[Samba] Samba 4 AD share: Access denied
ryana at reachtechfp.com
Thu Aug 14 21:38:25 MDT 2014
Alright, I do not know why my first reply to this still has not come
back, but I mentioned wanting to try this anyway. I finally did. It took
some time because the member server guide does not give instructions for
building the PAM modules, and they are not built by default, so I spent
hours figuring it out. Anyway, PAM now works, but I still get access
denied for the shares from the Windows systems.
Now, here is my current theory as to my issue. Back in 4.0 almost
everything was built by default. When I did a basic build I got PAM,
idmap_ad, everything. Now after viewing the build parameters page on the
wiki, I see loads of things which are not built by default anymore. I
believe something I need is not being built. What it is, I do not know.
I do have the rfc2307 things in my configuration file on the member
server and winbind is pulling the correct ID's for both users and
groups, so it works. Both getent and id show the correct information. I
have also added the user to their groups both the Windows AD way and the
NIS group way. Still, only domain admins can access the share at all. Is
there a permission I need to grant to domain users for viewing shares
they are supposed to have access to? I did grant the domain admins group
the permission mentioned in the member server guide, but nothing was
granted to other groups.
On 8/14/2014 3:44 PM, Sébastien Le Ray wrote:
> There's no need to configure PAM to get a working setup
> Do you have the rfc2307 stuff in your fileserver smb.conf and do all
> your groups have an assigned Unix GID? Did you try running winbindd in
> "debug" mode?
> Le 2014-08-14 21:01, Ryan Ashley a écrit :
>> Well, guess I will be configuring PAM! On a side note, I finally got
>> my UNIX Attributes tab! I assigned all built-in groups ID's starting
>> at 20001 and all built-in user accounts ID's starting at 10001.
>> Assigned primary groups and all, and it went VERY smoothly. No change
>> though. I still cannot access the shares as a normal user. Yes, I did
>> reboot the file-server and chown the shares to the new ID's.
>> Anyway, I will do the PAM configuration now. Just one question. How
>> can I prevent login if I do the PAM configuration? Also, why did it
>> work without PAM for weeks? On top of that, why do my other locations
>> without any PAM configuration work fine and have worked fine for up to
>> two years? Seems odd that this one location requires PAM.
More information about the samba