[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 12 14:57:17 MDT 2014

I do not have those attributes on my actual AD DC, only on my member 
servers. I followed the guide to the letter and put them in global, but 
I will happily try putting them in the share section as suggested. If it 
works I will let you know. Thanks for the help. If this fixes it I will 
also update my ticket and advise the guide be updated.

On 8/12/2014 4:29 PM, Rowland Penny wrote:
> On 12/08/14 20:41, Davor Vusir wrote:
>> In my first setup, a combined (compiled) AD DC and file server I never
>> got it to work with "vfs objects = acl_xattr" in the global section. I
>> had two more shares and could not get the permissions to work until I
>> put "vfs objects = acl_xattr" in the share sections. The shares were
>> on LVM volumes mapped to directories later shared with Samba. My
>> conclusion is that "vfs objects = acl_xattr" in the global section on
>> a AD DC does not extend (or how to put it) beyond the netlogon and
>> sysvol shares. I have not tested this configuration on one (1) mounted
>> LVM volume where /usr/local and Sambashares reside.
> If you add "vfs objects = acl_xattr" to smb.conf on a Samba 4 AD DC, 
> you are turning off the 'dfs_samba4' vfs module. If you run 'testpam 
> --suppress-prompt --verbose', you will find 'vfs objects = dfs_samba4, 
> acl_xattr'.
>> I have now changed the setup to a dedicated virtual AD DC and a
>> physical file server because of poor network performance. After the
>> switch I experienced the same; proper permissions denies access... The
>> setup is still the same; mounted LVM volumes later shared with samba.
>> By removing "vfs objects = acl_xattr, map acl inherit = Yes and store
>> dos attributes = Yes" from the global section, as mentioned in
>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs, 
> You only add these line to a member server, they are not required on 
> the AD DC.
> Rowland
>> and instead putting "vfs objects = acl_xattr" in the share section
>> solves it. If you are using more vfs objects you may have to reorder
>> them. And I also noticed that removing Everyone from the Share tab
>> will neither let you edit nor remove ACE:s in the Security tab. So
>> first let Everyone be there, add Domain Admins, press Apply. Add
>> Domain Admins to the ACL, press Apply. Take ownership. After this
>> procedure you are able to edit ACE:s. This will not guarantee that
>> inheritence is correct. Again, "vfs objects = acl_xattr" in the global
>> section does not seem to extend beyond global section. And I'm not
>> sure why "map acl inherit = Yes and store dos attributes = Yes" are in
>> the global section (I'm using neither). Both belongs to a share
>> section according to
>> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.
>> Hope it helps.
>> Regards
>> Davor

More information about the samba mailing list