[Samba] Samba 4 AD share: Access denied
Ryan Ashley
ryana at reachtechfp.com
Fri Aug 15 13:13:20 MDT 2014
I will show you the ACL's on /home/shared in a sec, but I just ran a
dcdiag on my DC and got quite a few failures. Is this normal due to the
server being Linux with Samba or do I have an issue?
C:\Users\reachfp.TRUEVINE>dcdiag /s:dc01
Directory Server Diagnosis
Performing initial setup:
* Identified AD Forest.
Got error while checking if the DC is using FRS or DFSR. Error:
A device attached to the system is not functioning.The VerifyReferences,
FrsEvent and DfsrEvent tests might fail because of this error.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC01
Starting test: Connectivity
......................... DC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC01
Starting test: Advertising
......................... DC01 passed test Advertising
Starting test: FrsEvent
......................... DC01 passed test FrsEvent
Starting test: DFSREvent
......................... DC01 passed test DFSREvent
Starting test: SysVolCheck
The SysVol is not ready. This can cause the DC to not advertise
itself as a DC for netlogon after dcpromo. Also trouble with FRS
SysVol replication can cause Group Policy problems. Check the FRS
event log on this DC.
......................... DC01 failed test SysVolCheck
Starting test: KccEvent
......................... DC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC01 passed test MachineAccount
Starting test: NCSecDesc
......................... DC01 passed test NCSecDesc
Starting test: NetLogons
......................... DC01 passed test NetLogons
Starting test: ObjectsReplicated
Failed to read object metadata on DC01, error
The request is not supported.
Failed to read object metadata on DC01, error
The request is not supported.
......................... DC01 passed test ObjectsReplicated
Starting test: Replications
......................... DC01 passed test Replications
Starting test: RidManager
......................... DC01 passed test RidManager
Starting test: Services
Could not open EventSystem Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open RpcSs Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open NTDS Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open DnsCache Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open DFSR Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open IsmServ Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open kdc Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open SamSs Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open LanmanServer Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open LanmanWorkstation Service on DC01, error 0x8
"Not enough storage is available to process this command."
Could not open w32time Service on DC01, error 0x8
"Not enough storage is available to process this command."
Invalid service type: NETLOGON on DC01, current value
WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
Invalid service startup type: NETLOGON on DC01, current value
DEMAND_START, expected value AUTO_START
......................... DC01 failed test Services
Starting test: SystemLog
......................... DC01 passed test SystemLog
Starting test: VerifyReferences
Some objects relating to the DC DC01 have problems:
[1] Problem: Missing Expected Value
Base Object:
CN=NTDS
Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Si
tes,CN=Configuration,DC=truevine,DC=lan
Base Object Description: "DSA Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[1] Problem: Missing Expected Value
Base Object: CN=DC01,OU=Domain Controllers,DC=truevine,DC=lan
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... DC01 failed test VerifyReferences
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : truevine
Starting test: CheckSDRefDom
......................... truevine passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... truevine passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=DomainDnsZones,DC=truevine,DC=lan is missing a security
descriptor reference domain. The administrator should set the
msDS-SD-Reference-Domain attribute on the cross reference
object
CN=79666bae-b92d-4b84-b23d-046d4cb433fb,CN=Partitions,CN=Configurati
on,DC=truevine,DC=lan
to the DN of a domain.
......................... DomainDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
The application directory partition
DC=ForestDnsZones,DC=truevine,DC=lan is missing a security
descriptor reference domain. The administrator should set the
msDS-SD-Reference-Domain attribute on the cross reference
object
CN=f34a927c-9694-44b9-ab86-e88a9b8e8aa0,CN=Partitions,CN=Configurati
on,DC=truevine,DC=lan
to the DN of a domain.
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running enterprise tests on : truevine.lan
Starting test: LocatorCheck
......................... truevine.lan passed test LocatorCheck
Starting test: Intersite
......................... truevine.lan passed test Intersite
C:\Users\reachfp.TRUEVINE>
I imagine tings like the services checks should fail since it isn't a
Windows server, but I want to be sure. The sysvol failures concern me.
Here is the /home/shared ACL.
root at fs01:~# getfacl /home/shared
getfacl: Removing leading '/' from absolute path names
# file: home/shared
# owner: reachfp
# group: domain\040admins
user::rwx
group::---
other::---
I have not changed this since creation. It worked for a few weeks this way.
On 08/15/2014 02:53 PM, Achim Gottinger wrote:
>>>>>>> This is the ACL's from the share:
>>>>>>>
>>>>>>> getfacl /home/shared/staff/
>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>> # file: home/shared/staff/
>>>>>>> # owner: emily
>>>>>>> # group: administration
>>>>>>> user::rwx
>>>>>>> user:emily:rwx
>>>>>>> group::rwx
>>>>>>> group:administration:rwx
>>>>>>> group:domain_admins:rwx
>>>>>>> mask::rwx
>>>>>>> other::rwx
>>>>>>> default:user::rwx
>>>>>>> default:user:emily:rwx
>>>>>>> default:group::---
>>>>>>> default:group:administration:rwx
>>>>>>> default:group:domain_admins:rwx
>>>>>>> default:mask::rwx
>>>>>>> default:other::---
> What's the output of "getfacl /home/shared" ? In case this was not yet
> covered.
More information about the samba
mailing list