>         hosts allow =
>>>>>>         hosts deny =
>>>>>>         allocation roundup size = 1048576
>>>>>>         aio read size = 0
>>>>>>         aio write size = 0
>>>>>>         aio write behind =
>>>>>>         ea support = No
>>>>>>         nt acl support = Yes
>>>>>>         profile acls = No
>>>>>>         map acl inherit = Yes
>>>>>>         afs share = No
>>>>>>         smb encrypt = default
>>>>>>         durable handles = Yes
>>>>>>         block size = 1024
>>>>>>         change notify = Yes
>>>>>>         directory name cache size = 100
>>>>>>         kernel change notify = Yes
>>>>>>         max connections = 0
>>>>>>         min print space = 0
>>>>>>         strict allocate = No
>>>>>>         strict sync = No
>>>>>>         sync always = No
>>>>>>         use sendfile = No
>>>>>>         write cache size = 0
>>>>>>         max reported print jobs = 0
>>>>>>         max print jobs = 1000
>>>>>>         printable = No
>>>>>>         print notify backchannel = Yes
>>>>>>         print ok = No
>>>>>>         printing = cups
>>>>>>         cups options =
>>>>>>         print command =
>>>>>>         lpq command = %p
>>>>>>         lprm command =
>>>>>>         lppause command =
>>>>>>         lpresume command =
>>>>>>         queuepause command =
>>>>>>         queueresume command =
>>>>>>         printer name =
>>>>>>         use client driver = No
>>>>>>         default devmode = Yes
>>>>>>         force printername = No
>>>>>>         printjob username = %U
>>>>>>         default case = lower
>>>>>>         case sensitive = Auto
>>>>>>         preserve case = Yes
>>>>>>         short preserve case = Yes
>>>>>>         mangling char = ~
>>>>>>         hide dot files = Yes
>>>>>>         hide special files = No
>>>>>>         hide unreadable = No
>>>>>>         hide unwriteable files = No
>>>>>>         delete veto files = No
>>>>>>         veto files =
>>>>>>         hide files =
>>>>>>         veto oplock files =
>>>>>>         map archive = Yes
>>>>>>         map hidden = No
>>>>>>         map system = No
>>>>>>         map readonly = yes
>>>>>>         mangled names = Yes
>>>>>>         store dos attributes = Yes
>>>>>>         dmapi support = No
>>>>>>         browseable = Yes
>>>>>>         access based share enum = No
>>>>>>         blocking locks = Yes
>>>>>>         csc policy = manual
>>>>>>         fake oplocks = No
>>>>>>         kernel oplocks = No
>>>>>>         kernel share modes = Yes
>>>>>>         locking = Yes
>>>>>>         oplocks = Yes
>>>>>>         level2 oplocks = Yes
>>>>>>         oplock contention limit = 2
>>>>>>         posix locking = Yes
>>>>>>         strict locking = Auto
>>>>>>         dfree cache time = 0
>>>>>>         dfree command =
>>>>>>         copy =
>>>>>>         preexec =
>>>>>>         preexec close = No
>>>>>>         postexec =
>>>>>>         root preexec =
>>>>>>         root preexec close = No
>>>>>>         root postexec =
>>>>>>         available = Yes
>>>>>>         volume =
>>>>>>         fstype = NTFS
>>>>>>         wide links = No
>>>>>>         follow symlinks = Yes
>>>>>>         dont descend =
>>>>>>         magic script =
>>>>>>         magic output =
>>>>>>         delete readonly = No
>>>>>>         dos filemode = No
>>>>>>         dos filetimes = Yes
>>>>>>         dos filetime resolution = No
>>>>>>         fake directory create times = No
>>>>>>         vfs objects = acl_xattr
>>>>>>         msdfs root = No
>>>>>>         msdfs proxy =
>>>>>>         ntvfs handler =
>>>>>>
>>>>>> [printers]
>>>>>>         path = /var/spool/samba
>>>>>>         printable = Yes
>>>>>>         print ok = Yes
>>>>>>         browseable = No
>>>>>>
>>>>>> [print$]
>>>>>>         comment = Printer drivers
>>>>>>         path = /srv/samba/printer_drivers
>>>>>>         read only = No
>>>>>>
>>>>>> [Xerox7545]
>>>>>>         path = /var/spool/samba
>>>>>>         printable = Yes
>>>>>>         print ok = Yes
>>>>>>         printer name = Xerox_WC_7545
>>>>>>
>>>>>> On 08/10/2014 02:54 AM, Davor Vusir wrote:
>>>>>>> 2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>> Alright, I am calling it quits for the day unless somebody 
>>>>>>>> knows what I have
>>>>>>>> screwed up here. If I do "getent passwd" it shows all local and 
>>>>>>>> domain
>>>>>>>> users, and the domain users have the wrong ID's. If I do 
>>>>>>>> "getent passwd
>>>>>>>> <domain user>" I get absolutely nothing. Obviously I have done 
>>>>>>>> something
>>>>>>>> wrong here, but I have no clue what. This behavior started 
>>>>>>>> after modifying
>>>>>>>> the configuration file though. The modifications Rowland showed 
>>>>>>>> me in his.
>>>>>>>> That tells me that maybe it is trying to do something right and 
>>>>>>>> cannot. I
>>>>>>>> have one last idea of my own, then I will be installing the 
>>>>>>>> backports
>>>>>>>> version Monday on a clean VM.
>>>>>>>>
>>>>>>> Hey Ryan!
>>>>>>>
>>>>>>> I noticed when I ran 'testparm -v /etc/samba/smb.conf | more' that
>>>>>>> samba is using the directories (lock directory =
>>>>>>> /usr/local/samba/var/lock) from the old selfcompiled installation.
>>>>>>> Now I'm using the Sernet package.
>>>>>>>
>>>>>>> When I run 'testparm -v | more' it reads
>>>>>>> /usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf and 
>>>>>>> shows
>>>>>>> only one out of two share definitions.
>>>>>>>
>>>>>>> The file /etc/samba/smb.conf is copied from an old AD DC 
>>>>>>> serverconfig
>>>>>>> and later edited. The hidden entries like "lock directory =" 
>>>>>>> above are
>>>>>>> present.
>>>>>>>
>>>>>>> Are you perhaps experiencing the same?
>>>>>>>
>>>>>>> Regards
>>>>>>> Davor
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
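
Added example, not part of the thread and not Samba code: the POSIX ACL access-check order from acl(5) applied to the `getfacl /home/shared/fbc/` and `getent group` output quoted above, to show what the filesystem ACL alone would decide for a given domain user. The sample text is copied from the thread (group list shortened); the function names and the use of "domain users" as every user's primary group (gid 10003 in the quoted `getent passwd`) are assumptions of this example.

```python
"""Evaluate a POSIX ACL (getfacl text) for a user, using getent group text."""

# Copied from the thread: access entries for /home/shared/fbc (defaults shortened).
FBC_ACL = """\
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
# flags: -s-
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
"""

# Subset of the `getent group` lines quoted in the thread.
GETENT_GROUP = """\
staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm,daquanm,patriceb,jessicaj,shamekias,thomasa,richards
fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
domain admins:x:10002:reachfp
domain users:x:10003:
"""


def parse_getfacl(text):
    """Return owner, owning group and the access (non-default) ACL entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            perms = perms.split()[0]  # drop any "#effective:" comment
            acl["entries"].append((tag, qualifier, set(perms.replace("-", ""))))
    return acl


def groups_of(user, getent_group_text, primary_group):
    """Group names the user belongs to: primary group plus listed memberships."""
    groups = {primary_group}
    for line in getent_group_text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        if user in members.strip().split(","):
            groups.add(name)
    return groups


def check_access(acl, user, groups, want="rx"):
    """Return (granted, matching_entry) following the acl(5) check order."""
    want = set(want)
    entries = acl["entries"]
    mask = next((p for t, _q, p in entries if t == "mask"), None)

    def masked(perms):
        return perms if mask is None else perms & mask

    # 1. File owner: user:: entry, not limited by the mask.
    if user == acl["owner"]:
        perms = next(p for t, q, p in entries if t == "user" and q == "")
        return want <= perms, "user::"
    # 2. Named user entry, limited by the mask.
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= masked(p), "user:" + q
    # 3. Owning group (group::) or any named group the user is a member of.
    matched = [(q, p) for t, q, p in entries
               if t == "group" and (q or acl["group"]) in groups]
    if matched:
        for q, p in matched:
            if want <= masked(p):
                return True, "group:" + q if q else "group::"
        return False, "group:" + matched[0][0] if matched[0][0] else "group::"
    # 4. Everyone else.
    other = next(p for t, _q, p in entries if t == "other")
    return want <= other, "other::"


if __name__ == "__main__":
    acl = parse_getfacl(FBC_ACL)
    for user in ("reachfp", "reach_support", "patriceb"):
        groups = groups_of(user, GETENT_GROUP, "domain users")
        print(user, sorted(groups), check_access(acl, user, groups))
```

This only models the POSIX ACL on the share directory itself; it does not cover traversal rights on parent directories, the NT ACL that `vfs objects = acl_xattr` keeps in an extended attribute, or whether smbd resolves the same group memberships that `getent` shows.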


