[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 15 13:13:20 MDT 2014


I will show you the ACLs on /home/shared in a sec, but I just ran a 
dcdiag on my DC and got quite a few failures. Is this normal due to the 
server being Linux with Samba or do I have an issue?

C:\Users\reachfp.TRUEVINE>dcdiag /s:dc01

Directory Server Diagnosis

Performing initial setup:
    * Identified AD Forest.
    Got error while checking if the DC is using FRS or DFSR. Error:
    A device attached to the system is not functioning.The VerifyReferences,
    FrsEvent and DfsrEvent tests might fail because of this error.
    Done gathering initial info.

Doing initial required tests

    Testing server: Default-First-Site-Name\DC01
       Starting test: Connectivity
          ......................... DC01 passed test Connectivity

Doing primary tests

    Testing server: Default-First-Site-Name\DC01
       Starting test: Advertising
          ......................... DC01 passed test Advertising
       Starting test: FrsEvent
          ......................... DC01 passed test FrsEvent
       Starting test: DFSREvent
          ......................... DC01 passed test DFSREvent
       Starting test: SysVolCheck
          The SysVol is not ready.  This can cause the DC to not advertise
          itself as a DC for netlogon after dcpromo.  Also trouble with FRS
          SysVol replication can cause Group Policy problems.  Check the FRS
          event log on this DC.
          ......................... DC01 failed test SysVolCheck
       Starting test: KccEvent
          ......................... DC01 passed test KccEvent
       Starting test: KnowsOfRoleHolders
          ......................... DC01 passed test KnowsOfRoleHolders
       Starting test: MachineAccount
          ......................... DC01 passed test MachineAccount
       Starting test: NCSecDesc
          ......................... DC01 passed test NCSecDesc
       Starting test: NetLogons
          ......................... DC01 passed test NetLogons
       Starting test: ObjectsReplicated
          Failed to read object metadata on DC01, error
          The request is not supported.
          Failed to read object metadata on DC01, error
          The request is not supported.
          ......................... DC01 passed test ObjectsReplicated
       Starting test: Replications
          ......................... DC01 passed test Replications
       Starting test: RidManager
          ......................... DC01 passed test RidManager
       Starting test: Services
             Could not open EventSystem Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open RpcSs Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open NTDS Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open DnsCache Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open DFSR Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open IsmServ Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open kdc Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open SamSs Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open LanmanServer Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open LanmanWorkstation Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Could not open w32time Service on DC01, error 0x8
             "Not enough storage is available to process this command."
             Invalid service type: NETLOGON on DC01, current value
             WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
             Invalid service startup type: NETLOGON on DC01, current value
             DEMAND_START, expected value AUTO_START
          ......................... DC01 failed test Services
       Starting test: SystemLog
          ......................... DC01 passed test SystemLog
       Starting test: VerifyReferences
          Some objects relating to the DC DC01 have problems:
             [1] Problem: Missing Expected Value
              Base Object:
             CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=truevine,DC=lan
              Base Object Description: "DSA Object"
              Value Object Attribute Name: serverReferenceBL
              Value Object Description: "SYSVOL FRS Member Object"
              Recommended Action: See Knowledge Base Article: Q312862

             [1] Problem: Missing Expected Value
              Base Object: CN=DC01,OU=Domain Controllers,DC=truevine,DC=lan
              Base Object Description: "DC Account Object"
              Value Object Attribute Name: frsComputerReferenceBL
              Value Object Description: "SYSVOL FRS Member Object"
              Recommended Action: See Knowledge Base Article: Q312862

          ......................... DC01 failed test VerifyReferences


    Running partition tests on : Configuration
       Starting test: CheckSDRefDom
          ......................... Configuration passed test CheckSDRefDom
       Starting test: CrossRefValidation
          ......................... Configuration passed test CrossRefValidation

    Running partition tests on : Schema
       Starting test: CheckSDRefDom
          ......................... Schema passed test CheckSDRefDom
       Starting test: CrossRefValidation
          ......................... Schema passed test CrossRefValidation

    Running partition tests on : truevine
       Starting test: CheckSDRefDom
          ......................... truevine passed test CheckSDRefDom
       Starting test: CrossRefValidation
          ......................... truevine passed test CrossRefValidation

    Running partition tests on : DomainDnsZones
       Starting test: CheckSDRefDom
             The application directory partition
             DC=DomainDnsZones,DC=truevine,DC=lan is missing a security
             descriptor reference domain.  The administrator should set the
             msDS-SD-Reference-Domain attribute on the cross reference object
             CN=79666bae-b92d-4b84-b23d-046d4cb433fb,CN=Partitions,CN=Configuration,DC=truevine,DC=lan
             to the DN of a domain.
          ......................... DomainDnsZones failed test CheckSDRefDom
       Starting test: CrossRefValidation
          ......................... DomainDnsZones passed test
          CrossRefValidation

    Running partition tests on : ForestDnsZones
       Starting test: CheckSDRefDom
             The application directory partition
             DC=ForestDnsZones,DC=truevine,DC=lan is missing a security
             descriptor reference domain.  The administrator should set the
             msDS-SD-Reference-Domain attribute on the cross reference object
             CN=f34a927c-9694-44b9-ab86-e88a9b8e8aa0,CN=Partitions,CN=Configuration,DC=truevine,DC=lan
             to the DN of a domain.
          ......................... ForestDnsZones failed test CheckSDRefDom
       Starting test: CrossRefValidation
          ......................... ForestDnsZones passed test
          CrossRefValidation

    Running enterprise tests on : truevine.lan
       Starting test: LocatorCheck
          ......................... truevine.lan passed test LocatorCheck
       Starting test: Intersite
          ......................... truevine.lan passed test Intersite

C:\Users\reachfp.TRUEVINE>

I imagine things like the services checks should fail since it isn't a 
Windows server, but I want to be sure. The sysvol failures concern me. 
Here is the /home/shared ACL.

root at fs01:~# getfacl /home/shared
getfacl: Removing leading '/' from absolute path names
# file: home/shared
# owner: reachfp
# group: domain\040admins
user::rwx
group::---
other::---

I have not changed this since creation. It worked for a few weeks this way.

On 08/15/2014 02:53 PM, Achim Gottinger wrote:
>>>>>>> These are the ACLs from the share:
>>>>>>>
>>>>>>> getfacl /home/shared/staff/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: home/shared/staff/
>>>>>>> # owner: emily
>>>>>>> # group: administration
>>>>>>> user::rwx
>>>>>>> user:emily:rwx
>>>>>>> group::rwx
>>>>>>> group:administration:rwx
>>>>>>> group:domain_admins:rwx
>>>>>>> mask::rwx
>>>>>>> other::rwx
>>>>>>> default:user::rwx
>>>>>>> default:user:emily:rwx
>>>>>>> default:group::---
>>>>>>> default:group:administration:rwx
>>>>>>> default:group:domain_admins:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
> What's the output of "getfacl /home/shared" ? In case this was not yet 
> covered.
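As an added example (not code from the thread or from Samba), a small Python checker that parses getfacl listings like the two above and applies the acl(5) lookup order, mask included, to decide whether a user with given group memberships gets the requested access. The owner, group and permission lines are copied from the thread; the checker and the test users (emily, bob) are mine.

```python
import re

# Constructed sample input: the two getfacl listings quoted in the thread.
PARENT_ACL = r"""
# owner: reachfp
# group: domain\040admins
user::rwx
group::---
other::---
"""
STAFF_ACL = r"""
# owner: emily
# group: administration
user::rwx
group::rwx
group:domain_admins:rwx
mask::rwx
other::rwx
default:group::---
"""

def unescape(name):  # getfacl prints spaces and odd bytes as octal escapes (\040)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):  # owner, owning group and access entries of one listing
    acl = {"owner": None, "group": None, "users": {}, "groups": {}, "other": frozenset()}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("default:"):
            continue  # default entries only seed new children; they grant nothing here
        if line.startswith("#"):
            key, _, val = line[1:].strip().partition(":")
            acl[key] = unescape(val.strip())
            continue
        tag, qualifier, perms = line.split(":")
        perms = frozenset(perms) - {"-"}
        if tag in ("user", "group"):  # empty qualifier = owner / owning-group entry
            acl[tag + "s"][unescape(qualifier) or None] = perms
        else:                         # mask or other
            acl[tag] = perms
    return acl

def can_access(acl, user, groups, wanted):  # acl(5) order: owner, user, groups, other
    wanted = frozenset(wanted)
    mask = acl.get("mask", frozenset("rwx"))  # no mask entry: group class unmasked
    if user == acl["owner"]:
        return wanted <= acl["users"][None]
    if user in acl["users"]:
        return wanted <= acl["users"][user] & mask
    matched = [p & mask for g, p in acl["groups"].items()
               if (acl["group"] if g is None else g) in groups]
    if matched:  # a single matching group entry must hold every requested bit
        return any(wanted <= p for p in matched)
    return wanted <= acl["other"]
```

Every component of the path is checked in turn, so with group::--- and other::--- on /home/shared only its owner can traverse into /home/shared/staff, whatever the subdirectory's own ACL grants.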