[Samba] Samba 4 AD share: Access denied

Ryan Ashley ryana at reachtechfp.com
Fri Aug 15 14:28:31 MDT 2014

That was it! It did not work but I was already building 4.1.11 from a 
clean clone. No clue why it did not work with 4.1.9, but it works FINE 
now. What gets me is that it worked that way from day one for about two 
weeks, then it died. I never thought to check above that level due to 
the directory itself not being shared or even accessible remotely. Home 
was 750 and when I reverted it to 755 and the shared directory to 775, 
the shares began working.

Now, this did NOT fix it on the print-server. I am still getting access 
denied. I followed the guide and created /srv/samba/printer_drivers and 
the entire sub-directory structure. The "printer_drivers" directory is 
2755 as per the wiki article. The directories above it are 755 and are 
owned by root and the root group. So I have 755 for /srv, 755 for 
/srv/samba, and 2755 for /srv/samba/printer_drivers and everything below 
it, but I am getting access denied. I have one driver there in x64/3, 
and all files in there are 664. Do these non-executable files need to be 
775 despite being DLLs and such?

On 08/15/2014 04:10 PM, Achim Gottinger wrote:
> Am 15.08.2014 21:19, schrieb Achim Gottinger:
>> Am 15.08.2014 21:13, schrieb Ryan Ashley:
>>> root at fs01:~# getfacl /home/shared
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: home/shared
>>> # owner: reachfp
>>> # group: domain\040admins
>>> user::rwx
>>> group::---
>>> other::---
>> So this is 700 mode. What happens if you change it to 755
>> chmod 755 /home/shared.
> You need atleast the execution right on the preceding dirs /home and 
> /home/shared for group and others.
> Check the permissions on the /home share.
> It sould be atleast 711 on /home and /home/shared.
> Tested it here and i also get access denied if an user has no 
> execution right on any of the preceding folders of the share.
>>> I have not changed this since creation. It worked for a few weeks 
>>> this way.
>>> On 08/15/2014 02:53 PM, Achim Gottinger wrote:
>>>>>>>>>> This is the ACL's from the share:
>>>>>>>>>> getfacl /home/shared/staff/
>>>>>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>>>>>> # file: home/shared/staff/
>>>>>>>>>> # owner: emily
>>>>>>>>>> # group: administration
>>>>>>>>>> user::rwx
>>>>>>>>>> user:emily:rwx
>>>>>>>>>> group::rwx
>>>>>>>>>> group:administration:rwx
>>>>>>>>>> group:domain_admins:rwx
>>>>>>>>>> mask::rwx
>>>>>>>>>> other::rwx
>>>>>>>>>> default:user::rwx
>>>>>>>>>> default:user:emily:rwx
>>>>>>>>>> default:group::---
>>>>>>>>>> default:group:administration:rwx
>>>>>>>>>> default:group:domain_admins:rwx
>>>>>>>>>> default:mask::rwx
>>>>>>>>>> default:other::---
>>>> What's the output of "getfacl /home/shared" ? In case this was not 
>>>> yet covered.

More information about the samba mailing list