[Samba] Samba 4 AD share: Access denied
ryana at reachtechfp.com
Wed Aug 13 07:51:36 MDT 2014
I already tried removing it from the global section. I had the same idea
you do. Unfortunately, the only thing testparm shows as being recognized
is the path, comment, and read only flag. Still does not work. I did
open a bug report since I have now been through this LONG email chain
twice and tried everything as well as my variations on everything
several times now. It just seems to want to deny access. I wish it was
just denying it to 7, so I could blame 7, but it denies access to all
OSes including my Android phone and my Debian Wheezy laptop.
Thanks for your help, but I am not up yet. Maybe we'll get it sooner
rather than later. Also, I have set all shared directories to 777 and
all files in said directories to 666 until we get it working. Then I can
worry about locking it down.
On 08/13/2014 12:30 AM, Davor Vusir wrote:
> 2014-08-12 23:06 GMT+02:00 Ryan Ashley <ryana at reachtechfp.com>:
>> Just so you know, those attributes only work in the global section. I added
>> them to my shares, but it does not use them. I was still unable to access
>> said shares after rebooting the member server to insure the changes were
> Sorry to hear that. I guess I'm out of ideas. For now...
>> root at fs01:~# testparm /etc/samba/smb.conf
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[install$]"
>> Processing section "[staff$]"
>> Processing section "[fbc$]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
>> Press enter to see a dump of your service definitions
>> workgroup = TRUEVINE
>> realm = TRUEVINE.LAN
>> security = ADS
>> ntlm auth = No
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> local master = No
>> domain master = No
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind nss info = rfc2307
>> idmap config TRUEVINE:range = 10001-40000
>> idmap config TRUEVINE:schema_mode = rfc2307
>> idmap config TRUEVINE:backend = ad
>> idmap config *:range = 70001-80000
>> idmap config * : backend = tdb
>> map acl inherit = Yes
>> store dos attributes = Yes
>> vfs objects = acl_xattr
>> comment = "Software installation files"
>> path = /home/shared/install
>> read only = No
>> comment = "Staff file share"
>> path = /home/shared/staff
>> read only = No
>> comment = "Family Bible College file share"
>> path = /home/shared/fbc
>> read only = No
>> As you can see, testparm ignores them in the share sections. I will remove
>> them since they do not work.
> What happens if you remove them from the global section and only have
> them in the share sections?
>> On 8/12/2014 4:57 PM, Ryan Ashley wrote:
>>> I do not have those attributes on my actual AD DC, only on my member
>>> servers. I followed the guide to the letter and put them in global, but I
>>> will happily try putting them in the share section as suggested. If it works
>>> I will let you know. Thanks for the help. If this fixes it I will also
>>> update my ticket and advise the guide be updated.
>>> On 8/12/2014 4:29 PM, Rowland Penny wrote:
>>>> On 12/08/14 20:41, Davor Vusir wrote:
>>>>> In my first setup, a combined (compiled) AD DC and file server I never
>>>>> got it to work with "vfs objects = acl_xattr" in the global section. I
>>>>> had two more shares and could not get the permissions to work until I
>>>>> put "vfs objects = acl_xattr" in the share sections. The shares were
>>>>> on LVM volumes mapped to directories later shared with Samba. My
>>>>> conclusion is that "vfs objects = acl_xattr" in the global section on
>>>>> a AD DC does not extend (or how to put it) beyond the netlogon and
>>>>> sysvol shares. I have not tested this configuration on one (1) mounted
>>>>> LVM volume where /usr/local and Sambashares reside.
>>>> If you add "vfs objects = acl_xattr" to smb.conf on a Samba 4 AD DC, you
>>>> are turning off the 'dfs_samba4' vfs module. If you run 'testpam
>>>> --suppress-prompt --verbose', you will find 'vfs objects = dfs_samba4,
>>>>> I have now changed the setup to a dedicated virtual AD DC and a
>>>>> physical file server because of poor network performance. After the
>>>>> switch I experienced the same; proper permissions denies access... The
>>>>> setup is still the same; mounted LVM volumes later shared with samba.
>>>>> By removing "vfs objects = acl_xattr, map acl inherit = Yes and store
>>>>> dos attributes = Yes" from the global section, as mentioned in
>>>> You only add these line to a member server, they are not required on the
>>>> AD DC.
>>>>> and instead putting "vfs objects = acl_xattr" in the share section
>>>>> solves it. If you are using more vfs objects you may have to reorder
>>>>> them. And I also noticed that removing Everyone from the Share tab
>>>>> will neither let you edit nor remove ACE:s in the Security tab. So
>>>>> first let Everyone be there, add Domain Admins, press Apply. Add
>>>>> Domain Admins to the ACL, press Apply. Take ownership. After this
>>>>> procedure you are able to edit ACE:s. This will not guarantee that
>>>>> inheritence is correct. Again, "vfs objects = acl_xattr" in the global
>>>>> section does not seem to extend beyond global section. And I'm not
>>>>> sure why "map acl inherit = Yes and store dos attributes = Yes" are in
>>>>> the global section (I'm using neither). Both belongs to a share
>>>>> section according to
>>>>> Hope it helps.
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba