[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Tue Aug 12 09:50:41 MDT 2014
Alright, now all the printers are giving me access denied. I need an
answer in the next thirty minutes or I am going to file a bug report. I
have spent too many days and nights on this already. I have been over
countless documents and such both at the Samba Wiki and at other sites.
I worked with people on this list and I have tried so much that should
not have mattered, and now we have other people reporting access denied
errors, including one on this very list. I believe Samba is broken in
some way currently that is denying access to everybody, despite proper
permissions (ACLs) and configuration. I get denied access to both shares
and printers, even though I have the correct UID/GID on all of my
systems. I will await a response. If nobody can figure this out, I'll
file the report so this can be fixed.
On 08/12/2014 10:55 AM, Ryan Ashley wrote:
> I did some more reading and apparently things above 3,000,000 are from
> the BUILTIN stuff. Is this correct? If so, should it be resolving or
> not? I mean this IS my DC, and I would think it would resolve. If not,
> that is fine, so long as this is normal.
>
> root at dc01:/var/lib/samba# getfacl sysvol
> # file: sysvol
> # owner: TRUEVINE\134reachfp
> # group: 3000000
> user::rwx
> user:TRUEVINE\134reachfp:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:TRUEVINE\134reachfp:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> On 08/12/2014 10:34 AM, Ryan Ashley wrote:
>> I may have found the culprit. I attempted to change a group policy
>> this morning, as domain admin, and got "Access is denied" when
>> applying the change. This led me to the DC. Specifically, the sysvol
>> directory. It was owned by root and 3000000. Not good. I restarted
>> S4. Same thing. I did "samba-tool ntacl sysvolreset" and now I have
>> this.
>>
>> root at dc01:/var/lib/samba# l
>> total 1376
>> -rw------- 1 root root 421888 Jun 19 14:32 account_policy.tdb
>> drwx------ 2 root root 16384 Jun 19 09:41 lost+found
>> drwxr-x--- 2 root root 4096 Aug 12 10:29 ntp_signd
>> drwxr-xr-x 7 root root 4096 Aug 12 10:29 private
>> -rw------- 1 root root 528384 Jun 19 14:32 registry.tdb
>> -rw------- 1 root root 421888 Jun 19 14:32
>> share_info.tdb
>> drwxrwx---+ 3 TRUEVINE\reachfp 3000000 4096 Aug 12 10:29 sysvol
>> drwxr-x--- 2 root root 4096 Aug 12 10:29 winbindd_privileged
>> root at dc01:/var/lib/samba#
>>
>> What group is supposed to have access to that and why is it setting
>> it to some unknown ID? This is my DC and it is the ONLY DC in the
>> domain. Yes, /etc/nsswitch.conf is set up to use winbind, which should
>> be clear from the owner. Still, this could be why the domain is
>> acting so strange. How do I fix this?
>>
>> On 08/12/2014 09:28 AM, Ryan Ashley wrote:
>>> Still stuck. I have even tried giving everybody full permissions and
>>> no matter what I do with ACLs, I keep being denied access. I believe
>>> the issue is on the network level. In Windows, you normally set
>>> network access to "Everyone/Full Control" and then control things
>>> via NTFS permissions. Is it possible Samba is somehow stopping me at
>>> the network level? How can I check?
>>>
>>> Also, I did some thinking and believe we went down a path that was
>>> in no way going to help me. Steve and Rowland, you both had me get
>>> my IDs mapping the same across all servers, but here is my
>>> thinking, and it may be wrong. If I had never fixed that, but server
>>> A always saw me as ID 70001 and server B saw me as 70009, who cares?
>>> If I always access server A and get ID 70001 then everything with
>>> that ID is always owned by me. So what should it matter if the other
>>> server has a different ID for me? Everything on that server would be
>>> owned by that ID. The only case I could see for having the same ID
>>> across servers would be for something like a DFS. Either way, the
>>> IDs did not change a thing other than the numbers stored in the
>>> ACLs. I am still being denied access by every user EXCEPT the domain
>>> admin.
>>>
>>> So what should I look at next? I am still lost as to why this won't
>>> work.
>>>
>>> On 08/11/2014 10:20 PM, Ryan Ashley wrote:
>>>> Alright, I have spent the day trying various things to get nowhere.
>>>> It is like the user being in the group means nothing to Samba. I
>>>> have my support user in all groups, the drives map, but I get
>>>> "Access is denied" whenever I attempt to click on a mapped drive. I
>>>> read dozens of posts about how this could be a Windows 7 thing, so
>>>> I added the lines below to the global section, but it does not
>>>> help. I also cannot access the share from Linux (KDE4/Dolphin), so
>>>> I am fairly sure this isn't a Windows 7 bug. I cannot access them
>>>> from an iPad either, or my Android phone. In other words, Samba is
>>>> denying access to everybody who is not the actual owner of the
>>>> share, even if the user is in any of the groups in the ACL on the
>>>> Linux filesystem.
>>>>
>>>> ntlm auth = no
>>>> lanman auth = no
>>>> client ntlmv2 auth = yes
>>>>
>>>> The rest has not changed at this point. I did configure with
>>>> "--with-ads and --with-shared-modules=idmap_ad". Still no go. What
>>>> could cause Samba to not figure out a user is in a group that has
>>>> access to a directory? This is where I am stuck.
>>>>
>>>> On 8/11/2014 12:44 PM, Ryan Ashley wrote:
>>>>> Alright, I am back where I started. I now have the correct IDs on
>>>>> both servers, but nothing I do allows users and groups access to
>>>>> the shares. I keep getting "Access Denied" when any domain user
>>>>> attempts to access the shares. I have tried 777/666 and 770/660
>>>>> for the Linux permissions and nothing changes. Here is a dump of
>>>>> the current server config and ACLs.
>>>>>
>>>>> root at fs01:~# testparm /etc/samba/smb.conf
>>>>> Load smb config files from /etc/samba/smb.conf
>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>> Processing section "[install$]"
>>>>> Processing section "[staff$]"
>>>>> Processing section "[fbc$]"
>>>>> Loaded services file OK.
>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>> [global]
>>>>> workgroup = TRUEVINE
>>>>> realm = TRUEVINE.LAN
>>>>> security = ADS
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> local master = No
>>>>> domain master = No
>>>>> winbind enum users = Yes
>>>>> winbind enum groups = Yes
>>>>> winbind use default domain = Yes
>>>>> winbind nss info = rfc2307
>>>>> idmap config TRUEVINE:range = 10001-40000
>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>> idmap config TRUEVINE:backend = ad
>>>>> idmap config *:range = 70001-80000
>>>>> idmap config * : backend = tdb
>>>>> map acl inherit = Yes
>>>>> store dos attributes = Yes
>>>>> vfs objects = acl_xattr
>>>>>
>>>>> [install$]
>>>>> comment = "Software installation files"
>>>>> path = /home/shared/install
>>>>> read only = No
>>>>>
>>>>> [staff$]
>>>>> comment = "Staff file share"
>>>>> path = /home/shared/staff
>>>>> read only = No
>>>>>
>>>>> [fbc$]
>>>>> comment = "Family Bible College file share"
>>>>> path = /home/shared/fbc
>>>>> read only = No
>>>>>
>>>>> root at fs01:~# getfacl /home/shared/fbc/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/fbc/
>>>>> # owner: reachfp
>>>>> # group: fbc
>>>>> # flags: -s-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:fbc:rwx
>>>>> group:70006:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:fbc:rwx
>>>>> default:group:70006:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> root at fs01:~# getfacl /home/shared/staff/
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: home/shared/staff/
>>>>> # owner: reachfp
>>>>> # group: staff
>>>>> # flags: -s-
>>>>> user::rwx
>>>>> user:reachfp:rwx
>>>>> group::rwx
>>>>> group:staff:rwx
>>>>> group:70006:rwx
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:reachfp:rwx
>>>>> default:group::---
>>>>> default:group:staff:rwx
>>>>> default:group:70006:rwx
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> root at fs01:~#
>>>>>
>>>>> The 70006 ID is the "SYSTEM" account. The guides recommended using
>>>>> this for the printer shares and I have always used it on file
>>>>> shares also. Removing it does not fix things, so I added it back.
>>>>> If you can give me a good reason to remove it again, I will
>>>>> happily do so.
>>>>>
>>>>> On 08/11/2014 12:11 PM, Ryan Ashley wrote:
>>>>>> Just so it can be avoided, all shares had directory permissions
>>>>>> of 777 and file permissions of 666. Still getting access denied.
>>>>>> I just changed permissions to 770 and 660 for security. I can
>>>>>> change them back if needed.
>>>>>>
>>>>>> root at fs01:/home/shared# l
>>>>>> total 40
>>>>>> drwxrws---+ 6 reachfp fbc 4096 Jul 23 11:31 fbc
>>>>>> drwxrwsrwx 8 reachfp domain admins 4096 Jul 23 11:14 install
>>>>>> drwx------ 2 root root 16384 Jul 15 10:00 lost+found
>>>>>> drwxrws---+ 13 reachfp staff 4096 Jul 23 11:30 staff
>>>>>> root at fs01:/home/shared# l -n
>>>>>> total 40
>>>>>> drwxrws---+ 6 10001 10030 4096 Jul 23 11:31 fbc
>>>>>> drwxrwsrwx 8 10001 10002 4096 Jul 23 11:14 install
>>>>>> drwx------ 2 0 0 16384 Jul 15 10:00 lost+found
>>>>>> drwxrws---+ 13 10001 10032 4096 Jul 23 11:30 staff
>>>>>> root at fs01:/home/shared#
>>>>>>
>>>>>> root at fs01:/home/shared# getent group
>>>>>> <snipped out the UNIX groups>
>>>>>> allowed rodc password replication group:x:10007:
>>>>>> enterprise read-only domain controllers:x:10013:
>>>>>> denied rodc password replication group:x:10009:krbtgt
>>>>>> read-only domain controllers:x:10015:
>>>>>> audiovideo:x:10029:reach_support,yolandab,daquanm,richards
>>>>>> group policy creator owners:x:10014:reachfp
>>>>>> newmembers:x:10031:cynthiaj,joyces,yolandab,jovanm,thomasa
>>>>>> vpn users:x:10033:reach_support
>>>>>> staff:x:10032:reach_support,ernestj,cynthiaj,joyces,yolandab,jovanm,daquanm,patriceb,jessicaj,shamekias,thomasa,richards
>>>>>>
>>>>>> fbc:x:10030:reach_support,ernestj,cynthiaj,joyces,jessicaj
>>>>>> ras and ias servers:x:10015:
>>>>>> domain controllers:x:10005:
>>>>>> enterprise admins:x:10012:reachfp
>>>>>> domain computers:x:10004:
>>>>>> cert publishers:x:10008:
>>>>>> dnsupdateproxy:x:10011:
>>>>>> domain admins:x:10002:reachfp
>>>>>> domain guests:x:10006:
>>>>>> schema admins:x:10016:reachfp
>>>>>> domain users:x:10003:
>>>>>> dnsadmins:x:10010:
>>>>>> root at fs01:/home/shared# getent passwd
>>>>>> <snipped the UNIX stuff again>
>>>>>> shamekias:*:10011:10003:<???>:/home/TRUEVINE/shamekias:/bin/false
>>>>>> richards:*:10010:10003:<???>:/home/TRUEVINE/richards:/bin/false
>>>>>> yolandab:*:10013:10003:<???>:/home/TRUEVINE/yolandab:/bin/false
>>>>>> joyces:*:10008:10003:<???>:/home/TRUEVINE/joyces:/bin/false
>>>>>> patriceb:*:10009:10003:<???>:/home/TRUEVINE/patriceb:/bin/false
>>>>>> cynthiaj:*:10003:10003:<???>:/home/TRUEVINE/cynthiaj:/bin/false
>>>>>> jessicaj:*:10006:10003:<???>:/home/TRUEVINE/jessicaj:/bin/false
>>>>>> reach_support:*:10002:10003:Reach Support:/home/TRUEVINE/reach_support:/bin/false
>>>>>> daquanm:*:10004:10003:<???>:/home/TRUEVINE/daquanm:/bin/false
>>>>>> ernestj:*:10005:10003:<???>:/home/TRUEVINE/ernestj:/bin/false
>>>>>> jovanm:*:10007:10003:<???>:/home/TRUEVINE/jovanm:/bin/false
>>>>>> thomasa:*:10012:10003:<???>:/home/TRUEVINE/thomasa:/bin/false
>>>>>> reachfp:*:10001:10003:reachfp:/home/TRUEVINE/reachfp:/bin/false
>>>>>> root at fs01:/home/shared#
>>>>>>
>>>>>> On 08/11/2014 11:52 AM, Ryan Ashley wrote:
>>>>>>> Just to let everybody know, I rebuilt S4 from scratch using
>>>>>>> "--with-shared-modules=idmap_ad" in the configuration
>>>>>>> parameters, and now I am getting the correct IDs on both member
>>>>>>> servers. Now my issue is that despite this, only the domain
>>>>>>> admin can browse the mapped drives. Permissions are correct on
>>>>>>> all shares (I redid them by hand) but people in those groups are
>>>>>>> NOT allowed access despite having "full control" over the share.
>>>>>>>
>>>>>>> At least we made some progress. Now what should I look at since
>>>>>>> the IDs are being pulled from AD correctly? My nsswitch.conf
>>>>>>> is set to use winbind and winbind is running. Everything
>>>>>>> appears to work correctly on both servers including same ID and
>>>>>>> such, but it still denies access to everybody EXCEPT the owner.
>>>>>>>
>>>>>>> On 08/11/2014 09:48 AM, Ryan Ashley wrote:
>>>>>>>> Thank you for that information. I just ran the command on our
>>>>>>>> print server and it appears to be using the correct
>>>>>>>> configuration file, but there are LOADS of extra parameters I
>>>>>>>> am assuming are at default settings. However, I do not appear
>>>>>>>> to have /var/run/samba or /var/lock/samba directories. I am
>>>>>>>> going to create those and see if it helps, but if it does I do
>>>>>>>> not know why.
>>>>>>>>
>>>>>>>> Also, I cannot seem to be able to install the S4 packages from
>>>>>>>> backports onto ANY Wheezy system, including my laptop. The
>>>>>>>> "samba4-common-bin" is configured to depend on "python-samba"
>>>>>>>> but the only version available is 4.0.x so it won't install. I
>>>>>>>> am working that issue out on the Debian forums and it may result
>>>>>>>> in a bug report.
>>>>>>>>
>>>>>>>> root at ps01:~# testparm -v /etc/samba/smb.conf
>>>>>>>> Load smb config files from /etc/samba/smb.conf
>>>>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>>>>> Processing section "[printers]"
>>>>>>>> Processing section "[print$]"
>>>>>>>> Processing section "[Xerox7545]"
>>>>>>>> Loaded services file OK.
>>>>>>>> ERROR: lock directory /var/lock/samba does not exist
>>>>>>>> ERROR: pid directory /var/run/samba does not exist
>>>>>>>> Server role: ROLE_DOMAIN_MEMBER
>>>>>>>> Press enter to see a dump of your service definitions
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> dos charset = CP850
>>>>>>>> unix charset = UTF-8
>>>>>>>> workgroup = TRUEVINE
>>>>>>>> realm = TRUEVINE.LAN
>>>>>>>> netbios name = PS01
>>>>>>>> netbios aliases =
>>>>>>>> netbios scope =
>>>>>>>> server string = Samba 4.1.11
>>>>>>>> interfaces =
>>>>>>>> bind interfaces only = No
>>>>>>>> server role = auto
>>>>>>>> security = ADS
>>>>>>>> auth methods = winbind
>>>>>>>> encrypt passwords = Yes
>>>>>>>> client schannel = Auto
>>>>>>>> server schannel = Auto
>>>>>>>> allow trusted domains = Yes
>>>>>>>> map to guest = Never
>>>>>>>> null passwords = No
>>>>>>>> obey pam restrictions = No
>>>>>>>> password server = *
>>>>>>>> smb passwd file = /var/lib/samba/private/smbpasswd
>>>>>>>> private dir = /var/lib/samba/private
>>>>>>>> passdb backend = tdbsam
>>>>>>>> algorithmic rid base = 1000
>>>>>>>> root directory =
>>>>>>>> guest account = nobody
>>>>>>>> enable privileges = Yes
>>>>>>>> pam password change = No
>>>>>>>> passwd program =
>>>>>>>> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>>>>>>>> passwd chat debug = No
>>>>>>>> passwd chat timeout = 2
>>>>>>>> check password script =
>>>>>>>> username map =
>>>>>>>> username level = 0
>>>>>>>> unix password sync = No
>>>>>>>> restrict anonymous = 0
>>>>>>>> lanman auth = No
>>>>>>>> ntlm auth = Yes
>>>>>>>> client NTLMv2 auth = Yes
>>>>>>>> client lanman auth = No
>>>>>>>> client plaintext auth = No
>>>>>>>> client use spnego principal = No
>>>>>>>> preload modules =
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>> map untrusted to domain = No
>>>>>>>> log level = 2
>>>>>>>> syslog = 1
>>>>>>>> syslog only = No
>>>>>>>> log file =
>>>>>>>> max log size = 5000
>>>>>>>> debug timestamp = Yes
>>>>>>>> debug prefix timestamp = No
>>>>>>>> debug hires timestamp = Yes
>>>>>>>> debug pid = No
>>>>>>>> debug uid = No
>>>>>>>> debug class = No
>>>>>>>> enable core files = Yes
>>>>>>>> smb ports = 445, 139
>>>>>>>> large readwrite = Yes
>>>>>>>> server max protocol = SMB3
>>>>>>>> server min protocol = LANMAN1
>>>>>>>> client max protocol = NT1
>>>>>>>> client min protocol = CORE
>>>>>>>> unicode = Yes
>>>>>>>> min receivefile size = 0
>>>>>>>> read raw = Yes
>>>>>>>> write raw = Yes
>>>>>>>> disable netbios = No
>>>>>>>> reset on zero vc = No
>>>>>>>> log writeable files on exit = No
>>>>>>>> defer sharing violations = Yes
>>>>>>>> nt pipe support = Yes
>>>>>>>> nt status support = Yes
>>>>>>>> max mux = 50
>>>>>>>> max xmit = 16644
>>>>>>>> name resolve order = lmhosts, wins, host, bcast
>>>>>>>> max ttl = 259200
>>>>>>>> max wins ttl = 518400
>>>>>>>> min wins ttl = 21600
>>>>>>>> time server = No
>>>>>>>> unix extensions = Yes
>>>>>>>> use spnego = Yes
>>>>>>>> client signing = default
>>>>>>>> server signing = default
>>>>>>>> client use spnego = Yes
>>>>>>>> client ldap sasl wrapping = plain
>>>>>>>> enable asu support = No
>>>>>>>> svcctl list =
>>>>>>>> cldap port = 0
>>>>>>>> dgram port = 0
>>>>>>>> nbt port = 0
>>>>>>>> krb5 port = 0
>>>>>>>> kpasswd port = 0
>>>>>>>> web port = 0
>>>>>>>> rpc big endian = No
>>>>>>>> deadtime = 0
>>>>>>>> getwd cache = Yes
>>>>>>>> keepalive = 300
>>>>>>>> lpq cache time = 30
>>>>>>>> max smbd processes = 0
>>>>>>>> max disk size = 0
>>>>>>>> max open files = 16384
>>>>>>>> socket options = TCP_NODELAY
>>>>>>>> use mmap = Yes
>>>>>>>> use ntdb = No
>>>>>>>> hostname lookups = No
>>>>>>>> name cache timeout = 660
>>>>>>>> ctdbd socket =
>>>>>>>> cluster addresses =
>>>>>>>> clustering = No
>>>>>>>> ctdb timeout = 0
>>>>>>>> ctdb locktime warn threshold = 0
>>>>>>>> smb2 max read = 1048576
>>>>>>>> smb2 max write = 1048576
>>>>>>>> smb2 max trans = 1048576
>>>>>>>> smb2 max credits = 8192
>>>>>>>> load printers = Yes
>>>>>>>> printcap cache time = 750
>>>>>>>> printcap name =
>>>>>>>> cups server =
>>>>>>>> cups encrypt = No
>>>>>>>> cups connection timeout = 30
>>>>>>>> iprint server =
>>>>>>>> disable spoolss = No
>>>>>>>> addport command =
>>>>>>>> enumports command =
>>>>>>>> addprinter command =
>>>>>>>> deleteprinter command =
>>>>>>>> show add printer wizard = Yes
>>>>>>>> os2 driver map =
>>>>>>>> mangling method = hash2
>>>>>>>> mangle prefix = 1
>>>>>>>> max stat cache size = 256
>>>>>>>> stat cache = Yes
>>>>>>>> machine password timeout = 604800
>>>>>>>> add user script =
>>>>>>>> rename user script =
>>>>>>>> delete user script =
>>>>>>>> add group script =
>>>>>>>> delete group script =
>>>>>>>> add user to group script =
>>>>>>>> delete user from group script =
>>>>>>>> set primary group script =
>>>>>>>> add machine script =
>>>>>>>> shutdown script =
>>>>>>>> abort shutdown script =
>>>>>>>> username map script =
>>>>>>>> username map cache time = 0
>>>>>>>> logon script =
>>>>>>>> logon path = \\%N\%U\profile
>>>>>>>> logon drive =
>>>>>>>> logon home = \\%N\%U
>>>>>>>> domain logons = No
>>>>>>>> init logon delayed hosts =
>>>>>>>> init logon delay = 100
>>>>>>>> os level = 20
>>>>>>>> lm announce = Auto
>>>>>>>> lm interval = 60
>>>>>>>> preferred master = No
>>>>>>>> local master = Yes
>>>>>>>> domain master = Auto
>>>>>>>> browse list = Yes
>>>>>>>> enhanced browsing = Yes
>>>>>>>> dns proxy = Yes
>>>>>>>> wins proxy = No
>>>>>>>> wins server =
>>>>>>>> wins support = No
>>>>>>>> wins hook =
>>>>>>>> lock spin time = 200
>>>>>>>> oplock break wait time = 0
>>>>>>>> ldap admin dn =
>>>>>>>> ldap delete dn = No
>>>>>>>> ldap group suffix =
>>>>>>>> ldap idmap suffix =
>>>>>>>> ldap machine suffix =
>>>>>>>> ldap passwd sync = no
>>>>>>>> ldap replication sleep = 1000
>>>>>>>> ldap suffix =
>>>>>>>> ldap ssl = start tls
>>>>>>>> ldap ssl ads = No
>>>>>>>> ldap deref = auto
>>>>>>>> ldap follow referral = Auto
>>>>>>>> ldap timeout = 15
>>>>>>>> ldap connection timeout = 2
>>>>>>>> ldap page size = 1024
>>>>>>>> ldap user suffix =
>>>>>>>> ldap debug level = 0
>>>>>>>> ldap debug threshold = 10
>>>>>>>> eventlog list =
>>>>>>>> add share command =
>>>>>>>> change share command =
>>>>>>>> delete share command =
>>>>>>>> preload =
>>>>>>>> lock directory = /var/lock/samba
>>>>>>>> state directory = /var/lib/samba
>>>>>>>> cache directory = /var/cache/samba
>>>>>>>> pid directory = /var/run/samba
>>>>>>>> ntp signd socket directory =
>>>>>>>> utmp directory =
>>>>>>>> wtmp directory =
>>>>>>>> utmp = No
>>>>>>>> default service =
>>>>>>>> message command =
>>>>>>>> get quota command =
>>>>>>>> set quota command =
>>>>>>>> remote announce =
>>>>>>>> remote browse sync =
>>>>>>>> nbt client socket address = 0.0.0.0
>>>>>>>> nmbd bind explicit broadcast = Yes
>>>>>>>> homedir map = auto.home
>>>>>>>> afs username map =
>>>>>>>> afs token lifetime = 604800
>>>>>>>> log nt token command =
>>>>>>>> NIS homedir = No
>>>>>>>> registry shares = No
>>>>>>>> usershare allow guests = No
>>>>>>>> usershare max shares = 0
>>>>>>>> usershare owner only = Yes
>>>>>>>> usershare path = /var/lib/samba/usershares
>>>>>>>> usershare prefix allow list =
>>>>>>>> usershare prefix deny list =
>>>>>>>> usershare template share =
>>>>>>>> async smb echo handler = No
>>>>>>>> panic action =
>>>>>>>> perfcount module =
>>>>>>>> host msdfs = Yes
>>>>>>>> passdb expand explicit = No
>>>>>>>> idmap backend = tdb
>>>>>>>> idmap cache time = 604800
>>>>>>>> idmap negative cache time = 120
>>>>>>>> idmap uid =
>>>>>>>> idmap gid =
>>>>>>>> template homedir = /home/%D/%U
>>>>>>>> template shell = /bin/false
>>>>>>>> winbind separator = \
>>>>>>>> winbind cache time = 300
>>>>>>>> winbind reconnect delay = 30
>>>>>>>> winbind max clients = 200
>>>>>>>> winbind enum users = Yes
>>>>>>>> winbind enum groups = Yes
>>>>>>>> winbind use default domain = Yes
>>>>>>>> winbind trusted domains only = No
>>>>>>>> winbind nested groups = Yes
>>>>>>>> winbind expand groups = 1
>>>>>>>> winbind nss info = rfc2307
>>>>>>>> winbind refresh tickets = No
>>>>>>>> winbind offline logon = No
>>>>>>>> winbind normalize names = No
>>>>>>>> winbind rpc only = No
>>>>>>>> create krb5 conf = Yes
>>>>>>>> ncalrpc dir = /var/run/samba/ncalrpc
>>>>>>>> winbind max domain connections = 1
>>>>>>>> winbindd socket directory =
>>>>>>>> winbindd privileged socket directory =
>>>>>>>> winbind sealed pipes = No
>>>>>>>> allow dns updates = disabled
>>>>>>>> dns forwarder =
>>>>>>>> dns update command =
>>>>>>>> nsupdate command =
>>>>>>>> rndc command =
>>>>>>>> multicast dns register = Yes
>>>>>>>> samba kcc command =
>>>>>>>> server services =
>>>>>>>> dcerpc endpoint servers =
>>>>>>>> spn update command =
>>>>>>>> share backend =
>>>>>>>> tls enabled = No
>>>>>>>> tls keyfile =
>>>>>>>> tls certfile =
>>>>>>>> tls cafile =
>>>>>>>> tls crlfile =
>>>>>>>> tls dh params file =
>>>>>>>> spoolss: architecture = Windows x64
>>>>>>>> rpc_daemon:spoolssd = fork
>>>>>>>> rpc_server:spoolss = external
>>>>>>>> idmap config TRUEVINE:range = 10000-40000
>>>>>>>> idmap config TRUEVINE:schema_mode = rfc2307
>>>>>>>> idmap config TRUEVINE:backend = ad
>>>>>>>> idmap config *:range = 70001-80000
>>>>>>>> idmap config * : backend = tdb
>>>>>>>> comment =
>>>>>>>> path =
>>>>>>>> username =
>>>>>>>> invalid users =
>>>>>>>> valid users =
>>>>>>>> admin users =
>>>>>>>> read list =
>>>>>>>> write list =
>>>>>>>> force user =
>>>>>>>> force group =
>>>>>>>> read only = Yes
>>>>>>>> acl check permissions = Yes
>>>>>>>> acl group control = No
>>>>>>>> acl map full control = Yes
>>>>>>>> acl allow execute always = No
>>>>>>>> create mask = 0744
>>>>>>>> force create mode = 00
>>>>>>>> directory mask = 0755
>>>>>>>> force directory mode = 00
>>>>>>>> force unknown acl user = No
>>>>>>>> inherit permissions = No
>>>>>>>> inherit acls = No
>>>>>>>> inherit owner = No
>>>>>>>> guest only = No
>>>>>>>> administrative share = No
>>>>>>>> guest ok = No
>>>>>>>> only user = No
>>>>>>>> hosts allow =
>>>>>>>> hosts deny =
>>>>>>>> allocation roundup size = 1048576
>>>>>>>> aio read size = 0
>>>>>>>> aio write size = 0
>>>>>>>> aio write behind =
>>>>>>>> ea support = No
>>>>>>>> nt acl support = Yes
>>>>>>>> profile acls = No
>>>>>>>> map acl inherit = Yes
>>>>>>>> afs share = No
>>>>>>>> smb encrypt = default
>>>>>>>> durable handles = Yes
>>>>>>>> block size = 1024
>>>>>>>> change notify = Yes
>>>>>>>> directory name cache size = 100
>>>>>>>> kernel change notify = Yes
>>>>>>>> max connections = 0
>>>>>>>> min print space = 0
>>>>>>>> strict allocate = No
>>>>>>>> strict sync = No
>>>>>>>> sync always = No
>>>>>>>> use sendfile = No
>>>>>>>> write cache size = 0
>>>>>>>> max reported print jobs = 0
>>>>>>>> max print jobs = 1000
>>>>>>>> printable = No
>>>>>>>> print notify backchannel = Yes
>>>>>>>> print ok = No
>>>>>>>> printing = cups
>>>>>>>> cups options =
>>>>>>>> print command =
>>>>>>>> lpq command = %p
>>>>>>>> lprm command =
>>>>>>>> lppause command =
>>>>>>>> lpresume command =
>>>>>>>> queuepause command =
>>>>>>>> queueresume command =
>>>>>>>> printer name =
>>>>>>>> use client driver = No
>>>>>>>> default devmode = Yes
>>>>>>>> force printername = No
>>>>>>>> printjob username = %U
>>>>>>>> default case = lower
>>>>>>>> case sensitive = Auto
>>>>>>>> preserve case = Yes
>>>>>>>> short preserve case = Yes
>>>>>>>> mangling char = ~
>>>>>>>> hide dot files = Yes
>>>>>>>> hide special files = No
>>>>>>>> hide unreadable = No
>>>>>>>> hide unwriteable files = No
>>>>>>>> delete veto files = No
>>>>>>>> veto files =
>>>>>>>> hide files =
>>>>>>>> veto oplock files =
>>>>>>>> map archive = Yes
>>>>>>>> map hidden = No
>>>>>>>> map system = No
>>>>>>>> map readonly = yes
>>>>>>>> mangled names = Yes
>>>>>>>> store dos attributes = Yes
>>>>>>>> dmapi support = No
>>>>>>>> browseable = Yes
>>>>>>>> access based share enum = No
>>>>>>>> blocking locks = Yes
>>>>>>>> csc policy = manual
>>>>>>>> fake oplocks = No
>>>>>>>> kernel oplocks = No
>>>>>>>> kernel share modes = Yes
>>>>>>>> locking = Yes
>>>>>>>> oplocks = Yes
>>>>>>>> level2 oplocks = Yes
>>>>>>>> oplock contention limit = 2
>>>>>>>> posix locking = Yes
>>>>>>>> strict locking = Auto
>>>>>>>> dfree cache time = 0
>>>>>>>> dfree command =
>>>>>>>> copy =
>>>>>>>> preexec =
>>>>>>>> preexec close = No
>>>>>>>> postexec =
>>>>>>>> root preexec =
>>>>>>>> root preexec close = No
>>>>>>>> root postexec =
>>>>>>>> available = Yes
>>>>>>>> volume =
>>>>>>>> fstype = NTFS
>>>>>>>> wide links = No
>>>>>>>> follow symlinks = Yes
>>>>>>>> dont descend =
>>>>>>>> magic script =
>>>>>>>> magic output =
>>>>>>>> delete readonly = No
>>>>>>>> dos filemode = No
>>>>>>>> dos filetimes = Yes
>>>>>>>> dos filetime resolution = No
>>>>>>>> fake directory create times = No
>>>>>>>> vfs objects = acl_xattr
>>>>>>>> msdfs root = No
>>>>>>>> msdfs proxy =
>>>>>>>> ntvfs handler =
>>>>>>>>
>>>>>>>> [printers]
>>>>>>>> path = /var/spool/samba
>>>>>>>> printable = Yes
>>>>>>>> print ok = Yes
>>>>>>>> browseable = No
>>>>>>>>
>>>>>>>> [print$]
>>>>>>>> comment = Printer drivers
>>>>>>>> path = /srv/samba/printer_drivers
>>>>>>>> read only = No
>>>>>>>>
>>>>>>>> [Xerox7545]
>>>>>>>> path = /var/spool/samba
>>>>>>>> printable = Yes
>>>>>>>> print ok = Yes
>>>>>>>> printer name = Xerox_WC_7545
>>>>>>>>
>>>>>>>> On 08/10/2014 02:54 AM, Davor Vusir wrote:
>>>>>>>>> 2014-08-09 23:41 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>>>>>>>>>> Alright, I am calling it quits for the day unless somebody
>>>>>>>>>> knows what I have
>>>>>>>>>> screwed up here. If I do "getent passwd" it shows all local
>>>>>>>>>> and domain
>>>>>>>>>> users, and the domain users have the wrong ID's. If I do
>>>>>>>>>> "getent passwd
>>>>>>>>>> <domain user>" I get absolutely nothing. Obviously I have
>>>>>>>>>> done something
>>>>>>>>>> wrong here, but I have no clue what. This behavior started
>>>>>>>>>> after modifying
>>>>>>>>>> the configuration file though. The modifications Rowland
>>>>>>>>>> showed me in his.
>>>>>>>>>> That tells me that maybe it is trying to do something right
>>>>>>>>>> and cannot. I
>>>>>>>>>> have one last idea of my own, then I will be installing the
>>>>>>>>>> backports
>>>>>>>>>> version Monday on a clean VM.
>>>>>>>>>>
>>>>>>>>> Hey Ryan!
>>>>>>>>>
>>>>>>>>> I noticed when I ran 'testparm -v /etc/samba/smb.conf | more'
>>>>>>>>> that
>>>>>>>>> samba is using the directories (lock directory =
>>>>>>>>> /usr/local/samba/var/lock) from the old selfcompiled
>>>>>>>>> installation.
>>>>>>>>> Now I'm using the Sernet package.
>>>>>>>>>
>>>>>>>>> When I run 'testparm -v | more' it reads
>>>>>>>>> /usr/local/samba/etc/smb.conf instead of /etc/samba/smb.conf
>>>>>>>>> and shows
>>>>>>>>> only one out of two share definitions.
>>>>>>>>>
>>>>>>>>> The file /etc/samba/smb.conf is copied from an old AD DC
>>>>>>>>> server config
>>>>>>>>> and later edited. The hidden entries like "lock directory ="
>>>>>>>>> above are
>>>>>>>>> present.
>>>>>>>>>
>>>>>>>>> Are you perhaps experiencing the same?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Davor
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
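One check worth running after reading the ACL dumps in this thread: parse the getfacl output and the `idmap config` ranges from smb.conf, and flag every numeric (unresolved) user or group entry by the range it falls in, since an ID from the `*` tdb fallback range is allocated per server and is exactly the kind of entry that differs between member servers. This is an added example, not code from the thread or from Samba; the smb.conf excerpt and getfacl output below are constructed to match what the thread shows for fs01 and the fbc share, with one extra `3000000` entry added to cover the out-of-range case seen on the DC's sysvol.

```python
import re

# Constructed excerpt of the fs01 [global] section as posted in the thread.
SMB_CONF = """
[global]
workgroup = TRUEVINE
security = ADS
idmap config TRUEVINE:range = 10001-40000
idmap config TRUEVINE:schema_mode = rfc2307
idmap config TRUEVINE:backend = ad
idmap config *:range = 70001-80000
idmap config * : backend = tdb
"""

# Constructed getfacl output: the fbc share ACL from the thread, plus a
# group:3000000 entry (as seen on the DC's sysvol) to show the out-of-range case.
GETFACL_OUTPUT = """\
# file: home/shared/fbc/
# owner: reachfp
# group: fbc
user::rwx
user:reachfp:rwx
group::rwx
group:fbc:rwx
group:70006:rwx
group:3000000:rwx
mask::rwx
other::---
default:group:70006:rwx
"""

# Matches "idmap config DOMAIN:key = value", tolerating spaces around the colon
# (the thread's config uses both "*:range" and "* : backend").
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(conf):
    """Return {domain: {"backend": ..., "range": (lo, hi), ...}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return domains


def parse_getfacl(text):
    """Return [(is_default, tag, qualifier, perms)] for each ACL entry line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "# file/owner/group" header
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if len(parts) != 3:
            continue
        tag, qualifier, perms = parts
        entries.append((is_default, tag, qualifier, perms))
    return entries


def classify_id(num, domains):
    """Return the idmap domain whose range contains num, or None if no range does."""
    for dom, cfg in domains.items():
        lo, hi = cfg.get("range", (None, None))
        if lo is not None and lo <= num <= hi:
            return dom
    return None


def audit_acl(facl_text, conf_text):
    """List every numeric user/group ACL entry with the idmap range it belongs to."""
    domains = parse_idmap_config(conf_text)
    findings = []
    for is_default, tag, qual, perms in parse_getfacl(facl_text):
        if tag not in ("user", "group") or not qual.isdigit():
            continue  # named entries resolved via nsswitch; only numeric ones are suspect
        num = int(qual)
        dom = classify_id(num, domains)
        if dom is None:
            status = "outside every idmap range"
        elif domains[dom].get("backend", "").lower() == "tdb":
            status = "in the %s tdb fallback range: allocated locally, not stable across servers" % dom
        else:
            status = "in the %s %s range but not resolved by nsswitch/winbind" % (dom, domains[dom].get("backend"))
        findings.append({"default": is_default, "tag": tag, "id": num, "perms": perms, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_acl(GETFACL_OUTPUT, SMB_CONF):
        prefix = "default:" if f["default"] else ""
        print("%s%s:%d (%s): %s" % (prefix, f["tag"], f["id"], f["perms"], f["status"]))
```

Feed it the real `getfacl` and `testparm -s` output to compare the same share across fs01 and ps01; any entry reported as tdb-range or out-of-range is one that will not mean the same thing on the other server.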