[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Tue Aug 12 08:55:18 MDT 2014
I did some more reading and apparently things above 3,000,000 are from
the BUILTIN stuff. Is this correct? If so, should it be resolving or
not? I mean this IS my DC, and I would think it would resolve. If not,
that is fine, so long as this is normal.
root at dc01:/var/lib/samba# getfacl sysvol
# file: sysvol
# owner: TRUEVINE\134reachfp
# group: 3000000
user::rwx
user:TRUEVINE\134reachfp:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:TRUEVINE\134reachfp:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
On 08/12/2014 10:34 AM, Ryan Ashley wrote:
> I may have found the culprit. I attempted to change a group policy
> this morning, as domain admin, and got "Access is denied" when
> applying the change. This led me to the DC. Specifically, the sysvol
> directory. It was owned by root and 3000000. Not good. I restarted S4.
> Same thing. I did "samba-tool ntacl sysvolreset" and now I have this.
>
> root at dc01:/var/lib/samba# l
> total 1376
> -rw------- 1 root root 421888 Jun 19 14:32 account_policy.tdb
> drwx------ 2 root root 16384 Jun 19 09:41 lost+found
> drwxr-x--- 2 root root 4096 Aug 12 10:29 ntp_signd
> drwxr-xr-x 7 root root 4096 Aug 12 10:29 private
> -rw------- 1 root root 528384 Jun 19 14:32 registry.tdb
> -rw------- 1 root root 421888 Jun 19 14:32 share_info.tdb
> drwxrwx---+ 3 TRUEVINE\reachfp 3000000 4096 Aug 12 10:29 sysvol
> drwxr-x--- 2 root root 4096 Aug 12 10:29 winbindd_privileged
> root at dc01:/var/lib/samba#
>
> What group is supposed to have access to that and why is it setting it
> to some unknown ID? This is my DC and it is the ONLY DC in the domain.
> Yes, /etc/nsswitch.conf is set up to use winbind, which should be clear
> from the owner. Still, this could be why the domain is acting so
> strange. How do I fix this?
>
> On 08/12/2014 09:28 AM, Ryan Ashley wrote:
>> Still stuck. I have even tried giving everybody full permissions and
>> no matter what I do with ACLs, I keep being denied access. I believe
>> the issue is on the network level. In Windows, you normally set
>> network access to "Everyone/Full Control" and then control things via
>> NTFS permissions. Is it possible Samba is somehow stopping me at the
>> network level? How can I check?
>>
>> Also, I did some thinking and believe we went down a path that was in
>> no way going to help me. Steve and Rowland, you both had me get my
>> ID's mapping the same across all servers, but here is my thinking,
>> and it may be wrong. If I had never fixed that, but server A always
>> saw me as ID 70001 and server B saw me as 70009, who cares? If I
>> always access server A and get ID 70001 then everything with that ID
>> is always owned by me. So what should it matter if the other server
>> has a different ID for me? Everything on that server would be owned
>> by that ID. The only case I could see for having the same ID across
>> servers would be for something like a DFS. Either way, the ID's did
>> not change a thing other than the numbers stored in the ACLs. I am
>> still being denied access by every user EXCEPT the domain admin.
>>
>> So what should I look at next? I am still lost as to why this won't
>> work.
>>
>> On 08/11/2014 10:20 PM, Ryan Ashley wrote:
>>> Alright, I have spent the day trying various things to get nowhere.
>>> It is like the user being in the group means nothing to Samba. I
>>> have my support user in all groups, the drives map, but I get
>>> "Access is denied" whenever I attempt to click on a mapped drive. I
>>> read dozens of posts about how this could be a Windows 7 thing, so I
>>> added the lines below to the global section, but it does not help. I
>>> also cannot access the share from Linux (KDE4/Dolphin), so I am
>>> fairly sure this isn't a Windows 7 bug. I cannot access them from an
>>> iPad either, or my Android phone. In other words, Samba is denying
>>> access to everybody who is not the actual owner of the share, even
>>> if the user is in any of the groups in the ACL on the Linux filesystem.
>>>
>>> ntlm auth = no
>>> lanman auth = no
>>> client ntlmv2 auth = yes
>>>
>>> The rest has not changed at this point. I did configure with
>>> "--with-ads and --with-shared-modules=idmap_ad". Still no go. What
>>> could cause Samba to not figure out a user is in a group that has
>>> access to a directory? This is where I am stuck.
>>>
>>> On 8/11/2014 12:44 PM, Ryan Ashley wrote:
>>>> Alright, I am back where I started. I now have the correct ID's on
>>>> both servers, but nothing I do allows users and groups access to
>>>> the shares. I keep getting "Access Denied" when any domain user
>>>> attempts to access the shares. I have tried 777/666 and 770/660 for
>>>> the Linux permissions and nothing changes. Here is a dump of the
>>>> current server config and ACLs.
>>>>
>>>> root at fs01:~# testparm /etc/samba/smb.conf
>>>> Load smb config files from /etc/samba/smb.conf
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>> Processing section "[install$]"
>>>> Processing section "[staff$]"
>>>> Processing section "[fbc$]"
>>>> Loaded services file OK.
>>>> Server role: ROLE_DOMAIN_MEMBER
>>>> Press enter to see a dump of your service definitions
>>>>
>>>> [global]
>>>> workgroup = TRUEVINE
>>>> realm = TRUEVINE.LAN
>>>> security = ADS
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> local master = No
>>>> domain master = No
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> winbind nss info = rfc2307
>>>> idmap config TRUEVINE:range = 10001-40000
>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>> idmap config TRUEVINE:backend = ad
>>>> idmap config *:range = 70001-80000
>>>> idmap config * : backend = tdb
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>> vfs objects = acl_xattr
>>>>
>>>> [install$]
>>>> comment = "Software installation files"
>>>> path = /home/shared/install
>>>> read only = No
>>>>
>>>> [staff$]
>>>> comment = "Staff file share"
>>>> path = /home/shared/staff
>>>> read only = No
>>>>
>>>> [fbc$]
>>>> comment = "Family Bible College file share"
>>>> path = /home/shared/fbc
>>>> read only = No
>>>>
>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/fbc/
>>>> # owner: reachfp
>>>> # group: fbc
>>>> # flags: -s-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:fbc:rwx
>>>> group:70006:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:fbc:rwx
>>>> default:group:70006:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at fs01:~# getfacl /home/shared/staff/
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: home/shared/staff/
>>>> # owner: reachfp
>>>> # group: staff
>>>> # flags: -s-
>>>> user::rwx
>>>> user:reachfp:rwx
>>>> group::rwx
>>>> group:staff:rwx
>>>> group:70006:rwx
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:reachfp:rwx
>>>> default:group::---
>>>> default:group:staff:rwx
>>>> default:group:70006:rwx
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> root at fs01:~#
>>>>
>>>> The 70006 ID is the "SYSTEM" account. The guides recommended using
>>>> this for the printer shares and I have always used it on file
>>>> shares also. Removing it does not fix things, so I added it back.
>>>> If you can give me a good reason to remove it again, I will happily
>>>> do so.
>>>>
>>>> On 08/11/2014 12:11 PM, Ryan Ashley wrote:
>>>>> Just so it can be avoided, all shares had directory permissions of
>>>>> 777 and file permissions of 666. Still getting access denied. I
>>>>> just changed permissions to 770 and 660 for security. I can change
>>>>> them back if needed.
>>>>>
>>>>> root at fs01:/home/shared# l
>>>>> total 40
>>>>> drwxrws---+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>>>>> drwxrwsrwx 8 reachfp domain admins 4096 Jul 23 11:14 install
>>>>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>>>>> drwxrws---+ 13 reachfp staff 4096 Jul 23 11:30 staff
>>>>> root at fs01:/home/shared# l -n
>>>>> total 40
>>>>> drwxrws---+ 6 10001 10030 4096 Jul 23 11:31 fbc
>>>>> drwxrwsrwx 8 10001 10002 4096 Jul 23 11:14 install
>>>>> drwx------ 2 0 0 16384 Jul 15 10:00 lost+found
>>>>> drwxrws---+ 13 10001 10032 4096 Jul 23 11:30 staff
>>>>> root at fs01:/home/shared#
>>>>>
>>>>> root at fs01:/home/shared# getent group
>>>>> <snipped out the UNIX groups>
>>>>> allowed rodc password replication group:x:10007:
>>>>> enterprise read-only domain controllers:x:10013:
>>>>> denied rodc password replication group:x:10009:krbtgt
>>>>> read-only domain controllers:x:10015:
>>>>> audiovideo:x:10029:reach_support,yolandab,daquanm,richards
>>>>> group policy creator owners:x:10014:reachfp
>>>>> newmembers:x:10031:cynthiaj,joyces,yolandab,jovanm,thomasa
>>>>> vpn users:x:10033:reach_support
>>>>> staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm,daquanm,patriceb,jessicaj,shamekias,thomasa,richards
>>>>>
>>>>> fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
>>>>> ras and ias servers:x:10015:
>>>>> domain controllers:x:10005:
>>>>> enterprise admins:x:10012:reachfp
>>>>> domain computers:x:10004:
>>>>> cert publishers:x:10008:
>>>>> dnsupdateproxy:x:10011:
>>>>> domain admins:x:10002:reachfp
>>>>> domain guests:x:10006:
>>>>> schema admins:x:10016:reachfp
>>>>> domain users:x:10003:
>>>>> dnsadmins:x:10010:
>>>>> root at fs01:/home/shared# getent passwd
>>>>> <snipped the UNIX stuff again>
>>>>> shamekias:*:10011:10003:<???>:/home/TRUEVINE/shamekias:/bin/false
>>>>> richards:*:10010:10003:<???>:/home/TRUEVINE/richards:/bin/false
>>>>> yolandab:*:10013:10003:<???>:/home/TRUEVINE/yolandab:/bin/false
>>>>> joyces:*:10008:10003:<???>:/home/TRUEVINE/joyces:/bin/false
>>>>> patriceb:*:10009:10003:<???>:/home/TRUEVINE/patriceb:/bin/false
>>>>> cynthiaj:*:10003:10003:<???>:/home/TRUEVINE/cynthiaj:/bin/false
>>>>> jessicaj:*:10006:10003:<???>:/home/TRUEVINE/jessicaj:/bin/false
>>>>> reach_support:*:10002:10003:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>>>> daquanm:*:10004:10003:<???>:/home/TRUEVINE/daquanm:/bin/false
>>>>> ernestj:*:10005:10003:<???>:/home/TRUEVINE/ernestj:/bin/false
>>>>> jovanm:*:10007:10003:<???>:/home/TRUEVINE/jovanm:/bin/false
>>>>> thomasa:*:10012:10003:<???>:/home/TRUEVINE/thomasa:/bin/false
>>>>> reachfp:*:10001:10003:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>>> root at fs01:/home/shared#
>>>>>
>>>>> On 08/11/2014 11:52 AM, Ryan Ashley wrote:
>>>>>> Just to let everybody know, I rebuilt S4 from scratch using
>>>>>> "--with-shared-modules=idmap_ad" in the configuration parameters,
>>>>>> and now I am getting the correct ID's on both member servers. Now
>>>>>> my issue is that despite this, only the domain admin can browse
>>>>>> the mapped drives. Permissions are correct on all shares (I redid
>>>>>> them by hand) but people in those groups are NOT allowed access
>>>>>> despite having "full control" over the share.
>>>>>>
>>>>>> At least we made some progress. Now what should I look at since
>>>>>> the ID's are being pulled from AD correctly? My nsswitch.conf is
>>>>>> set to use winbind and winbind is running. Everything appears to
>>>>>> work correctly on both servers including same ID and such, but it
>>>>>> still denies access to everybody EXCEPT the owner.
>>>>>>
>>>>>> On 08/11/2014 09:48 AM, Ryan Ashley wrote:
>>>>>>> Thank you for that information. I just ran the command on our
>>>>>>> print-server and it appears to be using the correct
>>>>>>> configuration file, but there are LOADS of extra parameters I am
>>>>>>> assuming are at default settings. However, I do not appear to
>>>>>>> have /var/run/samba or /var/lock/samba directories. I am going
>>>>>>> to create those and see if it helps, but if it does I do not
>>>>>>> know why.
>>>>>>>
>>>>>>> Also, I cannot seem to be able to install the S4 packages from
>>>>>>> backports onto ANY Wheezy system, including my laptop. The
>>>>>>> "samba4-common-bin" is configured to depend on "python-samba"
>>>>>>> but the only version available is 4.0.x so it won't install. I
>>>>>>> am working that issue out on the Debian forums and it may result
>>>>>>> in a bug report.
>>>>>>>
>>>>>>> root at ps01:~# testparm -v /etc/samba/smb.conf
>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>>>> Processing section "[printers]"
>>>>>>> Processing section "[print$]"
>>>>>>> Processing section "[Xerox7545]"
>>>>>>> Loaded services file OK.
>>>>>>> ERROR: lock directory /var/lock/samba does not exist
>>>>>>> ERROR: pid directory /var/run/samba does not exist
>>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>
>>>>>>> [global]
>>>>>>> dos charset = CP850
>>>>>>> unix charset = UTF-8
>>>>>>> workgroup = TRUEVINE
>>>>>>> realm = TRUEVINE.LAN
>>>>>>> netbios name = PS01
>>>>>>> netbios aliases =
>>>>>>> netbios scope =
>>>>>>> server string = Samba 4.1.11
>>>>>>> interfaces =
>>>>>>> bind interfaces only = No
>>>>>>> server role = auto
>>>>>>> security = ADS
>>>>>>> auth methods = winbind
>>>>>>> encrypt passwords = Yes
>>>>>>> client schannel = Auto
>>>>>>> server schannel = Auto
>>>>>>> allow trusted domains = Yes
>>>>>>> map to guest = Never
>>>>>>> null passwords = No
>>>>>>> obey pam restrictions = No
>>>>>>> password server = *
>>>>>>> smb passwd file = /var/lib/samba/private/smbpasswd
>>>>>>> private dir = /var/lib/samba/private
>>>>>>> passdb backend = tdbsam
>>>>>>> algorithmic rid base = 1000
>>>>>>> root directory =
>>>>>>> guest account = nobody
>>>>>>> enable privileges = Yes
>>>>>>> pam password change = No
>>>>>>> passwd program =
>>>>>>> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>>>>>>> passwd chat debug = No
>>>>>>> passwd chat timeout = 2
>>>>>>> check password script =
>>>>>>> username map =
>>>>>>> username level = 0
>>>>>>> unix password sync = No
>>>>>>> restrict anonymous = 0
>>>>>>> lanman auth = No
>>>>>>> ntlm auth = Yes
>>>>>>> client NTLMv2 auth = Yes
>>>>>>> client lanman auth = No
>>>>>>> client plaintext auth = No
>>>>>>> client use spnego principal = No
>>>>>>> preload modules =
>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>> kerberos method = secrets and keytab
>>>>>>> map untrusted to domain = No
>>>>>>> log level = 2
>>>>>>> syslog = 1
>>>>>>> syslog only = No
>>>>>>> log file =
>>>>>>> max log size = 5000
>>>>>>> debug timestamp = Yes
>>>>>>> debug prefix timestamp = No
>>>>>>> debug hires timestamp = Yes
>>>>>>> debug pid = No
>>>>>>> debug uid = No
>>>>>>> debug class = No
>>>>>>> enable core files = Yes
>>>>>>> smb ports = 445, 139
>>>>>>> large readwrite = Yes
>>>>>>> server max protocol = SMB3
>>>>>>> server min protocol = LANMAN1
>>>>>>> client max protocol = NT1
>>>>>>> client min protocol = CORE
>>>>>>> unicode = Yes
>>>>>>> min receivefile size = 0
>>>>>>> read raw = Yes
>>>>>>> write raw = Yes
>>>>>>> disable netbios = No
>>>>>>> reset on zero vc = No
>>>>>>> log writeable files on exit = No
>>>>>>> defer sharing violations = Yes
>>>>>>> nt pipe support = Yes
>>>>>>> nt status support = Yes
>>>>>>> max mux = 50
>>>>>>> max xmit = 16644
>>>>>>> name resolve order = lmhosts, wins, host, bcast
>>>>>>> max ttl = 259200
>>>>>>> max wins ttl = 518400
>>>>>>> min wins ttl = 21600
>>>>>>> time server = No
>>>>>>> unix extensions = Yes
>>>>>>> use spnego = Yes
>>>>>>> client signing = default
>>>>>>> server signing = default
>>>>>>> client use spnego = Yes
>>>>>>> client ldap sasl wrapping = plain
>>>>>>> enable asu support = No
>>>>>>> svcctl list =
>>>>>>> cldap port = 0
>>>>>>> dgram port = 0
>>>>>>> nbt port = 0
>>>>>>> krb5 port = 0
>>>>>>> kpasswd port = 0
>>>>>>> web port = 0
>>>>>>> rpc big endian = No
>>>>>>> deadtime = 0
>>>>>>> getwd cache = Yes
>>>>>>> keepalive = 300
>>>>>>> lpq cache time = 30
>>>>>>> max smbd processes = 0
>>>>>>> max disk size = 0
>>>>>>> max open files = 16384
>>>>>>> socket options = TCP_NODELAY
>>>>>>> use mmap = Yes
>>>>>>> use ntdb = No
>>>>>>> hostname lookups = No
>>>>>>> name cache timeout = 660
>>>>>>> ctdbd socket =
>>>>>>> cluster addresses =
>>>>>>> clustering = No
>>>>>>> ctdb timeout = 0
>>>>>>> ctdb locktime warn threshold = 0
>>>>>>> smb2 max read = 1048576
>>>>>>> smb2 max write = 1048576
>>>>>>> smb2 max trans = 1048576
>>>>>>> smb2 max credits = 8192
>>>>>>> load printers = Yes
>>>>>>> printcap cache time = 750
>>>>>>> printcap name =
>>>>>>> cups server =
>>>>>>> cups encrypt = No
>>>>>>> cups connection timeout = 30
>>>>>>> iprint server =
>>>>>>> disable spoolss = No
>>>>>>> addport command =
>>>>>>> enumports command =
>>>>>>> addprinter command =
>>>>>>> deleteprinter command =
>>>>>>> show add printer wizard = Yes
>>>>>>> os2 driver map =
>>>>>>> mangling method = hash2
>>>>>>> mangle prefix = 1
>>>>>>> max stat cache size = 256
>>>>>>> stat cache = Yes
>>>>>>> machine password timeout = 604800
>>>>>>> add user script =
>>>>>>> rename user script =
>>>>>>> delete user script =
>>>>>>> add group script =
>>>>>>> delete group script =
>>>>>>> add user to group script =
>>>>>>> delete user from group script =
>>>>>>> set primary group script =
>>>>>>> add machine script =
>>>>>>> shutdown script =
>>>>>>> abort shutdown script =
>>>>>>> username map script =
>>>>>>> username map cache time = 0
>>>>>>> logon script =
>>>>>>> logon path = \\%N\%U\profile
>>>>>>> logon drive =
>>>>>>> logon home = \\%N\%U
>>>>>>> domain logons = No
>>>>>>> init logon delayed hosts =
>>>>>>> init logon delay = 100
>>>>>>> os level = 20
>>>>>>> lm announce = Auto
>>>>>>> lm interval = 60
>>>>>>> preferred master = No
>>>>>>> local master = Yes
>>>>>>> domain master = Auto
>>>>>>> browse list = Yes
>>>>>>> enhanced browsing = Yes
>>>>>>> dns proxy = Yes
>>>>>>> wins proxy = No
>>>>>>> wins server =
>>>>>>> wins support = No
>>>>>>> wins hook =
>>>>>>> lock spin time = 200
>>>>>>> oplock break wait time = 0
>>>>>>> ldap admin dn =
>>>>>>> ldap delete dn = No
>>>>>>> ldap group suffix =
>>>>>>> ldap idmap suffix =
>>>>>>> ldap machine suffix =
>>>>>>> ldap passwd sync = no
>>>>>>> ldap replication sleep = 1000
>>>>>>> ldap suffix =
>>>>>>> ldap ssl = start tls
>>>>>>> ldap ssl ads = No
>>>>>>> ldap deref = auto
>>>>>>> ldap follow referral = Auto
>>>>>>> ldap timeout = 15
>>>>>>> ldap connection timeout = 2
>>>>>>> ldap page size = 1024
>>>>>>> ldap user suffix =
>>>>>>> ldap debug level = 0
>>>>>>> ldap debug threshold = 10
>>>>>>> eventlog list =
>>>>>>> add share command =
>>>>>>> change share command =
>>>>>>> delete share command =
>>>>>>> preload =
>>>>>>> lock directory = /var/lock/samba
>>>>>>> state directory = /var/lib/samba
>>>>>>> cache directory = /var/cache/samba
>>>>>>> pid directory = /var/run/samba
>>>>>>> ntp signd socket directory =
>>>>>>> utmp directory =
>>>>>>> wtmp directory =
>>>>>>> utmp = No
>>>>>>> default service =
>>>>>>> message command =
>>>>>>> get quota command =
>>>>>>> set quota command =
>>>>>>> remote announce =
>>>>>>> remote browse sync =
>>>>>>> nbt client socket address = 0.0.0.0
>>>>>>> nmbd bind explicit broadcast = Yes
>>>>>>> homedir map = auto.home
>>>>>>> afs username map =
>>>>>>> afs token lifetime = 604800
>>>>>>> log nt token command =
>>>>>>> NIS homedir = No
>>>>>>> registry shares = No
>>>>>>> usershare allow guests = No
>>>>>>> usershare max shares = 0
>>>>>>> usershare owner only = Yes
>>>>>>> usershare path = /var/lib/samba/usershares
>>>>>>> usershare prefix allow list =
>>>>>>> usershare prefix deny list =
>>>>>>> usershare template share =
>>>>>>> async smb echo handler = No
>>>>>>> panic action =
>>>>>>> perfcount module =
>>>>>>> host msdfs = Yes
>>>>>>> passdb expand explicit = No
>>>>>>> idmap backend = tdb
>>>>>>> idmap cache time = 604800
>>>>>>> idmap negative cache time = 120
>>>>>>> idmap uid =
>>>>>>> idmap gid =
>>>>>>> template homedir = /home/%D/%U
>>>>>>> template shell = /bin/false
>>>>>>> winbind separator = \
>>>>>>> winbind cache time = 300
>>>>>>> winbind reconnect delay = 30
>>>>>>> winbind max clients = 200
>>>>>>> winbind enum users = Yes
>>>>>>> winbind enum groups = Yes
>>>>>>> winbind use default domain = Yes
>>>>>>> winbind trusted domains only = No
>>>>>>> winbind nested groups = Yes
>>>>>>> winbind expand groups = 1
>>>>>>> winbind nss info = rfc2307
>>>>>>> winbind refresh tickets = No
>>>>>>> winbind offline logon = No
>>>>>>> winbind normalize names = No
>>>>>>> winbind rpc only = No
>>>>>>> create krb5 conf = Yes
>>>>>>> ncalrpc dir = /var/run/samba/ncalrpc
>>>>>>> winbind max domain connections = 1
>>>>>>> winbindd socket directory =
>>>>>>> winbindd privileged socket directory =
>>>>>>> winbind sealed pipes = No
>>>>>>> allow dns updates = disabled
>>>>>>> dns forwarder =
>>>>>>> dns update command =
>>>>>>> nsupdate command =
>>>>>>> rndc command =
>>>>>>> multicast dns register = Yes
>>>>>>> samba kcc command =
>>>>>>> server services =
>>>>>>> dcerpc endpoint servers =
>>>>>>> spn update command =
>>>>>>> share backend =
>>>>>>> tls enabled = No
>>>>>>> tls keyfile =
>>>>>>> tls certfile =
>>>>>>> tls cafile =
>>>>>>> tls crlfile =
>>>>>>> tls dh params file =
>>>>>>> spoolss: architecture = Windows x64
>>>>>>> rpc_daemon:spoolssd = fork
>>>>>>> rpc_server:spoolss = external
>>>>>>> idmap config TRUEVINE:range = 10000-40000
>>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>> idmap config TRUEVINE:backend = ad
>>>>>>> idmap config *:range = 70001-80000
>>>>>>> idmap config * : backend = tdb
>>>>>>> comment =
>>>>>>> path =
>>>>>>> username =
>>>>>>> invalid users =
>>>>>>> valid users =
>>>>>>> admin users =
>>>>>>> read list =
>>>>>>> write list =
>>>>>>> force user =
>>>>>>> force group =
>>>>>>> read only = Yes
>>>>>>> acl check permissions = Yes
>>>>>>> acl group control = No
>>>>>>> acl map full control = Yes
>>>>>>> acl allow execute always = No
>>>>>>> create mask = 0744
>>>>>>> force create mode = 00
>>>>>>> directory mask = 0755
>>>>>>> force directory mode = 00
>>>>>>> force unknown acl user = No
>>>>>>> inherit permissions = No
>>>>>>> inherit acls = No
>>>>>>> inherit owner = No
>>>>>>> guest only = No
>>>>>>> administrative share = No
>>>>>>> guest ok = No
>>>>>>> only user = No
>>>>>>> hosts allow =
>>>>>>> hosts deny =
>>>>>>> allocation roundup size = 1048576
>>>>>>> aio read size = 0
>>>>>>> aio write size = 0
>>>>>>> aio write behind =
>>>>>>> ea support = No
>>>>>>> nt acl support = Yes
>>>>>>> profile acls = No
>>>>>>> map acl inherit = Yes
>>>>>>> afs share = No
>>>>>>> smb encrypt = default
>>>>>>> durable handles = Yes
>>>>>>> block size = 1024
>>>>>>> change notify = Yes
>>>>>>> directory name cache size = 100
>>>>>>> kernel change notify = Yes
>>>>>>> max connections = 0
>>>>>>> min print space = 0
>>>>>>> strict allocate = No
>>>>>>> strict sync = No
>>>>>>> sync always = No
>>>>>>> use sendfile = No
>>>>>>> write cache size = 0
>>>>>>> max reported print jobs = 0
>>>>>>> max print jobs = 1000
>>>>>>> printable = No
>>>>>>> print notify backchannel = Yes
>>>>>>> print ok = No
>>>>>>> printing = cups
>>>>>>> cups options =
>>>>>>> print command =
>>>>>>> lpq command = %p
>>>>>>> lprm command =
>>>>>>> lppause command =
>>>>>>> lpresume command =
>>>>>>> queuepause command =
>>>>>>> queueresume command =
>>>>>>> printer name =
>>>>>>> use client driver = No
>>>>>>> default devmode = Yes
>>>>>>> force printername = No
>>>>>>> printjob username = %U
>>>>>>> default case = lower
>>>>>>> case sensitive = Auto
>>>>>>> preserve case = Yes
>>>>>>> short preserve case = Yes
>>>>>>> mangling char = ~
>>>>>>> hide dot files = Yes
>>>>>>> hide special files = No
>>>>>>> hide unreadable = No
>>>>>>> hide unwriteable files = No
>>>>>>> delete veto files = No
>>>>>>> veto files =
>>>>>>> hide files =
>>>>>>> veto oplock files =
>>>>>>> map archive = Yes
>>>>>>> map hidden = No
>>>>>>> map system = No
>>>>>>> map readonly = yes
>>>>>>> mangled names = Yes
>>>>>>> store dos attributes = Yes
>>>>>>> dmapi support = No
>>>>>>> browseable = Yes
>>>>>>> access based share enum = No
>>>>>>> blocking locks = Yes
>>>>>>> csc policy = manual
>>>>>>> fake oplocks = No
>>>>>>> kernel oplocks = No
>>>>>>> kernel share modes = Yes
>>>>>>> locking = Yes
>>>>>>> oplocks = Yes
>>>>>>> level2 oplocks = Yes
>>>>>>> oplock contention limit = 2
>>>>>>> posix locking = Yes
>>>>>>> strict locking = Auto
>>>>>>> dfree cache time = 0
>>>>>>> dfree command =
>>>>>>> copy =
>>>>>>> preexec =
>>>>>>> preexec close = No
>>>>>>> postexec =
>>>>>>> root preexec =
>>>>>>> root preexec close = No
>>>>>>> root postexec =
>>>>>>> available = Yes
>>>>>>> volume =
>>>>>>> fstype = NTFS
>>>>>>> wide links = No
>>>>>>> follow symlinks = Yes
>>>>>>> dont descend =
>>>>>>> magic script =
>>>>>>> magic output =
>>>>>>> delete readonly = No
>>>>>>> dos filemode = No
>>>>>>> dos filetimes = Yes
>>>>>>> dos filetime resolution = No
>>>>>>> fake directory create times = No
>>>>>>> vfs objects = acl_xattr
>>>>>>> msdfs root = No
>>>>>>> msdfs proxy =
>>>>>>> ntvfs handler =
>>>>>>>
>>>>>>> [printers]
>>>>>>> path = /var/spool/samba
>>>>>>> printable = Yes
>>>>>>> print ok = Yes
>>>>>>> browseable = No
>>>>>>>
>>>>>>> [print$]
>>>>>>> comment = Printer drivers
>>>>>>> path = /srv/samba/printer_drivers
>>>>>>> read only = No
>>>>>>>
>>>>>>> [Xerox7545]
>>>>>>> path = /var/spool/samba
>>>>>>> printable = Yes
>>>>>>> print ok = Yes
>>>>>>> printer name = Xerox_WC_7545
>>>>>>>
>>>>>>> On 08/10/2014 02:54 AM, Davor Vusir wrote:
>>>>>>>> 2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>> Alright, I am calling it quits for the day unless somebody knows
>>>>>>>>> what I have screwed up here. If I do "getent passwd" it shows all
>>>>>>>>> local and domain users, and the domain users have the wrong ID's.
>>>>>>>>> If I do "getent passwd <domain user>" I get absolutely nothing.
>>>>>>>>> Obviously I have done something wrong here, but I have no clue
>>>>>>>>> what. This behavior started after modifying the configuration
>>>>>>>>> file though. The modifications Rowland showed me in his. That
>>>>>>>>> tells me that maybe it is trying to do something right and
>>>>>>>>> cannot. I have one last idea of my own, then I will be installing
>>>>>>>>> the backports version Monday on a clean VM.
>>>>>>>>>
>>>>>>>> Hey Ryan!
>>>>>>>>
>>>>>>>> I noticed when I ran 'testparm -v /etc/samba/smb.conf | more' that
>>>>>>>> samba is using the directories (lock directory =
>>>>>>>> /usr/local/samba/var/lock) from the old self-compiled installation.
>>>>>>>> Now I'm using the Sernet package.
>>>>>>>>
>>>>>>>> When I run 'testparm -v | more' it reads
>>>>>>>> /usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf and
>>>>>>>> shows only one out of two share definitions.
>>>>>>>>
>>>>>>>> The file /etc/samba/smb.conf is copied from an old AD DC server
>>>>>>>> config and later edited. The hidden entries like "lock directory ="
>>>>>>>> above are present.
>>>>>>>>
>>>>>>>> Are you perhaps experiencing the same?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Davor
>>>>>>>>
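Added example (not part of the thread above, and not Samba's own code): a small Python checker over the two kinds of output quoted in this thread. It reads the "idmap config" lines from the testparm dumps (the ones quoted here for fs01 and ps01 actually differ: ps01 shows "idmap config TRUEVINE:range = 10000-40000" while fs01 shows "10001-40000"), reports ranges that overlap on one host or differ between hosts for the same domain, and then reads the getfacl output for sysvol, lists the ACL entries that are still bare numeric IDs, and says which configured range each one falls in. The cut-off of 3000000 is an assumption of the example: it is the Samba default lower bound the AD DC's idmap.ldb uses when it allocates an xid for a SID that carries no uidNumber/gidNumber in AD (BUILTIN\Administrators, for instance), not something the thread establishes. The smb.conf and getfacl text embedded in the script is constructed from the quoted output, trimmed to the relevant lines.

```python
"""Check Samba idmap ranges across hosts and flag unresolved ACL principals.
Added example, not code from the thread or from Samba; inputs are constructed."""
import re
from itertools import combinations

# Constructed: the idmap lines from the fs01 and ps01 testparm dumps.
SMB_CONFS = {
    "fs01": """
idmap config TRUEVINE:range = 10001-40000
idmap config TRUEVINE:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb
""",
    "ps01": """
idmap config TRUEVINE:range = 10000-40000
idmap config TRUEVINE:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb
""",
}

# Constructed: getfacl of sysvol on the DC after 'samba-tool ntacl sysvolreset'.
GETFACL_DC = """# file: sysvol
# owner: TRUEVINE\\134reachfp
# group: 3000000
user::rwx
user:TRUEVINE\\134reachfp:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
mask::rwx
"""

# Assumption (Samba default, not stated in the thread): the AD DC's idmap.ldb
# hands out xids from 3000000 upward for SIDs with no uidNumber/gidNumber.
DC_IDMAP_LDB_BASE = 3000000

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I | re.M)
ACE_RE = re.compile(r"^(?:default:)?(?:user|group):([^:]+):[rwx-]{3}$", re.M)


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out = {}
    for dom, opt, val in IDMAP_RE.findall(conf_text):
        out.setdefault(dom, {})[opt.lower()] = val
    return out


def parse_range(text):
    """'10001-40000' -> (10001, 40000); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-", 1))
    if lo > hi:
        raise ValueError("bad idmap range %r" % text)
    return lo, hi


def check_ranges(confs):
    """Findings: ranges overlapping on one host, or differing across hosts."""
    findings, seen = [], {}  # seen: domain -> {"lo-hi": [hosts]}
    for host, text in confs.items():
        ranges = {d: parse_range(o["range"])
                  for d, o in parse_idmap(text).items() if "range" in o}
        for (d1, r1), (d2, r2) in combinations(ranges.items(), 2):
            if r1[0] <= r2[1] and r2[0] <= r1[1]:
                findings.append("%s: idmap ranges for %s and %s overlap"
                                % (host, d1, d2))
        for d, (lo, hi) in ranges.items():
            seen.setdefault(d, {}).setdefault("%d-%d" % (lo, hi), []).append(host)
    for d, by_range in seen.items():
        if len(by_range) > 1:
            desc = ", ".join("%s on %s" % (r, "/".join(h))
                             for r, h in sorted(by_range.items()))
            findings.append("domain %s: range differs between hosts (%s)"
                            % (d, desc))
    return findings


def unresolved_ids(getfacl_text):
    """Numeric qualifiers in named ACL entries plus the owner/group header:
    ids that nss (winbind) could not turn back into a name."""
    ids = {int(q) for q in ACE_RE.findall(getfacl_text) if q.isdigit()}
    ids |= {int(m) for m in
            re.findall(r"^# (?:owner|group): (\d+)$", getfacl_text, re.M)}
    return sorted(ids)


def classify(xid, conf_text):
    """Name the idmap range (and backend) a numeric id falls into on a host."""
    for dom, opts in parse_idmap(conf_text).items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= xid <= hi:
                return "%s (%s backend)" % (dom, opts.get("backend", "?"))
    if xid >= DC_IDMAP_LDB_BASE:
        return "DC idmap.ldb allocation (no uidNumber/gidNumber in AD)"
    return "outside every configured range"
```

To run it against real hosts, feed check_ranges() the "testparm -s" output of every member server and unresolved_ids() the getfacl output of the share root. An ID that lands in the "*" tdb range (70006 on fs01 above) was allocated locally by that server's winbind, so the same SID gets a different number on another member; that is the practical reason the per-domain range and backend have to match on every host that serves the same ACLs.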