[Samba] Samba 4 AD share: Access denied
ryana at reachtechfp.com
Thu Aug 14 12:05:40 MDT 2014
I can do "id", "getent", etc. on the file-server and they work fine, but
I do NOT want domain users being able to log in to the server so I did
not set up the PAM stuff. Everything else does work though, including
ACLs and resolving groups and such.
root at fs01:~# id yolandab
uid=10013(yolandab) gid=10003(domain users) groups=10003(domain
root at fs01:~# id ernestj
uid=10005(ernestj) gid=10003(domain users) groups=10003(domain
root at fs01:~#
I have posted countless results of "getent passwd" and "getent group",
but will happily do so again if it helps. I will also add the PAM stuff
to test and will post the results. My understanding however, was that
PAM was only used to physically login to the system, such as through
SSH. Am I wrong here?
Also, is it possible that my AD DB has somehow become corrupted? I spent
some time last night and copied my smb.conf over from a working domain
and tried it on this domain and still got access denied. I also copied
my smb.conf from the non-working server to a working one and it worked
fine there. This tells me that my smb.conf is correct despite having
tons of extra settings that Rowland and Steve had me add during
troubleshooting. I did run a dbcheck on it and it tested 327 objects and
had no errors, but if it is corrupted, would it know?
On 08/14/2014 03:56 AM, mourik jan heupink - merit wrote:
> On your fileserver, are you able to become or logon as one of your
> regular users? (Either logon directly, or using 'su username')
> Then 'id' to make sure that group memberships are as expected, and
> then try to access your staff share. Samba 'obeys' the ACLs on the
> filesystem, we're using those primarily to grant/deny access to files.
> Perhaps those are wrong?
> On 8/13/2014 22:29, Ryan Ashley wrote:
>> Alright, I changed the owner of the staff share (files and all) to a
>> domain user. The only people in the ACL were the user, domain admins
>> group, and staff group. The user was denied access despite owning
>> everything. This throws all four of my theories out the window. This
>> tells me that ONLY people with domain admin access can access shares.
>> What would cause this? I have triple-checked the ACLs and have removed
>> the "SYSTEM" account from the ACLs. Currently the owner is the domain
>> admin and the domain admins group along with the staff group have full
>> control. Still, no domain users can access it. Is there any possible way
>> to get Samba to log access denied cases in a log-file the way Windows
>> does in an event log? All I know from my standpoint is that Samba is
>> denying access to everybody who is not a domain admin, despite having
>> ACLs set that said domain admins can manipulate.
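Since Samba enforces the filesystem ACLs, one way to check on paper whether a given user should be let in is to evaluate a getfacl(1)-style listing against an id(1) line with the POSIX ACL algorithm from acl(5). This is an added example, not code from the thread; the share owner, mask, group names and the second user's memberships are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread): an id(1) line in the
# shape the post shows, and a getfacl(1)-style listing for the staff share.
ID_OUTPUT = ("uid=10013(yolandab) gid=10003(domain users) "
             "groups=10003(domain users),10020(staff)")
STAFF_ACL = """# owner: ernestj
# group: domain users
user::rwx
user:yolandab:r-x
group::---
group:domain admins:rwx
group:staff:rwx
mask::r-x
other::---
"""

def parse_id(text):
    """Return (username, set of group names) from an id(1) line."""
    user = re.search(r"uid=\d+\(([^)]*)\)", text).group(1)
    groups = set(re.findall(r"\d+\(([^)]*)\)", text.partition("groups=")[2]))
    return user, groups

def parse_acl(text):
    """Return (owner, owning group, {(tag, qualifier): perms}) from getfacl text."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.rsplit(":", 2)
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries

def has_access(acl_text, id_text, wanted):
    """acl(5) order: owner, named user, then any ONE matching group entry,
    then other. Named users and every group entry are limited by the mask."""
    user, groups = parse_id(id_text)
    owner, owning_group, perms = parse_acl(acl_text)
    wanted, mask = set(wanted), perms.get(("mask", ""), set("rwx"))
    if user == owner:
        return wanted <= perms[("user", "")]
    if ("user", user) in perms:
        return wanted <= perms[("user", user)] & mask
    cands = [perms[("group", "")] & mask] if owning_group in groups else []
    cands += [p & mask for (t, q), p in perms.items() if t == "group" and q in groups]
    if cands:
        return any(wanted <= c for c in cands)
    return wanted <= perms[("other", "")]
```

Note that a user whose only match is the owning group gets the `group::` entry, so `group::---` denies them even when a named group entry elsewhere would have granted access.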