[Samba] Samba 4 AD share: Access denied

mourik jan heupink - merit heupink at merit.unu.edu
Thu Aug 14 01:56:29 MDT 2014

On your fileserver, are you able to become or logon as one of your 
regular users? (Either logon directly, or using 'su username')

Then 'id' to make sure that group memberships are as expected, and then 
try to access your staff share. Samba 'obeys' the acl's on the 
filesystem, we're using those primarily to grant/deny access to files.

Perhaps those are wrong?

On 8/13/2014 22:29, Ryan Ashley wrote:
> Alright, I changed the owner of the staff share (files and all) to a
> domain user. The only people in the ACL were the user, domain admins
> group, and staff group. The user was denied access despite owning
> everything. This throws all four of my theories out the window. This
> tells me that ONLY people with domain admin access can access shares.
> What would cause this? I have triple-checked the ACLs and have removed
> the "SYSTEM" account from the ACLs. Currently the owner is the domain
> admin and the domain admins group along with the staff group have full
> control. Still, no domain users can access it. Is there any possible way
> to get Samba to log access denied cases in a log-file the way Windows
> does in an event log? All I know from my standpoint is that Samba is
> denying access to everybody who is not a domain admin, despite having
> ACLs set that said domain admins can manipulate.

More information about the samba mailing list