[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Thu Aug 14 21:38:25 MDT 2014

Alright, I do not know why my first reply to this still has not come 
back, but I mentioned wanting to try this anyway. I finally did. It took 
some time because the member server guide does not give instructions for 
building the PAM modules, and they are not built by default, so I spent 
hours figuring it out. Anyway, PAM now works, but I still get access 
denied for the shares from the Windows systems.

Now, here is my current theory as to my issue. Back in 4.0 almost 
everything was built by default. When I did a basic build I got PAM, 
idmap_ad, everything. Now after viewing the build parameters page on the 
wiki, I see loads of things which are not built by default anymore. I 
believe something I need is not being built. What it is, I do not know. 
I do have the rfc2307 things in my configuration file on the member 
server and winbind is pulling the correct IDs for both users and 
groups, so it works. Both getent and id show the correct information. I 
have also added the user to their groups both the Windows AD way and the 
NIS group way. Still, only domain admins can access the share at all. Is 
there a permission I need to grant to domain users for viewing shares 
they are supposed to have access to? I did grant the domain admins group 
the permission mentioned in the member server guide, but nothing was 
granted to other groups.

On 8/14/2014 3:44 PM, Sébastien Le Ray wrote:
> Hi,
> There's no need to configure PAM to get a working setup.
> Do you have the rfc2307 stuff in your fileserver smb.conf and do all 
> your groups have an assigned Unix GID? Did you try running winbindd in 
> "debug" mode?
> Regards
> On 2014-08-14 21:01, Ryan Ashley wrote:
>> Well, guess I will be configuring PAM! On a side note, I finally got
>> my UNIX Attributes tab! I assigned all built-in groups IDs starting
>> at 20001 and all built-in user accounts IDs starting at 10001.
>> Assigned primary groups and all, and it went VERY smoothly. No change
>> though. I still cannot access the shares as a normal user. Yes, I did
>> reboot the file-server and chown the shares to the new IDs.
>> Anyway, I will do the PAM configuration now. Just one question. How
>> can I prevent login if I do the PAM configuration? Also, why did it
>> work without PAM for weeks? On top of that, why do my other locations
>> without any PAM configuration work fine and have worked fine for up to
>> two years? Seems odd that this one location requires PAM.
