[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Tue Aug 12 15:06:59 MDT 2014

Just so you know, those attributes only work in the global section. I 
added them to my shares, but it does not use them. I was still unable to 
access said shares after rebooting the member server to insure the 
changes were accepted.

root at fs01:~# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[install$]"
Processing section "[staff$]"
Processing section "[fbc$]"
Loaded services file OK.
Press enter to see a dump of your service definitions

         workgroup = TRUEVINE
         realm = TRUEVINE.LAN
         security = ADS
         ntlm auth = No
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         local master = No
         domain master = No
         winbind enum users = Yes
         winbind enum groups = Yes
         winbind use default domain = Yes
         winbind nss info = rfc2307
         idmap config TRUEVINE:range = 10001-40000
         idmap config TRUEVINE:schema_mode = rfc2307
         idmap config TRUEVINE:backend = ad
         idmap config *:range = 70001-80000
         idmap config * : backend = tdb
         map acl inherit = Yes
         store dos attributes = Yes
         vfs objects = acl_xattr

         comment = "Software installation files"
         path = /home/shared/install
         read only = No

         comment = "Staff file share"
         path = /home/shared/staff
         read only = No

         comment = "Family Bible College file share"
         path = /home/shared/fbc
         read only = No

As you can see, testparm ignores them in the share sections. I will 
remove them since they do not work.

On 8/12/2014 4:57 PM, Ryan Ashley wrote:
> I do not have those attributes on my actual AD DC, only on my member 
> servers. I followed the guide to the letter and put them in global, 
> but I will happily try putting them in the share section as suggested. 
> If it works I will let you know. Thanks for the help. If this fixes it 
> I will also update my ticket and advise the guide be updated.
> On 8/12/2014 4:29 PM, Rowland Penny wrote:
>> On 12/08/14 20:41, Davor Vusir wrote:
>>> In my first setup, a combined (compiled) AD DC and file server I never
>>> got it to work with "vfs objects = acl_xattr" in the global section. I
>>> had two more shares and could not get the permissions to work until I
>>> put "vfs objects = acl_xattr" in the share sections. The shares were
>>> on LVM volumes mapped to directories later shared with Samba. My
>>> conclusion is that "vfs objects = acl_xattr" in the global section on
>>> a AD DC does not extend (or how to put it) beyond the netlogon and
>>> sysvol shares. I have not tested this configuration on one (1) mounted
>>> LVM volume where /usr/local and Sambashares reside.
>> If you add "vfs objects = acl_xattr" to smb.conf on a Samba 4 AD DC, 
>> you are turning off the 'dfs_samba4' vfs module. If you run 'testpam 
>> --suppress-prompt --verbose', you will find 'vfs objects = 
>> dfs_samba4, acl_xattr'.
>>> I have now changed the setup to a dedicated virtual AD DC and a
>>> physical file server because of poor network performance. After the
>>> switch I experienced the same; proper permissions denies access... The
>>> setup is still the same; mounted LVM volumes later shared with samba.
>>> By removing "vfs objects = acl_xattr, map acl inherit = Yes and store
>>> dos attributes = Yes" from the global section, as mentioned in
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs, 
>> You only add these line to a member server, they are not required on 
>> the AD DC.
>> Rowland
>>> and instead putting "vfs objects = acl_xattr" in the share section
>>> solves it. If you are using more vfs objects you may have to reorder
>>> them. And I also noticed that removing Everyone from the Share tab
>>> will neither let you edit nor remove ACE:s in the Security tab. So
>>> first let Everyone be there, add Domain Admins, press Apply. Add
>>> Domain Admins to the ACL, press Apply. Take ownership. After this
>>> procedure you are able to edit ACE:s. This will not guarantee that
>>> inheritence is correct. Again, "vfs objects = acl_xattr" in the global
>>> section does not seem to extend beyond global section. And I'm not
>>> sure why "map acl inherit = Yes and store dos attributes = Yes" are in
>>> the global section (I'm using neither). Both belongs to a share
>>> section according to
>>> http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html.
>>> Hope it helps.
>>> Regards
>>> Davor

More information about the samba mailing list