[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Thu Aug 14 21:54:02 MDT 2014

I just had a thought and would like some input. I just discovered a 
major flaw in the member server guide (it doesn't build the PAM modules 
by default, the guide does not tell you to build them, and once you 
modify your PAM settings, you can no longer log in to the box) due to a 
change in the way Samba builds. It no longer builds the PAM stuff by 
default nor does the guide tell you to add "--with-pam" to the 
configuration. Is it possible that something I need has also been turned 
off by default? Right now my member servers are built with "--with-ads 
--with-pam --with-shared-modules=idmap_ad". I do not add ANY of those to 
my AD DC. Do I need PAM, ADS, or anything else on my actual DC? Will it 
hurt to build ADS or PAM on the DC? Is it possible that something I need 
is not built on the DC and the DC is not authenticating my requests to 
the shares on the member server?

On 8/14/2014 11:38 PM, Ryan Ashley wrote:
> Alright, I do not know why my first reply to this still has not come 
> back, but I mentioned wanting to try this anyway. I finally did. It 
> took some time because the member server guide does not give 
> instructions for building the PAM modules, and they are not built by 
> default, so I spent hours figuring it out. Anyway, PAM now works, but 
> I still get access denied for the shares from the Windows systems.
> Now, here is my current theory as to my issue. Back in 4.0 almost 
> everything was built by default. When I did a basic build I got PAM, 
> idmap_ad, everything. Now after viewing the build parameters page on 
> the wiki, I see loads of things which are not built by default 
> anymore. I believe something I need is not being built. What it is, I 
> do not know. I do have the rfc2307 things in my configuration file on 
> the member server and winbind is pulling the correct IDs for both 
> users and groups, so it works. Both getent and id show the correct 
> information. I have also added the user to their groups both the 
> Windows AD way and the NIS group way. Still, only domain admins can 
> access the share at all. Is there a permission I need to grant to 
> domain users for viewing shares they are supposed to have access to? I 
> did grant the domain admins group the permission mentioned in the 
> member server guide, but nothing was granted to other groups.
> On 8/14/2014 3:44 PM, Sébastien Le Ray wrote:
>> Hi,
>> There's no need to configure PAM to get a working setup
>> Do you have the rfc2307 stuff in your fileserver smb.conf and do all 
>> your groups have an assigned Unix GID? Did you try running winbindd 
>> in "debug" mode?
>> Regards
>> On 2014-08-14 21:01, Ryan Ashley wrote:
>>> Well, guess I will be configuring PAM! On a side note, I finally got
>>> my UNIX Attributes tab! I assigned all built-in groups IDs starting
>>> at 20001 and all built-in user accounts IDs starting at 10001.
>>> Assigned primary groups and all, and it went VERY smoothly. No change
>>> though. I still cannot access the shares as a normal user. Yes, I did
>>> reboot the file-server and chown the shares to the new IDs.
>>> Anyway, I will do the PAM configuration now. Just one question. How
>>> can I prevent login if I do the PAM configuration? Also, why did it
>>> work without PAM for weeks? On top of that, why do my other locations
>>> without any PAM configuration work fine and have worked fine for up to
>>> two years? Seems odd that this one location requires PAM.
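As an added example (not code from this thread or from the Samba project), the check Sébastien asks for, done offline: parse the `idmap config ... range` lines of a member server's smb.conf and the `getent passwd`/`getent group` output, then flag any domain user whose primary GID has no mapped group or whose UID/GID falls outside the configured range. The domain name EXAMPLE, the ranges and the account lines are constructed sample data.

```python
import re

# Constructed smb.conf fragment for a member server using rfc2307 attributes.
SMB_CONF = """
[global]
   security = ADS
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
"""

# Constructed `getent passwd` / `getent group` output for domain accounts.
# bob's primary GID 20005 has no gidNumber in AD, so no group line exists.
PASSWD = """\
EXAMPLE\\alice:*:10001:20001:Alice:/home/EXAMPLE/alice:/bin/bash
EXAMPLE\\bob:*:10002:20005:Bob:/home/EXAMPLE/bob:/bin/bash
"""
GROUP = """\
EXAMPLE\\domain users:x:20001:
EXAMPLE\\domain admins:x:20002:
EXAMPLE\\finance:x:20003:EXAMPLE\\bob
"""

def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} from 'idmap config DOM : range = lo-hi'."""
    pat = r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pat, conf)}

def check_idmap(conf, passwd, group):
    """List inconsistencies between configured idmap ranges and NSS output."""
    ranges = parse_ranges(conf)
    gids = {int(line.split(":")[2]): line.split(":")[0]
            for line in group.splitlines()}
    problems = []
    for line in passwd.splitlines():
        name, _, uid, gid, *_ = line.split(":")
        lo, hi = ranges.get(name.split("\\")[0].upper(), ranges["*"])
        if not lo <= int(uid) <= hi:
            problems.append(f"{name}: uid {uid} outside range {lo}-{hi}")
        if int(gid) not in gids:
            problems.append(f"{name}: primary gid {gid} has no group in getent group")
    for gid, gname in gids.items():
        lo, hi = ranges.get(gname.split("\\")[0].upper(), ranges["*"])
        if not lo <= gid <= hi:
            problems.append(f"{gname}: gid {gid} outside range {lo}-{hi}")
    return problems
```

A user whose primary group lacks a gidNumber is the classic reason a share that only domain admins can reach stays "access denied" for everyone else, so that is the first line to read.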