[Samba] Samba 4 AD share: Access denied
rowlandpenny at googlemail.com
Fri Aug 15 06:48:29 MDT 2014
On 15/08/14 04:54, Ryan Ashley wrote:
> I just had a thought and would like some input. I just discovered a
> major flaw in the member server guide (it doesn't build the PAM
> modules by default, the guide does not tell you to build them, and
> once you modify your PAM settings, you can no longer login to the box)
> due to a change in the way Samba builds. It no longer builds the PAM
> stuff by default nor does the guide tell you to add "--with-pam" to
> the configuration. Is it possible that something I need has also been
> turned off by default? Right now my member servers are built with
> "--with-ads --with-pam --with-shared-modules=idmap_ad". I do not add
> ANY of those to my AD DC. Do I need PAM, ADS, or anything else on my
> actual DC? Will it hurt to build ADS or PAM on the DC? Is it possible
> that something I need is not built on the DC and the DC is not
> authenticating my requests to the shares on the member server?
> On 8/14/2014 11:38 PM, Ryan Ashley wrote:
>> Alright, I do not know why my first reply to this still has not come
>> back, but I mentioned wanting to try this anyway. I finally did. It
>> took some time because the member server guide does not give
>> instructions for building the PAM modules, and they are not built by
>> default, so I spent hours figuring it out. Anyway, PAM now works, but
>> I still get access denied for the shares from the Windows systems.
>> Now, here is my current theory as to my issue. Back in 4.0 almost
>> everything was built by default. When I did a basic build I got PAM,
>> idmap_ad, everything. Now after viewing the build parameters page on
>> the wiki, I see loads of things which are not built by default
>> anymore. I believe something I need is not being built. What it is, I
>> do not know. I do have the rfc2307 things in my configuration file on
>> the member server and winbind is pulling the correct ID's for both
>> users and groups, so it works. Both getent and id show the correct
>> information. I have also added the user to their groups both the
>> Windows AD way and the NIS group way. Still, only domain admins can
>> access the share at all. Is there a permission I need to grant to
>> domain users for viewing shares they are supposed to have access to?
>> I did grant the domain admins group the permission mentioned in the
>> member server guide, but nothing was granted to other groups.
>> On 8/14/2014 3:44 PM, Sébastien Le Ray wrote:
>>> There's no need to configure PAM to get a working setup
>>> Do you have the rfc2307 stuff in your fileserver smb.conf and do all
>>> your groups have an assigned Unix GID? Did you try running winbindd
>>> in "debug" mode?
>>> Le 2014-08-14 21:01, Ryan Ashley a écrit :
>>>> Well, guess I will be configuring PAM! On a side note, I finally got
>>>> my UNIX Attributes tab! I assigned all built-in groups ID's starting
>>>> at 20001 and all built-in user accounts ID's starting at 10001.
>>>> Assigned primary groups and all, and it went VERY smoothly. No change
>>>> though. I still cannot access the shares as a normal user. Yes, I did
>>>> reboot the file-server and chown the shares to the new ID's.
>>>> Anyway, I will do the PAM configuration now. Just one question. How
>>>> can I prevent login if I do the PAM configuration? Also, why did it
>>>> work without PAM for weeks? On top of that, why do my other locations
>>>> without any PAM configuration work fine and have worked fine for up to
>>>> two years? Seems odd that this one location requires PAM.
OK, getting a bit fed up with this now, so I setup a share on my test
domain, the share is on one PC running Linux Mint 17 and I connected
from another, again running Linux Mint 17. The two AD DC are running
Debian 7.5 with samba 4.1.9 from backports, the two Mint machines are
both running samba 4.1.6 .
This is the ACL's from the share:
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: emily
# group: administration
Virtually the same as the OP, mostly just lacking 'group:70028:rwx'
Running 'id rowland' gets me this:
As you can see, rowland is not mentioned in the shares ACL's, but is a
member of the group 'administration' which is.
So I now try to connect from the other PC:
Enter rowland's password:
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
smb: \> ls
. D 0 Fri Aug 15 12:55:50 2014
.. D 0 Fri Aug 15 12:55:50 2014
55743 blocks of size 8388608. 43330 blocks available
smb: \> quit
So as far as I can see there is no problem, what do you think ?
More information about the samba