[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 15 12:45:11 MDT 2014

Rowland, I did as you asked and am now running 4.1.9 from backports. 
Steps I took are below.

Left the domain via "net ads leave -Ureachfp"
Uninstalled the custom-built version via "make uninstall"
Manually deleted everything in /var/lib/samba and /var/cache/samba
Deleted /etc/krb5.keytab
Removed my modifications to the PAM files
Installed 4.1.9 from backports with your package-list
Rebooted for good measure

I still get "Access is denied" from the workstations and if I try 
accessing the shares from my Linux laptop I get prompts for the username 
and password and never get in.

Before I get chewed out again, I have not changed any configuration 
since you last saw it, with the exception of removing the lines from the 
PAM files after removing the custom-built Samba. Everything is the same 
including ACLs, id and getent working, etc.

Now, is it possible that when you told me to try 4.1 that going from 4.2 
to 4.1 could have corrupted my AD database somehow? I do not care if it 
did, I just want to fix it if that is the case. On top of that, I have 
now gone from 4.1.11 to 4.1.9, another downgrade. If there were any 
changes to the way the AD data is stored between all of these versions, 
I may have hosed myself in changing versions. If not, then I have no 
clue why I keep getting denied access.

Finally, some information about the hardware setup in case it matters. 
The server is an Intel Xeon system with 16GB of RAM and a RAID10 array 
(hardware, not software). I have an LSI PCI-E card attached to four 1TB 
SATA 6.0Gbps drives. On this I installed XenServer 6.2, which saw the 
one "virtual" drive at 2TB. I then installed a network install of Debian 
7.5 AMD64 and had only a shell with SSH access. I made a template of 
this, and deployed it three times. One is the AD DC, one is the 
print-server, and one is the file-server. I do have the XenServer stuff 
installed on all three VMs and it works fine. I do not know if this 
matters, but I wanted to mention it. I have tried removing the XenServer 
stuff but it did not help.

On 08/15/2014 01:19 PM, Harry Jede wrote:
> On 19:14:56 wrote Rowland Penny:
>> On 15/08/14 17:19, Harry Jede wrote:
>>> On 18:03:42 wrote Rowland Penny:
>>>> On 15/08/14 16:07, Ryan Ashley wrote:
>>>> The problem there is that you are trying to install the wrong
>>>> packages LOL
>>>> try:
>>>> apt-get -t wheezy-backports install samba attr krb5-config
>>>> krb5-user dnsutils winbind libpam-winbind libpam-krb5
>>>> libnss-winbind libsmbclient  smbclient
>>> The problem there is that you are trying to install the wrong
>>> packages LOL.
>>> Just a joke, or not?
>>> Heads up:
>>> If you install dnsutils from backports you can not use samba with
>>> bind- dlz. The bind package from backports is 1:9.9.5 and this
>>> package is NOT compiled with dlz. If bind-dlz is required one must
>>> use bind 1:9.8.4 from Wheezy!
>> Oh dear, is this why my AD DC server with Bind9 and DHCP works ?
>> samba -V
>> Version 4.1.9-Debian
>> And from /var/log/syslog
>> Aug 15 10:19:36 dc01 named[2707]: starting BIND
>> 9.9.5-4~bpo70+1-Debian  -u bind
>> ~~~~~~~~~~
>> Aug 15 10:19:36 dc01 named[2707]: Loading 'AD DNS Zone' using driver
>> dlopen
> OK,
> looks I have made a mistake installing bind 9.9.5 from backports.
> So both bind packages (wheezy and wheezy-backports) seems to work.
> Next time I will try bind from backports again.

More information about the samba mailing list