[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 15 07:34:48 MDT 2014

I removed the 70028 (SYSTEM) group a few days ago thinking it might be 
the issue. I will post my information one final time in an attempt to 
show you that I am doing this the correct way, now with functioning PAM 
support on the member server. If you want ANYTHING else, I will do it, 
just ask. Nothing would make me happier than to be out of your hair. I 
did not come here with the intent to upset people, I simply wanted help.

root at fs01:~# cat /etc/samba/smb.conf
   netbios name = FS01
   workgroup = TRUEVINE
   security = ADS
   realm = TRUEVINE.LAN
   encrypt passwords = true
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config TRUEVINE:backend = ad
   idmap config TRUEVINE:schema_mode = rfc2307
   idmap config TRUEVINE:range = 10001-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind refresh tickets = yes

#  ntlm auth = no
#  lanman auth = no
#  client ntlmv2 auth = yes

   domain master = no
   local master = no
   preferred master = no

   vfs objects = acl_xattr
   map acl inherit = yes
   acl group control = yes
   store dos attributes = yes

   path = /home/shared/install
   comment = "Software installation files"
   read only = no

   path = /home/shared/staff
   comment = "Staff file share"
   read only = no
   create mask = 0660
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770

   path = /home/shared/fbc
   comment = "Family Bible College file share"
   read only = no
   create mask = 0660
   force create mode = 0660
   directory mask = 0770
   force directory mode = 0770

root at fs01:~# getfacl /home/shared/install/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/install/
# owner: reachfp
# group: domain\040admins
# flags: -s-

root at fs01:~# getfacl /home/shared/staff/
getfacl: Removing leading '/' from absolute path names
# file: home/shared/staff/
# owner: reachfp
# group: staff
# flags: -s-

root at fs01:~# getfacl /home/shared/fbc
getfacl: Removing leading '/' from absolute path names
# file: home/shared/fbc
# owner: reachfp
# group: fbc
# flags: -s-

root at fs01:~# id yolandab
uid=10014(yolandab) gid=20002(domain users) groups=20002(domain 

root at fs01:~# id reach_support
uid=10003(reach_support) gid=20002(domain users) groups=20002(domain 

root at fs01:~# id daquanm
uid=10005(daquanm) gid=20002(domain users) groups=20002(domain 

root at fs01:~# iptables -S

root at fs01:~# cat /etc/krb5.conf
   default_realm = TRUEVINE.LAN
   dns_lookup_realm = false
   dns_lookup_kdc = true

root at fs01:~# cat /etc/pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so

root at fs01:~# cat /etc/pam.d/common-auth
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth sufficient pam_winbind.so use_first_pass

root at fs01:~# cat /etc/pam.d/common-password
password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password sufficient pam_winbind.so use_authtok

root at fs01:~# cat /etc/pam.d/common-session
session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session [success=1 default=ignore] pam_succeed_if.so service in crond 
quiet use_uid

root at fs01:~# l /lib/security/
total 0
lrwxrwxrwx 1 root root 32 Aug 14 23:19 pam_winbind.so -> 

root at fs01:~# l /lib | grep winbind
lrwxrwxrwx  1 root root    28 Aug 15 09:24 libnss_winbind.so -> 

root at fs01:~# getent passwd
shamekias:*:10012:20002:<hidden for privacy>:/home/shamekias:/bin/sh
richards:*:10011:20002:<hidden for privacy>:/home/richards:/bin/sh
yolandab:*:10014:20002:<hidden for privacy>:/home/yolandab:/bin/sh
joyces:*:10009:20002:<hidden for privacy>:/home/joyces:/bin/sh
patriceb:*:10010:20002:<hidden for privacy>:/home/patriceb:/bin/sh
cynthiaj:*:10004:20002:<hidden for privacy>:/home/cynthiaj:/bin/sh
jessicaj:*:10007:20002:<hidden for privacy>:/home/jessicaj:/bin/sh
reach_support:*:10003:20002:Reach Support:/home/reach_support:/bin/sh
daquanm:*:10005:20002:<hidden for privacy>:/home/daquanm:/bin/sh
ernestj:*:10006:20002:<hidden for privacy>:/home/ernestj:/bin/sh
jovanm:*:10008:20002:<hidden for privacy>:/home/jovanm:/bin/sh
thomasa:*:10013:20002:<hidden for privacy>:/home/thomasa:/bin/sh
reachfp:*:10001:20002:Reach Technology FP:/home/reachfp:/bin/sh
guest:*:10002:20005:Guest Domain User:/home/Guest:/bin/sh

root at fs01:~# getent group
allowed rodc password replication group:x:20012:
enterprise read-only domain controllers:x:20007:
denied rodc password replication group:x:20014:
read-only domain controllers:x:20010:
group policy creator owners:x:20008:
vpn users:x:20042:
ras and ias servers:x:20009:
domain controllers:x:20004:
enterprise admins:x:20006:
domain computers:x:20003:
cert publishers:x:20013:
domain admins:x:20001:
domain guests:x:20005:
schema admins:x:20011:
domain users:x:20002:

Now if you can tell me where in my configuration I am wrong, I will 
gladly apologize for all of the trouble and I will not bother you again. 
I already apologized to you and Steve personally for whatever it was I 
did to get under your skin, but you told me I needed to do more 
googling. I did, and when I found out, from the Samba build parameters 
page, that PAM was not built by default and mentioned it, I was attacked 
for that also, despite me providing proof on the Samba wiki. If googling 
returns false results and you want me to search for results, what do I 
do? Do you see my predicament now? I come here and am told to search. I 
search and find a fix to one of my issues and I am told I am wrong. How 
do I know what to believe?

On 08/15/2014 08:48 AM, Rowland Penny wrote:
> OK, getting a bit fed up with this now, so I setup a share on my test 
> domain, the share is on one PC running Linux Mint 17 and I connected  
> from another, again running Linux Mint 17. The two AD DC are running 
> Debian 7.5 with samba 4.1.9 from backports, the two Mint machines are 
> both running samba 4.1.6 .
> This is the ACL's from the share:
> getfacl /home/shared/staff/
> getfacl: Removing leading '/' from absolute path names
> # file: home/shared/staff/
> # owner: emily
> # group: administration
> user::rwx
> user:emily:rwx
> group::rwx
> group:administration:rwx
> group:domain_admins:rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:emily:rwx
> default:group::---
> default:group:administration:rwx
> default:group:domain_admins:rwx
> default:mask::rwx
> default:other::---
> Virtually the same as the OP, mostly just lacking 'group:70028:rwx'
> Running 'id rowland' gets me this:
> uid=10000(rowland) gid=10000(domain_users) 
> groups=10000(domain_users),10001(administration),2001(BUILTIN\users)
> As you can see, rowland is not mentioned in the shares ACL's, but is a 
> member of the group 'administration' which is.
> So I now try to connect from the other PC:
> smbclient //EmilysPC/staff
> Enter rowland's password:
> Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
> smb: \> ls
>   .                                   D        0  Fri Aug 15 12:55:50 
> 2014
>   ..                                  D        0  Fri Aug 15 12:55:50 
> 2014
>         55743 blocks of size 8388608. 43330 blocks available
> smb: \> quit
> So as far as I can see there is no problem, what do you think ?
> Rowland

More information about the samba mailing list